Description: Looking to join your Canary to AD? Once a Canary has been deployed live into a production network, it can be remotely joined or removed from an Active Directory domain at any time from your Console.
Note: the Windows file share service will need to be enabled for you to join your Canary to AD.
Follow the steps below to join your Canary to AD:
Log in to your Console.
Click on the Canary you want to domain-join.
Click on the gear icon (Configure Canary) to AD join this Canary.
Scroll down to the Windows File Share settings, where the Join Domain button will be present.
After clicking on the Join Domain button, you will be prompted to enter your Active Directory details, before clicking the Join button.
- See below for a note on how the credentials are encrypted.
- See here for information on the Guest Enabled option.
- When using an AD join user with limited privileges, in addition to being able to create objects, it also needs the WRITE permission set to the value msDS-SupportedEncryptionTypes on machines.
Joining takes a few minutes before seeing a response, correct any settings if an error shows or contact support for assistance.
After a successful domain join, your Canary will reboot and report that the Domain join was successful.
Once the Canary has rebooted with the new domain-joined settings, it will show up on your Console as a Domain member.
A note on security
We treat your AD credentials used to join the domain with an abundance of caution. Credentials are encrypted in your browser before they leave your machine, and can only be decrypted with a key that’s present on the Canary. The decryption key is simply not present on the console, so AD credentials cannot be accessed by Thinkst.
- Connect to your device’s configuration interface over Bluetooth.
- Scroll to the bottom of the page and click to view the Canary’s public key.
- In the Console AD domain join modal, click “Canary Public Key”, and confirm that the key matches that shown on the bird.
If an alternative is preferred, the Canary can always be locally joined to a domain-joined when booted into Bluetooth configuration mode.