OfficeScan only needs the Read access to the entire tree because it only queries data from the Active Directory.

No, OfficeScan will not change anything in Active Directory. It will only import the user or query tree structure.

The permission of a server does not relate to a user. All the Active Directory queries in OfficeScan are performed by the OfficeScan Active Directory Integration Service and it logs on as a "Network Service" account.

If your OfficeScan servers are integrated with the Active Directory, the users in AD can be imported and can log in to the OfficeScan server console.

Only the users in the OfficeScan database can access the server console. Therefore, the NTLM and/or Kerberos authentication are not supported in OfficeScan 10.5.

Yes, OfficeScan allows users to configure the scheduled Active Directory synchronization. You can perform AD synchronization manually or via a scheduled task.

The traffic depends on the size of your Active Directory; large Active Directory domain will cause larger amount of traffic. However, as of this writing, there is no base line for the precise traffic amount.

OfficeScan uses the Active Directory Service Interface (ADSI) to implement the Active Directory Integration feature. It uses LDAP to query the Active Directory.

Yes, you should rely on DNS for the name resolution of the Domain Controllers as you cannot specify a Domain Controller.

Yes, you can decide which domain will be imported to the OfficeScan server. Therefore, multiple servers can import the same domain. However, it means that all the servers will maintain their own Active Directory domain. The related settings on the Active Directory-related feature, such as sorting rule and outside server management, will be different on these servers. Nevertheless, the tree structure will remain the same.

The following properties are queried for domain structure:

The following properties are queried for domain user for RBA:

The encryption key is powerful. Trend Micro suggests that you use a strong password level to protect the Active Directory credentials.

However, if your environment has already been set up, then you do not need to use specific credential and encryption key. The privilege of the system account is enough to query the Active Directory directly.

When the OfficeScan server is unable to query the Domain Controller and synchronize the AD, the web console will display the "Failed" status for AD synchronization. The detailed information will be logged in the OfficeScan system event log.

When the OfficeScan server is unable to query the Domain Controller and synchronize the AD, the web console will display the "Failed" status for AD synchronization. The detailed information will be logged in the OfficeScan system event log.
 

The only difference is that the previous tree will be kept. OfficeScan will not remove the tree under some error situations.

The steps to rebuild the AD tree are the same as when you initiate an AD tree. You only need to trigger Active Directory synchronization again.

No, OfficeScan 10.5 does not allow you to specify a Domain Controller.

OfficeScan will duplicate the client that has been reinstalled because the client GUID is different. The offline client will be automatically removed every seven (7) days. This is done in the OfficeScan management console > Administration > Inactive clients.

The custom client groups will move the clients from domain A to domain B. Therefore, if the client move to domain B, it will get the settings from the new domain and will lose the settings from domain A. On the other hand, custom client groups will not remove the domain. Therefore, domain A will still keep the client tree even if there is no client belonging to it.