AD Rapid Discovery Workload
AD Rapid Discovery is a monitoring workload that detects PCS servers being joined to the Active Directory domain and changes to computers that are already in a PCS zone. Its job is to keep the Delinea Platform inventory of computers and accounts in step with the contents of Active Directory.
How AD Rapid Discovery Differs from Discovery
- Discovery: Delinea Discovery scans the entire domain and makes an inventory of all servers, accounts, and so on. The scan typically runs once every 24 hours, but it can also be run manually as required. It is inconvenient to start a new scan by hand every time a PCS server is added to the domain. For more information about how Discovery works, see Discovery.
- AD Rapid Discovery: Provides near real-time synchronization. It detects PCS-related changes in Active Directory and updates the Delinea Platform inventory much faster than regular Discovery: by default, every five minutes. The interval is configurable (see Editing AD Rapid Discovery Settings), so you can make it even more frequent.
Why Use AD Rapid Discovery?
- Faster Policy Deployment: You do not have to wait for the next scheduled Discovery scan to apply security policies to new or changed computers and accounts.
- Up-to-Date Inventory: Your inventory in Delinea Platform is always current, which narrows the window in which a newly joined server is unmanaged.
- Better Automation: Enables more responsive automation and security workflows.
Computer properties in AD can be changed with Windows Server Manager or any other AD administration tool. For computers that have been added to a PCS zone in Delinea Platform, any change to those computer objects in AD is picked up by AD Rapid Discovery on its next synchronization interval and pushed to the platform. After synchronization, the changed computers appear in the Inventory page of the Delinea Platform.
Deployment
The AD Rapid Discovery workload can be installed and run on any domain-joined machine. This page gives details about how to set up the workload.
Editing AD Rapid Discovery Settings
To run the AD Rapid Discovery workload, a service account must be selected. Use the following steps to add the account; you will only see accounts for which you have permissions. You can also use these steps to adjust the synchronization interval.
- Open the Engine management page (use the Search bar to find it).
- Select a site.
- Click the Settings tab.
- In AD Rapid Discovery, click Edit.
- Edit the following settings:
  - AD Rapid Discovery Account: The account that runs AD Rapid Discovery. You can use any domain account that has the permissions described later in this page, in Setting AD Rapid Discovery Account Permissions.
  - Synchronizes with AD: The time interval, in minutes, between uploads of new AD data from the AD Rapid Discovery workload to the platform. Type a new value to change how often the workload synchronizes with AD.
- Click Save.
Setting AD Rapid Discovery Account Permissions
The service account for the Command Relay workload is also configured to support the AD Rapid Discovery workload, because the two workloads are usually installed together. The service account must be configured with the required local server permissions and domain permissions, as described in the rest of this section.
Local Server Permissions
The AD Rapid Discovery service account needs two logon rights on the server where the workload will be installed; without them the setup cannot register or start the workload under that account. The local server permissions must include the Log on as a batch job right and the Log on as a service right.
To assign the required logon rights:
- Open the Local Group Policy Editor (gpedit.msc) and select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Open the Log on as a batch job policy, and then repeat the remaining steps for the Log on as a service policy.
- On the Local Security Setting tab, click Add User or Group.
- Navigate to and select the AD Rapid Discovery service account to apply the permission.
Note that a domain Group Policy Object that applies to the server overrides the local policy, and a Deny log on as a batch job or Deny log on as a service entry that matches the account (directly or through group membership) always wins over the corresponding allow right. If the workload fails to start under the service account, check the effective policy with gpresult or the Resultant Set of Policy snap-in before looking elsewhere.
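The same assignment can be scripted with secedit, which is useful when the workload is deployed to more than one server. The following PowerShell is an added example, not part of the Delinea documentation or product; the account name CORP\svc-adrd is an assumption, and the script must run in an elevated session on the server that will host the workload. It exports the current user rights, appends the account's SID to the two rights without disturbing existing holders, re-imports only the USER_RIGHTS area, and then re-exports to verify the result.

```powershell
# Added example (not Delinea code): grant "Log on as a batch job" and
# "Log on as a service" to the AD Rapid Discovery service account with secedit.
# Assumption: the account is CORP\svc-adrd; run elevated on the target server.
$svcAccount = 'CORP\svc-adrd'

# Constant names used for these rights in security templates (secedit .inf files)
$rights = 'SeBatchLogonRight', 'SeServiceLogonRight'

# secedit stores principals as SIDs prefixed with '*', so resolve the account first
$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$work      = Join-Path $env:TEMP 'adrd-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exportInf = Join-Path $work 'current.inf'
$importInf = Join-Path $work 'update.inf'
$db        = Join-Path $work 'update.sdb'

# 1. Export the current user rights assignment
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null

# 2. Build a template that keeps the existing holders and appends the service account
$lines = Get-Content $exportInf
$out = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($r in $rights) {
    $existing = ($lines | Where-Object { $_ -match "^$r\s*=" }) -replace "^$r\s*=\s*", ''
    $holders  = @()
    if ($existing) { $holders = $existing -split ',' | ForEach-Object { $_.Trim() } }
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    $out += "$r = " + ($holders -join ',')
}
# secedit templates are UTF-16 LE
$out | Set-Content -Path $importInf -Encoding Unicode

# 3. Apply only the USER_RIGHTS area so no other policy area is touched
secedit /configure /db $db /cfg $importInf /areas USER_RIGHTS | Out-Null

# 4. Verify by re-exporting and checking that the SID is present on both rights
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
foreach ($r in $rights) {
    $line = Get-Content $exportInf | Where-Object { $_ -match "^$r\s*=" }
    if ($line -match [regex]::Escape("*$sid")) {
        "OK: $r includes $svcAccount"
    } else {
        "MISSING: $r does not include $svcAccount (check for an overriding domain GPO)"
    }
}
```

Importing only the USER_RIGHTS area matters: a full secedit /configure with a template that omits a section can reset that section to template defaults, and a template that lists a right without the existing holders removes them, which is why the script merges rather than overwrites.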
Domain Permissions
The AD Rapid Discovery workload requires the AD extended right Replicating Directory Changes (DS-Replication-Get-Changes). This right must be granted to the AD Rapid Discovery service account on the root of the domain naming context (the domain object itself), which is what lets the workload read directory changes without waiting for a full scan.
In the Permissions section of the Windows Permission Entry dialog, select the checkbox for Replicating Directory Changes.
Grant only this right. The similarly named Replicating Directory Changes All (DS-Replication-Get-Changes-All) additionally permits replication of secret attributes such as password hashes and is the right abused by DCSync-style attacks; AD Rapid Discovery does not need it, and the service account should be audited periodically to confirm it has not accumulated it.
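The same grant and audit can be done from PowerShell with the ActiveDirectory module. This is an added example, not Delinea documentation or product code; the account name CORP\svc-adrd is an assumption. The extended-right GUIDs are the schema-defined values for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. The script adds the required right on the domain object only (no inheritance), then lists the replication-related extended rights the account holds there and flags the dangerous ones.

```powershell
# Added example (not Delinea code): grant "Replicating Directory Changes" on the
# domain root to the AD Rapid Discovery service account and audit for
# "Replicating Directory Changes All". Assumption: account is CORP\svc-adrd.
Import-Module ActiveDirectory

$svcAccount = 'CORP\svc-adrd'
$domainDN   = (Get-ADDomain).DistinguishedName
$adPath     = "AD:\$domainDN"          # AD: drive is provided by the ActiveDirectory module

# Schema GUIDs of the controlAccessRight objects involved
$getChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes (required)
$getChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All (NOT required; DCSync)
$allExtended   = [Guid]::Empty                                  # an ACE with an empty GUID covers every extended right

$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Grant: one ACE, ExtendedRight, limited to the Get-Changes GUID, on this object only
$acl = Get-Acl -Path $adPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $getChanges,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Audit: re-read the ACL and report what replication rights the account now holds
$acl  = Get-Acl -Path $adPath
$held = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $svcAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
$hasRequired = $false
foreach ($a in $held) {
    switch ($a.ObjectType) {
        $getChanges    { $hasRequired = $true; "OK: $svcAccount has Replicating Directory Changes on $domainDN" }
        $getChangesAll { "WARNING: $svcAccount has Replicating Directory Changes All (can replicate secrets)" }
        $allExtended   { "WARNING: $svcAccount has ALL extended rights on $domainDN, which includes Get-Changes-All" }
    }
}
if (-not $hasRequired) { "MISSING: $svcAccount does not have Replicating Directory Changes on $domainDN" }
```

The audit half is worth running on its own on a schedule: an ACE with an empty ObjectType grants every extended right, so a tidy-looking ACL that never mentions Get-Changes-All can still allow DCSync, which is why the script checks for that case as well as the explicit GUID.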