I just got off the phone with Ruckus to figure this out as well. For starters, the second answer given to you here is just weird/wrong, don't go that direction with running lpd.exe on the AD server.
What follows relates to release 22.214.171.124.699.
1. How do I actually add AD users or groups to 'Administrators'?
Review pages 426-427 of the Ruckus SmartZone 100 and Virtual SmartZone-Essentials Administrator Guide, 5.1.2. Where I got stuck though is they had a typo on the AD Group name you have to create which I'll highlight below.
So here's how it works, and if you ask me, this is retarded compared to the way ZoneDirector did it, but at least it gets us back to what we had before.
Under Administration -> Admins and Roles, do the following:
- Setup an AD entry just like you have listed above with Default Role Mapping off, port 389.
- Create a local user on the SZ, for example call it "SuperAdmins". Put in some crazy long and difficult password as this will NEVER be used for actually signing. It doesn't even matter if you remember it afterwards.
- Create a group (Example call it "Super Admins Group" with all rights) and then assign the user you just created to this group (in this case, assign the user "SuperAdmins" to this group.)
Back on your AD server, do the following.
- Create a group in AD called "Ruckus-WSG-User-[username]" (this is the typo on their docs, they have it listed as "Ruckus-WSG-[username]" which is wrong.)
- As example, create the group "Ruckus-WSG-User-SuperAdmins"
- Assign the users to this group that you want to have Super Admin Group access.
Back to your SZ, go to the AAA tab and test with a user, and it should be assigned the "Super Admin Group" (or whatever) Role.
2. How can I add a second Domain Controller?
- You can't for AD (currently.) You can for Radius, but not for AD. How fun!
Port 389 is essentially LDAP in plain text - if I choose port 636
(LDAPS) - it fails. How do I secure comms to the Domain Controller?
- You can't. We apparently lost that security feature in SZ. You can have TLS encryption when you use AD for standard user authentication such as to authenticate to a portal, but not for the Administrator login to the web site. Brilliant, right? All we can do is complain to gain this feature back.