Many strategies exist to deploy PingCastle and collect its reports

Monitoring domains from a bastion can be easy, but domains with no network connection can be difficult. PingCastle supports several deployment strategies to cover both cases.


Deployment overview (figure captions):

Management support: Active Directory may be seen locally as a critical component, or it may be located in an entity without full technical control.

Weekly collection: we recommend collecting reports on a weekly basis to catch non-validated trusts.

Report recipient: a single person who receives all the reports.

1. Get reports

1.1. Option 1: Each domain run PingCastle

PingCastle can be run on every domain of a company using the command:

PingCastle --healthcheck

1.2. Option 2: PingCastle is run at key locations

PingCastle can be run on a Bastion Active Directory, generally used to perform administration tasks. In this case, all the domains will be scanned:

PingCastle --healthcheck --server *

The program can also be run on every forest root and be limited to that perimeter:

PingCastle --healthcheck --server *.forest.root

The tool can be run on every forest child and explore the child and its trusted domains. In this case the forest root is excluded:

PingCastle --healthcheck --explore-trust --server child.forest.root

PingCastle can explore all the domains of all the forests trusted by another forest. This is useful when the root and the child do not share the same name:

PingCastle --healthcheck --explore-forest-trust --server anotherforest.root

If needed, exceptions can be set so that some domains are not scanned, for example to avoid scanning the Bastion domain multiple times. In this case use the option --explore-exception <domains>, where <domains> is a comma-separated list of domain names.

2. Schedule

Even if management reporting is done on a monthly basis, we recommend setting up a weekly scheduled task.

This frequency is justified to:

  1. See the improvement almost in real time and avoid the tunnel effect
  2. Detect newly created trusts and be able to remove them if needed with a limited business impact.

Daily scans are not recommended: the additional effort needed to follow them up does not bring any additional benefit.

3. Collect the reports

3.1. Encryption to use unsafe channels

Sometimes domains are not connected, or the scheduled tasks cannot centralize all the reports in a single share. For this case, PingCastle can encrypt the reports so that they can be sent over an unsafe channel.

An RSA key pair needs to be generated, and the public key needs to be shared with every instance of the program. When producing risk reports and generating the .xml files, add the flag --encrypt to perform the encryption.

You can generate a key pair using the following command, then copy the public key into the .config file to be deployed.

PingCastle.exe --generate-key

Starting the task: Generate Key
Public Key (used on the encryption side):
<encryptionSettings encryptionKey="default">
<!-- encryption key -->
<KeySettings name="default" publicKey="&lt;RSAKeyValue&gt;&lt;Modulus&gt;h
<!-- end -->
Private Key (used on the decryption side):
<encryptionSettings encryptionKey="default">
<!-- decryption key -->
<KeySettings name="39b5d076-17be-4999-b43e-b894a55446a1" privateKey="&lt;R
<!-- end -->
Task Generate Key completed

Then copy the private key section into the configuration files (.config) of PingCastle and PingCastleReporting used to consolidate the results. PingCastle will perform the decryption automatically.

The program can generate an encrypted copy of a report (public key needed) or a decrypted copy of a report (private key needed) using the following commands:

PingCastle --reload-report report.xml --encrypt

PingCastle --reload-report encrypted-report.xml

Note: Only one key can be specified for encryption but multiple keys can be used for decryption. Their selection is automatic.
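The key sections printed by --generate-key have to be merged into the .config files by hand, on the encryption side (public key, name "default") and on the consolidation side (one or more private keys). The following PowerShell function is an added example, not PingCastle's own code, that does this merge through the XML DOM so that the key is entity-encoded exactly once. It assumes the .config root element is <configuration> with no XML namespace (the standard .NET layout) and that the shipped file already declares the encryptionSettings section; the element and attribute names it touches (encryptionSettings/@encryptionKey, KeySettings/@name, @publicKey, @privateKey) are the ones shown in the generate-key output above. The file paths and key files in the usage calls are placeholders.

```powershell
# Added example; not part of PingCastle. Merges a key from the "--generate-key" output
# into a PingCastle or PingCastleReporting .config file.
# Assumed: the .config root element is <configuration> (standard .NET layout, no xmlns)
# and the shipped file already declares the encryptionSettings section.
function Set-PingCastleKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        # "default" for the public key; for a private key, the id printed by --generate-key
        [Parameter(Mandatory)] [string] $Name,
        # Public = encryption side (every scanning instance), Private = consolidation side
        [Parameter(Mandatory)] [ValidateSet('Public', 'Private')] [string] $Side,
        # the <RSAKeyValue>...</RSAKeyValue> fragment, raw or still &lt;-encoded as printed
        [Parameter(Mandatory)] [string] $RsaKeyValue
    )

    # XmlDocument.Save resolves relative paths against the process directory, not $PWD
    $ConfigPath = (Resolve-Path -Path $ConfigPath).Path
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $root = $cfg.DocumentElement

    # --generate-key prints the key entity-encoded; undo that so the DOM encodes it once on save
    $key = $RsaKeyValue.Trim()
    if ($key -like '&lt;*') { $key = [System.Net.WebUtility]::HtmlDecode($key) }
    if ($key -notlike '<RSAKeyValue>*') { throw 'RsaKeyValue must be an <RSAKeyValue> XML fragment' }

    $settings = $root.SelectSingleNode('encryptionSettings')
    if (-not $settings) {
        $settings = $root.AppendChild($cfg.CreateElement('encryptionSettings'))
        $settings.SetAttribute('encryptionKey', 'default')
    }
    # only one key is used for encryption: encryptionKey selects it by name
    if ($Side -eq 'Public') { $settings.SetAttribute('encryptionKey', $Name) }

    # several private keys may coexist for decryption, so entries are matched by name
    $entry = $settings.SelectSingleNode("KeySettings[@name='$Name']")
    if (-not $entry) {
        $entry = $settings.AppendChild($cfg.CreateElement('KeySettings'))
        $entry.SetAttribute('name', $Name)
    }
    $attribute = if ($Side -eq 'Public') { 'publicKey' } else { 'privateKey' }
    $entry.SetAttribute($attribute, $key)

    $cfg.Save($ConfigPath)
}

# Placeholder paths; the key files hold the RSAKeyValue text pasted from the --generate-key output.
# Encryption side: the public key under the name "default", deployed with every instance.
Set-PingCastleKey -ConfigPath 'C:\PingCastle\PingCastle.exe.config' -Name 'default' -Side Public `
    -RsaKeyValue (Get-Content -Path 'C:\keys\public.txt' -Raw)
# Consolidation side: the private key, named by the id printed by --generate-key.
Set-PingCastleKey -ConfigPath 'C:\PingCastle\PingCastleReporting.exe.config' `
    -Name '39b5d076-17be-4999-b43e-b894a55446a1' -Side Private `
    -RsaKeyValue (Get-Content -Path 'C:\keys\private.txt' -Raw)
```

Calling the function a second time with another private key id adds a second KeySettings entry rather than replacing the first, which matches the note above that several keys can be used for decryption; only the encryption side gets its encryptionKey attribute rewritten. Keep the file holding the private key restricted to the consolidation host.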

3.2. Email

If an SMTP server is specified, PingCastle can send the reports by email. If encryption is set, the program encrypts the reports before sending them. Use --sendXmlTo <email> to send only the xml report, --sendHtmlTo <email> to send only the html report and --sendAllTo <email> to send both the html and the xml report. Email addresses are comma separated and the flags can be combined.
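Putting sections 2 and 3.2 together, the following is an added example (not PingCastle's own code) of registering the recommended weekly task on a bastion host so that all domains are scanned, the report is encrypted with the public key in the .config, and the xml is emailed to the consolidation mailbox. It assumes PingCastle is installed under C:\PingCastle, that the SMTP settings are already in the .config, that the task runs as a group managed service account CORP\gmsa-pingcastle$ already installed on the host and able to read the scanned domains, and that soc-reports@example.com is a placeholder address.

```powershell
# Added example; not part of PingCastle. Registers the weekly bastion scan from section 2
# with the collection flags from section 3. Paths, account and address are assumptions.
$installDir = 'C:\PingCastle'
# --server * : scan every domain reachable from the bastion (section 1.2)
# --encrypt  : needs the public key in PingCastle.exe.config (section 3.1)
# --sendXmlTo: email only the xml report to the consolidation mailbox (section 3.2)
$arguments  = '--healthcheck --server * --encrypt --sendXmlTo soc-reports@example.com'

# -WorkingDirectory keeps the report files in a known folder for later collection
$action    = New-ScheduledTaskAction -Execute (Join-Path $installDir 'PingCastle.exe') `
                                     -Argument $arguments -WorkingDirectory $installDir

# weekly, not daily: frequent enough to catch new trusts, without the follow-up cost of daily scans
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '06:00'

# gMSA: no password stored in the task; LogonType Password is the way a gMSA is declared as principal
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\gmsa-pingcastle$' -LogonType Password -RunLevel Limited

# bound the run time so a hung scan does not overlap the next one; catch up if the host was off
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

Register-ScheduledTask -TaskName 'PingCastle weekly healthcheck' `
                       -Description 'Weekly Active Directory risk scan; encrypted xml report emailed to SOC' `
                       -Action $action -Trigger $trigger -Principal $principal -Settings $settings
```

The same registration works for option 1 (one task per domain) by dropping --server *, and for a forest child by using --server child.forest.root --explore-trust instead. Since the task holds no credential of its own, the account used should have only the read rights the scan needs.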

3.3. API

PingCastle can send the report (encrypted or not) using an API.

You can query a PingCastle API server or build a client or server from Swagger.

The description of the API in swagger format can be found here.