When HCP joins a domain, it creates an HCP Computer Account by authenticating with the user account that the Active Directory domain admin created for it. From then on the HCP Computer Account is used for all Active Directory operations; the user account is needed again only if HCP has to rejoin the domain. Authenticating as the HCP Computer Account, HCP then joins each HCP node to the domain through Samba, which is required for CIFS authentication of legacy applications.
Once HCP has joined the domain, the HCP Computer Account updates SPNs and adds new nodes to the domain when physical nodes are added to the HCP system. HCP automatically changes the password of the HCP Computer Account every 30 days.
The following permissions are required by HCP to join the Active Directory Domain:
- Read and Write permissions for the HCP Admins group (SELF). These are required to add the computer object to the group within the OU.
- Create Computer objects and Delete Computer objects permissions are required to create the HCP Computer Account.
- Change Password and Reset Password permissions are required to reset the password of the HCP Computer Account.
- Read All Properties, Write All Properties, and Delete permissions are required to create and update SPNs.
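The following PowerShell script is an added example, not part of the HCP documentation or of any HCP tooling: it delegates exactly the rights listed above (create/delete computer objects, Reset Password, Change Password, Read/Write All Properties and Delete on computer objects) to the join account on a single OU, and then reads the ACL back so the delegation can be checked. The OU name `OU=HCP,DC=example,DC=com` and the account name `EXAMPLE\svc-hcp-join` are placeholders you must replace; the Read/Write permission on the HCP Admins group is not scripted here because it depends on where that group lives in your directory. Extended-right and class GUIDs are resolved from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not HCP vendor code). Run as a domain admin on a host with the
# ActiveDirectory RSAT module. Delegates the rights the HCP text lists to a
# dedicated join account on one OU, then prints the resulting ACEs.
Import-Module ActiveDirectory

$JoinAccount = 'EXAMPLE\svc-hcp-join'        # assumption: account the AD admin created for HCP
$TargetOU    = 'OU=HCP,DC=example,DC=com'    # assumption: OU that will hold the HCP computer objects

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve object-type GUIDs from the directory instead of hard-coding them.
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid | Select-Object -First 1).rightsGuid
$changePwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Change Password)' -Properties rightsGuid | Select-Object -First 1).rightsGuid

$sid = (New-Object System.Security.Principal.NTAccount($JoinAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$TargetOU"

# 1. Create Computer objects / Delete Computer objects on the OU itself
#    (lets the join account create the HCP Computer Account).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($ADRights::CreateChild -bor $ADRights::DeleteChild), $Allow,
    $computerClassGuid, $Inherit::None)))

# 2. Reset Password and Change Password on computer objects under the OU
#    (needed for the 30-day password rotation of the HCP Computer Account).
foreach ($rightGuid in @($resetPwdGuid, $changePwdGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $ADRights::ExtendedRight, $Allow, $rightGuid,
        $Inherit::Descendents, $computerClassGuid)))
}

# 3. Read All Properties, Write All Properties and Delete on computer objects
#    under the OU (needed to create and update SPNs). Scoped to the computer
#    class only, so the account cannot touch users or groups in the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($ADRights::ReadProperty -bor $ADRights::WriteProperty -bor $ADRights::Delete),
    $Allow, $Inherit::Descendents, $computerClassGuid)))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: list only the ACEs granted to the join account on this OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Two points worth checking after running it. First, the ACEs are granted on one OU only and are restricted to the `computer` object class; granting the same rights at the domain root, or without the inherited-object-type filter, would let the join account modify every user and group as well. Second, the page requires Write All Properties, which is wider than what SPN maintenance strictly needs; if the vendor will accept it, replacing the `WriteProperty` ACE in step 3 with one whose object type is the `servicePrincipalName` attribute GUID narrows the delegation further. The join account's own password should also be rotated, since it can rejoin the domain and therefore effectively re-create the HCP Computer Account.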