Hitachi Vantara Knowledge

Configuring Active Directory to support HCP

To enable SSL-secured LDAP communication between HCP and AD, you need to create an SSL certificate on each AD domain controller that HCP uses. Installing a valid certificate on a domain controller automatically enables SSL connections for both LDAP and global catalog traffic.

If you don’t want to secure communication, skip Step 1.

To create SSL certificates for communication between HCP and AD, you need to create a certificate on every domain controller that communicates with HCP.

To create the SSL certificate, do the following:

Procedure

  1. (Optional) Create the SSL certificate.

    1. On the Windows server, click Start.

    2. In the Search programs and files field, enter: mmc

      The Console1 - [Console Root] window opens.
    3. On the File menu, select Add/Remove Snap-in.

      The Add or Remove Snap-ins window opens.
    4. In the Available snap-ins list, select Certificates, then click Add.

      The Certificates snap-in window opens.
    5. Select Computer account, then click Next.

      The Select Computer window opens.
    6. Click Finish.

      Certificates (Local Computer) appears in the Selected snap-ins list in the Add or Remove Snap-ins window.
    7. Click OK.

    8. In the tree view in the left panel of the Console1 - [Console Root] window, expand Certificates (Local Computer) > Personal, then select Certificates.

      The middle panel in the window lists information about the CA root certificate.
      Note: The CA root certificate is shown only on the domain controller where the CA service is installed.
    9. On the Action menu, select All Tasks > Request New Certificate.

      The Certificate Enrollment window opens.
    10. Click Next.

      The Select Certificate Enrollment Policy page appears.
    11. Click Next.

      The Request Certificates page appears.
    12. Select Domain Controller. Then click Enroll.

      The Certificates Installation Results page appears.
    13. Click Finish.

      The Certificates list now includes the SSL certificate for LDAP communication. The value in the Issued To column for this certificate is the concatenation of the computer name and the FQDN of the AD domain (for example, WIN-AD-SERVER.example.local).
  2. (Optional) Export the SSL certificate.

    If you are securing communication between HCP and AD, you must export the SSL root certificate of the CA that you created in Create the SSL certificate so that you can upload it to HCP. If you did not create an SSL certificate, skip this step.
    1. On the Windows server running the AD certificate authority, click Start.

    2. In the Search programs and files field, enter: cmd

      A Windows command prompt window opens.
    3. Change to the directory to which you want to write the file containing the exported certificate.

    4. Enter the following command to export the certificate:

      certutil -ca.cert cert-name.cer

      In this command, cert-name is the name (minus the .cer extension) of the file that will contain the exported certificate.

      If the export is successful, the window displays the contents of the certificate followed by this message:

      CertUtil: -ca.cert command completed successfully.

      If you don't see this message, make sure the applicable AD domain has a domain controller that is configured with the certificate authority role, and that you ran this command on the domain controller that has the CA role installed. After verifying, try the procedure again, starting from Step 9 in Create the SSL certificate.
    5. Copy the file containing the exported certificate to the Windows client from which you plan to access the HCP System Management Console.
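Before uploading the exported certificate to HCP, it is worth confirming two things that Steps 1 and 2 do not check for you: that the exported file really is the CA root, and that every domain controller HCP will talk to presents an LDAPS certificate on port 636 that chains to that root. The following PowerShell script is an added example and is not part of the Hitachi Vantara procedure; run it from the Windows client that received the exported file. The file path and the domain controller list are placeholders for your environment.

```powershell
# Added example (not part of the Hitachi Vantara procedure). Verifies the exported CA
# certificate from Step 2 and checks that each domain controller's LDAPS certificate
# (enrolled in Step 1) chains to it. Placeholders: $exportedCaFile, $domainControllers.

$exportedCaFile     = 'C:\temp\cert-name.cer'             # file written by: certutil -ca.cert cert-name.cer
$domainControllers  = @('WIN-AD-SERVER.example.local')    # every DC that communicates with HCP

function Get-ExportedCaCertificate {
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # A CA certificate carries Basic Constraints with CA=TRUE; a root is additionally self-issued.
    $basic = $ca.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $basic -or -not $basic.CertificateAuthority) {
        throw "$Path is not a CA certificate; re-run certutil -ca.cert on the DC that holds the CA role."
    }
    if ($ca.Subject -ne $ca.Issuer) {
        Write-Warning "$Path is an intermediate CA, not the root; HCP needs the root (or the full chain)."
    }
    return $ca
}

function Get-LdapsServerCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever the server presents here; the trust decision is made in Test-LdapsChain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

function Test-LdapsChain {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ServerCert,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root,
        [string]$ExpectedName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    # The exported root is not yet trusted on this client, so allow the chain to end at an
    # unknown authority and then require that authority to be exactly the exported root.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built     = $chain.Build($ServerCert)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $dnsName   = $ServerCert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Server       = $ExpectedName
        ChainBuilt   = $built
        ChainsToRoot = ($chainRoot.Thumbprint -eq $Root.Thumbprint)
        NameMatches  = ($dnsName -ieq $ExpectedName)      # should equal the Issued To value from Step 1
        Expires      = $ServerCert.NotAfter
        Status       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

$root = Get-ExportedCaCertificate -Path $exportedCaFile
"Exported CA: $($root.Subject)  thumbprint $($root.Thumbprint)"

foreach ($dc in $domainControllers) {
    $serverCert = Get-LdapsServerCertificate -Server $dc
    Test-LdapsChain -ServerCert $serverCert -Root $root -ExpectedName $dc
}
```

A domain controller that reports ChainsToRoot = False was enrolled against a different CA than the one you exported, and HCP will reject its LDAPS connection once the exported root is uploaded; a connection refused on port 636 means the Domain Controller certificate from Step 1 has not been picked up yet.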

  3. (Optional) Create an AD group.

    For Active Directory to work with HCP, the HCP computer account must have certain permissions. The HCP computer account can inherit its HCP management permissions either from an AD group created specifically for this purpose or from the Domain Computers group.

    If you are creating a new AD group to configure HCP management permissions:
    1. On the Windows server from which you can access AD, click the Start button and select Administrative Tools > Active Directory Users and Computers.

      The Active Directory Users and Computers window opens.
    2. On the View menu, select Advanced Features.

    3. Under ad-domain-name, right-click the OU or CN in which you want to create the AD group and select New > Group from the drop-down menu.

      The New Object - Group window opens.
    4. In the Group name field, type a name for the new group (for example, "HCP Admins").

      Then click the OK button.
    5. In the left panel of the Active Directory Users and Computers window, double-click the OU or CN in which you created the new group.

      The middle panel of the Active Directory Users and Computers window lists the items in the OU or CN, including the group you just created.
    6. Right-click the new group and select Properties from the drop-down menu.

      The Properties window opens.
    7. Click the Security tab.

    8. With SELF selected in the Group or user names list, select the box for Write in the Allow column under Permissions for SELF.

      Then click the OK button.
  4. Give permissions to the new AD group or to the Domain Computers group.

    To grant the HCP computer account HCP management permissions, you need to assign the necessary permissions either to the AD group you created or to the Domain Computers group. HCP management permissions allow the HCP computer account to create computer accounts and manage computer account properties for each node in the system.

    To assign permissions to the AD group or to the Domain Computers group:
    1. In the left panel of the Active Directory Users and Computers window, right-click the OU or CN in which you want HCP computer accounts to be created and select Properties from the drop-down menu.

      The Properties window opens.
    2. Click the Security tab.

    3. On the Security tab, click the Advanced button.

      The Advanced Security Settings window opens.
    4. Click the Add button.

      The Permission Entry for HCP window opens.
    5. Click the Select a principal link.

      The Select User, Computer, Service Account, or Group window opens.
    6. In the Enter object name to select field, type the name of the AD group you created in the previous step, or type Domain Computers if you decided not to create an AD group for HCP management in the previous step.

      Then click the OK button. The Permission Entry window opens.
    7. In the Permission Entry window:

      1. In the Apply to field, select Descendant Computer objects.
      2. Under Permissions, select the boxes in the Allow column for:
        • Read all properties
        • Write all properties
        • Delete
        • Change password
        • Reset password

        Then click the OK button.

        Depending on the version of Active Directory that you are using, the Permission Entry page looks slightly different (the article's screenshots show both the new and the old version of AD).
    8. In the Advanced Settings window, click the Add button again.

      The Select User, Computer, Service Account, or Group window opens.
    9. In the Enter object name to select field, type the name of your AD group, or type Domain Computers if you decided not to create an AD group for HCP management in the previous step.

      Then click the OK button. The Permission Entry window opens.
    10. In the Permission Entry window:

      1. In the Apply to field, select This object and all descendant objects.
      2. Under Permissions, select the boxes in the Allow column for:
        • Create Computer objects
        • Delete Computer objects

        Then click the OK button.

        Depending on the version of Active Directory that you are using, the Permission Entry page looks slightly different (the article's screenshots show both the new and the old version of AD).

    11. In the Advanced Security Settings window, click the OK button to close the window.

    12. In the Properties window, click the OK button to close the window.

  5. Grant permissions to an AD user account.

    To join HCP to your AD domain, you can either create a new AD user account that inherits permissions from the AD group you created in Create an AD group, or use an existing AD user account and assign it permissions in the OU or CN in which you want HCP computer accounts to be created. HCP uses this AD user account only once, during the AD join process, and never uses it again. HCP does not store AD user account credentials.

    If you are creating a new AD user, follow the Creating a new AD user account and assigning it to your AD group procedure.

    If you have disabled the Add HCP Computer Account to groups of Domain User check box on the HCP Active Directory page, you must use an existing AD user account. To grant permissions for an existing AD user account, follow the Configuring an existing AD user account for HCP management procedure.

    To create a new AD user account and assign it to the AD group you created:
    1. In the tree view in the left panel of the Active Directory Users and Computers window, right-click the OU or CN in which you want to create the AD user account and select New > User from the drop-down menu. The New Object - User window opens.

    2. In the New Object - User window:

      • In the First name field type a name for the user account (for example, HCP Admin).
      • In the User logon name field, type a username for the user account (for example, hcpadmin).
      Then click the Next button. The display in the New Object - User window changes.
    3. In the New Object - User window:

      1. In the Password field, type a password for the user account.
      2. In the Confirm password field, type the password again.
      3. Deselect the User must change password at next logon option.
      Then click the Next button. The display in the New Object - User window changes.
    4. Click the Finish button.

      The list in the middle panel of the Server Manager window now includes the user account you just created.
    5. Right-click the new user account and select Properties from the drop-down menu.

      The Properties window opens.
    6. Click the Member Of tab.

    7. On the Member Of tab, click the Add button. The Select Groups window opens.

    8. In the Enter the object names to select field, type the name of the group you created in Create an AD group, then click the OK button.

      The AD user account inherits the permissions granted to the AD group you specify.
    9. In the Properties window, click the OK button to close the window.

    Note: Perform the following steps only if you already have an existing AD user account.
    To grant HCP management permissions to an existing AD user account:
    1. In the left panel of the Active Directory Users and Computers window, right-click the OU or CN in which you want computer accounts for the HCP nodes to be created and select Properties from the drop-down menu.

      The Properties window opens.
    2. Click the Security tab.

    3. On the Security tab, click the Advanced button.

      The Advanced Security Settings window opens.
    4. Click the Add button.

      The Select User, Computer, Service Account, or Group window opens.
    5. In the Enter object name to select field, type the name of the AD user that is joining HCP to the AD domain.

      Then click the OK button. The Permission Entry window opens.
    6. In the Permission Entry window:

      1. In the Apply to field, select Descendant Computer objects.
      2. Under Permissions, select the boxes in the Allow column for:
        • Read all properties
        • Write all properties
        • Delete
        • Change password
        • Reset password

        Then click the OK button.

        Depending on the version of Active Directory that you are using, the Permission Entry page looks slightly different (the article's screenshots show both the new and the old version of AD).
    7. In the Advanced Settings window, click the Add button again.

      The Select User, Computer, Service Account, or Group window opens.
    8. In the Enter object name to select field, type the name of the AD user that is joining HCP to the AD domain.

      Then click the OK button. The Permission Entry window opens.
    9. In the Permission Entry window:

      1. In the Apply to field, select This object and all descendant objects.
      2. Under Permissions, select the boxes in the Allow column for:
        • Create Computer objects
        • Delete Computer objects

        Then click the OK button.

        Depending on the version of Active Directory that you are using, the Permission Entry page looks slightly different (the article's screenshots show both the new and the old version of AD).

    10. In the Advanced Security Settings window, click the OK button to close the window.

    11. In the Properties window, click the OK button to close the window.
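Steps 4 and 5 grant the same set of rights through the GUI, which shows labels rather than the underlying ACEs, so it is easy to end up with either a missing right or a far broader one than intended. The following PowerShell script is an added example, not part of the Hitachi Vantara procedure: it reads the ACL of the OU (or CN) you chose and reports, for the identity you used (the AD group, Domain Computers, or the existing AD user), whether each right listed in Steps 4 and 5 is present, and warns about rights beyond that list. It needs the ActiveDirectory module (RSAT); $ouDn and $identity are placeholders for your environment.

```powershell
# Added example (not part of the Hitachi Vantara procedure). Audits the ACL set in Step 4 / Step 5
# on the OU where HCP computer accounts will be created. Placeholders: $ouDn, $identity.

Import-Module ActiveDirectory

$ouDn     = 'OU=HCP Nodes,DC=example,DC=local'   # OU or CN selected in Step 4 / Step 5
$identity = 'EXAMPLE\HCP Admins'                 # or 'EXAMPLE\Domain Computers', or 'EXAMPLE\hcpadmin'

$rootDse = Get-ADRootDSE

# Resolve the GUIDs behind the GUI labels from the schema instead of hard-coding them.
$computerClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
    -Properties schemaIDGUID).schemaIDGUID

$extendedRights = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid
$changePasswordGuid = [guid]($extendedRights | Where-Object displayName -eq 'Change Password').rightsGuid
$resetPasswordGuid  = [guid]($extendedRights | Where-Object displayName -eq 'Reset Password').rightsGuid

function Test-Grant {
    # True when at least one Allow ACE covers $Right with the given object-type and
    # inherited-object-type restriction; an ACE with no restriction also counts.
    param(
        [object[]]$Aces,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType,
        [guid]$InheritedObjectType,
        [string[]]$AllowedInheritance
    )
    foreach ($ace in $Aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        $objOk   = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $ObjectType)
        $inhOk   = ($ace.InheritedObjectType -eq [guid]::Empty) -or ($ace.InheritedObjectType -eq $InheritedObjectType)
        $scopeOk = $AllowedInheritance -contains [string]$ace.InheritanceType
        if ($objOk -and $inhOk -and $scopeOk) { return $true }
    }
    return $false
}

$acl  = Get-Acl -Path "AD:\$ouDn"
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity })
if ($aces.Count -eq 0) { Write-Warning "No ACEs for $identity on $ouDn" }

# GUI 'Descendant Computer objects'            = inherit-only ACE restricted to the computer class.
# GUI 'This object and all descendant objects' = ACE that applies to the OU itself and everything below.
$descendants  = @('Descendents', 'All')
$thisAndBelow = @('All')
$empty        = [guid]::Empty

$report = [ordered]@{
    'Read all properties (descendant computers)'     = Test-Grant $aces ReadProperty  $empty $computerClassGuid $descendants
    'Write all properties (descendant computers)'    = Test-Grant $aces WriteProperty $empty $computerClassGuid $descendants
    'Delete (descendant computers)'                  = Test-Grant $aces Delete        $empty $computerClassGuid $descendants
    'Change password (descendant computers)'         = Test-Grant $aces ExtendedRight $changePasswordGuid $computerClassGuid $descendants
    'Reset password (descendant computers)'          = Test-Grant $aces ExtendedRight $resetPasswordGuid  $computerClassGuid $descendants
    'Create Computer objects (this object and below)' = Test-Grant $aces CreateChild $computerClassGuid $empty $thisAndBelow
    'Delete Computer objects (this object and below)' = Test-Grant $aces DeleteChild $computerClassGuid $empty $thisAndBelow
}
$report.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Right = $_.Key; Granted = $_.Value }
} | Format-Table -AutoSize

# Rights beyond the procedure's list let the HCP identity control the OU itself; flag them.
$broad = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
$aces | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $broad) -ne 0) } |
    ForEach-Object { Write-Warning "Over-broad ACE for $identity : $($_.ActiveDirectoryRights) (ObjectType $($_.ObjectType))" }
```

A result of Granted = False for a single row usually means the Apply to scope was left at its default rather than set as described in Steps 7 and 10; an over-broad warning means a wider right (typically Full control) was ticked instead of the individual boxes.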

  6. (Optional) Create the reverse lookup zone for the AD domain.

    If your AD domain does not already have a reverse lookup zone, you can create one for the applicable AD domain in your DNS.
    1. On a Windows server from which you can configure your DNS, click the Start button and select Administrative Tools > Active Directory Users and Computers.

    2. Under Roles in the tree view in the left panel of the Active Directory Users and Computers window, expand DNS Server > DNS > ad-domain-name > Reverse Lookup Zones.

    3. Right-click Reverse Lookup Zones and select New Zone from the drop-down menu.

      The New Zone Wizard window opens.
    4. In the New Zone Wizard window, click the Next button.

      The Zone Type page appears.
    5. Select the Primary zone option. Then click the Next button.

      The Active Directory Zone Replication Scope page appears.
    6. Click the Next button.

      The Reverse Lookup Zone Name page appears.
    7. Click the Next button.

      The Reverse Lookup Zone Name page display changes.
    8. In the Network ID field, type the first three octets of the subnet for the applicable AD domain.

      Then click the Next button. The Dynamic Update page appears.
    9. Click the Next button.

      The Completing New Zone Wizard page appears.
    10. Click the Finish button.

      To see the reverse lookup zone you just created, expand Reverse Lookup Zones in the tree view in the left panel of the Active Directory Users and Computers window. The name of the reverse lookup zone, which appears under Reverse Lookup Zones, consists of the first three octets that you specified in Step 8 above in reverse order, followed by in-addr.arpa.
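The zone name the wizard builds from the Network ID can be derived and checked without opening the console. The following PowerShell script is an added example, not part of the Hitachi Vantara procedure: it computes the in-addr.arpa name from the three octets entered in Step 8, confirms the zone exists on the DNS server, and checks that each domain controller has a PTR record in it. It needs the DnsServer and ActiveDirectory modules (RSAT); $networkId and $dnsServer are placeholders for your environment.

```powershell
# Added example (not part of the Hitachi Vantara procedure). Verifies the reverse lookup zone
# created in Step 6 and the PTR records of the domain controllers. Placeholders: $networkId, $dnsServer.

Import-Module DnsServer
Import-Module ActiveDirectory

function Get-ReverseZoneName {
    # Converts the Network ID from Step 8 to the zone name shown under Reverse Lookup Zones,
    # e.g. '192.168.10' -> '10.168.192.in-addr.arpa'.
    param([string]$NetworkId)
    $octets = $NetworkId.Split('.')
    if ($octets.Count -ne 3) { throw "Network ID must be the first three octets of the subnet, e.g. 192.168.10" }
    [array]::Reverse($octets)
    return (($octets -join '.') + '.in-addr.arpa')
}

$networkId = '192.168.10'                      # value typed into the Network ID field in Step 8
$dnsServer = 'WIN-AD-SERVER.example.local'     # DNS server for the AD domain
$zoneName  = Get-ReverseZoneName -NetworkId $networkId

$zone = Get-DnsServerZone -ComputerName $dnsServer -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { throw "Reverse lookup zone $zoneName not found on $dnsServer" }
"Zone $zoneName found (type: $($zone.ZoneType), dynamic update: $($zone.DynamicUpdate))"

# Each domain controller HCP resolves should also resolve in reverse; report any missing PTR.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ptr = Resolve-DnsName -Name $dc.IPv4Address -Type PTR -Server $dnsServer -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $dc.HostName
        IPv4Address      = $dc.IPv4Address
        PTR              = $(if ($ptr) { $ptr.NameHost } else { '(missing)' })
    }
}
```

A domain controller whose address is not in the subnet you entered will show a missing PTR even when the zone is correct; in that case a second reverse zone for its subnet is needed.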
  7. Configure support for AD in HCP.

    Now that you’ve completed the steps for preparing AD for communication with HCP, you need to use the HCP System Management Console to configure support for AD in HCP.
