Configuring Active Directory to support HCP
If you don’t want to secure communication, skip Step 1.
To create SSL certificates for communication between HCP and AD, you need to create a certificate on every domain controller that communicates with HCP.
To create the SSL certificate, do the following:
Procedure
(Optional) Create the SSL certificate.
On the Windows server, click Start.
In the Search programs and files field, enter: mmc
The Console1 - [Console Root] window opens.
On the File menu, select Add/Remove Snap-in.
The Add or Remove Snap-ins window opens.
In the Available snap-ins list, select Certificates, then click Add.
The Certificates snap-in window opens.
Select Computer account, then click Next.
The Select Computer window opens.
Click Finish.
Certificates (Local Computer) appears in the Selected snap-ins list in the Add or Remove Snap-ins window.
Click OK.
In the tree view in the left panel of the Console1 - [Console Root] window, expand Certificates (Local Computer) > Personal, then select Certificates.
The middle panel in the window lists information about the CA root certificate.
Note: The CA root certificate is shown only on the domain controller where the CA service is installed.
On the Action menu, select All Tasks > Request New Certificate.
The Certificate Enrollment window opens.
Click Next.
The Select Certificate Enrollment Policy page appears.
Click Next.
The Request Certificates page appears.
Select Domain Controller, then click Enroll.
The Certificates Installation Results page appears.
Click Finish.
The Certificates list now includes the SSL certificate for LDAP communication. The value in the Issued To column for this certificate is the concatenation of the computer name and the FQDN of the AD domain (for example, WIN-AD-SERVER.example.local).
(Optional) Export the SSL certificate.
If you are securing communication between HCP and AD, you must export the root certificate of the CA that issued the SSL certificate you created in Create the SSL certificate so that you can upload it to HCP. If you did not create an SSL certificate, skip this step.
On the Windows server running the AD certificate authority, click Start.
In the Search programs and files field, enter: cmd
A Windows command prompt window opens.
Change to the directory to which you want to write the file containing the exported certificate.
Enter the following command to export the certificate:
certutil -ca.cert cert-name.cer
In this command, cert-name is the name (minus the .cer extension) of the file that will contain the exported certificate.
If the export is successful, the window displays the contents of the certificate followed by this message:
CertUtil: -ca.cert command completed successfully.
If you don’t see this message, make sure the applicable AD domain has a domain controller that is configured with the certificate authority role and that you ran this command on the domain controller that has the CA role installed. After verifying, try the procedure again, starting from Step 9 in Create the SSL certificate.
Copy the file containing the exported certificate to the Windows client from which you plan to access the HCP System Management Console. The file contains only the public CA certificate, not a private key. Before uploading it, compare its thumbprint with the one shown for the CA certificate in the Certificates snap-in so that HCP trusts only the intended issuer.
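The following PowerShell is an added example for this page, not HCP or Microsoft code. It runs the same certutil export as the step above and then checks that a domain controller's LDAPS endpoint (TCP 636) presents a certificate chaining to the exported CA, so the .cer file you upload to HCP is the issuer the DCs actually use. The values of $DomainController and $CaCertPath are placeholders you must change.

```powershell
# Added example, not part of the HCP documentation.
# Assumptions: run on the domain controller that holds the CA role; the DC
# FQDN and output path below are placeholders for your environment.
$DomainController = 'WIN-AD-SERVER.example.local'              # assumption: a DC's FQDN
$CaCertPath       = Join-Path $env:TEMP 'hcp-ad-root-ca.cer'   # assumption: where to write the .cer

function Export-CaCertificate {
    # Same command as the manual step: exports the CA's own certificate to $Path.
    param([string]$Path)
    $output = certutil -ca.cert $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -ca.cert failed (is the CA role installed on this host?):`n$output"
    }
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

function Get-LdapsServerCertificate {
    # Opens a TLS session to LDAPS and returns the certificate the DC presents.
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $Server, $Port
    try {
        # Accept any certificate during the handshake; we only inspect it here and
        # make the actual trust decision below with an explicit chain build.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

function Test-ChainsToCa {
    # True when $Leaf builds a valid chain whose root is exactly the exported $Ca.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Ca) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Tolerate "untrusted root" on a client that has not imported the CA yet;
    # every other status (expired, bad signature, wrong usage) still fails Build().
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    if (-not $chain.Build($Leaf)) { return $false }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($root.Thumbprint -eq $Ca.Thumbprint)
}

$ca   = Export-CaCertificate -Path $CaCertPath
$leaf = Get-LdapsServerCertificate -Server $DomainController

"CA    : {0}`n        thumbprint {1}" -f $ca.Subject, $ca.Thumbprint
"LDAPS : {0}`n        SANs {1}" -f $leaf.Subject, ($leaf.DnsNameList.Unicode -join ', ')

# The Domain Controller template puts the DC's FQDN in the SAN; HCP connects by that name.
if (-not ($leaf.DnsNameList.Unicode -contains $DomainController)) {
    Write-Warning "LDAPS certificate does not list $DomainController in its Subject Alternative Name"
}
if (Test-ChainsToCa -Leaf $leaf -Ca $ca) {
    "OK: the LDAPS certificate on $DomainController is issued under the exported CA; upload $CaCertPath to HCP."
} else {
    Write-Warning "LDAPS certificate on $DomainController does not chain to $CaCertPath; re-check the certificate request step."
}
```

Run it once per domain controller that HCP will talk to; a warning for one DC means that DC either did not enroll the Domain Controller certificate or enrolled from a different CA than the one you exported.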
(Optional) Create an AD group.
For Active Directory to work with HCP, the HCP computer account must have certain permissions. The HCP computer account can inherit its HCP management permissions either from an AD group created specifically for this purpose or from the Domain Computers group. Because Domain Computers contains every computer account in the domain, permissions granted to it apply to all domain-joined machines; a dedicated group limits the grant to the HCP computer account.
If you are creating a new AD group to configure HCP management permissions:
On the Windows server from which you can access AD, click the Start button and select Administrative Tools > Active Directory Users and Computers.
The Active Directory Users and Computers window opens.
On the View menu, select Advanced Features.
Under ad-domain-name, right-click the OU or CN in which you want to create the AD group and select New > Group from the drop-down menu.
The New Object - Group window opens.
In the Group name field, type a name for the new group (for example, "HCP Admins"). Then click the OK button.
In the left panel of the Active Directory Users and Computers window, double-click the OU or CN in which you created the new group.
The middle panel of the Active Directory Users and Computers window lists the items in the OU or CN, including the group you just created.
Right-click the new group and select Properties from the drop-down menu.
The Properties window opens.
Click the Security tab.
With SELF selected in the Group or user names list, select the box for Write in the Allow column under Permissions for SELF. Then click the OK button.
Give permissions to the new AD group or to the Domain Computers group.
To grant the HCP computer account HCP management permissions, you need to assign the necessary permissions either to the AD group you created or to the Domain Computers group. HCP management permissions allow the HCP computer account to create computer accounts and manage computer account properties for each node in the system.
To assign permissions to the AD group or to the Domain Computers group:
In the left panel of the Active Directory Users and Computers window, right-click the OU or CN in which you want HCP computer accounts to be created and select Properties from the drop-down menu.
The Properties window opens.
Click the Security tab.
On the Security tab, click the Advanced button.
The Advanced Security Settings window opens.
Click the Add button.
The Permission Entry for HCP window opens.
Click the Select a Principal link.
The Select User, Computer, Service Account, or Group window opens.
In the Enter object name to select field, type the name of the AD group you created in the previous step, or type Domain Computers if you decided not to create an AD group for HCP management in the previous step. Then click the OK button.
The Permission Entry window opens.
In the Permission Entry window:
- In the Apply to field, select Descendant Computer objects.
- Under Permissions, select the boxes in the Allow column for:
- Read all properties
- Write all properties
- Delete
- Change password
- Reset password
Then click the OK button.
Depending on your version of Active Directory, the Permission Entry page appears in either the new or the old layout.
In the Advanced Security Settings window, click the Add button again.
The Select User, Computer, Service Account, or Group window opens.In the Enter object name to select field, type the name of your AD group, or type Domain Computers if you decided not to create an AD group for HCP management in the previous step.
Then click the OK button.The Permission Entry window opens.In the Permission Entry window:
- In the Apply to field, select This object and all descendant objects.
- Under Permissions, select the boxes in the Allow column for:
- Create Computer objects
- Delete Computer objects
Then click the OK button.
Depending on your version of Active Directory, the Permission Entry page appears in either the new or the old layout.
In the Advanced Security Settings window, click the OK button to close the window.
In the Properties window, click the OK button to close the window.
Grant permissions to an AD user account.
To join HCP with your AD domain, you can either create a new AD user account that inherits permissions from the AD group you created in Create an AD group, or use an existing AD user account and assign it permissions in the OU or CN in which you want HCP computer accounts to be created. HCP uses this AD user account only once, during the AD join process, and never uses it again. HCP does not store AD user account credentials. Because the account is needed only for the join, you can disable it or reset its password once the join has completed.
If you are creating a new AD user, follow the Creating a new AD user account and assigning it to your AD group procedure.
If you have disabled the Add HCP Computer Account to groups of Domain User check box on the HCP Active Directory page, you must use an existing AD user account. To grant permissions for an existing AD user account, follow the Configuring an existing AD user account for HCP management procedure.
To create a new AD user account and assign it to the AD group you created:
In the tree view in the left panel of the Active Directory Users and Computers window, right-click the OU or CN in which you want to create the AD user account and select New > User from the drop-down menu.
The New Object - User window opens.
On the first page of the New Object - User window:
- In the First name field, type a name for the user account (for example, HCP Admin).
- In the User logon name field, type a username for the user account (for example, hcpadmin).
Then click the Next button.
On the second page of the New Object - User window:
- In the Password field, type a password for the user account.
- In the Confirm password field, type the password again.
- Deselect the User must change password at next logon option.
Click the Finish button.
The list in the middle panel of the Server Manager window now includes the user account you just created.
Right-click the new user account and select Properties from the drop-down menu.
The Properties window opens.
Click the Member Of tab.
On the Member Of tab, click the Add button.
The Select Groups window opens.
In the Enter the object names to select field, type the name of the group you created in Create an AD group, then click the OK button.
The AD user account inherits the permissions granted to the AD group you specify.
In the Properties window, click the OK button to close the window.
Note: Perform the following step only if you already have an existing AD user account.
To grant HCP management permissions to an existing AD user account:
In the left panel of the Active Directory Users and Computers window, right-click the OU or CN in which you want computer accounts for the HCP nodes to be created and select Properties from the drop-down menu.
The Properties window opens.
Click the Security tab.
On the Security tab, click the Advanced button.
The Advanced Security Settings window opens.
Click the Add button.
The Select User, Computer, Service Account, or Group window opens.
In the Enter object name to select field, type the name of the AD user that is joining HCP to the AD domain. Then click the OK button.
The Permission Entry window opens.
In the Permission Entry window:
- In the Apply to field, select Descendant Computer objects.
- Under Permissions, select the boxes in the Allow column for:
- Read all properties
- Write all properties
- Delete
- Change password
- Reset password
Then click the OK button.
Depending on your version of Active Directory, the Permission Entry page appears in either the new or the old layout.
In the Advanced Security Settings window, click the Add button again.
The Select User, Computer, Service Account, or Group window opens.
In the Enter object name to select field, type the name of the AD user that is joining HCP to the AD domain. Then click the OK button.
The Permission Entry window opens.
In the Permission Entry window:
- In the Apply to field, select This object and all descendant objects.
- Under Permissions, select the boxes in the Allow column for:
- Create Computer objects
- Delete Computer objects
Then click the OK button.
Depending on your version of Active Directory, the Permission Entry page appears in either the new or the old layout.
In the Advanced Security Settings window, click the OK button to close the window.
In the Properties window, click the OK button to close the window.
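The PowerShell below is an added example, not HCP's own tooling. It performs the same delegation as the Create an AD group, Give permissions to the new AD group or to the Domain Computers group, and Grant permissions to an AD user account procedures above, writing the two Permission Entries from those steps onto the OU and reading the resulting ACL back so you can review it. It assumes the ActiveDirectory RSAT module is available; $OuDn, $GroupName and $UserName are placeholders for your environment, and the schema and extended-right GUIDs are the fixed values Active Directory uses in every forest.

```powershell
# Added example, not part of the HCP documentation.
# Assumptions: ActiveDirectory module installed; the OU, group and user names
# below are placeholders (the group and user names are the page's examples).
Import-Module ActiveDirectory

$OuDn      = 'OU=HCP,DC=example,DC=local'   # assumption: OU where HCP computer accounts are created
$GroupName = 'HCP Admins'                   # example name from the page
$UserName  = 'hcpadmin'                     # example name from the page

# Schema class and control-access-right GUIDs; these are fixed across AD forests.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # Computer object class
$ChangePwd     = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # "Change password" right
$ResetPwd      = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset password" right

function Grant-HcpManagementRights {
    # Writes the two Permission Entries from the page onto $TargetDn for $Principal.
    param([string]$TargetDn, [System.Security.Principal.IdentityReference]$Principal)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $all    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $acl    = Get-Acl -Path "AD:\$TargetDn"

    # Entry 1, "Apply to: Descendant Computer objects":
    # Read all properties, Write all properties, Delete ...
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Principal, ($rights::ReadProperty -bor $rights::WriteProperty -bor $rights::Delete), $allow, $desc, $ComputerClass))
    # ... plus the Change password and Reset password extended rights.
    foreach ($right in @($ChangePwd, $ResetPwd)) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $Principal, $rights::ExtendedRight, $allow, $right, $desc, $ComputerClass))
    }
    # Entry 2, "Apply to: This object and all descendant objects":
    # Create Computer objects, Delete Computer objects.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Principal, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $ComputerClass, $all))
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

function Get-HcpDelegation {
    # Lists the ACEs on $TargetDn that name $IdentityName, for review after the change.
    param([string]$TargetDn, [string]$IdentityName)
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$IdentityName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# --- Dedicated group instead of Domain Computers ------------------------------
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn -PassThru
}
# Page step "With SELF selected ... select Write": GenericWrite for the well-known SELF SID S-1-5-10.
$groupAcl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$self     = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-10'
$groupAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $self, [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite, [System.Security.AccessControl.AccessControlType]::Allow))
Set-Acl -Path "AD:\$($group.DistinguishedName)" -AclObject $groupAcl

Grant-HcpManagementRights -TargetDn $OuDn -Principal $group.SID

# --- New user that inherits the group's rights --------------------------------
$password = Read-Host -AsSecureString -Prompt "Password for $UserName"
$user = New-ADUser -Name 'HCP Admin' -SamAccountName $UserName -Path $OuDn `
        -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $true -PassThru
Add-ADGroupMember -Identity $group -Members $user

# --- Existing user instead of a group: grant the same two entries directly ----
# Grant-HcpManagementRights -TargetDn $OuDn -Principal (Get-ADUser -Identity $UserName).SID

# Review what was written: expect inherit-only ACEs (InheritanceType Descendents,
# InheritedObjectType = computer class) for entry 1 and an All-scope ACE for entry 2.
Get-HcpDelegation -TargetDn $OuDn -IdentityName $GroupName | Format-Table -AutoSize
```

If you chose the Domain Computers route instead, pass (Get-ADGroup 'Domain Computers').SID to Grant-HcpManagementRights; the review output then shows the same entries granted to every computer account in the domain, which is why the page's dedicated-group option is the tighter choice.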
(Optional) Create the reverse lookup zone for the AD domain.
If your AD domain does not already have a reverse lookup zone, you can create one for the applicable AD domain in your DNS.
On a Windows server from which you can configure your DNS, click the Start button and select Administrative Tools > Server Manager.
Under Roles in the tree view in the left panel of the Server Manager window, expand DNS Server > DNS > ad-domain-name > Reverse Lookup Zones.
Right-click Reverse Lookup Zones and select New Zone from the drop-down menu.
The New Zone Wizard window opens.
In the New Zone Wizard window, click the Next button.
The Zone Type page appears.
Select the Primary zone option. Then click the Next button.
The Active Directory Zone Replication Scope page appears.
Click the Next button.
The Reverse Lookup Zone Name page appears.
Click the Next button.
The Reverse Lookup Zone Name page display changes.
In the Network ID field, type the first three octets of the subnet for the applicable AD domain (for example, 192.0.2 for the 192.0.2.0/24 subnet). Then click the Next button.
The Dynamic Update page appears. Keep the default, Allow only secure dynamic updates, so that only authenticated domain members can register or overwrite PTR records.
Click the Next button.
The Completing New Zone Wizard page appears.
Click the Finish button.
To see the reverse lookup zone you just created, expand Reverse Lookup Zones in the tree view in the left panel of the Server Manager window. The name of the reverse lookup zone, which appears under Reverse Lookup Zones, consists of the first three octets that you specified in Step 8 above in reverse order, followed by in-addr.arpa (for example, 2.0.192.in-addr.arpa).
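The PowerShell below is an added example, not part of the HCP documentation. It makes the same wizard choices as the steps above (primary zone, domain-wide AD replication, network ID, secure dynamic updates only) with the DnsServer module, derives the zone name the way the wizard does, and confirms that a PTR lookup through the domain controller works. $Subnet, $DnsServer and $TestIp are placeholders for your environment.

```powershell
# Added example, not part of the HCP documentation.
# Assumptions: DnsServer RSAT module installed; the values below are placeholders.
Import-Module DnsServer

$Subnet    = '192.0.2.0/24'                 # assumption: AD subnet; the wizard's Network ID is 192.0.2
$DnsServer = 'WIN-AD-SERVER.example.local'  # assumption: a domain controller running DNS
$TestIp    = '192.0.2.10'                   # assumption: an address expected to have a PTR record

function Get-ReverseZoneName {
    # Mirrors the wizard: the octets you typed, in reverse order, followed by in-addr.arpa.
    param([string]$NetworkId)                    # classful network, e.g. 192.0.2.0/24
    $ip, $prefix = $NetworkId -split '/'
    $count  = [math]::Floor([int]$prefix / 8)    # /24 -> 3 octets, /16 -> 2 octets
    $octets = ($ip -split '\.')[0..($count - 1)]
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

$zoneName = Get-ReverseZoneName -NetworkId $Subnet      # 2.0.192.in-addr.arpa for 192.0.2.0/24
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    # Wizard equivalents: Primary zone; replicate to all DNS servers on DCs in the
    # domain; zone named from the network ID; secure dynamic updates only.
    $zone = Add-DnsServerPrimaryZone -ComputerName $DnsServer -NetworkId $Subnet `
            -ReplicationScope Domain -DynamicUpdate Secure -PassThru
}
"Zone {0}: reverse={1} replication={2} dynamicUpdate={3}" -f `
    $zone.ZoneName, $zone.IsReverseLookupZone, $zone.ReplicationScope, $zone.DynamicUpdate

# A reverse zone is only useful once it holds PTR records; check one through the DC.
$ptr = Resolve-DnsName -Name $TestIp -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
if ($ptr) {
    "PTR for $TestIp -> $($ptr.NameHost)"
} else {
    Write-Warning "No PTR record for $TestIp in $zoneName yet; hosts with secure dynamic update will register themselves, or add records manually."
}
```

The helper only handles networks on an octet boundary (/8, /16, /24), which is also all the wizard's Network ID field expresses; for other prefix lengths, create the classless zone by hand.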
Configure support for AD in HCP
Now that you’ve completed the steps for preparing AD for communication with HCP, you need to use the HCP System Management Console to configure support for AD in HCP.