If joining the domain is restricted to privileged users, or if you know that you will need to specify computer-level overrides, you can prepare computer accounts in advance for the Linux and UNIX computers you want to add to the domain.
There are several advantages to preparing computer accounts before joining the domain. For example, preparing a computer account enables you to accomplish the following:
- Specify the user, group, or computer account with permission to join the computer to the domain.
- Define the organizational structure you want to use for computers in Active Directory.
- Delegate administrative tasks for managing the computer account.
- Specify the user or group with permission to manage computer-level overrides for the computer.
By preparing the computer account in advance, you can minimize the changes or configuration steps you might otherwise have to perform after joining the domain. For example, by identifying the account to use when a computer joins the domain you can ensure users can add their own workstations without being assigned any special rights. By selecting the appropriate organizational unit for the computer account ahead of time, you minimize the need to move the computer account after joining the domain.
To prepare a computer account using Access Manager:
1. Open Access Manager.
2. Expand Zones and any parent or child zones required to select the zone name to which you want to add the computer account.
3. Right-click, then click Prepare UNIX Computer.
4. Select the type of preparation you want to perform, then click Next.
   In most cases, you should select both options to ensure the appropriate user or group has the permissions required to join the domain and set computer-level overrides.
5. Choose whether to create a new computer object or select an existing computer object, then click Next.
   If the computer account exists, but you want to add a zone profile and delegate permission to join the domain and manage computer overrides for the computer, click Browse to search for and select the existing computer object. After selecting an existing computer account, click Next to continue to Step 7.
6. Type the computer name to use for the new computer account and specify a location for the computer account object in Active Directory, then click Next.
   - For Computer name, type the host name to use for the computer account in Active Directory.
   - For Domain, verify the domain name displayed is the appropriate domain for the computer account to join. Click Browse to navigate to a different Active Directory domain.
   - For DNS name, verify the DNS name for the computer account. You can modify the DNS name for the computer, if needed. For example, if computer names in DNS use a different suffix than the Active Directory domain, you might need to modify the default value displayed.
   - Select Create the computer object in the container to specify the parent container for the new computer account in Active Directory. In most cases, you should use the default parent container object. Click Change to navigate to a different container object for the computer account.
7. Select the Allow this computer to join the domain using a read-only domain controller option if you want the computer to join itself to the domain using a read-only domain controller and select the type of license to use, then click Next.
   If you click Next without selecting Allow this computer to join the domain using a read-only domain controller, the computer must join the domain by connecting to a writable domain controller.
8. Review the default list of service types and service principal names for the specified computer, then click Next to accept the default set of service principal names.
   If you want to make changes to the default services or service principal names, you can do the following:
   - Click Add to add a service type or add a new service name to an existing service type.
   - Select a service principal name and click Edit to change the name.
   - Select a service principal name and click Remove to delete the name.
   - Click Default SPN to restore the default list of service principal names.
   If you are in an environment where multiple instances of the same SPN are possible, as a user with administrator privileges, use the -d or --forceDeleteObjWithDupSpn parameter with the adjoin command to ensure duplicate SPNs are removed.
9. Select whether to allow a specific user or group to join the computer to the domain or use the computer account and an automatically generated password to join the domain, then click Next.
   In most cases, select Allow the computer to join itself to the zone to allow the computer account to perform a "self-service" join. This option is selected by default because it allows you to automate the join operation so that a user name and password are not required.
   If you want a specific user, group, or computer account to be used to join the domain, select Allow this user, group, or computer to join the computer to the zone, then click Browse to search for the user, group, or computer that you want to give permission to join the computer to the domain.
10. Select the user, group, or computer account with permission to set computer-level overrides, then click Next.
    By default, the permissions required to manage computer-level overrides are granted to members of the Domain Admins group. You can click Browse to search for and select another user, group, or computer account.
    You can choose to skip permission delegation, if desired. If you select this option, the service does not set the security descriptor for the computer; you will need to set that attribute on the computer object yourself. Some organizations prefer to set security descriptors manually. A security descriptor holds security information such as the object owner and which principals have access rights to the object.
11. Review your configuration settings, then click Next.
12. Review the confirmation of the operation performed, then click Finish.
The computer account is created in Active Directory and a zone profile for the computer is added to Access Manager in the zone's Computers container. The user or group you have designated as the trustee can now join this computer to the domain using the adjoin --selfserve command line option, and the group you designated for computer-level overrides can add users and role assignments to the computer.
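The note on duplicate SPNs in the service principal name step is easier to act on if you can see which objects already claim a name before the join. The following is an added example, not part of the original documentation or the adjoin tool: a small shell filter that reads LDIF-style output (the shape produced by an ldapsearch for servicePrincipalName) and reports every SPN registered on more than one object. The LDIF input, the object names and the `dup_spns` function are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample, shaped like `ldapsearch -LLL ... '(servicePrincipalName=*)' servicePrincipalName`
# output; these objects and DNs are made up for the example, not real directory data.
SAMPLE_LDIF='dn: CN=web01,OU=Linux,DC=example,DC=com
servicePrincipalName: host/web01.example.com
servicePrincipalName: host/web01

dn: CN=web01-old,OU=Stale,DC=example,DC=com
servicePrincipalName: host/web01.example.com

dn: CN=db02,OU=Linux,DC=example,DC=com
servicePrincipalName: host/db02.example.com
servicePrincipalName: host/db02
'

# dup_spns: read LDIF on stdin; print each SPN that appears on more than one
# object as "<spn> -> <dn1>, <dn2>, ...". Prints nothing when all SPNs are unique.
dup_spns() {
    awk '
        /^dn: / { sub(/^dn: /, ""); dn = $0 }
        /^servicePrincipalName: / {
            sub(/^servicePrincipalName: /, "")
            spn = $0
            count[spn]++
            if (spn in owners) owners[spn] = owners[spn] ", " dn
            else owners[spn] = dn
        }
        END {
            for (s in count)
                if (count[s] > 1) print s " -> " owners[s]
        }
    '
}

# Run against the constructed sample; a stale object still holding host/web01.example.com
# is the kind of conflict the -d/--forceDeleteObjWithDupSpn adjoin option exists to clean up.
printf '%s' "$SAMPLE_LDIF" | dup_spns
```

Against a live domain, pipe real ldapsearch output into `dup_spns` before running the self-serve join so that a stale object, rather than the new one, gets reviewed and removed.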