precreate_computer

Use the precreate_computer command to create a zone profile for a computer in Active Directory before using the adjoin command to join the domain. The zone profile—a serviceConnectionPoint (scp) object—is usually created by the adjoin command when a computer joins the domain. In some cases, however, creating the zone profile before joining is useful. For example, preparing the computer object before joining enables you to check that you have user profiles and role assignments correctly defined before you join UNIX computers to zones. Verifying this information before the join operation helps to ensure a smooth migration without disrupting users’ access to files or applications.

The zone profile is part of an Active Directory computer object. If an Active Directory computer object doesn’t exist, precreate_computer can create one and then add the zone profile to the new Active Directory computer object. The zone profile is created in ADEdit’s currently selected zone. You can also use the precreate_computer command to specify a container where Active Directory will store the new Active Directory computer object.

You can use the precreate_computer command to create a service connection point for a new or existing Active Directory computer object. You can also use the command to create a computer-specific zone for machine-level zone overrides (in essence a one-computer zone) for the precreated computer. You should note that performing these tasks requires access to the global catalog by default. You can intentionally skip the global catalog search if you know the service connection point you are creating is unique in the forest. However, skipping the global catalog search might prevent you from joining the computer to the domain if there is a conflict.

The precreate_computer command also sets the Active Directory computer object’s password and permissions when creating a zone profile. The password is the computer’s host name in lower case. The permissions the computer object has are:

  • Read and Write permissions to the operatingSystemServicePack, operatingSystem, and operatingVersion attributes of the computer object.
  • Read permission for the userAccountControl attribute of the computer object.
  • Validate write to the servicePrincipalName and dNSHostName attributes.

You can use precreate_computer to specify a DNS name for the precreated computer and one or more trustees for the precreated computer. Each trustee can be either a user or a group, and has the rights needed to join the computer to the precreated computer account using adjoin.

Use the precreate_computer command's -enctype option to specify the Kerberos encryption types permitted for the computer account.

The precreate_computer command is similar to using adjoin -precreate, but provides more options and flexibility. You can also precreate computer accounts using Access Manager. For more information about precreating computer accounts, see the Administrator’s Guide for Linux and UNIX.

Syntax

precreate_computer samaccount@domain [-ad] [-scp] [-czone] [-all] [-container rdn]
[-dnsname dnsname] [-licensetype type] [-trustee upn [-trustee upn] ...] [-nogc]
[-stype spn [-stype spn] ...] [-enctype type [-enctype type] ...]
[-notdelegateanyright]

Options

This command takes the following options:

Option Description

-ad

Creates an Active Directory computer object. precreate_computer won’t create an Active Directory computer object if one already exists for the computer specified by the samaccount@domain argument. Note that if no option requests Active Directory computer object creation and no Active Directory computer object already exists, precreate_computer will fail.

-all

Creates an Active Directory computer object (if one doesn’t exist already), a service connection point for the computer object, and a computer zone for the computer object: in essence, the -ad, -scp, and -czone options combined.

-container

Stores the new Active Directory computer object (if created) in the Active Directory container specified by rdn, which is the relative distinguished name (RDN) of the container. The root of the specified Active Directory container is the distinguished name (DN) of the current domain. precreate_computer appends the RDN to the root DN to come up with the container DN.

-czone

Creates a computer zone for the computer object.

-dnsname

Sets the DNS name for the computer account to the provided DNS name.

If this option isn’t present, the precreate_computer command automatically sets the DNS name for the computer account. It derives the DNS name from the computer’s sAMAccountName and the domain name.

-enctype

Sets the Kerberos encryption types permitted for the computer account (the msDS-SupportedEncryptionTypes attribute). The default is 31, which enables all five types below. Options are:

  • aes256-cts-hmac-sha1-96, aes256-cts
  • aes128-cts-hmac-sha1-96, aes128-cts
  • arcfour-hmac, rc4-hmac, arcfour-hmac-md5
  • des-cbc-md5, des
  • des-cbc-crc

-licensetype

Specifies the type of license a computer uses. The valid values are

  • server
  • workstation

-nogc

Allows you to create the computer account without binding to a global catalog domain controller. You should only use this option if you know the computer scp object does not exist in the domain.

-notdelegateanyright

Allows you to create the computer account without delegating any rights.

If you specify this option, note that the -trustee option has no effect.

-scp

Creates a service connection point for the Active Directory computer object.

-stype

Specifies the service principal types to create for a precreated computer account. You can specify multiple -stype options, with each specifying a different service principal type.

If you don’t specify this option, the precreate_computer command automatically creates the default service principal names for the following service principal types:

  • ipp
  • afpserver
  • nfs
  • cifs
  • ftp
  • http
  • host

For each type of service, the precreate_computer command creates two service principal names, in the form serviceName/computerName and serviceName/computerName.domain.com. For example:

ftp/rhel6

ftp/rhel6.acme.com

If you specify one or more -stype options, only the service principal names for those service types are created for the precreated computer account.

-trustee

Gives the user or group specified by the upn argument permission to join a computer to the precreated computer account. You can specify multiple -trustee options, with each specifying a different user or group, to give multiple users and groups permission to join a precreated computer to a zone.

Arguments

This command takes the following argument:

Argument Type Description

samaccount@domain

string

Required. Specifies the name of the computer account and the domain to join. The computer name is the sAMAccountName for the account in the form of computer$.

For example:

engserv$@acme.com

Return value

This command returns nothing if it runs successfully.

Examples

precreate_computer redhat$@acme.com -trustee adam.avery@acme.com
-trustee martin.moore@acme.com -enctype arcfour-hmac

This example precreates a zone profile in the currently selected zone for the computer “redhat$@acme.com”, and specifies as trustees the Active Directory users Adam Avery and Martin Moore.

Because the example does not include the -stype option, this example also automatically creates the following default service principal names for services on the computer:

  • ipp/redhat and ipp/redhat.acme.com
  • afpserver/redhat and afpserver/redhat.acme.com
  • nfs/redhat and nfs/redhat.acme.com
  • cifs/redhat and cifs/redhat.acme.com
  • ftp/redhat and ftp/redhat.acme.com
  • http/redhat and http/redhat.acme.com
  • host/redhat and host/redhat.acme.com
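The following Python model shows what the page describes for the -stype, -dnsname and -enctype options: how the default service principal names are derived from the samaccount@domain argument, and how the -enctype names map onto the msDS-SupportedEncryptionTypes bitmask whose default is 31. This is an added example, not ADEdit code, and it talks to no directory; the bit values are the standard values of that attribute, and the function names are assumptions made for this illustration. It also lets you check, before joining, whether a chosen -enctype set still enables the non-AES types.

```python
# Added example: a Python model of how precreate_computer derives service
# principal names and the msDS-SupportedEncryptionTypes value from its
# arguments. It is not ADEdit code and talks to no directory; the function
# names are assumptions made for this illustration.

# Default service types when no -stype option is given (from the page).
DEFAULT_STYPES = ["ipp", "afpserver", "nfs", "cifs", "ftp", "http", "host"]

# Bit values of the msDS-SupportedEncryptionTypes attribute, keyed by every
# -enctype spelling the page lists (aliases on one page line share one bit).
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02, "des": 0x02,
    "arcfour-hmac": 0x04, "rc4-hmac": 0x04, "arcfour-hmac-md5": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08, "aes128-cts": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10, "aes256-cts": 0x10,
}
CANONICAL_NAME = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
DEFAULT_ENCTYPE_MASK = 31           # page default: all five bits set
WEAK_BITS = 0x01 | 0x02 | 0x04      # DES and RC4, i.e. everything but AES


def split_account(samaccount_at_domain):
    """Split 'computer$@domain' into (host, domain); the $ suffix is required."""
    sam, _, domain = samaccount_at_domain.partition("@")
    if not sam.endswith("$") or not domain:
        raise ValueError(f"expected computer$@domain, got {samaccount_at_domain!r}")
    return sam[:-1], domain


def default_dns_name(samaccount_at_domain):
    """DNS name precreate_computer uses when -dnsname is absent."""
    host, domain = split_account(samaccount_at_domain)
    return f"{host}.{domain}"


def service_principal_names(samaccount_at_domain, stypes=None, dnsname=None):
    """Two SPNs per service type: service/host and service/fqdn."""
    host, _ = split_account(samaccount_at_domain)
    fqdn = dnsname or default_dns_name(samaccount_at_domain)
    spns = []
    for stype in (stypes or DEFAULT_STYPES):
        spns.append(f"{stype}/{host}")
        spns.append(f"{stype}/{fqdn}")
    return spns


def enctype_mask(enctypes=None):
    """Bitmask for the given -enctype values; none means the default of 31."""
    if not enctypes:
        return DEFAULT_ENCTYPE_MASK
    mask = 0
    for name in enctypes:
        try:
            mask |= ENCTYPE_BITS[name.lower()]
        except KeyError:
            raise ValueError(f"unknown encryption type {name!r}") from None
    return mask


def decode_enctype_mask(mask):
    """Canonical names of the types enabled by a mask, lowest bit first."""
    return [CANONICAL_NAME[bit] for bit in sorted(CANONICAL_NAME) if mask & bit]


def weak_enctypes_enabled(mask):
    """True when the account would still accept DES or RC4 tickets."""
    return bool(mask & WEAK_BITS)


if __name__ == "__main__":
    # Constructed input matching the page's own example.
    for spn in service_principal_names("redhat$@acme.com"):
        print(spn)
    mask = enctype_mask(["arcfour-hmac"])
    print(mask, decode_enctype_mask(mask), weak_enctypes_enabled(mask))
```

Running the script with the page's example account prints the same fourteen names listed above, and shows that -enctype arcfour-hmac on its own writes a mask of 4, which enables RC4 only. Passing only aes256-cts and aes128-cts gives 24, and weak_enctypes_enabled reports False for it.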

Related Tcl library commands

The following commands perform actions related to this command:

  • list_zones returns a list of zones in a specified domain to stdout.
  • create_assignment creates a new role assignment and saves it to Active Directory.