In order to manage access to a host using Safeguard Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account for that host. Once you have deployed and installed the Safeguard Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join menu to join the host to an Active Directory domain.
To join hosts to Active Directory
- Select one or more hosts from the list on the All Hosts view, open the Join or Configure menu tool bar button, and select Join to Active Directory.
Note: The Join to Active Directory tool bar menu is enabled when you select hosts that have the Safeguard Authentication Services Agent installed and are not joined to Active Directory.
The tool bar button will not be active if:
- You have not selected any hosts.
- You have selected multiple hosts with different states (joined, not joined).
- In the Join Host to Active Directory dialog, enter the following information to define how and where you want to join the host to Active Directory:
- Select the Active Directory domain to use for the join operation or enter the FQDN of the Active Directory domain.
Use the same domain you entered when you performed the Check for AD Readiness.
- Optionally, enter a name for the computer account for the host.
Leave this field blank to generate a name based on the host's DNS name.
- Click the button to locate and select a container in which to create the host computer account.
- Enter the optional join commands to use.
See Optional Join Commands in the mangement console online help for a list of commands available.
- Enter the user name and password to log onto Active Directory.
The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.
- In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
Note: This task requires elevated credentials. The mangement console pre-populates this information.
The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.
You can either check the health status of Safeguard Authentication Services agents manually, or you can configure the mangement console to automatically check the SAS Agent Status and report any warnings or failures to the console.
Note: Running the Check SAS Agent Status commands requires:
- You are logged on as an Active Directory account in the Manage Hosts role.
- The hosts have Safeguard Authentication Services 4.0.3.78 (or later) Agent software installed.
See Check SAS Agent Status Commands Not Available in the mangement console online help for more information.
To check SAS agent status
- Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the tool bar and choose Check SAS agent status.
- In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
A progress bar displays in the Task Progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
- If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
- If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
- Select the Host Notifications tab to view the reported warnings or failures.
See View the SAS Agent Status in the mangement console online help for details.
To have updated information about the status of Safeguard Authentication Services agents, you can configure the mangement console to periodically check the SAS Agent Status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:
- Critical Failure
- Failure
- Warning
To configure the console to automatically check the SAS agent status
- Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the tool bar, and choose Check SAS Agent Status automatically.
Note: This option is only available for multiple hosts if all hosts are in the same "Check SAS Agent Status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.
- Select the Check status automatically option, set the frequency for the health status check, and click OK.
Note: Use standard crontab syntax when entering Advanced schedule settings.
- In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
Note: This task requires elevated credentials.
When configured for automatic checking, the Authentication Services state column on the All Hosts view displays the icon. Then, if the server does not receive a heartbeat in over four hours (by default), it displays the icon. No icon in the Authentication Services state column indicates the host is not configured to check the SAS agent status automatically.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
- If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
- If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
Note: If you receive a GID conflict error, see UID or GID Conflicts in the online help.
- View the SAS Agent Status for each host on the Host Notification tab.
See View the Safeguard Authentication Services Status Errors in online help for details.
When you configure a host to check the SAS agent status automatically, the mangement console,
- Creates "questusr" (the service account user), if it does not already exist, and, a corresponding "questgrp" group on the host that the mangement console uses for automatic SAS agent status checking.
- Adds questusr as an implicit member of questgrp.
- Adds the auto-check SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
- Verifies the service account user can log in to the host.
- Creates a cron job that runs SAS agent status according to the specified interval.
Note: If you receive an error message saying you could not log in with the user service account, please refer to Service Account Login Fails in online help to troubleshooting this issue.
The questusr account is a non-privileged account that does not require root-level permissions. This account is used by the console to gather information about existing users and groups in a read-only fashion; however, the mangement console does not use the questusr account to make changes to any configuration files.
Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic SAS agent status checking.
To disable automatic status checking
- Select one or more hosts on the All Hosts view and choose Check SAS Agent Status automatically.
- Clear the Check status automatically option in the Check SAS Agent Status Automatically dialog and click OK.
- In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
When you disable auto-status checking for a host, the mangement console
- Leaves the "questusr" and the corresponding "questgrp" accounts on the host.
- Leaves questusr as an implicit member of questgrp.
- Removes the auto-check SSH key from that user's authorized_keys file.
- Removes the cron job on the host.