In order to manage access to a host using Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account for that host. Once you have deployed and installed the Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join menu to join the host to an Active Directory domain.
To join hosts to Active Directory
Note: The Join to Active Directory tool bar menu is enabled when you select hosts that have the Authentication Services Agent installed and are not joined to Active Directory. The tool bar button will not be active if:
Use the same domain you entered when you performed the Check for AD Readiness.
Leave this field blank to generate a name based on the host's DNS name.
See Optional Join Commands in the management console online Help for a list of commands available.
The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.
Note: This task requires elevated credentials. The management console pre-populates this information.
The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.
You can either check the health status of Authentication Services agents manually, or you can configure the management console to automatically check the QAS Agent Status and report any warnings or failures to the console.
Note: Running the Check QAS Agent Status commands requires:
See Check QAS Agent Status Commands Not Available in the management console online Help for more information.
To check QAS agent status
A progress bar displays in the Task Progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
(See View the QAS Agent Status in the management console online Help for details.)
To have updated information about the status of Authentication Services agents, you can configure the management console to periodically check the QAS Agent Status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:
To configure the console to automatically check the QAS agent status
Note: This option is only available for multiple hosts if all hosts are in the same "Check QAS Agent Status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.
Note: Use standard crontab syntax when entering Advanced schedule settings.
Note: This task requires elevated credentials.
When configured for automatic checking, the Authentication Services state column on the All Hosts view displays the icon. Then, if the server does not receive a heartbeat in over 4 hours (by default), it displays the icon. No icon in the Authentication Services state column indicates the host is not configured to check the QAS agent status automatically.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
Note: If you receive a GID conflict error, see UID or GID Conflicts in online Help.
(See View the Authentication Services Status Errors in online Help for details.)
When you configure a host to check the QAS agent status automatically, the management console,
Note: If you receive an error message saying you could not log in with the user service account, please refer to Service Account Login Fails in online Help to troubleshoot this issue.
The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.
Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic QAS agent status checking.
To disable automatic status checking
When you disable auto-status checking for a host, the management console
© 2021 One Identity LLC. ALL RIGHTS RESERVED.