You can join your Unix host to Active Directory with the vastool join command directly from the command line.
Before you join the Safeguard Authentication Services agent to the Active Directory domain, collect the following information:
- The DNS name of the Active Directory domain of which you want the Safeguard Authentication Services agent to be a member.
- The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.
To join Active Directory using vastool join
- Run the following command as the root user at a shell prompt:
# /opt/quest/bin/vastool -u <user> join <domain-name>
- Enter the user’s password when prompted.
The vastool join results are shown on the shell’s standard output.
Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object. For a list of all vastool join options, refer to the vastool man page.
Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command.
The vasjoin.sh script is in /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.
Table 14: Common vasjoin script options
|Help; displays options including how to pass vastool join options.
|Unattended or "quiet" mode; displays less verbose: no explanations, asks no questions.
|Interactive mode; prompts for common options.
|Simple mode; installs vasclnt and vasgp with options to add license and join domain.
To join Active Directory using the vasjoin script
Run the script as the root user at a shell prompt, as follows:
The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:
vastool -u <username> join <domain-name>
Follow the prompts to complete the join process.
Note: Run the script in interactive mode as follows:
In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately.
The script presents defaults as part of the prompting and, if you accept them all, the result is identical to running the script in simple mode.
The information gathered by the full, interactive mode of vasjoin.sh includes the following:
- Specific domain controllers to use
- Domain to join
- User, usually administrator, to use in joining
- Keytab file
- Confirm fixing of Kerberos clock skew, if any
- Overwrite your host's existing Active Directory ComputerName object
- Change the name of the AD ComputerName object
- AD container in which to put the ComputerName object
- Site name
- UPM mode (yes or no)
- User search path on which to look for Active Directory users
- Alternate group search path
- Workstation mode (yes or no)
- Alternate domains in which to search if you want cross-domain logins
- Self-enrollment of existing /etc/passwd users (yes or no)
Shows path to lastjoin (/etc/opt/quest/vas/lastjoin)
The lastjoin file contains something similar to:
/opt/quest/bin/vastool -u administrator join -f acme.com
When Safeguard Authentication Services joins a new computer to a domain, it becomes known to the LDAP and Kerberos protocols, but not to DNS. This is because the IP address of the host is not directly under the control of this part of Active Directory.
Although Active Directory comes with a integrated DHCP and DNS servers, some sites run their own DHCP servers. This means that the leased IP addresses must be communicated to Active Directory's DNS server through another (often manual) means.
The One Identity Dynamic DNS Update Tool, dnsupdate, performs this communication. It can automatically and securely inform Active Directory's DNS server of any host IP address changes due to DHCP lease acquisition and renewal.
Because dnsupdate uses Kerberos to authenticate itself to the DNS server, only the computer joined with that name can update its record.
When you run the Safeguard Authentication Services installation script, install.sh, in interactive mode (the -i option), it gives you an option to install the One Identity Dynamic DNS Update Tool. Dynamic DNS automatically integrates into the host's native DHCP client infrastructure to securely update DNS servers when its IP address changes. For more information about running the install.sh script, see Installation script options.
Note: If Pointer Record (PTR) updates are being rejected, it may be because the DHCP server is doing the update already. Refer to the documentation for the DHCP server being used in your environment. The Microsoft DHCP server does updates on behalf of the client and this is controlled by the Fully Qualified Domain Name (FQDN) option. Please refer to the Microsoft Active Directory DNS/DHCP documentation.
Getting started with Safeguard Authentication Services
Once you have successfully installed Safeguard Authentication Services, you will want to learn how to do some basic system administration tasks.