
Configure the gateway to join an Active Directory domain

Before the Blue Cedar Connect Gateway can authenticate its users through Active Directory, the gateway must join exactly one domain of an Active Directory. This is a one-time step that you perform after configuring the gateway's DNS server setting to point at the configured Active Directory server.

Joining the gateway to an AD domain creates an entry in the Computers folder of the AD infrastructure whose name is the same as the gateway's hostname. Set the hostname before you perform this step, and do not change the hostname while the gateway is joined to the AD domain.

Joining an Active Directory domain

Use this template to join the AD domain:

Note: This command can only be executed in operational mode.

> request join-active-directory-domain password string provider-id name username AD_admin organizational-unit groupname loglevel level

password  string

Value for the password of the administrator's account for the AD domain. The gateway does not store this password.

provider-id  name

Name of the authentication provider that was previously set in the "aaa auth-provider active-directory" configuration. This ID must match the name of an Active Directory provider that is already configured. (For example, ADServ08R2 is a key in the auth-provider section of the gateway configuration.)

For details, see Configuring Active Directory to authenticate gateway users.

username AD_admin

Exact name of the AD administrator's account.

Note: The username can be omitted. If it is not present, the username defaults to "Administrator".

organizational-unit groupname

An organizational group within the Active Directory domain. If the organizational-unit is specified, the username must be a user in the "Domain Admin" group on the AD server.

Default: Computers

loglevel level

Level of logging output.

Values: error, warning, info, verbose. Default: warning.

The gateway can be joined to only one AD domain at a time. Even if the AD infrastructure has multiple AD domains, the gateway is joined to only one of them. Through a two-way transitive trust among all the AD domains, the gateway can still authenticate a user who is in another AD domain that the gateway is not joined to.


This is an example of a successful request from the gateway to join an Active Directory domain:

> request join-active-directory-domain provider-id ADBonanza password abc123 username Administrator
result "
Joining to AD Domain: ch.acme.local
[Domain Controller (DC) Information]

      DC Name:
      DC Address:
      DC Site: Default-First-Site-Name
[Global Catalog (GC) Information]
      GC Name:
      GC Address:
      GC Site: Default-First-Site-Name
Forest name: ch.acme.local
Domain SID: S-1-5-21-897520681-3725138770-4014864842
Domain GUID: b3375b51-f2c4-354c-b6b5-072a2dc73cfa

After this response is displayed, any user that is configured on the Active Directory server (ADBonanza) can log in through the gateway.
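Operators who script the join over the CLI usually want to check the response rather than eyeball it. The following is an added example, not Blue Cedar code: it parses the "Key: value" lines of the join response shown above, confirms that the reported domain is the one you expected and that the Domain SID and Domain GUID are well-formed, and separately warns when the DC/GC Name and Address fields are blank (the page's own example shows them blank on a successful join, so they are reported as warnings rather than failures). The response text is a constructed sample that mirrors the page's output; the field names and layout are assumed to match what the gateway prints.

```python
import re

# Constructed sample of the text the gateway returns after
# "request join-active-directory-domain" (same shape as the page's example;
# the blank DC/GC Name and Address lines are kept on purpose).
SAMPLE_RESULT = """\
Joining to AD Domain: ch.acme.local
[Domain Controller (DC) Information]

      DC Name:
      DC Address:
      DC Site: Default-First-Site-Name
[Global Catalog (GC) Information]
      GC Name:
      GC Address:
      GC Site: Default-First-Site-Name
Forest name: ch.acme.local
Domain SID: S-1-5-21-897520681-3725138770-4014864842
Domain GUID: b3375b51-f2c4-354c-b6b5-072a2dc73cfa
"""

# A domain SID is S-1-5-21-<three 32-bit sub-authorities>; a GUID is five hex groups.
SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}$")
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Fields that are worth a warning when blank (assumed names, taken from the sample above).
WARN_IF_EMPTY = ("DC Name", "DC Address", "GC Name", "GC Address")


def parse_join_result(text):
    """Turn the 'Key: value' lines of the join response into a dict.

    Bracketed section headers such as '[Domain Controller (DC) Information]'
    and blank lines are skipped; a line whose value is missing maps to ''.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_join_result(text, expected_domain):
    """Parse the response and return (fields, problems, warnings).

    problems: hard failures (wrong domain, malformed or missing SID/GUID).
    warnings: blank DC/GC details, which the page's own example also shows.
    """
    fields = parse_join_result(text)
    problems, warnings = [], []

    joined = fields.get("Joining to AD Domain", "")
    if joined.lower() != expected_domain.lower():
        problems.append(f"joined domain {joined!r} differs from expected {expected_domain!r}")

    sid = fields.get("Domain SID", "")
    if not SID_RE.match(sid):
        problems.append(f"Domain SID missing or malformed: {sid!r}")

    guid = fields.get("Domain GUID", "")
    if not GUID_RE.match(guid):
        problems.append(f"Domain GUID missing or malformed: {guid!r}")

    for name in WARN_IF_EMPTY:
        if not fields.get(name):
            warnings.append(f"{name} is blank in the join response")

    return fields, problems, warnings


def matches_recorded_domain(fields, recorded_sid, recorded_guid):
    """True if the SID and GUID in a (re)join response equal the values recorded
    at the first successful join, so a rejoin after reboot can be checked
    against the domain the gateway was originally bound to."""
    return (
        fields.get("Domain SID", "") == recorded_sid
        and fields.get("Domain GUID", "").lower() == recorded_guid.lower()
    )


if __name__ == "__main__":
    parsed, failures, notes = check_join_result(SAMPLE_RESULT, "ch.acme.local")
    print("Forest:", parsed["Forest name"], "SID:", parsed["Domain SID"])
    for item in failures:
        print("FAIL:", item)
    for item in notes:
        print("WARN:", item)
```

Record the Domain SID and Domain GUID from the first successful join; because the gateway rejoins automatically on every reboot, comparing each later response with `matches_recorded_domain` is a cheap way to notice if the gateway ever ends up bound to a different domain.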

You do not have to join or rejoin the AD domain each time the gateway boots. After the gateway has joined the AD domain once, it automatically rejoins the domain on each subsequent reboot.

Remove the gateway from an Active Directory domain

Use the following template to remove the gateway from an Active Directory domain:

> request leave-active-directory-domain

Note: No other parameters are required for this command because the gateway is always a member of only a single domain at any time.

Upon reboot of the gateway server, the server rejoins the AD domain.

Note: "Leaving" an Active Directory domain is usually done for troubleshooting purposes. After this command has been run and the gateway has rebooted, the gateway does not rejoin the Active Directory domain.


> request leave-active-directory-domain
  result "Leaving AD Domain:
