Before the Blue Cedar Connect Gateway can authenticate its users through Active Directory, the gateway must join exactly one domain of an Active Directory forest. This is a one-time step that you perform after configuring the gateway to use the Active Directory server as its DNS server; the join relies on the DNS records that the AD server publishes to locate the domain controller.
Joining the gateway to an AD domain creates a computer object in the Computers container of the domain, and that object is named after the gateway's hostname. Set the hostname before you perform this step, and do not change it while the gateway is joined to the domain, because the computer object in AD would no longer match the gateway's name.
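The two prerequisites above (DNS pointed at the AD server, hostname fixed before the join) are easy to get wrong and hard to diagnose from the join output alone. The pre-flight script below is an added example, not Blue Cedar's code or part of this documentation. It is meant to run from an administration host whose resolver uses the same AD DNS server the gateway is configured with. Its assumptions: the script name preflight.py is hypothetical; the gateway's short hostname becomes the computer object name (the page says the entry name equals the hostname), so it is checked as a DNS label and against the general 15-character NetBIOS computer-name limit that Active Directory applies, which the page itself does not mention; and the join needs the standard Kerberos, LDAP and SMB ports on the DC, as other AD clients do.

```python
"""Pre-join checks: hostname usable as an AD computer name, DC resolvable,
DC services reachable. Added example, not Blue Cedar's code."""
import re
import socket
import sys

NETBIOS_NAME_MAX = 15  # general AD/NetBIOS limit on computer names (assumption: applies to the gateway's join)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Services a domain join typically needs on the DC; assumption: the gateway
# uses the standard ports like other AD clients.
DC_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445}


def check_hostname(hostname):
    """Return a list of problems with the name; an empty list means it is usable."""
    problems = []
    label = hostname.strip().split(".", 1)[0]  # short name = future computer object name
    if not label:
        return ["hostname is empty"]
    if not LABEL_RE.match(label):
        problems.append(f"{label!r} is not a valid DNS label (letters, digits and '-', not at the ends)")
    if len(label) > NETBIOS_NAME_MAX:
        problems.append(f"{label!r} exceeds the {NETBIOS_NAME_MAX}-character NetBIOS computer-name limit")
    if label.lower() == "localhost":
        problems.append("hostname is still the default 'localhost'")
    return problems


def resolve_dc(dc_fqdn, expected_ip=None):
    """Resolve the DC through the system resolver; return (addresses, problems)."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(dc_fqdn, None, socket.AF_INET)})
    except socket.gaierror as exc:
        return [], [f"cannot resolve {dc_fqdn}: {exc}"]
    problems = []
    if expected_ip and expected_ip not in addrs:
        problems.append(f"{dc_fqdn} resolved to {addrs}, expected {expected_ip}")
    return addrs, problems


def check_dc_ports(address, timeout=3.0):
    """Return the names of DC services that are not reachable over TCP."""
    unreachable = []
    for name, port in DC_PORTS.items():
        try:
            with socket.create_connection((address, port), timeout=timeout):
                pass
        except OSError:
            unreachable.append(name)
    return unreachable


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py <gateway-hostname> <dc-fqdn> [expected-dc-ip]")
    hostname, dc_fqdn = sys.argv[1], sys.argv[2]
    expected = sys.argv[3] if len(sys.argv) > 3 else None
    problems = check_hostname(hostname)
    addrs, dns_problems = resolve_dc(dc_fqdn, expected)
    problems += dns_problems
    for addr in addrs:
        problems += [f"{addr}: {svc} port not reachable" for svc in check_dc_ports(addr)]
    print("OK to join" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it with the gateway's intended hostname, the DC's fully qualified name and, optionally, the DC address you expect; a non-zero exit means at least one prerequisite is not met and the join should not be attempted yet.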
Joining an Active Directory domain
Use this template to join the AD domain:
Note: This command can only be executed in operational mode.
> request join-active-directory-domain password string provider-id name username AD_admin organizational-unit groupname loglevel level
The parameters are:
password string
    Password of the administrator account used for the join. The gateway does not store this password; it is used only while the join runs.
provider-id name
    Name of an Active Directory authentication provider previously defined under "aaa auth-provider active-directory". The name must match a key in the auth-provider section of the gateway configuration (for example, ADServ08R2). For details, see Configuring Active Directory to authenticate gateway users.
username AD_admin
    Exact name of the AD administrator account.
    Note: The username can be omitted. If it is not present, it defaults to "Administrator".
organizational-unit groupname
    Organizational unit (OU) within the Active Directory domain. If an organizational-unit is specified, the username must be a member of the "Domain Admins" group on the AD server.
loglevel level
    Level of logging output. Values: error, warning, info, verbose. Default: warning.
The gateway can be joined to only one AD domain at a time. Even if the AD infrastructure has multiple domains, the gateway is a member of just one of them. Through a two-way transitive trust among the domains, the gateway can still authenticate a user whose account is in another domain that the gateway is not joined to; the trust relationships in the forest therefore determine which users the gateway can authenticate.
This is an example of a successful request from the gateway to join an Active Directory domain. The password is entered in clear text on the command line, and the gateway does not retain it after the join:
> request join-active-directory-domain provider-id ADBonanza password abc123 username Administrator
result "
Joining to AD Domain: ch.acme.local
[Domain Controller (DC) Information]
DC Name: bonanza.ch.acme.local
DC Address: 10.42.32.12
DC Site: Default-First-Site-Name
[Global Catalog (GC) Information]
GC Name: bonanza.ch.acme.local
GC Address: 10.42.32.12
GC Site: Default-First-Site-Name
Forest name: ch.acme.local
Domain SID: S-1-5-21-897520681-3725138770-4014864842
Domain GUID: b3375b51-f2c4-354c-b6b5-072a2dc73cfa
SUCCESS
";
After this response is displayed, users in the joined domain (ch.acme.local, reached through the provider ADBonanza) can log in through the gateway, as can users in domains that trust it.
You do not have to join or rejoin the AD domain each time the gateway boots. After the first join, the gateway automatically rejoins the domain on every subsequent reboot.
Remove the gateway from an Active Directory domain
Use the following template to remove the gateway from an Active Directory domain:
> request leave-active-directory-domain
Note: No other parameters are required for this command, because the gateway is only ever a member of a single domain.
Note: Leaving an Active Directory domain is usually done for troubleshooting. After this command the gateway stays out of the domain, including across reboots, and users can no longer authenticate through Active Directory. To restore AD authentication, join the domain again with request join-active-directory-domain.
> request leave-active-directory-domain
result "Leaving AD Domain: example.com SUCCESS";
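When the join or leave request is driven by an automation tool (for example over an SSH session to the gateway CLI), the result text shown above for both commands is what the tool has to interpret. The parser below is an added example, not Blue Cedar's code or part of this documentation. It assumes the result is captured verbatim, that the field labels are exactly the ones shown in the join example on this page (the page does not document any other output format), and that a result is successful only when it ends in SUCCESS. The sample strings embedded in the block are constructed from the two examples on this page; the domain-SID and GUID shapes it checks are general Active Directory conventions, not something the page states.

```python
"""Parse the result text of request join-/leave-active-directory-domain and
apply sanity checks before trusting the join. Added example, not Blue Cedar's code."""
import ipaddress
import re

# Field labels as they appear in the join result on this page.
KEYS = ["DC Name", "DC Address", "DC Site", "GC Name", "GC Address", "GC Site",
        "Forest name", "Domain SID", "Domain GUID"]
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# A value runs until the next label, the next "[...]" section header, SUCCESS, or the end,
# so the parser works whether the output is newline-separated or flattened onto one line.
_FIELD_RE = re.compile(rf"({_KEY_ALT}):\s*(.*?)(?=\s*(?:(?:{_KEY_ALT}):|\[|SUCCESS\b|$))", re.S)
_HEADER_RE = re.compile(r"^(Joining to|Leaving) AD Domain:\s*(\S+)")
# Domain SIDs are S-1-5-21-<three sub-authorities> (general AD convention, an assumption here).
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_ad_result(text):
    """Return a dict describing a join or leave result and any consistency issues found."""
    m = re.search(r'result\s+"(.*)"\s*;?\s*$', text, re.S)  # strip the result "..."; wrapper
    body = (m.group(1) if m else text).strip()
    result = {"operation": None, "domain": None, "success": body.endswith("SUCCESS"),
              "fields": {}, "issues": []}
    header = _HEADER_RE.match(body)
    if header:
        result["operation"] = "join" if header.group(1) == "Joining to" else "leave"
        result["domain"] = header.group(2)
    else:
        result["issues"].append("unrecognised result header")
    for key, value in _FIELD_RE.findall(body):
        result["fields"][key] = value.strip()
    if result["operation"] == "join":
        result["issues"].extend(_check_join_fields(result["domain"], result["fields"]))
    if not result["success"]:
        result["issues"].append("result does not end with SUCCESS")
    return result


def _check_join_fields(domain, f):
    """Sanity checks on the DC/GC information before the join is accepted."""
    issues = [f"missing field: {key}" for key in KEYS if key not in f]
    for key in ("DC Address", "GC Address"):
        if key in f:
            try:
                ipaddress.ip_address(f[key])
            except ValueError:
                issues.append(f"{key} is not an IP address: {f[key]!r}")
    for key in ("DC Name", "GC Name"):
        # A DC answering from outside the joined domain is worth a second look.
        if key in f and domain and not f[key].lower().endswith("." + domain.lower()):
            issues.append(f"{key} {f[key]!r} is outside the joined domain {domain!r}")
    if "Domain SID" in f and not _DOMAIN_SID_RE.match(f["Domain SID"]):
        issues.append(f"Domain SID has unexpected form: {f['Domain SID']!r}")
    if "Domain GUID" in f and not _GUID_RE.match(f["Domain GUID"]):
        issues.append(f"Domain GUID has unexpected form: {f['Domain GUID']!r}")
    return issues


# Constructed from the join and leave examples shown on this page.
JOIN_RESULT = ('result " Joining to AD Domain: ch.acme.local '
               '[Domain Controller (DC) Information] DC Name: bonanza.ch.acme.local '
               'DC Address: 10.42.32.12 DC Site: Default-First-Site-Name '
               '[Global Catalog (GC) Information] GC Name: bonanza.ch.acme.local '
               'GC Address: 10.42.32.12 GC Site: Default-First-Site-Name '
               'Forest name: ch.acme.local Domain SID: S-1-5-21-897520681-3725138770-4014864842 '
               'Domain GUID: b3375b51-f2c4-354c-b6b5-072a2dc73cfa SUCCESS ";')
LEAVE_RESULT = 'result "Leaving AD Domain: example.com SUCCESS";'

if __name__ == "__main__":
    for sample in (JOIN_RESULT, LEAVE_RESULT):
        r = parse_ad_result(sample)
        print(r["operation"], r["domain"], "OK" if r["success"] and not r["issues"] else r["issues"])
```

A result that lacks the trailing SUCCESS, or whose DC name lies outside the domain named in the header, is reported through the issues list rather than raising, so an automation step can log the details and stop before it enables Active Directory logins on the gateway.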