How does the CFA interact with AD and LDAP?

The CFA joins the domain as a computer. This is typically done using a domain admin's credentials, but it may be delegated to another kind of account, for example one dedicated to joining new computers to the domain.

When joining the domain, we use Samba’s net ads join command.

Once joined, the CFA adds an SPN to its computer object to identify itself as the CFA. We are aware that adding the SPN requires more and different privileges than simply joining a computer to the domain. However, we do not store the credentials used when joining, so a Domain Administrator account can be used for both steps. The SPN assignment can be done manually if required (using setspn). The SPNs required, where CFA is the hostname and domain.lan is the domain, are:

  • HOST/CFA
  • HOST/CFA.domain.lan
  • EVERSYNC_BACKUP/CFA.domain.lan

After joining and SPN assignment, the CFA uses only its computer credentials to browse the computer objects. The computer objects display in the Clients > Active Directory tree to allow the automatic creation of CFA-side backup client configurations from them.

Clients find the CFA address by querying LDAP for the SPN when RvxBRAgent (Infrascale Backup and Restore Agent) is started. This is similar to MS SQL Server discovery, for example.

Thereafter, clients contact the CFA using web services built into .NET, using their Computer credentials for secure Kerberos authentication. The clients request their configuration from the CFA and save it locally. While the agent is running, AD is not used again.

What permissions will be required in order to pre-stage any service accounts needed within the new domain?

Only joining the CFA to the domain, and the assignment of the SPN are required. No service accounts beyond the Computer object are necessary.

Example
Below is a session on a domain controller as the Administrator user listing the SPNs associated with the CFA's computer account after joining it to the domain. Then the EVERSYNC_BACKUP SPN is deleted (-D) from the computer account, and the SPNs are listed again. Finally, the command to add (-A) the EVERSYNC_BACKUP SPN to the CFA's computer account is shown, which customers can use if joining the domain from the CFA fails to create the SPN.
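As an added check (example code written for this article, not Infrascale's own tooling), the following PowerShell script reads the CFA computer object with the RSAT ActiveDirectory module, compares its SPNs against the three listed above, and prints the setspn -A command for any that are missing. It assumes the hostname CFA and the domain domain.lan used as placeholders in this article.

```powershell
# Added example: verify that the CFA computer object carries the three SPNs
# this article requires and print setspn -A for any that are missing.
# Assumes the RSAT ActiveDirectory module is installed and the account
# running it can read the computer object.
param(
    [string]$CfaHost = 'CFA',        # assumption: the CFA's computer account name
    [string]$Domain  = 'domain.lan'  # assumption: the AD DNS domain name
)

Import-Module ActiveDirectory -ErrorAction Stop

$fqdn = "$CfaHost.$Domain"
# The SPNs the article lists as required on the CFA's computer object.
$required = @(
    "HOST/$CfaHost",
    "HOST/$fqdn",
    "EVERSYNC_BACKUP/$fqdn"
)

# Get-ADComputer resolves the account by its name; request the
# servicePrincipalName attribute explicitly, it is not returned by default.
$computer = Get-ADComputer -Identity $CfaHost -Properties servicePrincipalName
$present  = @($computer.servicePrincipalName)

$missing = @()
foreach ($spn in $required) {
    # -contains compares case-insensitively, matching how AD treats SPNs.
    if ($present -contains $spn) {
        Write-Output "OK       $spn"
    } else {
        Write-Output "MISSING  $spn"
        $missing += $spn
    }
}

if ($missing.Count -eq 0) {
    Write-Output "All required SPNs are present on $($computer.DistinguishedName)."
} else {
    Write-Output ''
    Write-Output 'Run the following as an account permitted to write servicePrincipalName:'
    foreach ($spn in $missing) {
        # Same operation as the setspn -A command described in the article.
        Write-Output "  setspn -A $spn $CfaHost"
    }
}
```

Run it on a domain-joined Windows host after the CFA has joined; a MISSING line for EVERSYNC_BACKUP is the case the article's setspn -A command fixes.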
Symptoms
User is not able to add the CFA to a domain
Cause
Incorrect permissions exist in the environment
Resolution
  1. Click Start > Run, enter dsa.msc

  2. In the task pane, expand the domain node.

  3. Locate and right-click the OU that you want to modify, and then click Delegate Control.

  4. In the Delegation of Control Wizard, click Next.

  5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.

  6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

  7. Add permissions appropriate to join the computer to the domain.

  8. Click Next, and then click Finish.

  9. Close Active Directory.