domain join
Configures a Windows domain.
Syntax
domain join domain-name <name> login <login> password <password> [dc-list <dc-list>] [org-unit <name>] [join-type {workstation | win2k8-mode | win2k3-mode}] [short-name <name>] [netbios-name <name>]
Parameters
domain-name <name>
Specifies the domain that the SteelHead is to join as a member. Typically, this is your company domain name. RiOS supports Windows 2000 or later domains.
login <login>
Specifies the login for the domain. The login and password are not stored.
This account must have domain-join privileges; it does not need to be a domain administrator account.
password <password>
Specifies the password for the domain. The login and password are not stored.
dc-list <dc-list>
Optionally, specify the domain controllers (hosts) that provide user login service in the domain. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Note: Specifying the domain controller name in high-latency situations reduces the time to join the domain significantly.
Note: The dc-list parameter is required when the join type is win2k8-mode. The DC list should contain only the names or IP addresses of Windows 2008 and later domain controllers.
org-unit <name>
Specifies the organization name (for example, the company name).
join-type
Specifies the join account type. The server-side SteelHead can join the domain in one of the following roles:
•  workstation - Joins the server-side SteelHead appliance to the domain with workstation privilege. You can join the domain with this account type using any ordinary user account that has permission to join a machine to the domain.
•  win2k8-mode - Specifies Active Directory integrated mode for Windows 2008 and later.
•  win2k3-mode - Specifies Active Directory integrated mode for Windows 2003.
If you do not specify a join type, the system uses the default, which is the workstation join type.
The dc-list parameter is required when the join type is win2k8-mode. The DC list should contain only the names or IP addresses of Windows 2008 and higher domain controllers.
short-name <name>
Specifies a short domain name. Typically, the short domain name is a substring of the realm. In rare situations, this is not the case, and you must explicitly specify the short domain name. Case matters; NBTTECH is not the same as nbttech.
The short domain name is required if the NetBIOS domain name does not match the first portion of the Active Directory domain name.
netbios-name <name>
Specifies a NetBIOS name.
The short domain name is required if the NetBIOS domain name does not match the first portion of the Active Directory domain name.
Usage
A server-side SteelHead can join a Windows domain or local workgroup. You configure the SteelHead to join a Windows domain (typically, the domain of your company) for PFS, SMB signing, and MAPI encrypted traffic optimization authentication.
When you configure the SteelHead to join a Windows domain, you do not have to manage local accounts in the branch office, as you do in local workgroup mode. Domain mode allows a domain controller (DC) to authenticate users.
If the server-side SteelHead is running a version of RiOS between v6.1 and v6.5, it can only join the domain to appear as a Workstation. In RiOS 7.0 and later, the SteelHead appliance can join the domain in one of three different roles: Workstation, Active Directory Integrated (Windows 2003) or Active Directory Integrated (Windows 2008). Domain users are allowed to use the Kerberos delegation trust facility and/or NTLM environments for encrypted MAPI or SMB signing based on the access permission settings provided for each user.
When the SteelHead appliance joins as one of the Active Directory integrated roles, it has very limited functionality. Even though the SteelHead appliance is integrated with Active Directory, it does not provide any Windows domain controller functionality to any other machines in the domain.
When the SteelHead is joined to the domain as part of a proxy file server (PFS) deployment, data volumes at the data center are configured explicitly on the proxy-file server and are served locally by the SteelHead. As part of the configuration, the data volume and ACLs from the origin-file server are copied to the SteelHead.
Before enabling domain mode, make sure that you:
•  configure the DNS server correctly. The configured DNS server must be the same DNS server to which all the Windows client computers point. To use SMB signing, the server-side SteelHead must be in the DNS.
•  have a fully qualified domain name. This domain name must be the domain name for which all the Windows desktop computers are configured.
•  set the owner of all files and folders in all remote paths to a domain account and not a local account.
Note: PFS supports only domain accounts on the origin-file server; PFS does not support local accounts on the origin-file server. During an initial copy from the origin-file server to the PFS SteelHead, if PFS encounters a file or folder with permissions for both domain and local accounts, only the domain account permissions are preserved on the SteelHead.
For details about domains and PFS, see the SteelHead Management Console User’s Guide and the SteelHead Deployment Guide.
Example
amnesiac (config) # domain join domain-name signing.test login admin password mypassword dc-list mytestdc1
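The following pre-flight check is an added example, not Riverbed code: it lints a domain join command line against the parameter rules documented above before the command is pushed to an appliance. The function names, the shell-style tokenizing, the caller-supplied NetBIOS domain name, and the case-insensitive comparison against the first portion of the domain name are assumptions of this example.

```python
import shlex

JOIN_TYPES = {"workstation", "win2k8-mode", "win2k3-mode"}
KEYWORDS = {"domain-name", "login", "password", "dc-list", "org-unit",
            "join-type", "short-name", "netbios-name"}
REQUIRED = ("domain-name", "login", "password")


def parse_domain_join(command):
    """Split a 'domain join ...' line (without the CLI prompt) into a dict."""
    tokens = shlex.split(command)  # assumption: shell-style quoting
    if tokens[:2] != ["domain", "join"]:
        raise ValueError("not a domain join command")
    args = tokens[2:]
    if len(args) % 2:
        raise ValueError("keyword without a value")
    params = {}
    for key, value in zip(args[0::2], args[1::2]):
        if key not in KEYWORDS or key in params:
            raise ValueError(f"unknown or repeated keyword: {key}")
        params[key] = value
    return params


def lint_domain_join(command, netbios_domain=None):
    """Return a list of problems; an empty list means the documented rules hold.

    netbios_domain is supplied by the operator (assumption), not looked up.
    """
    params = parse_domain_join(command)
    problems = [f"missing {k}" for k in REQUIRED if k not in params]
    join_type = params.get("join-type", "workstation")  # documented default
    if join_type not in JOIN_TYPES:
        problems.append(f"invalid join-type {join_type}")
    if join_type == "win2k8-mode" and "dc-list" not in params:
        problems.append("dc-list is required when join-type is win2k8-mode")
    first_label = params.get("domain-name", "").split(".")[0]
    # Mismatch is tested case-insensitively (assumption); the short-name
    # itself is compared exactly, because case matters for that parameter.
    if netbios_domain and netbios_domain.lower() != first_label.lower():
        if params.get("short-name") != netbios_domain:
            problems.append("short-name is required: NetBIOS domain name "
                            "does not match first portion of domain-name")
    return problems


if __name__ == "__main__":
    # Constructed sample: win2k8-mode join that omits dc-list.
    print(lint_domain_join("domain join domain-name signing.test login admin "
                           "password mypassword join-type win2k8-mode"))
```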
Product
SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
domain rejoin, show domain