In CPPM versions earlier than 6.3, there was no way to make CPPM create its computer account in a specified OU.
CPPM created the account in the default "Computers" OU, and the domain Administrator had to move the object to the desired OU afterwards.
From CPPM version 6.3, we can join CPPM to the Active Directory domain from the CLI and have it create its computer account in the specified OU.
Environment: A typical environment requires CPPM to be joined to the domain in order to authenticate domain users with PEAP-EAP-MSCHAPv2.
Network Topology:
Any CPPM server version greater than 6.2 with a Windows Domain Controller. I have used CPPM version 6.3.4 and a 2008 Windows Domain Controller (standalone).
FQDN of Domain Controller : windc2k8.ns-lab.com
Hostname of CPPM : TESTCPPM77
1. Create an OU Aruba-2 within Aruba-1, which in turn is within Aruba. Please find the dsquery output below:
2. Create a security group called Aruba2-OU-admin_group. Delegate the control of the OU to this group and a user called “sam” in the OU:
3. While delegating control of this OU, choose “Create a custom task to delegate” and, on the next screen, “Only the following objects in folder” with Computer Objects selected and Read/Write on the Computer Objects:
4. Try joining ClearPass to the domain with the OU admin “sam” account from the CLI using the ad netjoin command. It should create a machine account in the specified OU.
1. ad netjoin <FQDN of the Domain Controller> ou=Aruba+Aruba-1+Aruba-2
2. Type the OU administrator password when it is required.
This eliminates the need to move the computer object from the default "Computers" OU to another OU after the computer account has been created on the Domain Controller.
Check the specific OU on the Domain Controller to confirm that CPPM has created its machine account in the desired OU.
The OU order matters when joining the server to the domain. Relative to the "dsquery" output from the Domain Controller, the OUs must be listed from right to left.
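The right-to-left rule above, as an added example that is not part of the original article or of ClearPass: a small Python helper that turns a dsquery-style distinguished name into the ou= argument. The sample DN is constructed from the OU names and domain on this page, and the function names and the rejection of OU names containing "+" or whitespace are assumptions.

```python
# Added example: build the "ad netjoin" ou= argument from a dsquery-style DN.
# SAMPLE_DN is constructed from the OU names and domain on this page.
SAMPLE_DN = '"OU=Aruba-2,OU=Aruba-1,OU=Aruba,DC=ns-lab,DC=com"'


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas, removing backslash escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def netjoin_ou_arg(dn):
    """Return ou=<outermost>+...+<innermost> for the OUs in the DN."""
    ous = []
    for rdn in split_rdns(dn.strip().strip('"')):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() != "OU":
            continue  # skip DC= and CN= components
        value = value.strip()
        # Assumption: the page shows no quoting rules, so refuse names that
        # would be ambiguous with the "+" separator or split the CLI argument.
        if not value or "+" in value or any(c.isspace() for c in value):
            raise ValueError(f"OU name not usable as-is: {value!r}")
        ous.append(value)
    if not ous:
        raise ValueError("DN contains no OU components")
    # dsquery lists the innermost OU first; the command wants right-to-left.
    return "ou=" + "+".join(reversed(ous))


def netjoin_command(dc_fqdn, dn):
    """Assemble the full CLI line typed on the CPPM appliance."""
    return f"ad netjoin {dc_fqdn} {netjoin_ou_arg(dn)}"


if __name__ == "__main__":
    print(netjoin_command("windc2k8.ns-lab.com", SAMPLE_DN))
```

A DN with no OU components, such as one pointing at the default "Computers" location, raises ValueError rather than producing an empty ou= argument.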