AAA, NAC, Guest Access & BYOD

How to join CPPM to a Active Directory domain to a specific OU

Aruba Employee

In earlier CPPM versions <6.3, we did not have the capability to enforce the CPPM to create a computer account in a specified OU.
It will create an account in default "Computers" OU and the domain Administrator has to move this object to specific OU as desired
.

 

From CPPM version 6.3, we can join CPPM to the Active directory domain and it can create a computer account in the specified OU using CLI.

 

Environment : A typical environment would require CPPM to join to the domain to accomplish domain users authentication using PEAP-EAP-MSCHAPv2 

 

Network Topology : 

 

Any CPPM server version greater than 6.2 with a Windows Domain Controller. I have used CPPM version 6.3.4 and a 2008 Windows Domain Controller(standalone).

FQDN of Domain Controller : windc2k8.ns-lab.com
Hostname of CPPM : TESTCPPM77

 

 

1. Create a OU Aruba-2 within Aruba-1 which inturn is within Aruba. Please find the dsquery output below:

 

rtaImage.png

 

2. Create a security group called Aruba2-OU-admin_group. Delegate the control of the OU to this group and a user called “sam” in the OU:

 

rtaImage (1).png

 

3. While, delegating the control for this OU, choose “Create a custom task to delegate” and in the next screen, “Only the following objects in folder” with Computer Objects selected with Read/Write the Computer Objects:

rtaImage (2).png

 

rtaImage (3).png

 

4. Try joining the Clearpass to the domain with the the OU admin “sam” account in the CLI using ad netjoin command. It should create a machine account in the specified OU. 

CLI command:

1. ad netjoin <FQDN of the Domain Controller> ou=Aruba+Aruba-1+Aruba-2 
2. Type the OU administrator password when it is required.

 

rtaImage (4).png

 

This will eliminate the need to move the computer object from the default "Computers" OU to another OU, once the computer account has created in the Domain Controller.

 

We can check the specific OU in the Domain Controller to ensure whether the CPPM has created a machine account in the desired OU.

 

rtaImage (5).png

 

We need to ensure the OU order while joining the server to the domain. With respect to "dsquery" output that we got from Domain Controller, OU order that needs to used is from Right to Left.

Version history
Revision #:
1 of 1
Last update:
‎04-09-2015 05:17 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: