Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Changing Clearpass admin AD account

  • 1.  Changing Clearpass admin AD account

    Posted Sep 07, 2017 09:31 AM

    Hello,


    I need to replace the admin account that I use for LDAP/AD access. The same account is used for the authentication sources as well as to join to the domain. The new account is a clone of the original as far as rights are concerned.


    I was planning on just changing the authentication sources first with the new account and then unjoining the domain and rejoining with the new account. Are there any tips or caveats in doing it this way? How about the effect on users? While the domain is not joined I know the MSCHAP auths won't work. I'm doing this during a maintenance window, so a minimal hit to users would be fine.



  • 2.  RE: Changing Clearpass admin AD account

    EMPLOYEE
    Posted Sep 07, 2017 09:35 AM

    Couple of comments:

    • You should not be using an administrative account for your AD authentication source, only a standard user with domain user privileges
    • The authentication source is completely independent of domain join. You can change the authentication source credentials and you don't have to re-join the domain
    • There should be no effect on users except for maybe 3-5 seconds after you change the password for the config to propagate.


  • 3.  RE: Changing Clearpass admin AD account

    Posted Sep 07, 2017 10:43 AM

    Thanks Tim. If the admin domain account that was used to join the domain is going to get removed, do I need to rejoin the domain with new credentials, or once joined does it not matter if the account gets removed?



  • 4.  RE: Changing Clearpass admin AD account
    Best Answer

    EMPLOYEE
    Posted Sep 07, 2017 10:53 AM

    No. The credentials used for domain join are not stored in ClearPass. They're used for the one time operation, just like joining a computer to the domain.


    Domain join is completely separate from the AD authentication source.

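The two points made in replies 2 and 4 (use an unprivileged account for the authentication source, and treat domain join as a separate one-time operation whose credentials are not retained) can be checked from the AD side before touching ClearPass. The script below is an added example and is not code from the thread, from HPE Aruba, or from ClearPass itself; it assumes the RSAT ActiveDirectory module, and the account names, OU, domain, test user and ClearPass hostname are placeholders.

```powershell
# Added example (not from the original thread): provision a least-privilege AD account
# for the ClearPass authentication source, verify it, and confirm the ClearPass
# computer object does not depend on the account that performed the domain join.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$SvcName   = 'svc-clearpass-ldap'                      # assumed service account name
$SvcOU     = 'OU=ServiceAccounts,DC=corp,DC=example'   # assumed OU
$Domain    = 'corp.example'                            # assumed AD domain
$TestUser  = 'jdoe'                                    # assumed existing user to look up
$CppmHost  = 'clearpass01'                             # assumed ClearPass hostname used at join
$OldJoinAcct = 'old-join-admin'                        # assumed account used for the original join
$Pwd       = Read-Host -AsSecureString 'Password for the new service account'

# 1. Create the bind account as a plain domain user: no admin group memberships.
New-ADUser -Name $SvcName -SamAccountName $SvcName -Path $SvcOU `
    -AccountPassword $Pwd -Enabled $true `
    -Description 'ClearPass AD authentication source bind account (read-only)'

# 2. Refuse to proceed if the account ended up in any privileged group.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'
$groups = (Get-ADPrincipalGroupMembership -Identity $SvcName).Name
$bad = $groups | Where-Object { $privileged -contains $_ }
if ($bad) { throw "Service account is in privileged group(s): $($bad -join ', ')" }

# 3. Simple bind plus a user lookup with the new credentials: the same kind of
#    operation ClearPass performs against an AD authentication source.
$plain = [System.Net.NetworkCredential]::new('', $Pwd).Password
$root  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", "$Domain\$SvcName", $plain)
$filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
[void]$searcher.PropertiesToLoad.Add('memberOf')
$result = $searcher.FindOne()
if (-not $result) { throw "Bind succeeded but lookup of $TestUser returned nothing; check search base and ACLs" }
"Bind and lookup OK as $SvcName ($($result.Properties['memberof'].Count) group(s) returned)"

# 4. Domain join is independent of the authentication source and of the account that
#    performed it: the computer object created at join time is what persists.
Get-ADComputer -Identity $CppmHost -Properties PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet

# Disable the old join account; the computer object remains enabled and untouched.
Disable-ADAccount -Identity $OldJoinAcct
if (-not (Get-ADComputer -Identity $CppmHost).Enabled) {
    throw "Computer object $CppmHost is disabled; this should not be caused by disabling a user"
}
"Computer object $CppmHost still enabled after disabling $OldJoinAcct"
```

Step 3 is the check to run before swapping the credentials in the ClearPass authentication source, since a bind failure there is what would actually break user authentication; step 4 only shows that the computer object is a separate principal, which is why a rejoin is not required when the old join account goes away.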


  • 5.  RE: Changing Clearpass admin AD account

    Posted Dec 20, 2018 02:17 AM

    Hi Tim,


    So we can also disable the same admin user after the join is finished?