Integrating with Windows Active Directory

When you deploy a Windows image using Lenovo XClarity Administrator, you are able to join an Active Directory domain as part of the operating-system deployment.

Before you begin

To join an Active Directory domain as part of a Windows image deployment, you must configure both the management server and the Windows Server that is running the affected Active Directory domain controller. To perform this configuration, you need the following access:
  • An administrator account with the authority to authenticate and join the Active Directory server's domain. This account must have privileges similar to those of the default Domain Administrators group, and you can use an account in this group for this configuration.

  • Access to a domain name system (DNS) that resolves to the Active Directory server that is running the domain controller. This DNS must be specified in the Network Settings > DNS option for the server to which you are deploying the operating system.

  • The Active Directory server administrator must create the required computer name on the domain server before you deploy the operating system. The join attempt does not create the computer name. If no name is specified, the join fails.

  • The Active Directory server administrator must specify the hostname of the server to which the image is being deployed as a computer name under the target organizational unit by clicking the Network Settings > Hostname field.

    The specified hostname (computer name) must be unique. Specifying a name that is already in use by another Windows installation causes the join to fail.
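
The prerequisites above can be checked from a domain-joined administration workstation before any deployment is started. The following PowerShell is an added example, not part of the XClarity Administrator product or its documentation; it assumes the RSAT ActiveDirectory module is installed, and the function name, domain, OU, DNS address and hostnames are placeholders.

```powershell
# Added example: pre-flight check of the Active Directory join prerequisites.
Import-Module ActiveDirectory   # assumption: RSAT Active Directory module is installed

function Test-DomainJoinPrereq {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]   $Domain,
        [Parameter(Mandatory)][string]   $TargetOU,
        [Parameter(Mandatory)][string]   $DnsServer,
        [Parameter(Mandatory)][string[]] $Hostnames
    )

    # The DNS server entered under Network Settings > DNS must locate a domain controller.
    $query = @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV'; Server = $DnsServer
                DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    $srv = @(Resolve-DnsName @query | Where-Object Section -eq 'Answer')
    if ($srv.Count -eq 0) {
        Write-Warning "DNS server $DnsServer returned no domain controller SRV records for $Domain"
    }

    # Hostnames must be unique, so flag names repeated within this batch.
    $dupes = @($Hostnames | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)

    foreach ($h in $Hostnames) {
        # The computer name must already exist under the target OU; the join does not create it.
        $found = @(Get-ADComputer -Filter "Name -eq '$h'" -Server $Domain)
        $status = if ($dupes -contains $h) { 'Duplicate hostname in this batch' }
                  elseif ($found.Count -eq 0) { 'Missing: computer name not created in the domain' }
                  elseif ($found.DistinguishedName -notlike "*,$TargetOU") { 'Exists, but outside the target OU' }
                  else { 'OK' }
        [pscustomobject]@{
            Hostname = $h
            Status   = $status
            DN       = $found.DistinguishedName -join '; '
        }
    }
}

# Placeholder values: replace with your own domain, OU, DNS server and hostnames.
Test-DomainJoinPrereq -Domain 'corp.example.com' `
    -TargetOU 'OU=Servers,DC=corp,DC=example,DC=com' `
    -DnsServer '192.0.2.53' -Hostnames 'node01', 'node02' | Format-Table -AutoSize
```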

You can join the Active Directory domain using one of the following methods:
  • Use an Active Directory domain

    You can choose to use a specific Active Directory domain from a list of predefined domains. Complete the following steps to define an Active Directory domain in XClarity Administrator. If you intend to use multiple domains, repeat these steps for each domain name.

    1. From the XClarity Administrator menu bar, click Provisioning > Deploy OS images to display the Deploy OS Images page.

    2. Click the Global Settings icon (Global settings icon) to display the Global Settings: Deploy Operating Systems dialog.

    3. Click the Active Directory tab.

    4. Click the Create icon (Create icon) to display the Add New Active Directory Domain dialog.

    5. Specify the domain name and organizational unit.

      Operating-system deployment supports joining a domain and creating nested organizational units within a domain. If you are specifying organizational units, it is not necessary to specify the OU as part of the join explicitly. Active Directory is able to derive the correct OU using the domain name and computer name.

    6. Click OK.

  • Use the default Active Directory domain

    You can choose to use the default Active Directory domain that is defined in global settings. Complete the following steps to set the default Active Directory domain in XClarity Administrator.

    1. From the XClarity Administrator menu bar, click Provisioning > Deploy OS images to display the Deploy OS Images page.

    2. Click the Global Settings icon (Global settings icon) to display the Global Settings: Deploy Operating Systems dialog.

    3. Click the Active Directory tab.


      Illustrates the Active Directory tab on the Global Settings page.
    4. From the Apply this domain as default selection drop-down menu, select the Active Directory domain to be used by default for every Windows deployment.

    5. Click OK.

  • Use metadata blob data

    You can use Active Directory Computer Account Metadata (in Base-64 encoded blob format) to join the Active Directory domain for any server. Complete the following steps to generate metadata blob data.

    1. Use an administrator account to log in to the computer. The computer must be part of the Active Directory domain to which you are joining.

    2. Click Start > Programs > Accessories. Right-click Command Prompt, and then click Run as administrator.

    3. Change to the C:\windows\system32 directory.

    4. Run the djoin command using the following format to perform an offline domain join:

      djoin /provision /domain <AD_domain_name> /machine <hostname> /savefile blob
      where:
      • <AD_domain_name> is the name of the Active Directory domain.

      • <hostname> is the hostname of the server to which the image is being deployed as a computer name under the target organizational unit by clicking the Network Settings > Hostname field.

      This command creates a file named blob that contains the metadata blob data. The content of this file is used by the operating-system deployment process to specify the Active Directory join details, so keep this data close by.

      The metadata blob data is sensitive data.
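
Because the blob file is sensitive, it helps to generate it in a directory that only the provisioning administrator can read and to delete it once its content has been supplied to the deployment. The following PowerShell is an added example, not part of the original procedure; run it from an elevated prompt, and note that the domain, hostname and working-directory names are placeholders.

```powershell
# Added example: run the djoin step into an access-restricted directory, then clean up.
$Domain   = 'corp.example.com'   # placeholder
$Hostname = 'node01'             # placeholder: must match Network Settings > Hostname

# Create a working directory and restrict it to the current user
# before the blob is written into it.
$WorkDir = Join-Path $env:TEMP "odj-$Hostname"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$me = "$($env:USERDOMAIN)\$($env:USERNAME)"
icacls $WorkDir /inheritance:r /grant:r "${me}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict access to $WorkDir" }

# Same djoin invocation as in step 4, with the save file placed in the restricted directory.
$BlobPath = Join-Path $WorkDir 'blob'
& "$env:SystemRoot\System32\djoin.exe" /provision /domain $Domain /machine $Hostname /savefile $BlobPath
if ($LASTEXITCODE -ne 0) {
    Remove-Item -Path $WorkDir -Recurse -Force
    throw "djoin failed with exit code $LASTEXITCODE"
}

# Show who can read the blob so the restriction can be confirmed.
(Get-Acl -Path $BlobPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

Write-Host "Blob written to $BlobPath. Supply its content to the deployment, then press Enter to delete it."
[void](Read-Host)

# Remove the blob and its directory once the content has been handed over.
Remove-Item -Path $WorkDir -Recurse -Force
```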

For detailed information about deploying an operating-system image, see Deploying an operating-system image.

Procedure

To join an Active Directory domain, complete the following steps.

  1. Import the Windows operating-system image into the OS images repository (see Importing operating-system images).
  2. Select one or more servers to which the operating system is to be deployed. You can deploy an operating system on up to 28 servers at one time.
    Tip: You can choose multiple compute nodes from multiple chassis if you intend to deploy the same operating system to all compute nodes.

    Illustrates the fields on the Deploy OS Images page.
  3. Click Change Selected > Network Settings to configure network settings.
    1. Click Change All Rows > Domain Name System (DNS), and specify at a minimum a DNS that resolves to the Active Directory domain.
    2. For each server, specify a hostname that matches an existing computer name in the domain and organizational unit that you are joining.

    For more information about setting network settings, see Configuring network settings for managed servers.

  4. For each server, select the Windows operating-system image to be deployed in the Image to Deploy column. Folder and license key icons are displayed next to the image name.
  5. For each server, click the License Key icon (License key icon), and specify the license key to use to activate the operating system after it is installed.
  6. For each server, click the Folder icon (Folder icon), and specify the Active Directory domain. You can choose one of the following values:
    • Use the Active Directory defined in Global Settings to use the default domain.

    • Use the following Active Directory to select a specific domain.

    • Use metadata blob data to specify the contents of the blob file.

      The metadata blob data contains sensitive information and is not displayed in the field. This information is available only until the deployment operation is complete. It is not persistent.

  7. For each server, select the preferred storage location where you want to deploy the operating-system image from the Storage column.
    • Local Disk Drive
    • Embedded Hypervisor
    • M.2 Drive
    • SAN Storage

    If the selected storage location is not compatible with the server, XClarity Administrator attempts to deploy the operating system to the next storage location in the priority.

    For more information about how to configure the storage location, see Choosing the storage location for managed servers.

    Note: To ensure that operating-system deployments are successful, detach all storage from the managed server except the storage chosen for the operating-system deployment.
  8. Verify that the deployment status for all selected servers is Ready.

    If the status of a server is Not Ready, you cannot deploy an operating-system image to that server. Click the Not Ready link to get information to help resolve the problem. If the network settings are not valid, click Change Selected > Network Settings to configure the network settings.

  9. Click the Deploy images icon (Deploy image icon) to initiate the operating-system deployment.

    The Deploy Confirmation dialog prompts you for the credentials to use for authenticating to the Active Directory server and joining the domain. For security reasons, these credentials are not stored in XClarity Administrator. You must supply the credentials for every Windows deployment that joins the domain.

    You can monitor the status of the deployment process from the jobs log. From the XClarity Administrator menu, click Monitoring > Jobs. For more information about the job log, see Monitoring jobs.

Results

When the operating-system deployment is complete, open a web browser to the IP address that you specified on the Edit Network Settings page, and log on to continue with the configuration process.