These considerations apply to the information you need to supply when configuring HCP support for AD:
• Before configuring AD support in HCP:
  o Create an AD group in the target domain. Give the group permission to add members to itself. Then give the group these permissions in the specified OU:
    – Read all properties on descendant computer objects
    – Write all properties on descendant computer objects
    – Change password on descendant computer objects
    – Reset password on descendant computer objects
    – Delete on descendant computer objects
    – Create computer objects in this object and all descendant objects
    – Delete computer objects in this object and all descendant objects
  o Create an AD user account and add it to only that group. This is the user to specify as the domain user in the AD configuration in HCP.
  o If HCP is not joined to AD, you can still prepopulate the domain controller filter list.
Note: In version 8.0 of HCP, a temporary filter is used at join time to ensure that HCP finds and communicates with an optimal domain controller. The temporary filter is removed after the join completes, and any user-defined domain controller filter list does not affect this process.
• Allow a new computer account for use in querying AD for groups to be created automatically. Do not create this account ahead of time.
• If you have more than one HCP system for which you are enabling support for AD, specify a computer account name that’s unique among those systems.
By default, for the OU in which computer accounts will be created, HCP uses CN=Computers. For the computer account, HCP uses HCPSrv-hcp-name (for example, HCPSrv-hcp), where hcp-name is the first segment of the domain name associated with the [hcp_system] network.
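One way to script the preparation steps above with the ActiveDirectory PowerShell module and dsacls, as an added example that is not part of the HCP documentation. The group, user and OU names are placeholders, the OU is assumed to exist already, and the self-membership grant is interpreted here as write access to the group's member attribute.

```powershell
# Added example; every name below is a placeholder, not a value from HCP.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouDn      = "OU=HCP,$($domain.DistinguishedName)"  # assumed existing OU for HCP computer accounts
$groupName = 'HCP-AD-Join'                          # hypothetical group name
$userName  = 'svc-hcp-ad'                           # hypothetical domain user for HCP
$trustee   = "$($domain.NetBIOSName)\$groupName"

# Create the group and the user, then add the user to that group and no other.
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
$user  = New-ADUser -Name $userName -SamAccountName $userName -Enabled $true `
             -AccountPassword (Read-Host -AsSecureString "Password for $userName") -PassThru
Add-ADGroupMember -Identity $group -Members $user

# Assumption: "add members to itself" is granted as write access to the member attribute.
dsacls $group.DistinguishedName /G "${trustee}:WP;member"

# /I:S = descendant objects only; the trailing "computer" limits each ACE to computer objects.
$descendantAces = @(
    "${trustee}:RP;;computer",                  # read all properties
    "${trustee}:WP;;computer",                  # write all properties
    "${trustee}:CA;Change Password;computer",
    "${trustee}:CA;Reset Password;computer",
    "${trustee}:SD;;computer"                   # delete
)
foreach ($ace in $descendantAces) { dsacls $ouDn /I:S /G $ace }

# /I:T = this object and all descendants: create and delete computer objects.
dsacls $ouDn /I:T /G "${trustee}:CCDC;computer"

# Review the result: the user should be in the new group plus its primary group
# (Domain Users) only, and the OU ACL should list only the grants made above.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
dsacls $ouDn | Select-String -SimpleMatch $groupName
```

Scoping every grant to computer objects in one OU keeps the HCP domain user from touching user, group or GPO objects if its credentials are ever exposed.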
© 2017 Hitachi Data Systems Corporation. All rights reserved.