The Citrix Blog
Rich Crusco
posted by Rich Crusco

Provisioning Server offers you the ability to maintain Active Directory machine account password synchronization for target devices. This ability is enabled on the Provisioning Server and is configured on a per virtual disk basis.
Private virtual disks do not need to maintain Active Directory machine account password synchronization, as they are read/write virtual disks and have the ability to retain changes and store them on the virtual disk.
Standard virtual disks do need to maintain Active Directory machine account password synchronization, as they are read only and do not have the ability to retain changes on the virtual disk.
There are some things to take into consideration when dealing with Provisioning Server and Active Directory Machine Account Password Synchronization for a successful implementation of this feature. The following are some guidelines and best practices to follow:

If the virtual disk image that is going to be created will be used by multiple target devices in Standard Image mode, it is best practice, before creating the virtual disk image, to run the Device Optimizer utility on the target device and apply the "Disable Machine Account Password Changes" setting. If the virtual disk image will only ever be used in Private Image mode and never in Standard Image mode, the "Disable Machine Account Password Changes" setting does not need to be applied.

When creating virtual disks that will ever be used as Standard virtual disks, it is best practice to never create a target device that will have the device name of an existing machine account in Active Directory that is, has been, or will ever be running off of local disks, if that target device is ever going to be provisioned from a Standard virtual disk.

When creating virtual disks, it is best practice to ensure that the Active Directory setting "Enable automatic password support" is configured on the Provisioning Servers.

When creating virtual disks, it is best practice to ensure that the "Enable Active Directory Machine Account Password Management" setting is configured on Standard virtual disks.

Also, it is best practice to use an Active Directory Organizational Unit to manage machine accounts for target devices that will be provisioned, and to set the Group Policy Object or Security Policy for that Organizational Unit to enable the "Disable Machine Account Password Changes" setting, which turns off Windows' automatic Active Directory machine account password renegotiation.

And lastly, it is best practice to compare the Group Policy Object or Security Policy "Maximum machine account password age" setting for that Organizational Unit against the Provisioning Server Active Directory "Enable automatic password support" setting. The number of days configured for "Enable automatic password support" on the Provisioning Server must be less than the "Maximum machine account password age" setting for that Organizational Unit, or you could end up in a scenario where the machine accounts are not able to log on to the domain due to this restriction being in place.
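As an added example (not part of the original post), the following PowerShell script checks the two policy settings above on a target device. It reads the Netlogon registry values that back the "Disable machine account password changes" and "Maximum machine account password age" security policy settings, and compares the latter with the Provisioning Server "Enable automatic password support" number of days, which you pass in as -PvsPasswordDays after reading it from the server's Active Directory settings (that value is assumed to be supplied by you, not read from the Provisioning Server automatically).

```powershell
# Added example, not from the original post. Run on a provisioned target device
# (or any machine in the same Organizational Unit) as an administrator:
#   .\Check-PvsAdPasswordSync.ps1 -PvsPasswordDays 7
param(
    [Parameter(Mandatory = $true)]
    [int]$PvsPasswordDays   # Provisioning Server "Enable automatic password support" days
)

# Registry location that holds the effective machine account password policy.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params = Get-ItemProperty -Path $netlogon

# DisablePasswordChange = 1 means Windows itself will not renegotiate the
# machine account password; this is what the post asks for on Standard vDisks.
$disableChange = if ($null -ne $params.DisablePasswordChange) { [int]$params.DisablePasswordChange } else { 0 }

# MaximumPasswordAge is in days; Windows uses 30 when the value is not set.
$maxAge = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }

$problems = @()
if ($disableChange -ne 1) {
    $problems += "DisablePasswordChange is $disableChange: Windows may change the machine account password on its own and desynchronize a Standard vDisk target."
}
if ($PvsPasswordDays -ge $maxAge) {
    $problems += "Provisioning Server password days ($PvsPasswordDays) is not less than MaximumPasswordAge ($maxAge): the account can expire before Provisioning Server rotates it."
}

if ($problems.Count -eq 0) {
    Write-Output "OK: DisablePasswordChange=$disableChange, MaximumPasswordAge=$maxAge days, Provisioning Server days=$PvsPasswordDays"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```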

If you should ever encounter a situation where the Active Directory machine account passwords are out of sync, Provisioning Server 4.x and below provides a command line utility for resetting machine accounts. In Provisioning Server 5.x this has been incorporated into the management console.

Following these best practices will help you keep synchronization between Active Directory machine accounts and provisioned target devices that are using a Standard virtual disk. When Provisioning Server is used with XenServer and XenDesktop, these best practices are also applicable, as those technologies are also used to deliver devices that may need Active Directory Machine Account Password Synchronization.

  1. Aug 26, 2008

    DAVE FINCH says:

    Rich,

    You seem to be saying that a vDisk that will be used to support Standard Image clients should never be joined to the domain.

    "When creating virtual disks that will ever be used as Standard virtual disks, it is best practice, to never create a target device that will have a device name of an existing machine account in Active Directory that is, has, or will ever be running off of local disks, and is ever going to be provisioned as a Standard Virtual Disk"

    When updating the vDisk, is it OK to join it to the domain and then remove it and delete the computer account from AD?

    Thanks,
    Dave Finch

    1. Aug 26, 2008

      Rich Crusco says:

      Hi Dave,

      I guess I'm going to have to re-word that one, OK so here goes.

      If you had a desktop/server that you wanted to image
      and it was currently on the domain as "myserver",

      I would have to create a target device on the Provisioning Server
      to associate it with the MAC address of the desktop/server I wanted to provision.
      The device name I choose when creating this target device on the Provisioning Server
      should "not" be the name that is currently being used by the desktop/server I want to image;
      it should be different. In this example it should not be "myserver";
      you would want to use a new name such as "newserver".
      You would also have to create a machine account for "newserver".

      If you didn't do that, and created the target device as "myserver",
      you could/would end up un-syncing with the domain.

      You really want to keep the names separated if you know you're going to be using a "shared disk".

      If you know you are "only" going to use this disk as a "private disk",
      then it won't matter.

      Thanks,
      Rich