To install RSCD agents in a Windows replicated domain controller environment, you set Domain Controller Security Policies on one domain controller and then install RSCD agents in the correct sequence on all domain controllers.
When installing on a domain controller, the RSCD installer creates a user named BladeLogicRSCDDC (as of 8.5.01.005) instead of the default BladeLogicRSCD. This avoids the possibility that member servers could cause a lockout of the domain-level BladeLogicRSCD account. This is a known issue with certain utilities that run through the RSCD agent: the utility first tries to authenticate to the domain with the credentials of the user that is running the utility, which in this case is the member server's BladeLogicRSCD account.
On non-domain controller machines, the password for the BladeLogicRSCD user or an alternate user is generated at run time. However, on a domain controller, the BladeLogicRSCD user or alternate user is assigned a password from a fixed set of passwords. Contact BMC Support for your default password. BMC recommends that you change the default password as per your company's password policies. For steps on changing the password, see Changing the BladeLogicRSCDDC account password on domain controllers.
If you want to create a single account for each domain controller (instead of the default single account for all domain controllers), or if you want to use an alternate account name that differs from the default BladeLogicRSCDDC, you can perform the procedure described in this topic.
During RSCD agent installation, you map a client user to a local user on the target server. Make sure that the local user to which you are mapping is a direct member of the Builtin\Administrators group and that you do not map to the BladeLogicRSCD account.
When creating an alternate user name for the RSCD agent, limit the length of the user name to a maximum of 20 characters. By design, the agent fails to create the account if you use more than 20 characters.
On a domain controller, perform the following steps to set Domain Controller Security Policies for the BladeLogicRSCD user account (or any other equivalent account that you use for running the agent in the domain):
In the details pane, double-click Deny logon locally.
Ensure that the Define these policy settings check box is selected, and then click Add User or Group.
Type the name of the account that you want to deny the ability to log on locally (BladeLogicRSCD or any other equivalent account that you use for running the agent in the domain). As an alternative, click Browse to locate the account with the Select Users, Computers, or Groups dialog box, and then click OK.
After you have the account name entered, click OK in the Add User or Group dialog box, and then click OK in the Deny Log on Locally Properties dialog box.
Repeat these steps for the Log on as a batch job user right.
If Domain Controller Security Policies are not set to defined, as described in step 1, the RSCD agent creates Local Security Policies instead. In this situation, you must manually set the Domain Controller Security Policies to continue.
If you use a unique account name per domain controller, each account name must be present in the above policies.
Install the RSCD agent on the PDC emulator.
If the RSCD agent is already installed and running on the target domain controller(s), stop the RSCD service (see Starting and stopping the RSCD agent).
On the PDC emulator in the domain, add (if this is a fresh installation) or modify (pre-existing installation) the registry value HKEY_LOCAL_MACHINE\SOFTWARE\BladeLogic\RSCD Agent\BladelogicRSCDUser. The registry value should be of type REG_SZ (string value), and be set to the desired account name.
agentctl utility to set the password on the new domain controller. For more information, see Changing the BladeLogicRSCDDC account password on domain controllers.
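The following PowerShell check is an added example, not BMC code. It verifies the constraints described above for an alternate account on a domain controller: the 20-character name limit, the BladelogicRSCDUser registry value, and the presence of the account in both user rights. It assumes an elevated session, a constructed sample account name (RSCDAgentDC01), and the standard Windows privilege constants for the two policies (SeDenyInteractiveLogonRight and SeBatchLogonRight).

```powershell
# Added example (not BMC code). Run elevated on the domain controller.
param([string]$AccountName = 'RSCDAgentDC01')   # constructed sample account name
$ErrorActionPreference = 'Stop'

# The agent fails to create the account if the name exceeds 20 characters.
if ($AccountName.Length -gt 20) {
    throw "'$AccountName' is $($AccountName.Length) characters; the limit is 20."
}

# Registry value from this page: must be REG_SZ and hold the account name.
$key = Get-Item -Path 'HKLM:\SOFTWARE\BladeLogic\RSCD Agent' -ErrorAction SilentlyContinue
$configured = if ($key) { $key.GetValue('BladelogicRSCDUser') }
if ($null -eq $configured) {
    Write-Warning 'BladelogicRSCDUser is not set.'
} elseif ($key.GetValueKind('BladelogicRSCDUser') -ne 'String' -or $configured -ne $AccountName) {
    Write-Warning "BladelogicRSCDUser is '$configured'; expected REG_SZ '$AccountName'."
}

# Exported rights list SIDs (prefixed with *) or names, so match on either.
$sid = $null
try {
    $nt  = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Account '$AccountName' does not resolve yet; matching by name only."
}

# Export the merged (domain + local) user rights assignments to a temporary file.
$inf = Join-Path $env:TEMP 'rscd-user-rights.inf'
secedit.exe /export /mergedpolicy /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE." }
$rights = Get-Content -Path $inf
Remove-Item -Path $inf

$expected = [ordered]@{
    'Deny log on locally'   = 'SeDenyInteractiveLogonRight'
    'Log on as a batch job' = 'SeBatchLogonRight'
}
foreach ($policy in $expected.Keys) {
    $line = $rights | Where-Object { $_ -match "^$($expected[$policy])\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {   # strip the * SID marker and any DOMAIN\ prefix from each entry
        $members = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { ($_.Trim().TrimStart('*') -split '\\')[-1] }
    }
    if ($members -contains $AccountName -or ($sid -and $members -contains $sid)) {
        "OK      $policy includes $AccountName"
    } else {
        "MISSING $policy does not include $AccountName"
    }
}
```

If you use a unique account name per domain controller, run the check once per account name, because each name must be present in both policies.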