Date: Thu, 28 Mar 2024 12:36:13 -0500 (CDT) Message-ID: <1931191431.27503.1711647373521@bmc1-rhel-confprod1.managed.contegix.com> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_27502_1408462883.1711647373520" ------=_Part_27502_1408462883.1711647373520 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
To install RSCD agents in a Windows replicated domain controller= environment, you set Domain Controller Security Policies on one domain con= troller and then install RSCD agents in the correct sequence on all domain = controllers. This topic contains the following sections:
The RSCD installer will create a user named BladeLogicRSCDDC (a= s of 8.5.01.005) instead of the default BladeLogicRSCD when instal= ling on a domain controller. This is to avoid the possibility that member s= ervers could cause a lockout of the Domain level BladeLogicRSCD account. Th= is is a known issue with certain utilities that run through the RSCD agent,= as the utility first tries to authenticate to the domain with the credenti= als of the user that is running the utility, which in this case is the memb= er server's BladeLogicRSCD account.
The password for the BladeLogicRSCD user or an alternate user of non-dom= ain controller machines is generated at run time. However in the case of a = domain controller, the BladeLogicRSCD user or alternate user is assigned a = password from a fixed set of passwords. Contact BMC Support for your defaul= t password. BMC recommends that you change the default password as per your= company's password policies. For steps on changing the password, see = Changing the BladeLogicRSCDDC account password o= n domain controllers.
If you want to create a single account for each domain controller (inste= ad of the default single account for all domain controllers), or if you wan= t to use an alternate account name that differs from the default B= ladeLogicRSCDDC, you can perform the procedure described in this topic= .
During RSCD agent installation, you map a client user to a local user on= the target server. Make sure that the local user to which you are mapping = is a direct member of the Builtin\Administrators group a= nd you do not map to the BladeLogicRSCD account.
When creating an alternate user name for the RSCD agent, limit the = length of the user name to a maximum of 20 characters. By design, the agent= fails to create the account if you use more than 20 characters.
On a domain controller, per= form the following steps to set Domain Controller Security Policies for the= BladeLogicRSCD user account (or any other equiv= alent account that you use for running the agent in the domain):
In the details pane, double-click Deny logon locally.
Ensure that the Define these policy settings&n= bsp;check box is selected, and then click Add User or Group.
Type the name of the account that you want to deny the ability to lo= g on locally (BladeLogicRSCD or any other equivalent account that you use f= or running the agent in the domain). As an alternative, click = Browse to locate the account with the Select Users, Computers= , or Groups dialog box, and then click OK.
After you have the account name entered, click OK in the Add User or Group dialog box, and then click O= K in the Deny Log on Locally Properties dialog box.
Repeat for User Right Log on as a batch job.
Note
If Domain Controller Security Policies are not set to defined, as descri= bed in step 1, the RSCD agent creates Local Security Policies inst= ead. In this situation, you must manually set the Domain Controller Securit= y Policies to continue.
If you use a unique account name per domain controller, each account= name must be present in the above policies.
Install the RSCD agent on the PDC emulator.
If the RSCD agent is already installed and runnin= g on the target Domain controller(s), stop the RSCD service (see Starting and stopping the RSCD agent).
On the PDC emulator in the domain, add (if this is a fresh installat=
ion) or modify (pre-existing installation) the registry value
Notes
agentctl
utility to set the password on the new=
domain controller. For more information, see Ch=
anging the BladeLogicRSCDDC account password on domain controllers.