what do you mean by 'enroll member services' -> how is this happening?
if you are adding a new server to bsa, the first communication will be via UPM - the AP communication is only triggered after we know it's windows. so you will need an initial mapping for the server registration into bsa. after that the AP will be used.
additionally - yes - as the docs note, the AP account needs to be granted 'logon as batch job' on the target.
If you are looking to register servers to the domain from the command-line using BSA, you won't be able to use an automation principal. The automation principal needs to be able to connect to the server (so the server needs to know the account and be on the domain for it to work). Your only option if you really want to do this, is to map to a local admin account on the server, and then pass the domain admin's username/password to the netdom command, which means it would need to be in clear-text somewhere...
it's for enrolling member servers - a non-dc server. As we are adding the service account to local admin account of the target server , why we need to add explicitly service account to "log on as a batch job" as administrators group is already added to "log on as a batch job".
Thanks Bill for the reply.
Because that’s how it works. administrators in not granted that right, and that’s the type of login that is used.
Did you check my answer? How can you use automation principals to register a member server if the server is not connected to the domain to authenticate the AP? Did I miss something?
yeah - i'm not clear what 'enroll' means here. but regardless of what it means:
-> enroll = add to bsa. you can't use the AP here because the AP is only triggered after we know it's windows. so the first contact must be done via upm. after that it can be all AP.
-> enroll = add to domain. what you said.
He means adding the server to the domain, so the action of registering the member server with the domain using a domain admin username/password and the netdom command (or other command-line method). That command requires the username to be passed as a commandline argument, and you can't run it "as" the domain admin user since it's not on the domain yet to authenticate it. That's why I said I don't think the AP will work here...
yeah, but he said "added the service account to the local administrators group" which makes no sense if it's not in the domain. but yeah - if it's not in the domain, you can't use the ap. so i dunno what he's trying to do
Hi Bill / Yanick,
Here enroll means that adding server to bsa.member servers are already added to domain.
I tried with AP to add the member servers in bsa using service account , but it was unsuccessful.
- Service account is added to "builtin-administrators" group in domain.
- Service account is added to local admin group on the target server.
I'm sorry, but what you're explaining or the way you're explaining it doesn't make sense to me. I really don't know what you're trying to do.
- What do you mean by "Service Account"?
- What do you mean by "unsuccessful" ? (what is the error?, what happened?)
- If you're trying to add a server in the BSA console, all you need is an account with a RBAC Role that has the authorizations to create servers. If that is what you're trying to do, and it's not working, then please provide the full error message and more details.
- If you are trying to INSTALL an agent on a new server using an Agent Installer job, and it's failing, then please provide the full log of the Agent Installer Job so we can tell which part didn't work.
- If it's none of the above, please clarify and give concrete details (logs, screenshots, error messages, etc...)
Let me try to explain here what I am trying to do:
- I have a domain service account which is present in "builtin Administrators" group and it is already used to add a DC server in to bsa server without AP.
- Can I use the same above domain service account to add a non-DC target server (present in the domain) with or without AP ? If yes, what configurations I need to perform on the target server
- Do I need to add the domain service account in "log on as a batch Job" on target server ?
- Any other configuration required ?
Hope, its clear now. Thanks.
Sorry, still not clear. I just don't understand what you mean by "add a DC server in to bsa server without AP". Please define what you mean by the action of adding a server to BSA by detailing the steps you take (click by click), and use the exact phrasing that you see in the console to avoid confusion.
- is the target server a domain member ?
- if the target server is not a domain member, i don't see how a 'domain service account' will do anything here
- are you trying to add the target server to a domain ?
- if so, i don't see how this is possible w/o a local account setup for the rscd connection so that we can connect and run the domain join
- are you trying to add the target server to bsa ?
- if so, then as mentioned, the first connection from bsa will happen as UPM to determine the OS, after that, then all communication can happen as the domain account/ AP.
- as the docs note, the AD account used in the AP must have the 'logon as batch job' right on each target server you intend to connect to w/ the AP.
"I have a domain service account which is present in "builtin Administrators" group and it is already used to add a DC server in to bsa server without AP."
-> that means you are using UPM on the domain controller.
"Can I use the same above domain service account to add a non-DC target server (present in the domain) with or without AP ?"
-> No. the first communication to the target will happen as UPM and look for a local mapping. after the server is determined to be windows the AP can be used.
- is the target server a domain member ?