You can't add a server without UPM because there is no way to determine whether the server is Windows and the AP would apply to it. After the server is added you can use chapw -d to remove the BladeLogicRSCD account.
Have you looked into changing the name of the UPM user on the DCs instead? We went down the route of trying to use APs only as well but it was going to be very cumbersome to maintain an AP for each domain. Renaming the user from 'BladelogicRSCD' to anything else for the domain controller agents seems to work well. This avoids the member servers trying to access the domain account.
I get the feeling we need to re-evaluate the solution here again, as indeed it is very painful.
So you just rename the BladeLogicRSCD account and map it to "Administrator"?
There is a registry key you add on the DCs that changes the default name of the UPM account the agent attempts to create. So when the agent starts up for the first time after you modify the registry key instead of checking for a user named 'BladelogicRSCD' and creating the user if it does not already exist, it does the same process for whatever name you provide in the regkey. Afterwards, any UPM on the agent makes use of the account name you provided in the registry key instead of 'BladelogicRSCD'.
So you want to add a new DC with the RSCD on it? In that case you can't avoid having the BladeLogicRSCD account created in the domain, but assuming the other DCs have already been set to not use UPM (chapw -d), then you can delete that account after you get the new DC added into BSA.
This problem came up because I wanted to add a DC to our BL-DEV environment in order to test the issue with the Automation Principal not working from Linux app servers.
Normally, this problem does not happen.
But I found a little workaround for this.
I used another (existing) Windows server in DEV and renamed it to the server that I wanted to add.
This way BL "knew" it needed to talk to Windows and used the configured AP straight away.