Active Directory Integration HP ThinPro - Technical white paper

You cannot perform a domain join using only a profile.
A domain join requires a real domain credential to complete the join. Because this credential is not stored in a profile, a
domain join cannot be completed using a profile alone. If a device that is not associated with a domain receives a profile
that requests a domain join (that is, root/domain/domain is not empty and root/domain/domainJoined is
set to 1), the device is treated as if only an association with the domain was requested. The keys relevant to domain join
support (domainJoined, OU, ddns) are returned to their values from before the profile was applied.
Similarly, a domain unjoin cannot be performed using only a profile. In that situation, all root/domain registry keys are
returned to their values from before the profile was applied.
Domain authentication can be enabled (or disabled) using a profile.
To enable authentication against a domain database using a profile, the root/domain/domain key must point to the
correct, long-form domain. The root/domain/workgroup key value is retrieved from the domain controller,
although the value can be supplied manually if necessary.
To disable authentication against a domain database, use a profile where the root/domain/domain key is an empty
string.
Certain keys cannot be changed or can be changed only in certain conditions using a profile.
There are three keys that can never be changed via profile:
root/domain/domainJoined
root/domain/OU
root/domain/ddns
Then, there are three keys that can only be changed via profile when enabling or disabling authentication against a
domain database:
root/domain/domain
root/domain/workgroup
root/domain/domainControllers
All other registry keys can be changed in any situation.
Scripting domain operations using HPDM
Active Directory Manager provides a user interface to execute command-line functions to add or remove domains.
Administrators can also script domain operations using HPDM or other tools that permit arbitrary command execution. This
is a more advanced configuration method.
Enabling domain authentication
1. Make all registry key changes. At a minimum, you must set a custom value for root/domain/domain.
2. Enter the following command, where <my.domain.com> represents the domain value:
domain-add-remove --associate --domain=<my.domain.com>
3. After the command is completed successfully, reboot the device.
Establishing a domain join
1. Make all registry key changes. At a minimum, you must set a custom value for root/domain/domain.
2. Enter the following command, where <my.domain.com>, <myuser>, and <password> represent the domain value,
your username, and your password, respectively:
echo <password> | domain-add-remove --add --domain=<my.domain.com> --username=<myuser>
3. After the command is completed successfully, set root/domain/domainJoined to 1.
4. Reboot the device.
For more information on how to use commands to add or remove domains, open an X terminal and execute the
domain-add-remove --help command.
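The domain join procedure above, written as a script that could be pushed through HPDM or another remote-execution tool. This is an added example, not HP's code: it feeds the password from a file readable only by its owner instead of placing it in the command text, and it sets root/domain/domainJoined only when the join command succeeds. The mclient registry command and the password-file path are assumptions that do not come from this white paper.

```shell
#!/bin/sh
# Added example: scripted domain join for a ThinPro device.
# Assumptions (not from the white paper): "mclient" is the registry CLI,
# and the password sits in a file created by the administrator.

DOMAIN_TOOL="${DOMAIN_TOOL:-domain-add-remove}"  # command named in the white paper
REG_TOOL="${REG_TOOL:-mclient}"                  # assumed registry CLI

# reg_set <key> <value>: write one registry key and commit the change.
reg_set() {
    "$REG_TOOL" --quiet set "$1" "$2" && "$REG_TOOL" commit
}

# join_domain <domain> <user> <password-file>
# Returns: 0 joined, 2 bad arguments, 3 password file too permissive,
#          4 join command failed, 5 registry write failed.
join_domain() {
    domain=$1
    user=$2
    pwfile=$3
    [ -n "$domain" ] && [ -n "$user" ] && [ -r "$pwfile" ] || return 2

    # Refuse a password file that group or others can access (want 600 or 400).
    perms=$(stat -c %a "$pwfile") || return 3
    case "$perms" in
        *00) ;;
        *) return 3 ;;
    esac

    # Step 1: registry changes. root/domain/domain is the required minimum.
    reg_set root/domain/domain "$domain" || return 5

    # Step 2: the file holds the password plus a newline, as echo would emit.
    # Redirecting it to stdin keeps the secret out of the script text and argv.
    "$DOMAIN_TOOL" --add --domain="$domain" --username="$user" < "$pwfile" || return 4

    # Step 3: mark the device as joined only after the join succeeded.
    reg_set root/domain/domainJoined 1 || return 5

    # Step 4 (reboot) is left to the caller so a failure can be inspected first.
    return 0
}

# Usage (hypothetical path): join_domain my.domain.com myuser /root/.join-pw && reboot
```

Delete the password file once the join has completed so the credential does not remain on the device.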