
Join a domain and add users

Nov 27, 2012

Before you can assign a user or group account an RBAC role, you must add the account to XenServer through RBAC. This requires two tasks:

  1. Join the pool or server to the domain. The domain can be either the domain to which the user or group belongs, or a domain that is in the same Active Directory forest or that has a trust relationship with the user's domain.
  2. Add the user's Active Directory account or group to XenServer.

After adding the user's Active Directory account or group to XenServer, in both the free XenServer product and in XenServer Advanced, the user is automatically assigned a fixed role of Pool Admin. In XenServer Enterprise and higher, you must assign a role to the user or group manually.

To change domains, leave the current domain and then join the new domain.

To join the XenServer or pool to a domain

  1. In the Resources Pane, select the pool or server for which you want to grant somebody permissions.
  2. Click the Users tab.
  3. Click Join Domain.
  4. Enter Active Directory credentials with sufficient privileges to add servers to the domain you want to join. The domain to be joined must be specified as a fully qualified domain name (FQDN) rather than a NetBIOS name. For example, enter your_domain.net instead of your_domain.

To add an Active Directory user or group to a pool

  1. After joining the user's domain, in the Users tab, click Add.
  2. In the Add Users dialog box, enter one or more user or group names. Separate multiple names with commas. To specify a user in a different, trusted domain (other than the one currently joined), supply the domain name with the user name (for example, other_domain\jsmith) or enter a fully qualified domain name (FQDN) (for example, jsmith@other_domain.com).
  3. Click Grant Access.
  4. In XenServer Enterprise and higher, follow the steps in "Assign roles to users and groups" to assign the account a role and give it access.
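
The name forms accepted in the Join Domain and Add Users steps above can be checked before they are typed in. The following is an added example, not part of the original documentation or of XenServer: it splits a comma-separated Add Users entry, classifies each name, and flags names that point at a domain other than the joined one. The function names, the label rule and the NetBIOS comparison are assumptions made for illustration.

```python
import re

# Assumption: labels may contain letters, digits, hyphens and underscores, so
# the page's placeholder "your_domain.net" passes.
_LABEL = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def is_fqdn(domain):
    """True for two or more well-formed, dot-separated labels."""
    labels = domain.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_add_users(field, joined_domain):
    """Classify each comma-separated name; return (entries, errors)."""
    if not is_fqdn(joined_domain):
        raise ValueError(f"not an FQDN (NetBIOS name?): {joined_domain!r}")
    # Assumption: the joined domain's NetBIOS name equals its first label.
    local = {joined_domain.lower(), joined_domain.split(".")[0].lower()}
    entries, errors = [], []
    for raw in field.split(","):
        name = raw.strip()
        if "\\" in name and "@" in name:
            errors.append(f"mixed forms: {name!r}")
            continue
        if "\\" in name:
            domain, _, user = name.partition("\\")
            form = "domain\\user"
        elif "@" in name:
            user, _, domain = name.rpartition("@")
            form = "user@domain"
        else:
            user, domain, form = name, joined_domain, "bare"
        if not user or not domain:
            errors.append(f"missing user or domain: {name!r}")
            continue
        if form == "user@domain" and not is_fqdn(domain):
            errors.append(f"domain after @ is not an FQDN: {name!r}")
            continue
        entries.append({"name": name, "form": form, "user": user,
                        "domain": domain,
                        "other_domain": domain.lower() not in local})
    return entries, errors


if __name__ == "__main__":
    # Constructed input using the page's placeholder names.
    sample = r"jsmith, other_domain\jsmith, jsmith@other_domain.com, jdoe@other_domain, "
    for entry in parse_add_users(sample, "your_domain.net")[0]:
        print(entry)
```

Entries marked `other_domain` rely on the same-forest or trust relationship described at the top of this page.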

To leave the domain

Note: When you leave the domain (that is, disable Active Directory authentication and disconnect a pool or server from its domain), any users who authenticated to the pool or server with Active Directory credentials are disconnected.
  1. In the Resources Pane, select the pool or server that you want to disconnect from its Active Directory domain.
  2. Click Leave Domain and select Yes to continue.
  3. Enter Active Directory credentials with sufficient privileges to disable servers in the domain you want to leave.
  4. Decide whether to disable the computer accounts in the Active Directory server, and then click one of the following:
    • Disable. Removes the pool or server from the domain and disables the computer account for the server or pool master in the Active Directory database.
    • Ignore. Select this option if you did not enter a user name and password, or if you do not know an account with sufficient privileges to remove the server or pool master's computer account from the Active Directory database. (This option removes the pool or server from the domain, but leaves the computer account for the server or pool master in Active Directory.)