The following tasks are normally performed in the Active Directory Users and Computers Management Console. However, these actions must now be performed using the Provisioning Server in order to take full advantage of product features.
- Supporting Cross-Forest Scenarios
- Giving Users from Another Domain Provisioning Services Administrator Privileges
- Adding Target Devices to a Domain
- Removing Target Devices From a Domain
- Reset Computer Accounts
Supporting Cross-Forest Scenarios
To support cross-forest scenarios:
- Ensure that DNS is properly set up. (Refer to Microsoft's web site for information on how to prepare DNS for a forest trust.)
- Raise the forest functional level of both forests to Windows Server 2003.
- Create the forest trust. For Provisioning Services and the user from the Provisioning Services domain to create an account in a domain from another forest, create an inbound trust from the external forest to the forest that Provisioning Services is in.
Parent-child domain scenario
In a common cross-domain configuration, the Provisioning Server is in a parent domain, and users from one or more child domains want to administer Provisioning Services and manage Active Directory accounts within their own domains.
To implement this configuration:
- Create a security group in the child domain. (It can be a Universal, Global, or Domain Local group.) Make a user from the child domain a member of this group.
- From the Provisioning Services Console in the parent domain, make the child domain security group a Provisioning Services Administrator.
- If the child domain user does not have Active Directory privileges, use the Delegation Wizard in the Active Directory Users & Computers Management Console to give the user the rights to create and delete computer accounts in the specified OU.
- Install the Provisioning Services Console in the child domain. No configuration is necessary. Log into the Provisioning Server as the child domain user.
Cross-forest scenario
This configuration is similar to the cross-domain scenario, except that the Provisioning Services Console, user, and Provisioning Services administrator group are in a domain that is in a separate forest. The steps are the same as for the parent-child scenario, except that a forest trust must first be established.
Note: Microsoft recommends that administrators do not delegate rights to the default Computers container. The best practice is to create new accounts in the OUs.
Giving Users from Another Domain Provisioning Services Administrator Privileges
There are several methods for giving Provisioning Services Administrator privileges to users who belong to a different domain. However, the following method is recommended:
- Add the user to a Universal Group in their own domain (not the Provisioning Services domain).
- Add that Universal Group to a Domain Local Group in the Provisioning Services domain.
- Make that Domain Local Group a Provisioning Services Administrator.
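The following PowerShell script is an added example (not part of the Citrix documentation) that scripts the recommended group nesting above together with the OU delegation from the parent-child scenario. It assumes the ActiveDirectory RSAT module, an account allowed to create groups in both domains, and the placeholder domain, DC, OU, group, and user names shown; the Console step of making the Domain Local group a Provisioning Services Administrator is still done in the Console.

```powershell
# Added example, not Citrix code. All names below are placeholders.
Import-Module ActiveDirectory

$UserDomainDC = 'dc1.child.example.com'              # DC in the user's (child) domain
$PvsDomainDC  = 'dc1.example.com'                    # DC in the Provisioning Services domain
$UserOU       = 'OU=PVS,DC=child,DC=example,DC=com'  # OU that will hold target device accounts
$PvsOU        = 'OU=Groups,DC=example,DC=com'

# 1. Universal group in the user's own domain, containing the delegated admin.
New-ADGroup -Name 'PVS-Admins-Child' -GroupScope Universal -GroupCategory Security `
    -Path $UserOU -Server $UserDomainDC
Add-ADGroupMember -Identity 'PVS-Admins-Child' -Members 'pvsadmin' -Server $UserDomainDC

# 2. Domain Local group in the Provisioning Services domain.
New-ADGroup -Name 'PVS-Admins' -GroupScope DomainLocal -GroupCategory Security `
    -Path $PvsOU -Server $PvsDomainDC

# 3. Nest the Universal group in the Domain Local group. The member lives in
#    another domain, so add it by distinguished name against the PVS-domain DC;
#    a bare sAMAccountName would not resolve on that DC.
$Universal = Get-ADGroup -Identity 'PVS-Admins-Child' -Server $UserDomainDC
Set-ADGroup -Identity 'PVS-Admins' -Server $PvsDomainDC `
    -Add @{ member = $Universal.DistinguishedName }

# 4. Least privilege for the child-domain group: only create and delete
#    computer objects (CC/DC) in the device OU, inherited to sub-OUs (/I:T),
#    rather than rights on the default Computers container.
dsacls $UserOU /I:T /G "CHILD\PVS-Admins-Child:CCDC;computer"

# 5. Verify the nesting and the resulting ACE before granting the group
#    Provisioning Services Administrator rights in the Console.
Get-ADGroupMember -Identity 'PVS-Admins' -Server $PvsDomainDC |
    Select-Object name, objectClass, distinguishedName
dsacls $UserOU | Select-String 'PVS-Admins-Child'
```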
Reset Computer Accounts
Note: An Active Directory machine account can only be reset when the target device is inactive.
To reset computer accounts for target devices in an Active Directory domain:
- Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to select all target devices in this collection), then select Active Directory Management, then select Reset machine account. The Active Directory Management dialog appears.
- In the Target Device table, highlight those target devices that should be reset, then click the Reset devices button.
Note: This target device should have been added to your domain while preparing the first target device.
- Click Close to exit the dialog.
- Disable Windows Active Directory automatic password re-negotiation. To do this, on your domain controller, enable the following group policy: Domain member: Disable machine account password changes.
Note: To make this security policy change, you must be logged on with sufficient permissions to add and change computer accounts in Active Directory. You have the option of disabling machine account password changes at the domain level or local level. If you disable machine account password changes at the domain level, the change applies to all members of the domain. If you change it at the local level (by changing the local security policy on a target device connected to the vDisk in Private Image mode), the change applies only to the target devices using that vDisk.
- Boot each target device.