7.1 Managing Active Directory Domains

You can add new managed domains and computers through the Delegation and Configuration client after you install the Administration server. You can also add subtrees and trusted domains, and configure domain and Exchange access accounts for them. To add managed domains and computers, you must have the appropriate powers, such as those included in the built-in Configure Servers and Domains role.

NOTE: After you finish adding managed domains, ensure that the accounts cache refresh schedules for these domains are correct.

To add managed domains and computers:

  1. Navigate to Configuration Management > New Managed Domain.

  2. Specify the name of the domain or computer you want to manage, and then click Next.

  3. On the Access account tab, specify the account credentials you want DRA to use to access this domain or computer. By default, DRA uses the Administration server service account.

  4. Review the summary, and then click Finish.

  5. To begin managing objects from this domain or computer, refresh the domain configuration.

7.1.1 Specifying Domain Access Accounts

For each managed domain or subtree, you can specify an account to use instead of the Administration server service account to access that domain. This alternative account is called an access account. To configure an access account, you must have the appropriate powers, such as those included in the built-in Configure Servers and Domains role.

To specify an access account for a member server, you must have permission to manage the domain in which the domain member exists. You can only manage domain members if they exist in a managed domain that you can access through the Administration server.

To specify an access account:

  1. Navigate to Configuration Management > Managed Domains node.

  2. Right-click the domain or subtree for which you want to specify an access account, and click Properties.

  3. On the Domain access account tab, click Use the following account to access this domain.

  4. Specify and confirm the credentials for this account, and click OK.

For information on configuring this least privileged account, see Least Privilege DRA Access Accounts.

7.1.2 Specifying Exchange Access Accounts

For each domain in DRA, you can manage Exchange objects using the DRA domain access account or a separate Exchange access account. To configure an Exchange access account, you must have the appropriate powers, such as those included in the built-in Configure Servers and Domains role.

IMPORTANT: Microsoft Server limits the number of concurrent users connected to the WinRM/WinRS session to five and the number of shells per user to five, so ensure that the same Exchange access account is limited to five shells across the DRA secondary servers.
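The following PowerShell check is an added example, not part of the DRA documentation: run it on an Exchange server that the DRA secondary servers connect to, and it reads that host's WinRM shell quotas and counts the remote shells each account currently holds, so you can see how close the shared Exchange access account is to the per-user limit. The account name is a placeholder, and the script assumes an elevated session on the Exchange server.

```powershell
# Added example (not DRA product code): compare WinRM shell quotas on this host with
# the shells currently held by the Exchange access account shared by DRA secondaries.
param(
    # Placeholder: replace with the Exchange access account configured in DRA.
    [string]$AccessAccount = 'CONTOSO\svc-dra-exchange'
)

# Quotas configured on this host (WSMan provider, requires an elevated session).
$maxUsers  = [int](Get-Item 'WSMan:\localhost\Shell\MaxConcurrentUsers').Value
$maxShells = [int](Get-Item 'WSMan:\localhost\Shell\MaxShellsPerUser').Value

# Enumerate active remote shells on this host and group them by owning account.
$shellUri = 'http://schemas.microsoft.com/wbem/wsman/1/windows/shell'
$shells   = @(Get-WSManInstance -ResourceURI $shellUri -Enumerate)
$byOwner  = $shells | Group-Object -Property Owner

"WinRM quotas on ${env:COMPUTERNAME}: MaxConcurrentUsers=$maxUsers MaxShellsPerUser=$maxShells"
"Distinct users with open shells: $($byOwner.Count) of $maxUsers"

foreach ($g in $byOwner) {
    # An account at MaxShellsPerUser cannot open another session until one is closed.
    $state = if ($g.Count -ge $maxShells) { 'AT LIMIT' } else { 'ok' }
    '{0,-40} {1,2} shells  {2}' -f $g.Name, $g.Count, $state
}

# The account shared by all DRA secondary servers is the one to watch: once it holds
# MaxShellsPerUser shells here, the next DRA Exchange operation fails to get a session.
$svc  = $byOwner | Where-Object { $_.Name -eq $AccessAccount }
$used = if ($svc) { $svc.Count } else { 0 }
"$AccessAccount holds $used of $maxShells shells on this server"
```

Run it while DRA is performing Exchange operations; a count that repeatedly sits at the limit is the symptom the note above describes and means the access account is shared by too many secondary servers.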

To specify an Exchange access account:

  1. Navigate to Configuration Management > Managed Domains node.

  2. Right-click the domain or subtree for which you want to specify an access account, and click Properties.

  3. On the Exchange access account tab, click Use the following account to access all Exchange servers.

  4. Specify and confirm the credentials for this account, and click OK.

For information on configuring this least privileged account, see Least Privilege DRA Access Accounts.

7.1.3 Adding a Managed Subtree

You can add managed and missing subtrees from specific Microsoft Windows domains after you install the Administration server. To add a managed subtree, you must have the appropriate powers, such as those included in the built-in Configure Servers and Domains role.

For information about supported versions of Microsoft Windows, see DRA Administration Server Requirements.

By managing a subtree of a Windows domain, you can use DRA to secure a department or division within a larger corporate domain.

For example, you can specify the Houston subtree in the SOUTHWEST domain, allowing DRA to securely manage only those objects contained in the Houston OU and its child OUs. This flexibility allows you to manage one or more subtrees without requiring administrative permissions for the entire domain.

NOTE:

  • To ensure the specified account has permissions to manage this subtree and perform incremental accounts cache refreshes, use the Deleted Objects Utility to verify and delegate the appropriate permissions.

  • After you finish adding managed subtrees, ensure that the accounts cache refresh schedules for the corresponding domains are correct.

To add a managed subtree:

  1. Navigate to Configuration Management > New Managed Domain.

  2. On the Domain or server tab, click Manage a domain, and specify the domain of the subtree you want to manage.

  3. Specify the domain of the subtree you want to manage.

  4. Select Manage a subtree of this domain, and then click Next.

  5. On the Subtrees tab, click Add to specify the subtree you want to manage. You can specify more than one subtree.

  6. On the Access account tab, specify the account credentials you want DRA to use to access this subtree. By default, DRA uses the Administration server service account.

  7. Review the summary, and then click Finish.

  8. To begin managing objects from this subtree, refresh the domain configuration.

7.1.4 Adding a Trusted Domain

Trusted domains enable user authentication on managed systems throughout your managed environment. Once you add a trusted domain, you can specify domain and Exchange access accounts, schedule cache refreshes, and take other actions in the domain’s properties, the same as a managed domain.

To add a trusted domain:

  1. In the Configuration Management > Managed Domains node, select the managed domain that has an associated trusted domain.

  2. Click Trusted domains in the Details pane. The Details pane must be toggled on in the View menu.

  3. Right-click the trusted domain, and select Properties.

  4. Uncheck Ignore this trusted domain, and apply your changes.

NOTE: Adding a trusted domain initiates a full accounts cache refresh; you are notified of this with a confirmation prompt when you click Apply.