azure-local/deploy/deployment-prep-active-directory.md
Lines changed: 8 additions & 7 deletions
@@ -3,7 +3,7 @@ title: Prepare Active Directory for Azure Local, version 23H2 deployment
3
3
description: Learn how to prepare Active Directory before you deploy Azure Local, version 23H2.
4
4
author: alkohli
5
5
ms.topic: how-to
6
-
ms.date: 02/20/2025
6
+
ms.date: 03/03/2025
7
7
ms.author: alkohli
8
8
ms.reviewer: alkohli
9
9
ms.service: azure-local
@@ -88,7 +88,7 @@ To create a dedicated OU, follow these steps:
88
88
89
89
1. Verify that the OU is created. If using a Windows Server client, go to **Server Manager > Tools > Active Directory Users and Computers**.
90
90
91
-
1. An OU with the specified name is created. This OU contains the new LCM deployment user account.
91
+
1. An OU with the specified name is created. This OU contains the new Lifecycle Manager (LCM) deployment user account.
92
92
93
93
:::image type="content" source="media/deployment-prep-active-directory/active-directory-11.png" alt-text="Screenshot of Active Directory Computers and Users window." lightbox="media/deployment-prep-active-directory/active-directory-11.png":::
94
94
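Review bot: Expanding the acronym here (line 91, "Lifecycle Manager (LCM) deployment user account") only makes sense if this is the first use in the file; the third hunk removes the expansion that line 100 previously carried ("The Lifecycle Manager (LCM) user account"), so the document now depends on this single expansion. Confirm that no earlier line already expands it; if one does, this change is redundant and the expansion in the large-scale section should be kept instead. While touching this step, the unchanged alt-text on line 93 reads "Active Directory Computers and Users", whereas step 89 names the snap-in "Active Directory Users and Computers"; the alt-text should match the snap-in name.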
@@ -97,18 +97,19 @@ To create a dedicated OU, follow these steps:
97
97
98
98
## Considerations for large scale deployments
99
99
100
-
The Lifecycle Manager (LCM) user account is utilized during Azure Local instance deployments that use Active Directory (AD), or for any add-node/repair operations for existing instances. The LCM user account is responsible for performing domain join actions, which necessitates the LCM user identity having delegated permissions to add computer accounts to the target Organizational Unit (OU) in the on-premises domain. During the deployment of Azure Local, the LCM user account is added to the local administrators' group of the physical machines.
100
+
The LCM user account is used during servicing operations, such as applying updates via PowerShell. This account is also used when performing domain join actions against your AD, such as [repairing a node](../manage/repair-server.md) or [adding a node](../manage/add-server.md). This requires the LCM user identity having delegated permissions to add computer accounts to the target OU in the on-premises domain.
101
101
102
-
To mitigate the risk of a compromised LCM user account credential, we advise that for each Azure Local instance, you have a dedicated LCM user account with a unique password.
102
+
During the cloud deployment of Azure Local, the LCM user account is added to the local administrators group of the physical nodes. To mitigate the risk of a compromised LCM user account, **we recommend having a dedicated LCM user account with a unique password for each Azure Local instance.** This recommendation limits the scope and impact of a compromised LCM account to a single instance.
103
103
104
-
We recommend that you follow these best practices for OU creation:
104
+
We recommend that you follow these best practices for OU creation. These recommendations are automated when you use the `New-HciAdObjectsPreCreation` cmdlet to [Prepare Active Directory](#active-directory-preparation-module).
105
105
106
106
- For each Azure Local instance, create an individual OU within Active Directory. This approach helps manage computer account, CNO, LCM user account, and physical machine computer accounts within the scope of a single OU for each instance.
107
107
- When deploying multiple instances at-scale, for easier management:
108
108
- Create an OU under a single parent OU for each instance.
109
-
- Disable GPO inheritance at the parent OU level.
109
+
- Enable the **Block Inheritance** option at both the parent OU and sub OU levels.
110
+
- To apply a GPO to all Azure Local instances, such as for nesting a domain group in the local administrators group, link the GPO to the parent OU and enable the **Enforced** option. By doing this, you apply the configuration to all sub OUs, even with **Block Inheritance** enabled.
110
111
111
-
The preceding recommendationsare automated, when you use the `New-HciAdObjectsPreCreation` cmdlet to [Prepare Active Directory](#active-directory-preparation-module).
112
+
If your organization's processes and procedures require deviations from these recommendations, they are allowed. However, it's important to consider the security and manageability implications of your design taking these factors into consideration.
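Review bot: Line 104 now states that "These recommendations are automated" by `New-HciAdObjectsPreCreation` before a list that includes enabling **Block Inheritance** at two OU levels and linking an **Enforced** GPO to the parent OU; the removed line 111 made the same claim, but the move puts it in front of the GPO steps, so either verify that the cmdlet really performs the inheritance and GPO-link changes or scope the sentence to what it does, for example "The OU structure described here is created for you when you use the `New-HciAdObjectsPreCreation` cmdlet". The new bullet on line 109 also deserves a caveat: **Block Inheritance** at the parent and sub OU stops every non-enforced GPO linked above those OUs, not only the ones you want to exclude, so any domain-level security baseline the nodes are expected to receive must itself be **Enforced** or linked directly at the parent OU, otherwise the nodes silently lose it; line 110 mentions **Enforced** only for the local administrators nesting case. Two wording fixes: line 100 "This requires the LCM user identity having delegated permissions" should read "This requires that the LCM user identity has delegated permissions", and line 112 "consider the security and manageability implications of your design taking these factors into consideration" is redundant; suggest "However, consider the security and manageability implications of that design."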