Hi @SteveMT09,

There are no official steps to do this as generally Commvault is not reliant on a windows domain to function. However, as noted - there are caveats you may need to keep in mind, but its all going to depend on how your environment is configured. Honestly there is very little to go wrong - but here are the obvious ones:

1. Are you using SSO to login to the Commvault UI? If so you should migrate those account to local commcell users
2. Are your clients using a FQDN to communicate? will those FQDN names still be resolvable after removal from the domain?
3. Are you sharing local mount paths via UNC/SMB on your media agent to other MA’s? if so, make sure its using a local account rather than domain account

Hi Damian… 

Is this really needed? Using an AD as an authentication provider doesn’t require the CS itself to be joined to an AD does it?  

Kind regards

Rubeck

No, this is not required. Our shared environment doesn't run stand-alone, but leverages a dedicated AD domain because we rely on clustering which requires an AD. However for stand-alone/smaller environments we always try to isolate it as much as possible. So or a dedicated domain or a standalone CommCell, but in both cases we use dual factor authentication. Customers use SAML/OKTA and platform admins use an specific personalized AD account for administration purposes and leverage Commvault 2FA. Access as admin requires the use of a steppingstone. 

Thank you for verifying, Onno….  Was afraid I might have missed something.  Anyway, what you write makes perfectly sense… 

Have a great day.. 

/Rubeck

How did this go please?

I have new media agent hardware and this is an ideal opportunity to do this in our environment.

We’re not using SSO or AD integration on the Commcell so I don’t believe there are any domain dependences there.

The FQDNs would be handled by DNS so even though it isn’t domain joined commcell.domain.com could ping ma.domain.com and client.domain.com and vice versa.

Hi guys, 

I have a few customers that has removed both CS and MA’s from AD. Some has done Name Change to use shortname instead of fqdn and some has continued with the fqdn name in DNS. This was a few minutes work and all communication worked afterwards. 

I think I have seen this as a recommendation somewhere as a step to isolate the backup system, but I cannot find it anymore. I guess the main reason to do this would be that the system should be harder to find in the domain and through Active Directory. 

If you still want to use AD accounts you still need to make sure the permissions are set correctly of course.  Instead of using AD Groups I usually use Commvault Local User Groups and associate the AD user accounts to these. In that way a Domain Admin cannot put users (deliberately or by accident) in a CV-Admin AD group to gain high credentials in Commvault.  

@SteveMT09 And don’t forget: The DC is the NTP server for it’s members. If CS and MAs aren’t domain members any longer you have to configure a NTP service manually.