Solved

Remove Commserve and MediaAgent from Windows Domain. Has anyone actually done this?

  • 17 October 2022

We are needing to remove Commserve and MediaAgents from the Windows Domain.

I found the below post in the community. I was wondering if anyone had actually done it and what your experience was. I cannot find any more documentation than just this one post. Does anyone have more detailed step-by-step instructions and any pitfalls to look out for? What was your experience like?

Remove Commserve and MediaAgent from Windows Domain

Hi,

I have a customer who wants to remove his Commserve and MediaAgent from the existing Windows domain. 

Is it enough to do the steps in this Documentation Article?

Changing the CommServe Computer Name (commvault.com)

The hostname itself should be the same as before but without being in Active Directory, and the DNS entries should be untouched.

Kind Regards

Florian

Best answer by JBuratti

Hi @flokaiser,

There should be no major issues when removing the Commserve from the domain. You do need to follow some specific steps though, and you already seem to know them, as the link you referenced is what needs to be performed. As it is likely that most of your clients are communicating with the Commserve via FQDN, once it is removed from the domain, the FQDN the clients are trying to reach will no longer be valid. You would need to perform a name change operation to update the clients, as in the link you referenced.

Let us know if you have any additional follow-up questions.

Regards,

Joe

Best answer by Onno van den Berg 18 October 2022, 11:00

7 replies

Userlevel 7
Badge +23

Hi @SteveMT09,

There are no official steps to do this, as generally Commvault is not reliant on a Windows domain to function. However, as noted, there are caveats you may need to keep in mind, but it's all going to depend on how your environment is configured. Honestly there is very little to go wrong, but here are the obvious ones:

  1. Are you using SSO to log in to the Commvault UI? If so, you should migrate those accounts to local CommCell users.
  2. Are your clients using an FQDN to communicate? Will those FQDN names still be resolvable after removal from the domain?
  3. Are you sharing local mount paths via UNC/SMB on your MediaAgent to other MAs? If so, make sure it's using a local account rather than a domain account.
Userlevel 3
Badge +10

  1. Are you using SSO to log in to the Commvault UI? If so, you should migrate those accounts to local CommCell users.

Hi Damian… 

Is this really needed? Using an AD as an authentication provider doesn't require the CS itself to be joined to an AD, does it?

Kind regards

Rubeck

Userlevel 7
Badge +19

  1. Are you using SSO to log in to the Commvault UI? If so, you should migrate those accounts to local CommCell users.

Hi Damian… 

Is this really needed? Using an AD as an authentication provider doesn't require the CS itself to be joined to an AD, does it?

Kind regards

Rubeck

No, this is not required. Our shared environment doesn't run stand-alone, but leverages a dedicated AD domain because we rely on clustering, which requires an AD. However, for stand-alone/smaller environments we always try to isolate it as much as possible. So either a dedicated domain or a standalone CommCell, but in both cases we use dual-factor authentication. Customers use SAML/OKTA and platform admins use a specific personalized AD account for administration purposes and leverage Commvault 2FA. Access as admin requires the use of a stepping stone.

Userlevel 3
Badge +10

Thank you for verifying, Onno. Was afraid I might have missed something. Anyway, what you write makes perfect sense.

Have a great day.. 

/Rubeck

Userlevel 1
Badge +5

How did this go please?

I have new media agent hardware and this is an ideal opportunity to do this in our environment.

We're not using SSO or AD integration on the CommCell, so I don't believe there are any domain dependencies there.

The FQDNs would be handled by DNS, so even though it isn't domain joined, commcell.domain.com could ping ma.domain.com and client.domain.com and vice versa.

Userlevel 3
Badge +8

Hi guys, 

I have a few customers that have removed both CS and MAs from AD. Some have done a Name Change to use the short name instead of the FQDN and some have continued with the FQDN name in DNS. This was a few minutes of work and all communication worked afterwards.

I think I have seen this as a recommendation somewhere as a step to isolate the backup system, but I cannot find it anymore. I guess the main reason to do this would be that the system should be harder to find in the domain and through Active Directory. 

If you still want to use AD accounts, you still need to make sure the permissions are set correctly, of course. Instead of using AD groups I usually use Commvault local user groups and associate the AD user accounts to these. That way a Domain Admin cannot put users (deliberately or by accident) in a CV-Admin AD group to gain high privileges in Commvault.

Userlevel 1
Badge +5

@SteveMT09 And don't forget: the DC is the NTP server for its members. If CS and MAs aren't domain members any longer, you have to configure an NTP service manually.
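The FQDN, shared-mount-path and NTP caveats raised in the replies above can be checked on the CS/MA host before it is unjoined. The following PowerShell pre-flight script is an added example, not Commvault tooling or any poster's own script; the peer hostnames and the NTP server name are placeholders, and the SMB check only lists share ACL entries (which Commvault credential is used for a mount path has to be checked in the CommCell itself).

```powershell
# Pre-flight checks before removing a CommServe/MediaAgent host from the Windows domain.
# Added example; hostnames and the NTP server are assumed placeholders.
param(
    [string[]]$Peers = @('commcell.domain.com', 'ma.domain.com', 'client.domain.com'),
    [string]$NtpServer = 'ntp.example.com'   # assumed: NTP source to use after the unjoin
)

$cs = Get-CimInstance Win32_ComputerSystem
"Host: $($cs.Name)  PartOfDomain: $($cs.PartOfDomain)  Domain/Workgroup: $($cs.Domain)"

# 1. Every FQDN the CommCell peers use must still resolve after the host leaves the domain.
#    -DnsOnly forces a real query to the configured DNS servers (no hosts file / cache).
foreach ($p in $Peers) {
    try {
        $rec = Resolve-DnsName -Name $p -Type A -DnsOnly -ErrorAction Stop
        "OK   $p -> $($rec.IPAddress -join ', ')"
    } catch {
        "FAIL $p does not resolve: $($_.Exception.Message)"
    }
}

# 2. Time source: a domain member syncs from the DC (W32Time Type = NT5DS). After the
#    unjoin that source disappears, so a manual NTP peer has to be configured.
$src = (w32tm /query /source) 2>&1
"Current time source: $src"
$type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
if ($type -eq 'NT5DS') {
    "Time sync is domain-hierarchy based; after unjoining run:"
    "  w32tm /config /manualpeerlist:`"$NtpServer`" /syncfromflags:manual /update"
    "  w32tm /resync"
}

# 3. Non-default SMB shares on this host (e.g. mount paths shared to other MAs):
#    list the ACL entries, since domain principals in them stop resolving after the unjoin.
Get-SmbShare | Where-Object { $_.Name -notmatch '^\w\$$|^ADMIN\$|^IPC\$' } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        "Share $($share.Name) ($($share.Path)): $($_.AccountName) $($_.AccessRight)"
    }
}
```

Run it as an administrator on each CS and MA host; any FAIL line under step 1, an NT5DS time source under step 2, or DOMAIN\ principals under step 3 are the items to fix before leaving the domain.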