OSIM Boot Server › Multiple Boot Servers › Boot Server on Windows Domain Controller

Boot Server on Windows Domain Controller

A Boot Server offering Share Access regularly changes the password of the user account canonprv. As canonprv refers to the same user account on all Domain Controllers inside a domain, changing the password on a Domain Controller would affect the share access of OSIM target machines to all other Boot Servers running on Domain Controllers in the same domain.

Therefore the automatic password update will be disabled when a Boot Server is installed on a Windows Domain Controller.

For security reasons the password of canonprv should be changed regularly when using share access. You can achieve this in one of two ways depending on your network environment:

• If you are running a Boot Server on only one Domain Controller inside a domain, you can enable automatic password changing by applying a configuration policy to the Boot Server with "Password change at Windows DC" set to True (1). The parameter is located under the DSM, Scalability Server, osim, ManagedPC,Server node.
• If you are running a Boot Server on more than one Domain Controller inside the same domain, you can configure the Boot Servers to use a password that has been manually set by the user.
  1. Create a separate configuration policy for each domain.
  2. Go to parameter section under the DSM, Scalability Server, osim, ManagedPC, Server node.
  3. Change the setting of the parameter "Canonprv's password" to "Centrally Managed" via its context menu.
  4. Set the value of the parameter "Canonprv's password" to the password you set for the domain account canonprv.
  5. Set the value of the parameter "Password change interval" to 0.
  6. Seal the policy and apply it to all Boot Servers in the domain.

  Note: The policy must be updated each time you manually update canonprv's password.

Note: When using DOS-based boot images to access shares at a Windows 2003 Active Directory domain controller, digital SMB signing must be disabled.

Open the Default Domain Controller Security Settings and set ‘Local Policies/Security Options/Microsoft network server: Digitally sign communications (always)’ to ‘Disabled’.