6.4 Removing the Cluster Resource from an Active Directory Domain

Executing the ./novell-ad-util --leave-domain --cluster-resource <resource_FDN_eDir_format> --domain-name <DOMAIN_NAME> command will disjoin the cluster resource from the Active Directory domain.

Example:

./novell-ad-util --leave-domain --cluster-resource .cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM

How do I remove stale entries of keytab for unjoined cluster resources on all cluster nodes in the cluster?

When you disjoin a cluster resource from an Active Directory domain, novell-ad-util removes that resource's keytab entries from the default keytab file, /etc/krb5.keytab, and deletes the volume keytab file (for example, /media/nss/vol1/._NETWARE/vol.keytab) on the node where the resource is running.

If the resource was migrated to other cluster nodes before it was disjoined, every node it ran on also holds that resource's entries in its default keytab.

When you disjoin the cluster resource, the default keytab entries on that specific cluster node and the volume keytab entries are removed. The default keytab entries on the other nodes where the resource previously ran remain in place.

To remove the stale entries, execute the following command on each node other than the node you used to disjoin the resource:

./novell-ad-util --purge 0 --cluster-resource <cluster dn> --domain-name <domain name>

This command removes the keytab entries of the specified cluster resource <cluster dn>; it does not remove the volume keytab file.
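The procedure above leaves you to decide, node by node, whether a purge is still needed. The following script is an added example and is not part of the OES documentation or of novell-ad-util: it reads the output of klist -k for the node's default keytab, lists any principals that still carry the disjoined resource's CN, and prints the purge command from the documentation for that node. It assumes MIT-style klist -k output (a KVNO column followed by the principal) and that the resource's keytab principals contain the resource CN in their service/host part; the keytab listing embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example; not from the OES documentation or the novell-ad-util tool.
# On a node other than the one used for the disjoin, detect leftover keytab
# entries for a disjoined cluster resource and print the purge command to run.
#
# Assumptions (constructed for this example):
#   - "klist -k /etc/krb5.keytab" prints MIT-style output: a "Keytab name:"
#     line, a "KVNO Principal" header, a dashed rule, then one entry per line.
#   - The resource's keytab principals contain the resource CN
#     (e.g. CLUSTER-OES2015-POOL-SERVER) in their service/host part.

# Constructed sample of klist -k output on a node where the resource once ran:
# the node's own principals plus two entries left behind by the resource.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/node1.example.com@EXAMPLE.COM
   3 nfs/node1.example.com@EXAMPLE.COM
   2 host/cluster-oes2015-pool-server.example.com@EXAMPLE.COM
   2 cifs/cluster-oes2015-pool-server.example.com@EXAMPLE.COM
EOF
}

# stale_entries <resource_cn>   (reads klist output on stdin)
# Prints each principal whose name contains the resource CN, case-insensitively.
stale_entries() {
    resource_cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        case "$line" in
            "Keytab name:"*|"KVNO Principal"*|----*) continue ;;   # header lines
        esac
        principal=$(printf '%s' "$line" | awk '{print $2}')       # second column
        [ -n "$principal" ] || continue
        lower=$(printf '%s' "$principal" | tr 'A-Z' 'a-z')
        case "$lower" in
            *"$resource_cn"*) printf '%s\n' "$principal" ;;
        esac
    done
}

# count_stale_entries <resource_cn>   (reads klist output on stdin)
# Prints the number of matching principals.
count_stale_entries() {
    n=0
    for _p in $(stale_entries "$1"); do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# purge_command <cluster_resource_dn> <domain>
# Builds the command the documentation gives for the other nodes
# (--purge 0 removes the keytab entries only; the volume keytab file is kept).
purge_command() {
    printf './novell-ad-util --purge 0 --cluster-resource %s --domain-name %s\n' "$1" "$2"
}

# Stand-alone run against the constructed sample. On a real node replace
# sample_klist_output with: klist -k /etc/krb5.keytab
RESOURCE_CN=CLUSTER-OES2015-POOL-SERVER
RESOURCE_DN='.cn=CLUSTER-OES2015-POOL-SERVER.o=novell.t=NSSAD_CLUSTER.'
DOMAIN=EXAMPLE.COM
count=$(sample_klist_output | count_stale_entries "$RESOURCE_CN")
if [ "$count" -gt 0 ]; then
    echo "$count stale keytab entries for $RESOURCE_CN on this node:"
    sample_klist_output | stale_entries "$RESOURCE_CN"
    echo "Run on this node:"
    purge_command "$RESOURCE_DN" "$DOMAIN"
else
    echo "No stale keytab entries for $RESOURCE_CN on this node"
fi
```

Run it after the purge as well: a count of zero confirms the node's default keytab no longer references the resource, while a non-zero count on the node where the volume keytab still exists is expected only for the node that performed the disjoin.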

How do I migrate resources in a Mixed-Mode (nodes joined to the AD domain and nodes not joined to the AD domain) environment?

In a mixed-mode state, if you migrate a resource from a node joined to an AD domain to a node that is not, AD users provisioned to that resource will lose access to their data. However, eDirectory users will continue to have access without any hindrance.

If you later join that other node to the AD domain, AD users will still not have access to their data, even though the resource is up and running. To restore AD users' access to their data, take the resource offline and bring it back online.