How does the appliance interact with AD and LDAP?

  • The appliance joins the domain as a computer. This is typically done using a domain admin's credentials, but may be delegated to another account, for example one dedicated to joining new computers to the domain.
    • When joining the domain, we use Samba's net ads join command.
  • Once joined, the appliance adds an SPN to its computer object to identify itself as an Eversync appliance. We are aware that adding the SPN requires more and different privileges than simply joining a computer to the domain. However, we do not store the credentials used when joining, so a Domain Administrator account can be used for both steps. The SPN assignment could be done manually if required (using setspn, for example; see below). The required SPNs, where "appliance" is the hostname and "domain.lan" is the domain, are:
    • HOST/appliance
    • HOST/appliance.domain.lan
    • EVERSYNC_BACKUP/appliance.domain.lan
  • After joining and SPN assignment, the appliance uses only its Computer credentials to browse the Computer objects. The Computer objects display in the Clients > Active Directory tree to allow the automatic creation of appliance-side backup client configurations from them.
  • When RvxBRAgent (the Eversync Backup and Restore Agent service) starts, clients find the appliance's address by querying LDAP for the SPN. This is similar to MSSQL server discovery, for example.
    • Thereafter, clients contact the Eversync appliance using web services built into .NET, using their Computer credentials for secure Kerberos authentication. The clients request their configuration from the appliance and save it locally. While the agent is running, AD is not used again.

What permissions will be required in order to pre-stage any service accounts needed within the new domain?

  • Only joining the appliance to the domain and assigning the SPN are required. No service accounts beyond the Computer object are necessary.


Below is a session on a domain controller, run as the Administrator user, that lists the SPNs associated with the appliance's computer account after it has joined the domain. The EVERSYNC_BACKUP SPN is then deleted (-D) from the computer account and the SPNs are listed again. Finally, the command to add (-A) the EVERSYNC_BACKUP SPN to the appliance's computer account is shown; customers can use it if joining the domain from the appliance fails to create the SPN.
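
As an added example (not Eversync's tooling and not the session referred to above), this PowerShell script checks the appliance's computer object for the three required SPNs, prints the setspn -A command for any that is missing, and lists every computer that advertises an EVERSYNC_BACKUP SPN. It assumes a domain-joined Windows host and the placeholder names "appliance" and "domain.lan"; the LDAP filter in step 3 is an assumed shape, not the agent's documented query.

```powershell
# Added example (not Eversync code). Run on a domain-joined Windows host.
# 'appliance' and 'domain.lan' are the placeholder names used in this article.
param(
    [string]$Hostname = 'appliance',
    [string]$Domain   = 'domain.lan'
)

$fqdn     = "${Hostname}.${Domain}"
$required = "HOST/$Hostname", "HOST/$fqdn", "EVERSYNC_BACKUP/$fqdn"

# 1. Read the SPNs currently set on the appliance's computer object.
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=${Hostname}`$))"
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$computer = $searcher.FindOne()
if (-not $computer) { throw "No computer object found for '$Hostname'." }
$present = @($computer.Properties['serviceprincipalname'])

# 2. Report each required SPN; for a missing one, print the setspn -A command
#    described above (-contains compares case-insensitively, as SPNs require).
foreach ($spn in $required) {
    if ($present -contains $spn) {
        "OK       $spn"
    } else {
        "MISSING  $spn   fix: setspn -A $spn $Hostname"
    }
}

# 3. List every computer object that advertises an EVERSYNC_BACKUP SPN.
#    Assumption: agents locate the appliance with a query of this general shape;
#    the exact filter RvxBRAgent uses is not documented on this page.
$finder = [adsisearcher]'(&(objectCategory=computer)(servicePrincipalName=EVERSYNC_BACKUP/*))'
[void]$finder.PropertiesToLoad.Add('dNSHostName')
$advertisers = @($finder.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'] })

"Computers advertising EVERSYNC_BACKUP: $($advertisers -join ', ')"
$others = $advertisers | Where-Object { $_ -ne $fqdn }
if ($others) {
    # Clients trust whatever holds this SPN, so confirm each is a known appliance.
    Write-Warning "Other EVERSYNC_BACKUP SPN holder(s): $($others -join ', ')"
}
```

The script only reads from the directory and needs no more than an ordinary domain account; any printed setspn -A command must be run by an account allowed to write the SPN.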

User is not able to add the appliance to a domain



Incorrect permissions exist in the environment


To resolve the issue in which users cannot join a computer to the domain, follow these steps:

  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. In the task pane, expand the domain node.
  3. Locate and right-click the OU that you want to modify, and then click Delegate Control.
  4. In the Delegation of Control Wizard, click Next.
  5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
  6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  7. Add permissions appropriate to join a PC to the domain. Click Next, and then click Finish.
  8. Close the "Active Directory"