activedirectory create


This command creates an Active Directory (AD) configuration record. After running this command, run activedirectory list to obtain the ID of the configuration record, and then run activedirectory modify to make the cluster join the Active Directory domain using the Active Directory configuration record ID you obtained.

Important

Ensure that your installation meets the prerequisites and requirements listed in Active Directory Overview.

You can create multiple Active Directory configurations. Note that VAST Cluster does not allow adding two different Active Directory configuration records that have:

  • The same domain name but different settings for multi-forest authentication and/or auto-discovery.

  • The same domain name and the same machine account name.

Usage

activedirectory create --machine-account-name MACHINE_NAME
                       --port PORT
                       --bindpw BIND_PASSWORD
                       --method anonymous|simple|sasl
                       [--organizational-unit OU]
                       [--allow-smb|--disallow-smb]
                       [--enable-ntlm|--disable-ntlm]
                       [--abac-read-only-value-name KEYWORD]
                       [--abac-read-write-value-name KEYWORD]
                       [--enable-scheduled-ma-pwd-change|--disable-scheduled-ma-pwd-change]
                       [--ma-pwd-change-frequency FREQUENCY]
                       [--ma-pwd-update_time TIME]
                       [--urls URI_LIST]
                       [--basedn BASE_DN]
                       [--domain-name DOMAIN_NAME]
                       [--binddn BIND_DN]
                       [--group-basedn GROUP_BASE_DN]
                       [--query-groups-mode COMPATIBLE|RFC2307BIS_ONLY|RFC2307_ONLY|NONE]
                       [--use-tls|--no-tls]
                       [--vms-auth|--no-vms-auth]
                       [--reverse-lookup|--no-reverse-lookup]
                       [--gid-number ATTRIBUTE_NAME]
                       [--uid ATTRIBUTE_NAME]
                       [--uid-number ATTRIBUTE_NAME]
                       [--member-uid ATTRIBUTE_NAME]
                       [--posix-account ATTRIBUTE_NAME]
                       [--posix-group ATTRIBUTE_NAME]
                       [--match-user ATTRIBUTE_NAME]
                       [--username-property-name ATTRIBUTE_NAME]
                       [--user-login-name ATTRIBUTE_NAME]
                       [--group-login-name ATTRIBUTE_NAME]
                       [--mail-property-name ATTRIBUTE_NAME]
                       [--uid-member-value-property-name ATTRIBUTE_NAME]
                       [--enable-auto-discovery|--disable-auto-discovery]
                       [--enable-use-ldaps|--disable-use-ldaps]
                       [--posix-attributes-source JOINED_DOMAIN|ALL_DOMAINS|SPECIFIC_DOMAINS|GC]
                       [--domains-with-posix-attributes DOMAINS]
                       [--enable-multi-forest|--disable-multi-forest]
                       [--super-admin-groups GROUPS]
                       [--monitor-action PING|BIND]

Required Parameters

--machine-account-name MACHINE_NAME

Specifies a name for the machine object that will be created for the cluster within Active Directory, inside the organizational unit given by --organizational-unit. For simplicity, it is recommended to use the cluster name as the machine account name.

--port PORT

Sets the port of the remote LDAP server. Recommended values: 389 for LDAP (with or without TLS), 636 for LDAPS.

--bindpw BIND_PASSWORD (required if --method simple or --method sasl is specified)

Sets the password used with the bind DN to authenticate to the LDAP server.

--method anonymous|simple|sasl

The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database.

When multi-forest authentication is enabled, VAST Cluster uses SASL for the LDAP bind to domain controllers in other trusted forests, and this setting is honored only for the LDAP bind to domain controllers in the forest of the cluster's joined domain (see Active Directory Overview).

Set the method according to how the LDAP server is configured to authenticate clients:

  • anonymous. The LDAP server accepts queries without any authentication.

  • simple. The LDAP server attempts to bind the specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you must set the bind DN with --binddn and the password with --bindpw.

  • sasl. The LDAP server performs the Simple Authentication and Security Layer (SASL) authentication process. If the SASL bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you must set the bind DN with --binddn and the password with --bindpw, with the bind DN in the username@domain or DOMAIN\username format.

Options

--organizational-unit OU

The organizational unit (OU) in the Active Directory domain in which to create the machine object. Specify it as a Distinguished Name (DN).

If unspecified, the machine object is created in the domain's Computers container.

For example: OU=Computers,DC=company-ad,DC=com

Use the DN of the OU as it exists in your domain. Note that the built-in Computers container of a default Active Directory domain is a container rather than an OU, so its DN is CN=Computers,DC=company-ad,DC=com; the OU=Computers form above applies only if an OU of that name has been created.

--allow-smb

When this option is specified, VAST Cluster can use this Active Directory provider to authenticate and authorize clients accessing the cluster via the SMB storage protocol. (Enabled by default).

--disallow-smb

Disables use of this Active Directory provider for SMB client access.

--enable-ntlm

When this option is specified, SMB clients accessing the cluster are allowed to use NTLM authentication to get authenticated via this Active Directory provider. This is the default behavior.

Note

NTLM authentication is not FIPS-compliant. If all SMB clients can authenticate with Kerberos, disable it with --disable-ntlm.

--disable-ntlm

Prohibits use of NTLM authentication on this Active Directory provider. SMB clients are then expected to use Kerberos authentication, which requires an SPN to be configured for each virtual IP pool (see Workflow for Enabling Client Protocol Access).

--abac-read-only-value-name KEYWORD

Sets the ABAC attribute value that grants read-only access to a view tagged with this ABAC attribute (see Attribute-Based Access Control (ABAC)).

The default is ro.

--abac-read-write-value-name KEYWORD

Sets the ABAC attribute value that grants read/write access to a view tagged with this ABAC attribute (see Attribute-Based Access Control (ABAC)).

The default is rw.

--enable-scheduled-ma-pwd-change

Enables scheduled password change for the cluster's machine account on Active Directory. (Disabled by default.)

--disable-scheduled-ma-pwd-change

Disables scheduled password change for the cluster's machine account on Active Directory. This is the default.

--ma-pwd-change-frequency FREQUENCY

Sets the frequency, in days, for scheduled password change for the cluster's machine account on Active Directory. Default: 90

--ma-pwd-update_time TIME

The time of day at which scheduled password change for the cluster's Active Directory machine account should take place.

Specify TIME in the format HH:mm where HH is the number of hours and mm is the number of minutes.

Default: 20:00

--use-tls

Enables TLS (StartTLS) to secure communication between VAST Cluster and the LDAP server.

When enabled, VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513.

Important

Use the VAST Web UI to provide a TLS certificate (see Joining Active Directory from the VAST Web UI).

--no-tls

Disables TLS (StartTLS) for communication between VAST Cluster and the LDAP server. Without StartTLS or LDAPS, LDAP traffic, including the bind password of a simple bind, is sent in cleartext.

--vms-auth

If this option is specified, the LDAP configuration being created will be the one used for VMS authentication.

--no-vms-auth

If this option is specified, the LDAP configuration being created will not be used for VMS authentication. This is the default setting.

--reverse-lookup

Enables use of DNS reverse lookup for the translation of a client IP address to a host name. When this option is specified, the server compares the host name to host names in netgroup entries. If not specified, the server queries DNS for each host name found in the netgroup entries.

--no-reverse-lookup

Disables use of reverse DNS lookup. This is the default setting.

--enable-auto-discovery

Enables Active Directory domain auto-discovery. (Enabled by default.) See Active Directory Overview.

When auto-discovery is enabled, VAST Cluster automatically discovers and queries all domains and domain controllers in the forest of the cluster's joined domain and, if multi-forest authentication is enabled by the --enable-multi-forest flag, in other trusted forests.

--disable-auto-discovery

Disables Active Directory domain auto-discovery (see Active Directory Overview).

When auto-discovery is disabled, the LDAP URI (--urls) and search base DN (--basedn) must be specified manually. VAST Cluster contacts only the domain controllers configured with --urls and does not process requests from users in other domains, neither in the forest of the cluster's joined domain nor in other trusted forests.

--enable-multi-forest

When this option is specified, VAST Cluster automatically discovers all domains in other trusted forests, in addition to domains in the forest of the cluster's joined domain. For more information, see Active Directory Overview.

This option can be specified only when Active Directory domain auto-discovery is enabled (--enable-auto-discovery).

--disable-multi-forest

Disables multi-forest authentication on the cluster.

--enable-use-ldaps

Enables use of LDAPS for Active Directory domain auto-discovery.

When enabled, VAST Cluster connects to an alternative port (port 636 for the domain controller, port 3269 for the Global Catalog) and initiates a TLS handshake immediately afterwards.

--disable-use-ldaps

Disables use of LDAPS for Active Directory domain auto-discovery.

--posix-attributes-source JOINED_DOMAIN|ALL_DOMAINS|SPECIFIC_DOMAINS|GC

Determines domains from which VAST Cluster queries POSIX attributes. Options include:

  • JOINED_DOMAIN. The domain which VAST Cluster has joined.

  • ALL_DOMAINS. All domains in the Active Directory forest of the cluster's joined domain and, if multi-forest authentication is enabled, in other trusted forests (see Active Directory Overview).

  • SPECIFIC_DOMAINS. One or more domains specified on the --domains-with-posix-attributes option.

  • GC. All domains included in the Active Directory global catalog of the cluster's joined domain forest. When this option is specified, the global catalog must be configured with POSIX attributes.

--domains-with-posix-attributes DOMAINS

Provides a comma-separated list of the specific domains when --posix-attributes-source SPECIFIC_DOMAINS is specified. The domains can be in the forest of the cluster's joined domain, or in other trusted forests.

For example: ad.example.com,domain.com

--urls URI_LIST

Enter the URIs of LDAP servers (domain controllers in the Active Directory domain the cluster joins). The order of listing defines the priority order; the highest-priority URI with a good health status is used.

If you are going to use Active Directory domain auto-discovery, specify URI_LIST as a single URI and then run activedirectory modify to enable auto-discovery. For a detailed procedure, see Creating Active Directory Configuration and Joining Active Directory from the VAST CLI.

Otherwise, specify URI_LIST as a comma-separated list of URIs in the format <scheme>://<address>, where <scheme> is ldap or ldaps.

All the domain controllers must be in the same Active Directory domain, the one that VAST Cluster joins.

Examples:

  • --urls ldap://company-ad.com

  • --urls ldaps://company-ad.com

  • --urls ldap://company-ad.com,ldap://company-ad2.com

  • --urls ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2

--basedn BASE_DN

Sets the entry in the LDAP directory tree to use as the starting point for user queries (the search base DN). Required when Active Directory domain auto-discovery is disabled (see --disable-auto-discovery). Group queries also start here unless --group-basedn is specified.

For example: DC=company-ad,DC=com

--domain-name DOMAIN_NAME

The DNS name of the Active Directory domain that this configuration record is for, for example company-ad.com. See the restrictions on multiple records with the same domain name at the top of this page.

--binddn BIND_DN (required if --method simple or --method sasl is specified)

Sets the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory. You can specify any user account that has read access to the domain; prefer a dedicated service account with only that access over an administrator account.

The format is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component is a cn attribute component specifying the user object, the next component is its container and so on up the tree, with the last component representing the top level domain.

The following attributes can be specified:

  • cn: common name

  • ou: organizational unit

  • o: organization

  • c: country

  • dc: domain

For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.

If multi-forest authentication is enabled and/or the SASL authentication method is used, specify the bind DN in one of the following formats (see Active Directory Overview):

  • username@domain

  • DOMAIN\username
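The rules this reference states about authentication methods, bind identities, auto-discovery and multi-forest, the --urls format and duplicate configuration records can be checked before the command is typed into vcli. The following Python is an added example for this page, not VAST code and not a VAST API: AdConfig, check_config, bind_identity_kind and the two sample records (one mirrors the example command at the end of this reference with a constructed password, the other is deliberately wrong) are this example's own constructions.

```python
"""Pre-flight checks for an `activedirectory create` argument set.

Added example for this reference, not VAST code or a VAST API. It encodes the
rules this page states so a configuration can be checked before it is typed
into vcli. AdConfig, check_config, bind_identity_kind and the sample records
are this example's own constructions.
"""
from dataclasses import dataclass, field
import re

DN_ATTRS = {"cn", "ou", "o", "c", "dc"}                      # attributes the page lists for a bind DN
UPN_RE = re.compile(r"^[^@\\/\s]+@[^@\\/\s]+\.[^@\\/\s]+$")   # username@domain
DOWNLEVEL_RE = re.compile(r"^[^@\\/\s]+\\[^@\\/\s]+$")         # DOMAIN\username
URL_RE = re.compile(r"^(ldap|ldaps)://[^/\s,]+$")            # <scheme>://<address>


def bind_identity_kind(bind_dn):
    """Classify a --binddn value as 'dn', 'upn', 'downlevel' or 'invalid'."""
    if UPN_RE.match(bind_dn):
        return "upn"
    if DOWNLEVEL_RE.match(bind_dn):
        return "downlevel"
    parts = [p.split("=", 1) for p in bind_dn.split(",")]
    if parts and all(len(p) == 2 and p[0].strip().lower() in DN_ATTRS and p[1].strip() for p in parts):
        return "dn"
    return "invalid"


@dataclass
class AdConfig:
    machine_account_name: str
    domain_name: str
    port: int
    method: str                         # anonymous | simple | sasl
    bind_dn: str = ""
    bind_pw: str = ""
    urls: list = field(default_factory=list)
    base_dn: str = ""
    auto_discovery: bool = True         # --enable-auto-discovery is the default
    multi_forest: bool = False          # --disable-multi-forest is the default
    use_tls: bool = False               # StartTLS on the plain LDAP port


def check_config(cfg, existing=()):
    """Return a list of violations of the rules stated on this page (empty = OK)."""
    problems = []
    if cfg.method not in ("anonymous", "simple", "sasl"):
        problems.append(f"unknown --method {cfg.method!r}")
    if cfg.method in ("simple", "sasl"):
        if not cfg.bind_dn:
            problems.append(f"--method {cfg.method} requires --binddn")
        if not cfg.bind_pw:
            problems.append(f"--method {cfg.method} requires --bindpw")
    if cfg.bind_dn:
        kind = bind_identity_kind(cfg.bind_dn)
        if kind == "invalid":
            problems.append(f"--binddn {cfg.bind_dn!r} is neither a DN, username@domain nor DOMAIN\\username")
        elif kind == "dn" and (cfg.method == "sasl" or cfg.multi_forest):
            problems.append("--method sasl and --enable-multi-forest need --binddn as username@domain or DOMAIN\\username")
    if cfg.multi_forest and not cfg.auto_discovery:
        problems.append("--enable-multi-forest requires auto-discovery to be enabled")
    if not cfg.auto_discovery:
        if not cfg.urls:
            problems.append("--disable-auto-discovery requires --urls")
        if not cfg.base_dn:
            problems.append("--disable-auto-discovery requires --basedn")
    for url in cfg.urls:
        if not URL_RE.match(url):
            problems.append(f"--urls entry {url!r} is not <ldap|ldaps>://<address>")
    if cfg.use_tls and (cfg.port == 636 or any(u.startswith("ldaps://") for u in cfg.urls)):
        problems.append("--use-tls means StartTLS on the plain port; do not combine it with LDAPS (port 636 / ldaps://)")
    # Duplicate-record rules from the top of this page.
    for other in existing:
        if other.domain_name.lower() != cfg.domain_name.lower():
            continue
        if (other.multi_forest, other.auto_discovery) != (cfg.multi_forest, cfg.auto_discovery):
            problems.append(f"a record for {cfg.domain_name} already exists with different multi-forest/auto-discovery settings")
        if other.machine_account_name.lower() == cfg.machine_account_name.lower():
            problems.append(f"a record for {cfg.domain_name} with machine account {cfg.machine_account_name!r} already exists")
    return problems


def page_example():
    """The values of the example command at the end of this reference (password constructed)."""
    return AdConfig("cluster1", "company-ad.com", 389, "simple",
                    bind_dn="admin@mydomain.local", bind_pw="example-only", use_tls=True)


def bad_example():
    """A deliberately inconsistent record that breaks most of the rules above."""
    return AdConfig("CLUSTER1", "Company-AD.com", 636, "sasl",
                    bind_dn="cn=svc,dc=company-ad,dc=com",
                    urls=["company-ad.com", "ldaps://dc1.company-ad.com"],
                    auto_discovery=False, multi_forest=True, use_tls=True)


if __name__ == "__main__":
    print("page example:", check_config(page_example()) or "OK")
    for problem in check_config(bad_example(), existing=[page_example()]):
        print("bad example:", problem)
```

The check is intentionally strict about LDAPS plus --use-tls: --use-tls is StartTLS on the plain port, while --enable-use-ldaps and ldaps:// URIs mean TLS from the first byte on 636/3269, so asking for both is a configuration error rather than extra security.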

--group-basedn GROUP_BASE_DN

Sets the entry in the LDAP directory tree to use as a starting point for group queries. If not specified, the base DN is used.

--query-groups-mode COMPATIBLE|RFC2307BIS_ONLY|RFC2307_ONLY|NONE

The mode for querying a user's auxiliary group memberships, when the auth provider is set as the source for group membership in the view policy:

  • COMPATIBLE (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). Use this default unless your authentication provider is incompatible with the aggregated query mode.

  • RFC2307BIS_ONLY. Auxiliary group memberships are queried according to the RFC2307bis schema, in which the group has a member attribute containing the Distinguished Names (DNs) of its member users and the user has a memberOf attribute containing the DNs of the groups to which the user belongs. This schema is used by Active Directory and may be used with other LDAP-based authorization providers that have the LDAP schema extensions.

  • RFC2307_ONLY. Auxiliary group memberships are queried according to the RFC2307 schema, in which the group object has a memberUid attribute for each member user, specifying the name of the user object. This schema may be used by OpenLDAP, FreeIPA and other LDAP-based authorization providers.

  • NONE. Auxiliary group memberships are not queried at all. If the view policy of the relevant view cites the authorization provider as the group membership source and a user tries to access a file or directory within that view to which the user has permission only as a member of the owning group, permission is not granted.

--super-admin-groups GROUPS

Grants members of the specified groups on this provider cluster administrator (manager) access to VMS: users in these groups can log in to VMS. By default they are assigned a read-only role; to grant them further permissions, add the group name to the appropriate roles.

--monitor-action PING|BIND

Determines the type of periodic health check that VAST Cluster performs for an Active Directory provider configured for the cluster:

  • PING (default): Ping the provider. This option creates less overhead and reduces impact on the provider, but it only confirms that the host is reachable; it does not verify that the LDAP service is answering or that the bind credentials are still valid.

  • BIND: Bind to the provider. This also verifies the LDAP service and the bind credentials, at the cost of one bind per check.

Attribute Mapping Options

If your Active Directory server uses attributes that differ from the default RFC2307BIS attribute set that is used for LDAP queries, these options map those attributes to the attribute names used on the server you are connecting the cluster to.

Example: --uid cn --posix-account user --posix-group group

--gid-number ATTRIBUTE_NAME

The attribute of a group entry that contains the GID number of a group.

Default: gidNumber

--uid ATTRIBUTE_NAME

The attribute of a user entry that contains the user name.

Default: uid

--uid-number ATTRIBUTE_NAME

The attribute of a user entry that contains the UID number.

Default: uidNumber

--member-uid ATTRIBUTE_NAME

The attribute of the group entry that contains names of group members.

Default: member

--posix-account ATTRIBUTE_NAME

The object class that defines a user entry.

Default: user

--posix-group ATTRIBUTE_NAME

The object class that defines a group entry.

Default: group

--match-user ATTRIBUTE_NAME

Use this option to specify which attribute to use for matching users across providers during user refresh and user authentication. When querying a provider for a user that matches a user that was already retrieved from another provider, a user entry that contains a matching value in this attribute will be considered the same user as the user previously retrieved.

Default: sAMAccountName

--username-property-name ATTRIBUTE_NAME

Overrides 'name' as the attribute to use for querying users in VMS user-initiated user queries.

Default: name

--user-login-name ATTRIBUTE_NAME

Specifies the attribute used to query Active Directory for the user login name in NFS ID mapping. Applicable only with Active Directory and NFSv4.1.

Default: sAMAccountName

--group-login-name ATTRIBUTE_NAME

Specifies the attribute used to query Active Directory for the group login name in NFS ID mapping. Applicable only with Active Directory and NFSv4.1.

Default: sAMAccountName

--mail-property-name ATTRIBUTE_NAME

Specifies the attribute to use for the user's email address.

Default: mail

--uid-member-value-property-name ATTRIBUTE_NAME

Specifies the attribute which represents the value of the LDAP group's member property.

Default: sAMAccountName
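To make the difference between the --query-groups-mode settings and the attribute-mapping options concrete, the following Python resolves a user's auxiliary groups from a small constructed directory under each mode, and shows why NONE denies access that is granted only through the owning group. It is an added example, not VAST code: the sample entries, auxiliary_gids and group_access_allowed are this example's own constructions, and the attribute defaults are taken from the option descriptions above.

```python
"""Auxiliary-group lookup under each --query-groups-mode setting.

Added example for this reference, not VAST code. The directory entries are
constructed inline: they mimic an Active Directory domain (RFC2307bis style,
group.member holds user DNs and user.memberOf holds group DNs) plus one group
maintained RFC2307 style (group.memberUid holds user names). Attribute and
object-class names default to the page's defaults and can be overridden the
way --uid, --member-uid, --gid-number, --posix-account and --posix-group do.
"""

MODES = ("COMPATIBLE", "RFC2307BIS_ONLY", "RFC2307_ONLY", "NONE")

# Constructed sample directory (not real data).
DIRECTORY = [
    {"dn": "CN=alice,OU=users,DC=corp,DC=example", "objectClass": ["user"],
     "cn": ["alice"], "uid": ["alice"], "uidNumber": ["10001"], "gidNumber": ["5000"],
     "memberOf": ["CN=eng,OU=groups,DC=corp,DC=example"]},
    {"dn": "CN=eng,OU=groups,DC=corp,DC=example", "objectClass": ["group"],
     "gidNumber": ["5001"], "member": ["CN=alice,OU=users,DC=corp,DC=example"]},
    {"dn": "CN=legacy,OU=groups,DC=corp,DC=example", "objectClass": ["group"],
     "gidNumber": ["5002"], "memberUid": ["alice"]},
    {"dn": "CN=ops,OU=groups,DC=corp,DC=example", "objectClass": ["group"],
     "gidNumber": ["5003"], "member": ["CN=bob,OU=users,DC=corp,DC=example"]},
]


def _norm_dn(dn):
    # DNs are compared case-insensitively and without whitespace around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))


def find_user(directory, username, uid_attr="uid", user_class="user"):
    """Locate the user entry whose mapped user-name attribute equals `username`."""
    for entry in directory:
        if user_class in entry.get("objectClass", []) and username in entry.get(uid_attr, []):
            return entry
    raise LookupError(f"no {user_class} entry with {uid_attr}={username}")


def auxiliary_gids(directory, username, mode="COMPATIBLE", *, uid_attr="uid",
                   member_attr="member", gid_attr="gidNumber",
                   user_class="user", group_class="group"):
    """Return the sorted auxiliary GIDs of `username` as the given mode would find them."""
    if mode not in MODES:
        raise ValueError(f"unknown --query-groups-mode {mode}")
    user = find_user(directory, username, uid_attr, user_class)
    user_dn = _norm_dn(user["dn"])
    back_links = {_norm_dn(d) for d in user.get("memberOf", [])}
    gids = set()
    for group in directory:
        if group_class not in group.get("objectClass", []):
            continue
        gid = int(group[gid_attr][0])
        if mode in ("COMPATIBLE", "RFC2307BIS_ONLY"):
            # RFC2307bis: the group lists member DNs; AD also keeps the memberOf back-link.
            members = {_norm_dn(d) for d in group.get(member_attr, [])}
            if user_dn in members or _norm_dn(group["dn"]) in back_links:
                gids.add(gid)
        if mode in ("COMPATIBLE", "RFC2307_ONLY"):
            # RFC2307: the group lists member user names in memberUid.
            if username in group.get("memberUid", []):
                gids.add(gid)
    return sorted(gids)


def group_access_allowed(directory, username, file_gid, mode="COMPATIBLE", **attrs):
    """Can `username` use a group-granted permission on a file owned by group `file_gid`?

    The primary group (the user's own gidNumber) always counts; auxiliary groups
    count only as far as the query mode finds them, which is why NONE denies
    access that depends on membership in the owning group.
    """
    user = find_user(directory, username, attrs.get("uid_attr", "uid"), attrs.get("user_class", "user"))
    primary = int(user[attrs.get("gid_attr", "gidNumber")][0])
    return file_gid == primary or file_gid in auxiliary_gids(directory, username, mode, **attrs)


if __name__ == "__main__":
    for m in MODES:
        print(f"{m:16s} alice auxiliary GIDs: {auxiliary_gids(DIRECTORY, 'alice', m)}")
    print("with --uid cn mapped:", auxiliary_gids(DIRECTORY, "alice", uid_attr="cn"))
```

COMPATIBLE is the union of the two schemas, so a directory that keeps some groups in memberUid form and others in member/memberOf form still resolves completely; the single-schema modes miss whichever half they do not query.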

Example

vcli: admin> activedirectory create --machine-account-name cluster1 --organizational-unit OU=Computers,DC=company,DC=com --port 389 --binddn admin@mydomain.local --bindpw !@WE56yt --method simple --domain-name company-ad.com --uid distinguishedName --member-uid member --posix-account user --posix-group group --use-tls

The bind password is passed on the command line in cleartext, so use a dedicated service account that has only read access to the domain (see --binddn) rather than an administrator account.