Configure Kerberos Hadoop Realm on the AD DC
Configure the Hadoop realm on the AD DC server and set up the one-way trust.
Add the Hadoop Kerberos realm and KDC host to the DC:
ksetup /addkdc $hadoop.realm $KDC-host
Establish one-way trust between the AD domain and the Hadoop realm:
netdom trust $hadoop.realm /Domain:$AD.domain /add /realm /passwordt:$trust_password
(Optional) If Windows clients within the AD domain need to access Hadoop services, and the domain does not have a search route to find the services in the Hadoop realm, run the following command to create a host-to-realm mapping for the Hadoop service host:
ksetup /addhosttorealmmap $hadoop-service-host $hadoop.realm
Note: Run this command for each $hadoop-host that provides services that Windows clients need to access, for example the Oozie host and the WebHCat host.
(Optional) Define the encryption type:
ksetup /SetEncTypeAttr $hadoop.realm $encryption_type
Set encryption types based on your security requirements. The encryption types configured on the AD side and on the Hadoop realm side must match; mismatched encryption types cause problems.
Note: Run ksetup /GetEncTypeAttr $krb_realm to list the available encryption types. Verify that the encryption type is configured for the Hadoop realm in krb5.conf.
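One way to carry out the krb5.conf verification above, as an added example that is not part of the original procedure: a Python check, run on the Hadoop KDC side, that reports which [libdefaults] encryption-type settings do not include a type set with ksetup /SetEncTypeAttr. The sample krb5.conf, realm name and function names are constructed for illustration, and the check assumes explicit enctype lists (no DEFAULT keyword or "-" removals).

```python
import re

# ksetup /SetEncTypeAttr names mapped to the canonical MIT krb5 names.
KSETUP_TO_MIT = {
    "DES-CBC-CRC": "des-cbc-crc",
    "DES-CBC-MD5": "des-cbc-md5",
    "RC4-HMAC-MD5": "arcfour-hmac",
    "AES128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
    "AES256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
}
# Short names and families accepted in krb5.conf (only the SHA-1 AES types matter here).
AES = ["aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"]
ALIASES = {"rc4-hmac": ["arcfour-hmac"], "arcfour-hmac-md5": ["arcfour-hmac"],
           "rc4": ["arcfour-hmac"], "aes128-cts": AES[:1], "aes256-cts": AES[1:], "aes": AES}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def libdefaults_enctypes(text):
    """Return {setting: set of canonical enctypes} found in [libdefaults]."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if section == "libdefaults" and sep and key.strip() in ENCTYPE_KEYS:
            names = set()
            for tok in re.split(r"[\s,]+", value.strip().lower()):
                names.update(ALIASES.get(tok, [tok]))
            found[key.strip()] = names
    return found

def missing_enctypes(krb5_conf_text, trust_enctypes):
    """Return {setting: [ksetup enctype names that setting does not allow]}.
    Settings absent from the file fall back to library defaults and are not reported."""
    problems = {}
    for key, allowed in libdefaults_enctypes(krb5_conf_text).items():
        absent = [e for e in trust_enctypes if KSETUP_TO_MIT[e.upper()] not in allowed]
        if absent:
            problems[key] = absent
    return problems

# Constructed sample: permitted_enctypes omits the AES type used for the trust.
SAMPLE = """[libdefaults]
  default_realm = HADOOP.EXAMPLE.COM
  default_tkt_enctypes = aes256-cts rc4-hmac
  default_tgs_enctypes = aes256-cts rc4-hmac
  permitted_enctypes = rc4-hmac
"""
if __name__ == "__main__":
    print(missing_enctypes(SAMPLE, ["AES256-CTS-HMAC-SHA1-96"]))
```

An empty result means every enctype setting present in the file allows the type configured on the trust.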