Moving Kerberos Principals to Another OU Within Active Directory
If you have a Kerberized cluster configured with an Active Directory KDC, you can use the following steps to move the Kerberos principals from one AD Organizational Unit (OU) to another.
- Create the new OU on the Active Directory Server.
- Use AD's Delegate Control wizard to set the permissions on the new OU such that the configured Cloudera Manager admin account has the ability to Create, Delete and Manage User Accounts within this OU.
- Stop the cluster.
- Stop the Cloudera Management Service.
- In Active Directory, move all the Cloudera Manager and CDH components' user accounts to the new OU.
- Go to Cloudera Manager and go to .
- Go to the Kerberos Credentials tab and click Configuration.
- Select .
- Select .
- Locate the Active Directory Suffix property and edit the value to reflect the new OU name.
- Click Save Changes to commit the changes.
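
The OU creation and account move from the steps above can also be scripted on the Active Directory server. The following is an added example, not Cloudera's code: it assumes the ActiveDirectory PowerShell module is installed, that the old OU contains only the Cloudera Manager and CDH component accounts, and all OU and domain names in it are placeholders. Delegating control on the new OU and the Cloudera Manager configuration change are still done as described in the steps.

```powershell
# Added example. All DNs below are placeholders; replace them with your own.
param([switch]$Apply)   # without -Apply the script only shows what it would do

Import-Module ActiveDirectory

$OldOU     = 'OU=cluster-old,DC=example,DC=com'  # placeholder: OU the principals live in now
$NewOUName = 'cluster-new'                       # placeholder: name of the new OU
$ParentDN  = 'DC=example,DC=com'                 # placeholder: container for the new OU
$NewOU     = "OU=$NewOUName,$ParentDN"

# Create the new OU if it is not there yet.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$NewOU'")) {
    New-ADOrganizationalUnit -Name $NewOUName -Path $ParentDN -WhatIf:(-not $Apply)
}

# Collect the user accounts directly under the old OU.
# Assumption: that OU holds only the Cloudera Manager and CDH component accounts.
$accounts = @(Get-ADUser -SearchBase $OldOU -SearchScope OneLevel -Filter * `
                         -Properties servicePrincipalName)
$accounts |
    Select-Object SamAccountName, @{n='SPN'; e={$_.servicePrincipalName -join ','}} |
    Format-Table -AutoSize

# Move them; -WhatIf stays on unless -Apply was given.
$accounts | Move-ADObject -TargetPath $NewOU -WhatIf:(-not $Apply)

if ($Apply) {
    # Verify by ObjectGUID, which does not change when an object is moved.
    $stray = foreach ($a in $accounts) {
        $now = Get-ADUser -Identity $a.ObjectGUID
        $ok  = $now.DistinguishedName.EndsWith(",$NewOU",
                   [StringComparison]::OrdinalIgnoreCase)
        if (-not $ok) { $now.DistinguishedName }
    }
    if ($stray) {
        Write-Warning "Accounts not under ${NewOU}:"
        $stray
    } else {
        Write-Host "$($accounts.Count) accounts now under $NewOU"
        Write-Host "DN to reflect in the Active Directory Suffix property: $NewOU"
    }
}
```

Run it once without `-Apply` to review the account list and the planned moves, then again with `-Apply` after the cluster and the Cloudera Management Service are stopped.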