You must add one enrollment server for each domain. You can also add a second enrollment server and later designate that server to be used as a backup.

For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included. For example, one row shows the --environment --list --enrollmentServers options, but the vdmUtil command you would actually enter also contains options for authentication and for specifying that you are configuring True SSO:

vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --environment --list --enrollmentServers

For more information about the authentication options, see Command-line Reference for Configuring True SSO.

Table 1. vdmutil truesso Command Options for Managing Enrollment Servers

Command and Options

Description

--environment --add --enrollmentServer enroll-server-fqdn

Adds the specified enrollment server to the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been added, when you run this command, nothing happens.

--environment --remove --enrollmentServer enroll-server-fqdn

Removes the specified enrollment server from the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been removed, when you run this command, nothing happens.

--environment --list --enrollmentServers

Lists the FQDNs of all enrollment servers in the environment.

--environment --list --enrollmentServer enroll-server-fqdn

List s the FQDNs of the domains and forests that are trusted by the domains and forests to which the enrollment server belongs, and the state of the enrollment certificate, which can be VALID or INVALID. VALID means the enrollment server has an Enrollment Agent certificate installed. The state might be INVALID for any of several reasons:

  • The certificate has not been installed.

  • The certificate Is not yet valid, or has expired.

  • The certificate was not issued by a trusted Enterprise CA.

  • The private key is not available.

  • The certificate has been corrupted.

The log file on the enrollment server can provide the reason for the INVALID state.

--environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

For the enrollment server in the specified domain, lists the CNs (common names) of the available certificate authorities, and provides the following information about each certificate template that can be used for True SSO: name, minimum key length, and hash algorithm.