You must add one enrollment server for each domain. You can also add a second enrollment server and later designate that server to be used as a backup.
For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included. For example, one row shows the --environment --list --enrollmentServers options, but the vdmUtil command you would actually enter also contains options for authentication and for specifying that you are configuring True SSO:
vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --environment --list --enrollmentServers
For more information about the authentication options, see Command-line Reference for Configuring True SSO.
|Command and Options||Description|
|--environment --add --enrollmentServer enroll-server-fqdn||Adds the specified enrollment server to the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been added, when you run this command, nothing happens.|
|--environment --remove --enrollmentServer enroll-server-fqdn||Removes the specified enrollment server from the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been removed, when you run this command, nothing happens.|
|--environment --list --enrollmentServers||Lists the FQDNs of all enrollment servers in the environment.|
|--environment --list --enrollmentServer enroll-server-fqdn||Lists the FQDNs of the domains and forests that are trusted by the domains and forests to which the enrollment server belongs, and the state of the enrollment certificate, which can be VALID or INVALID. VALID means the enrollment server has an Enrollment Agent certificate installed. The state might be INVALID for any of several reasons:
The log file on the enrollment server can provide the reason for the INVALID state.|
|--environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn||For the enrollment server in the specified domain, lists the CNs (common names) of the available certificate authorities, and provides the following information about each certificate template that can be used for True SSO: name, minimum key length, and hash algorithm.|
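The following PowerShell script is an added example, not part of the original documentation. It combines the authentication options with the two --list rows above to report the enrollment certificate state of every enrollment server. It assumes that vdmUtil is on the PATH, that it returns a nonzero exit code on failure, that --list --enrollmentServers prints one FQDN per line, and that the per-server listing contains the literal word VALID or INVALID; the parameter names, the Invoke-TrueSso helper and the report layout are hypothetical.

```powershell
# Added example: audit True SSO enrollment-server certificate state.
# Assumed, not documented on this page: vdmUtil output layout and exit codes.
param(
    [Parameter(Mandatory)] [string] $AuthAs,      # admin-role-user
    [Parameter(Mandatory)] [string] $AuthDomain   # netbios-name
)

# Prompt for the password so it is not stored in the script or shell history.
# It is still passed to vdmUtil as an argument, so run this in an admin-only session.
$secure = Read-Host -AsSecureString "Password for $AuthDomain\$AuthAs"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-TrueSso {
    param([string[]] $TaskOptions)
    # Authentication options + --truesso + the task-specific options from the table.
    $argv = @('--authAs', $AuthAs, '--authDomain', $AuthDomain,
              '--authPassword', $plain, '--truesso') + $TaskOptions
    $out = & vdmUtil @argv
    if ($LASTEXITCODE -ne 0) {
        throw "vdmUtil exited with code $LASTEXITCODE for: $($TaskOptions -join ' ')"
    }
    $out
}

# Keep only lines that look like an FQDN (assumed: one per line).
$servers = Invoke-TrueSso -TaskOptions @('--environment', '--list', '--enrollmentServers') |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' }

if (-not $servers) { Write-Warning 'No enrollment servers are configured.' }

$report = foreach ($server in $servers) {
    $detail = (Invoke-TrueSso -TaskOptions @('--environment', '--list',
                                             '--enrollmentServer', $server)) -join "`n"
    # Test INVALID first; \b keeps VALID from matching inside INVALID.
    $state = if     ($detail -cmatch '\bINVALID\b') { 'INVALID' }
             elseif ($detail -cmatch '\bVALID\b')   { 'VALID' }
             else                                   { 'UNKNOWN' }
    [pscustomobject]@{ EnrollmentServer = $server; CertificateState = $state }
}

$report | Format-Table -AutoSize
if ($report.CertificateState -contains 'INVALID') {
    Write-Warning 'At least one enrollment server has no valid Enrollment Agent certificate; check the log file on that server.'
    exit 1
}
```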