
Dell Compellent Storage Center
Active Directory Integration
Best Practices Guide

Dell Compellent Technical Solutions Group


January, 2013

THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN
TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS,
WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.
© 2013 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever
without the express written permission of Dell Inc. is strictly forbidden. For more information,
contact Dell.
Dell, the DELL logo, and the DELL badge are trademarks of Dell Inc. Microsoft and Windows are
either trademarks or registered trademarks of Microsoft Corporation in the United States and/or
other countries. Other trademarks and trade names may be used in this document to refer to either
the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in
the marks and names of others.



Table of Contents
1 Preface
  1.1 Audience
  1.2 Purpose
  1.3 Customer Support
2 Introduction to Storage Center Active Directory Integration
  2.1 Overview
    2.1.1 Authentication Method
    2.1.2 Single Sign-On
    2.1.3 Active Directory Functional Levels
    2.1.4 Read-Only Domain Controllers (RODC)
    2.1.5 Trusts and Child Domains
  2.2 Prerequisites
    2.2.1 DNS Settings/Domain Settings
    2.2.2 Creating a Host (A) record
    2.2.3 Reverse Lookup Zones and Pointer (PTR) records
    2.2.4 Creating a Pointer (PTR) record
    2.2.5 Storage Center Network Settings
3 Setup and Configuration
  3.1 Configure Directory Services Authentication
4 Active Directory User and Group Access
  4.1 Storage Center Permissions
  4.2 Active Directory Account Maintenance
    4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain
    4.2.2 Account and Group Deletion
    4.2.3 Disabled/Locked Out Accounts
5 Changing Domains
6 Troubleshooting
7 Additional Resources


Document Revisions

Date        Revision  Author       Comments
01/10/2013  1.0       Kris Piepho  Initial Release


1 Preface
1.1 Audience
The audience for this document is system administrators who are responsible for the setup
and maintenance of Active Directory, Windows servers and associated storage. Readers
should have a working knowledge of Active Directory, Windows and the Dell Compellent
Storage Center.

1.2 Purpose
This document provides an overview of Storage Center Active Directory integration and
introduces best practice guidelines for configuring it for use with Windows Server Active
Directory Domain Services. Active Directory integration is included as part of Storage Center
release 6.3.1. For installation procedures, refer to the Storage Center 6.3 System Manager
Administrator's Guide located on the Dell Compellent Knowledge Center.

1.3 Customer Support

Dell Compellent provides live support at 1-866-EZSTORE (866.397.8673), 24 hours a day, 7
days a week, 365 days a year. For additional support, email Dell Compellent at
support@compellent.com. Dell Compellent responds to emails during normal business
hours.

January 2013

Storage Center Active Directory Integration Best Practices

2 Introduction to Storage Center Active Directory Integration
2.1 Overview
Enterprises of all sizes consolidate user management and authentication into services such
as Active Directory (AD). The Microsoft Active Directory service allows organizations to
efficiently organize, manage, and control resources. Active Directory is implemented as a
distributed, scalable database managed by Windows Server 2012, 2008 R2, 2003 R2, or 2003
SP1 domain controllers. It is now possible in these environments to manage administrator
accounts in the Dell Compellent Storage Center SAN from Active Directory.
Storage Center Active Directory integration provides a scalable solution for authentication
that enables administrators to manage a potentially large number of accounts across many
Storage Center systems from a central location. In addition, Storage Center Active Directory
integration simplifies account management for administrators by enabling them to leverage
their existing native Active Directory infrastructure.

2.1.1 Authentication Method

Storage Center AD integration requires Kerberos v5 authentication; NTLMv2 authentication
is not supported. Kerberos v5 is the default domain authentication protocol on all Windows
Server versions covered by this guide (2003 SP1 and later). Because Kerberos is used, the
Storage Center must be resolvable in DNS by its FQDN (see section 2.2) and its clock must
stay within the domain's Kerberos time tolerance (five minutes by default), so point the
controllers at the same time source as the domain controllers.

2.1.2 Single Sign-On


As of the 6.3.1 release of Storage Center, Single Sign-On (SSO) is not supported between
Active Directory and Storage Center. Active Directory users will need to enter their
credentials each time they access Storage Center. SSO will be supported in a future release
of Storage Center.

2.1.3 Active Directory Functional Levels

Storage Center AD integration supports the Windows Server 2012, 2008 R2, 2008 and 2003
native Active Directory functional levels, and works in environments whose domain
controllers run any combination of these server operating systems. The functional level of a
domain or forest controls which advanced features are available in that domain or forest.
Note: The functional level of a domain or forest is limited by (but not determined by) the
oldest version of Windows Server running on a domain controller in that domain or forest.
For example, after all domain controllers in an environment have been upgraded from
Windows Server 2008 R2 to Windows Server 2012, the functional level remains at Windows
Server 2008 R2 until an administrator raises it.

2.1.4 Read-Only Domain Controllers (RODC)

Storage Center AD integration supports a combination of writable domain controllers and
read-only domain controllers for authentication, and continues to work when only a single
read-only domain controller is reachable.
Note: A writable domain controller must be online during the initial setup and
configuration of Storage Center AD integration. During setup a computer object for the
Storage Center is created in Active Directory and joined to the domain. This can only be
done on a writable domain controller; an RODC cannot create or modify directory objects.

2.1.5 Trusts and Child Domains

Storage Center can be joined to exactly one AD domain. Once joined, Storage Center can
authenticate users and groups from that domain, from its child domains, and from trusted
domains. A two-way transitive trust must exist between the local forest and any external
forest for Storage Center to authenticate users from that forest. For more information about
Active Directory trusts, refer to Microsoft TechNet.
Detailed information about configuring Storage Center AD integration with child domains
and forest trusts can be found in section 4.2.1 of this document.

2.2 Prerequisites
Storage Center AD integration requires Active Directory Domain Services (AD DS) to be
running and properly configured. As with any AD installation, the Domain Name System
(DNS) must be running in a healthy state and properly configured.

2.2.1 DNS Settings/Domain Settings


Storage Center AD integration is heavily dependent upon a properly configured DNS
environment. Storage Center and the domain controller(s) must be able to communicate
with each other using Fully Qualified Domain Names (FQDN). In order to facilitate
communication via FQDN between Storage Center and the domain controller(s), a Host (A)
record as well as a Pointer (PTR) record must exist for each Storage Center in DNS.

2.2.2 Creating a Host (A) record

To create a Host (A) record for a Storage Center on Windows Server 2012, perform the
following steps:
1. Open an RDP session to the primary DNS server and log in as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).

Figure 1: Administrative Tools

3. In DNS Manager, expand the domain controller, expand Forward Lookup Zones,
right-click the domain, and select New Host (A or AAAA).

Figure 2: Context Menu


4. The New Host window appears:

Figure 3: New Host window

5. Enter the name of the Storage Center in the Name field and provide the IP address of
the Storage Center. For a single-controller Storage Center system, enter the
controller IP address. For a dual-controller Storage Center system, enter the
management IP address. Leave the Create associated pointer (PTR) record box
checked. Click Add Host.

Figure 4: Host Information


Note: Creating a pointer (PTR) record will fail if a Reverse Lookup Zone has not yet
been configured for the subnet the Storage Center resides on. Click OK to close the
error message. The Host (A) record will still be created.

Figure 5: DNS warning message

To create a Reverse lookup zone and pointer (PTR) record, refer to section 2.2.3 of
this document.
6. Once the Host (A) record has been created, it will reflect in the right hand screen of
DNS Manager.

Figure 6: New Host (A) Record

2.2.3 Reverse Lookup Zones and Pointer (PTR) records

A Reverse Lookup Zone lets clients look up a computer name from a known IP address.
Pointer (PTR) records map an IP address to a hostname, whereas Host (A) records map a
hostname to an IP address. Reverse Lookup Zones are not created automatically when the
DNS Server role is installed and must be created manually.
Note: Without both a Host (A) record and a Pointer (PTR) record for the Storage Center, the
domain join performed while configuring Storage Center Directory Services will fail.
To create a Reverse Lookup Zone:
1. Open an RDP session to the primary DNS server and log in as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).


Figure 7: Administrative Tools

3. In DNS Manager, expand the domain controller, right-click Reverse Lookup Zones and
select New Zone.

Figure 8: Context menu


4. The New Zone Wizard window appears. Click Next.

Figure 9: New Zone Wizard

5. Select Primary Zone. Click Next.

Figure 10: Select zone type


6. Select the Zone Replication Scope. Click Next.

Figure 11: Zone Replication Scope

7. Select IPv4 Reverse Lookup Zone. Click Next.

Figure 12: Zone name selection


8. Enter the first three octets of the Storage Center's IP address. For example, if the
Storage Center's IP address is 172.16.22.122, enter 172.16.22. Click Next.

Figure 13: Network ID

9. Select the Dynamic Update type. For an Active Directory-integrated zone, keep the
default, Allow only secure dynamic updates, so that only authenticated domain members
can register or change records in the zone. Click Next.

Figure 14: Dynamic Update settings

10. Click Finish to complete the New Zone Wizard.

Figure 15: Complete the New Zone Wizard

2.2.4 Creating a Pointer (PTR) record

To create a Pointer (PTR) record:
1. Open an RDP session to the primary DNS server and log in as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).

Figure 16: Administrative Tools


3. In DNS Manager, expand the domain controller, expand Reverse Lookup Zones,
right-click the proper reverse lookup zone, and select New Pointer (PTR).

Figure 17: Context menu

4. The New Resource Record window appears.

Figure 18: New Resource Record window

5. Enter the IP address of the Storage Center that matches what was entered for the
Host (A) record, and the Fully Qualified Domain Name of the Storage Center followed
by a period. Leave the Allow any authenticated user to update box unchecked, so that
only DNS administrators can change this record. Click OK.

Figure 19: Host information

6. Once the Pointer (PTR) record has been created, it is shown in the right-hand pane of
DNS Manager.

Figure 20: New Pointer (PTR) record
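The three DNS procedures above (sections 2.2.2 through 2.2.4) can be scripted with the DnsServer module that ships with Windows Server 2012, and scripting them also gives a repeatable check of what section 6 tells you to verify first: that the Storage Center's forward and reverse records agree. The following script is an added example, not code from this guide or from Dell; the DNS server name, zone, hostname and address are the illustrative values from the guide's screenshots (JS24.EXLab.local, EXLab.local, SC22, 172.16.22.122) and are assumptions to replace with your own.

```powershell
# Added example, not part of the Dell guide. Run in an elevated PowerShell
# session on Windows Server 2012 (DnsServer and DnsClient modules).
# Every name and address below is an illustrative assumption taken from the
# guide's screenshots; replace them with your own values.
Import-Module DnsServer
Import-Module DnsClient

$DnsServer = 'JS24.EXLab.local'    # DNS server / domain controller (assumed)
$ZoneName  = 'EXLab.local'         # forward lookup zone = the AD domain
$ScName    = 'SC22'                # Storage Center host name
$ScAddress = '172.16.22.122'       # controller IP (single) or management IP (dual)
$ScFqdn    = "$ScName.$ZoneName"

# Derive the reverse zone (first three octets reversed + in-addr.arpa), the
# PTR record name (last octet) and the /24 network ID from the address.
$o           = $ScAddress.Split('.')
$ReverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
$PtrName     = $o[3]
$NetworkId   = '{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]

# 2.2.3: create the reverse lookup zone if it is missing. Storing it in AD
# with secure dynamic updates only means unauthenticated hosts cannot
# register or overwrite PTR records in it.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -NetworkId $NetworkId `
        -ReplicationScope Domain -DynamicUpdate Secure
}

# 2.2.2: create the Host (A) record. -CreatePtr succeeds here only because
# the reverse zone already exists; otherwise the A record is still created
# but the PTR is not (the warning shown in Figure 5).
if (-not (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
          -Name $ScName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
        -Name $ScName -IPv4Address $ScAddress -CreatePtr
}

# 2.2.4: create the PTR record explicitly if the A record pre-dated the
# reverse zone. The FQDN is terminated with a period as in Figure 19, and
# "allow any authenticated user to update" stays off (the cmdlet default).
if (-not (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone `
          -Name $PtrName -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ComputerName $DnsServer -ZoneName $ReverseZone `
        -Name $PtrName -PtrDomainName "$ScFqdn."
}

# Verification: both directions must agree when asked of the DNS server the
# Storage Center controllers will point at (section 2.2.5). The domain join
# in section 3.1 fails without this.
$forward = Resolve-DnsName -Name $ScFqdn -Type A -Server $DnsServer -ErrorAction Stop
$reverse = Resolve-DnsName -Name $ScAddress -Type PTR -Server $DnsServer -ErrorAction Stop

$forwardIps  = @($forward | Where-Object { $_.Type -eq 'A' }   | ForEach-Object { $_.IPAddress })
$reverseName = @($reverse | Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost.TrimEnd('.') })

if ($forwardIps -notcontains $ScAddress) {
    throw "Forward lookup of $ScFqdn returned [$($forwardIps -join ', ')], expected $ScAddress"
}
if ($reverseName -notcontains $ScFqdn) {
    throw "Reverse lookup of $ScAddress returned [$($reverseName -join ', ')], expected $ScFqdn"
}
"OK: $ScFqdn <-> $ScAddress resolve consistently on $DnsServer"
```

The script is safe to re-run: each record is created only when it is missing, and the final lookups are made against the specific DNS server rather than whatever resolver the admin workstation happens to use, so a stale cache cannot mask a missing record.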

2.2.5 Storage Center Network Settings

On the Storage Center, each controller's primary DNS server must be set to a DNS server
used by Active Directory. If a secondary DNS server also exists, each controller should be
configured to point to it as well. Each controller must also be configured with the name of
the domain that the Storage Center will join and authenticate against. To modify a
controller's DNS and domain settings, perform the following steps:
1. Connect to the Storage Center using Compellent System Manager or the web GUI.
Log in as a user with administrator rights.


Figure 21: Storage Center System Manager

2. In the left navigation window, expand Controllers.

Figure 22: Controllers


3. Right-click on the first controller, and select Properties.

Figure 23: Controller properties

4. Click the IP button at the top of the window.

Figure 24: Controller IP settings


5. Scroll down to the Primary DNS Server setting.

Figure 25: Controller DNS settings

6. Enter the IP Address of the Primary DNS Server, the Secondary DNS Server (if
applicable), and the Domain Name.

Figure 26: Updated Controller DNS settings

7. Click OK to save the settings.
8. For a dual-controller Storage Center system, repeat this process on the other
controller.

3 Setup and Configuration

Refer to chapter 9 of the Storage Center 6.3 System Manager Administrator's Guide for more
information about enabling Active Directory integration.
Note: All existing Storage Center users and groups will remain after Directory Services
Authentication is configured.
Note: It is recommended that an Active Directory service account be created before
configuring Storage Center directory services authentication. Storage Center uses this
account for all directory query requests, so it needs only the rights to read and search the
directory. Do not use a member of a privileged group such as Domain Admins for this
purpose, and give the account a long, unique password, since that password is saved in the
Storage Center configuration.

3.1 Configure Directory Services Authentication

1. Connect to the Storage Center using Compellent System Manager or the web GUI.
Log in as an administrator user.
2. Click Storage Management, select System, select Access, and choose Configure
Authentication.

Figure 27: Storage Center context menu

3. The Configure Authentication window will appear:


Figure 28: Configure Authentication window

4. Make sure the Enable External Directory Services box is checked, and enter the
name(s) of the AD Domain Controller(s), separated by spaces. Click Start.

Figure 29: Enable External Directory Services


5. The following screen appears:

Figure 30: Configure Authentication

Note: Fields in this screen are case sensitive.

a. In the Directory Type dropdown, choose Active Directory.
b. In the URI field, enter the FQDN of each AD domain controller, prefixed with
ldap:// and separated by spaces, e.g. ldap://JS24.EXLab.local ldap://JS25.EXLab.local
Note: Storage Center AD integration is not site aware, meaning it cannot
automatically discover a domain and its domain controllers. To use a specific
domain controller, it must be listed in the URI field. Storage Center tries the
domain controllers in the order they are listed; if a domain controller becomes
inaccessible, Storage Center tries the next one in the list.
Note: Storage Center AD integration supports authentication against a Read-Only Domain Controller (RODC).
c. In the Server Connection Timeout field enter 30.
d. In the Base DN field enter the distinguished name (DN) of the domain. For
example, if the domain is EXLab.local, the Base DN is dc=EXLab,dc=local.
e. (Optional) In the Relative Base field enter the container, relative to the Base DN,
in which the Storage Center computer object should be created. The default is
CN=Computers.
f. In the Storage Center Hostname field enter the Storage Center name followed
by the domain name, that is, the FQDN of the Storage Center (e.g.
SC22.EXLab.local). It must match the Host (A) and PTR records created in section 2.2.

g. In the LDAP Domain field enter the name of the domain (e.g. EXLab.local).
h. In the Auth Bind Username field enter the AD service account with rights to
search the directory that was created before setup. The format of this field is
username@domain (e.g. User_SrchOnly@EXLab.local).
i. In the Auth Bind Password field enter the service account's password.

Figure 31: Configure Authentication settings

6. To verify Storage Center connectivity to the domain controller(s), click the Test
Servers button.

Figure 32: Verify connectivity


Note: If the test fails, review the DNS settings of the Storage Center and of the domain
controllers (sections 2.2.1 through 2.2.5).
7. Click Return.

Figure 33: Configure Authentication

8. Click Continue.
9. The following screen is for configuring Kerberos authentication. The values
displayed are the defaults and in most cases can be left as they are. If the defaults
are modified, all values should be entered in UPPERCASE, because Kerberos realm
names are case sensitive and are conventionally the domain name in upper case.


Figure 34: Kerberos information

a. In the Domain Realms field enter the domain name in upper case (e.g. EXLAB.LOCAL).
b. In the KDC Hostname field specify a Kerberos Key Distribution Center (in Active
Directory this is a domain controller).
c. In the Password Renew Rate (Days) field leave the value at 15.
d. Click Continue.
10. Storage Center will attempt to save values and configure authentication.

Figure 35: Successful configuration


11. Click Join.

Figure 36: Join domain

12. Enter the credentials of a domain user that has rights to create computer objects in
the target container (by default CN=Computers). These credentials are used only for
this one-time join operation; the service account from step 5 is not needed here.

Figure 37: Domain user info


13. Click Join Now.

Figure 38: Successful domain join

14. Click Finish Now to close the window and complete setup.
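Before running the wizard, a practitioner will want to confirm, from a domain-joined Windows host, the same things the Test Servers button checks and a few it does not: that each domain controller named in the URI field is reachable on the LDAP and Kerberos ports, that the bind account can actually search the Base DN, that clocks are within the Kerberos tolerance, and that the Storage Center's forward and reverse DNS records agree. The script below is an added example, not code from this guide or from Dell, and it is also the starting point for the troubleshooting advice in section 6. Hostnames, Base DN and account name are the illustrative values from the guide's screenshots and are assumptions; the password is prompted for, never stored.

```powershell
# Added example, not part of the Dell guide. Run on a domain-joined Windows
# host (PowerShell 3.0 or later) before using the wizard. Values are the
# illustrative ones from the guide's screenshots and are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainControllers = @('JS24.EXLab.local', 'JS25.EXLab.local')   # URI field targets, in order
$BaseDn            = 'DC=EXLab,DC=local'                           # Base DN field
$BindUser          = 'User_SrchOnly@EXLab.local'                   # Auth Bind Username field
$ScFqdn            = 'SC22.EXLab.local'                            # Storage Center Hostname field
$TimeoutSeconds    = 30                                            # Server Connection Timeout field
$MaxSkewSeconds    = 300                                           # default Kerberos clock tolerance
$BindPassword      = Read-Host -AsSecureString 'Auth Bind Password' # prompted, never hard-coded
$cred              = New-Object System.Net.NetworkCredential($BindUser, $BindPassword)

function Test-TcpPort {
    # Plain TCP connect with a timeout; avoids Test-NetConnection, which is
    # not present on Windows Server 2012 RTM.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LdapBind {
    # Bind as the service account over SASL/Negotiate (Kerberos when it is
    # available) and run a base-scope search of the Base DN, which is the
    # least the account must be able to do for Storage Center's queries.
    param([string]$Server, [string]$BaseDn, [System.Net.NetworkCredential]$Credential, [int]$Timeout)
    $id    = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $auth  = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential, $auth)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds($Timeout)
    try {
        $conn.Bind()
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, '(objectClass=domainDNS)', $scope, 'distinguishedName')
        $resp  = $conn.SendRequest($req)
        return ($resp.Entries.Count -eq 1)
    } finally { $conn.Dispose() }
}

$problems = @()
foreach ($dc in $DomainControllers) {
    # 389 serves the ldap:// URIs; 88 is the KDC configured in step 9.
    foreach ($port in 389, 88) {
        if (-not (Test-TcpPort -Server $dc -Port $port)) { $problems += "${dc}: TCP port $port unreachable" }
    }
    # Kerberos rejects tickets when clocks differ by more than the tolerance.
    try {
        $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop
        $skew = [math]::Abs(($os.LocalDateTime - (Get-Date)).TotalSeconds)
        if ($skew -gt $MaxSkewSeconds) { $problems += "${dc}: clock skew of $([int]$skew)s exceeds $MaxSkewSeconds s" }
    } catch { $problems += "${dc}: could not read clock ($($_.Exception.Message))" }
    try {
        if (-not (Test-LdapBind -Server $dc -BaseDn $BaseDn -Credential $cred -Timeout $TimeoutSeconds)) {
            $problems += "${dc}: bind succeeded but base search of $BaseDn returned no entry"
        }
    } catch { $problems += "${dc}: LDAP bind or search failed ($($_.Exception.Message))" }
}

# The forward and reverse records from section 2.2 must agree, or the domain
# join at the end of the wizard fails.
try {
    $a   = @(Resolve-DnsName -Name $ScFqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' })
    $ip  = $a[0].IPAddress
    $ptr = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop | ForEach-Object { $_.NameHost.TrimEnd('.') })
    if ($ptr -notcontains $ScFqdn) { $problems += "PTR for $ip is [$($ptr -join ', ')], expected $ScFqdn" }
} catch { $problems += "DNS lookup for $ScFqdn failed ($($_.Exception.Message))" }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'All pre-flight checks passed.'
```

A failure in Test-LdapBind with the service account usually means a wrong UPN, an expired password, or an account that cannot read the domain root; a port 88 failure with port 389 open points at a firewall between the Storage Center's management network and the domain controllers rather than at DNS. The bind is done with Negotiate deliberately, so that the service account's password is never sent in the clear over port 389.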

4 Active Directory User and Group Access

Detailed information on how to grant access to directory users and groups can be found in
the Storage Center 6.3 System Manager Administrator's Guide.
There are a few things to keep in mind when granting access to a directory user:
- If a directory user has been given access to the Storage Center directly and also belongs
to a directory group that has been granted access, the directly assigned user permissions
override the mapped group permissions.
- A directory group mapped to the Storage Center with Volume Manager or Reporter
privileges must be mapped to a local Storage Center group. The local Storage Center
group determines which folders the users in the mapped directory group have access to.
A directory group mapped to the Storage Center with Administrator privileges does not
require mapping to a local group, as Administrators have access to all folders in Storage
Center.
- Storage Center supports authentication of a user through up to 16 levels of nested groups.
- Up to 64 Active Directory groups can be mapped to a single Storage Center group.

4.1 Storage Center Permissions

If a directory user has been given Administrator privileges to Storage Center, that user's
privilege level cannot be changed to Volume Manager or Reporter. However, user privileges
can be changed from Volume Manager to Reporter and vice versa.
Like directory users, directory groups that have been given Administrator privileges to
Storage Center cannot be changed to Volume Manager or Reporter.
Privileges can be changed on a directly mapped directory user, but cannot be changed on a
user that is allowed access through a group.
When a directory user is a member of more than one directory group that has been granted
access to Storage Center, that user receives the least restrictive permissions of the groups
he or she belongs to. For example, a user is a member of the Accounting directory group,
which has been granted Reporter access in Storage Center, and also of the Storage directory
group, which has been granted Volume Manager access. When that user logs into Storage
Center, the effective permissions are Volume Manager. Keep this in mind when reviewing
group memberships: adding a user to any mapped group can only raise, never lower, that
user's effective Storage Center rights.

4.2 Active Directory Account Maintenance


4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain
To allow access to users and groups from child or trusted domains, it is important to
understand the three group scopes (Universal, Global and Domain Local) in Active
Directory.
A Universal Group can contain users and groups (global and universal) from any domain in
the forest, but nothing from outside the forest. Universal groups can be members of domain
local groups and of other universal groups, but not of global groups. Because Storage Center
requires a two-way trust to grant access to non-local users, and universal groups cannot
contain members from trusted domains outside the forest, using universal groups for Storage
Center access is not recommended.
A Global Group can contain users, computers and global groups from the same domain only,
not universal groups. A global group can be a member of global groups in the same domain,
of domain local groups in any domain in the forest or in trusted domains, and of universal
groups in any domain in the forest.

A Domain Local Group can contain users, computers, global groups and universal groups
from any domain in the forest and any trusted domain, and domain local groups from the
same domain. Domain local groups can be a member of any domain local group in the
same domain.
A user in a child domain can gain access to Storage Center by being a member of a parent
domain group that has access, or by being a member of a local child domain group that is a
member of a parent domain group that has access. In this configuration, the parent domain
group should be set to domain local because a global group cannot contain domain local or
global groups from a child domain.
A user in a trusted domain can gain access to Storage Center by being a member of a group
in Storage Center's own domain that has access, or by being a member of a group in the
trusted domain that is itself a member of the local domain group that has access. In this
configuration, the local domain group should be domain local; it cannot be a global group,
because global groups cannot contain cross-domain members. Groups in the trusted domain
should be created as global groups.
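The group layout described above (a domain local group in Storage Center's own domain containing a global group from the child or trusted domain), together with the two-way trust requirement from section 2.1.5 and the 16-level nesting limit from section 4, can be set up and checked with the ActiveDirectory module. The script below is an added example, not code from this guide or from Dell. The domain names, group names and user name are assumptions; the nesting check walks the member attribute downward from the mapped group so that each nested group is queried against a domain controller of its own domain.

```powershell
# Added example, not part of the Dell guide. Requires the ActiveDirectory
# module (RSAT) and rights to create groups in both domains. Domain, group
# and user names are illustrative assumptions.
Import-Module ActiveDirectory

$LocalDomain = 'EXLab.local'         # domain Storage Center is joined to
$ChildDomain = 'child.EXLab.local'   # child domain whose users need access
$ScGroupName = 'SC-VolumeManagers'   # group that will be mapped in Storage Center
$ChildGroup  = 'Storage-Operators'   # global group in the child domain
$SampleUser  = 'jdoe'                # a child-domain user to check
$MaxNesting  = 16                    # section 4: up to 16 nested groups

# 2.1.5: a two-way transitive trust is required for users outside the local
# domain. Child domains always have one; external forests must be checked.
Get-ADTrust -Filter * -Server $LocalDomain |
    Where-Object { $_.Direction -ne 'BiDirectional' } |
    ForEach-Object { Write-Warning "Trust to $($_.Name) is $($_.Direction), not two-way" }

# The parent-domain group must be domain local: a global group cannot
# contain groups from a child domain. The child-domain group is global.
if (-not (Get-ADGroup -Filter "Name -eq '$ScGroupName'" -Server $LocalDomain)) {
    New-ADGroup -Name $ScGroupName -GroupScope DomainLocal -GroupCategory Security -Server $LocalDomain
}
if (-not (Get-ADGroup -Filter "Name -eq '$ChildGroup'" -Server $ChildDomain)) {
    New-ADGroup -Name $ChildGroup -GroupScope Global -GroupCategory Security -Server $ChildDomain
}
$scGroup    = Get-ADGroup -Identity $ScGroupName -Server $LocalDomain
$childGroup = Get-ADGroup -Identity $ChildGroup  -Server $ChildDomain
# Pass the object, not the name, so the cross-domain member resolves by SID.
Add-ADGroupMember -Identity $scGroup -Members $childGroup -Server $LocalDomain

function Get-DomainFromDn {
    # Turn "CN=x,OU=y,DC=child,DC=EXLab,DC=local" into "child.EXLab.local"
    # so each group can be queried against a DC of its own domain.
    param([string]$Dn)
    (($Dn -split ',(?=DC=)' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
}

function Get-GroupHops {
    # Breadth-first walk down the member attribute from the mapped group.
    # Returns the number of group hops to the user (1 = direct member,
    # 2 = one nested group, ...) or -1 if the user is not a member at all.
    param([string]$GroupDn, [string]$UserDn)
    $visited  = @{ $GroupDn = $true }
    $frontier = @($GroupDn)
    $hops     = 0
    while ($frontier.Count -gt 0) {
        $hops++
        $next = @()
        foreach ($dn in $frontier) {
            foreach ($m in @(Get-ADGroupMember -Identity $dn -Server (Get-DomainFromDn $dn))) {
                if ($m.distinguishedName -eq $UserDn) { return $hops }
                if ($m.objectClass -eq 'group' -and -not $visited.ContainsKey($m.distinguishedName)) {
                    $visited[$m.distinguishedName] = $true
                    $next += $m.distinguishedName
                }
            }
        }
        $frontier = $next
    }
    return -1
}

$user = Get-ADUser -Identity $SampleUser -Server $ChildDomain
$hops = Get-GroupHops -GroupDn $scGroup.DistinguishedName -UserDn $user.DistinguishedName
if ($hops -lt 0) {
    Write-Warning "$SampleUser is not a member of $ScGroupName via any path"
} elseif (($hops - 1) -gt $MaxNesting) {
    Write-Warning "$SampleUser reaches $ScGroupName through $($hops - 1) nested groups; Storage Center evaluates at most $MaxNesting"
} else {
    "$SampleUser reaches $ScGroupName through $($hops - 1) nested group(s)"
}
```

For a group in a trusted external forest, Get-ADGroupMember must be pointed at a domain controller of that forest with credentials valid there (the -Credential parameter); the walk itself is unchanged. Counting hops from the top is deliberate: the user's own memberOf attribute does not list domain local groups from other domains, so walking upward from the user would miss exactly the cross-domain path this section describes.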

4.2.2 Account and Group Deletion


When an Active Directory user account that has been granted access to Storage Center
either directly or via group membership is deleted, that user no longer has access to Storage
Center. The corresponding Storage Center user account must be manually deleted.
When an Active Directory Group that has been granted access to Storage Center is deleted
from AD, all members of that group will no longer have access to Storage Center (unless
they were directly granted access). The group mapping and all user accounts that were part
of that group must be manually deleted from Storage Center.

4.2.3 Disabled/Locked Out Accounts


Active Directory user accounts that have been granted access to Storage Center, either
directly or via group membership, cannot log in to Storage Center while the account is
disabled or locked out in Active Directory. Access is regained as soon as the account is
re-enabled or unlocked in Active Directory; no change is required on the Storage Center.
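Because Storage Center does not remove its own mappings when the corresponding AD user or group is deleted (section 4.2.2), and silently rejects disabled or locked accounts (section 4.2.3), a periodic reconciliation of the mapped principals against AD is worth automating. The script below is an added example, not code from this guide or from Dell. Storage Center 6.3 provides no export that it reads; the list of mappings is a constructed sample standing in for one the administrator maintains, and the account and group names come from the guide's own examples.

```powershell
# Added example, not part of the Dell guide. Requires the ActiveDirectory
# module. The mapping list is a constructed sample maintained by hand.
Import-Module ActiveDirectory

# Constructed sample of the directory principals mapped in Storage Center.
$Mappings = @(
    @{ Type = 'User';  Domain = 'EXLab.local'; Name = 'jsmith'        },
    @{ Type = 'User';  Domain = 'EXLab.local'; Name = 'User_SrchOnly' },
    @{ Type = 'Group'; Domain = 'EXLab.local'; Name = 'Accounting'    },
    @{ Type = 'Group'; Domain = 'EXLab.local'; Name = 'Storage'       }
)

function Get-MappingStatus {
    # Look the principal up in its own domain and classify what the Storage
    # Center administrator has to do about it, if anything.
    param([hashtable]$Mapping)
    $r = [ordered]@{
        Type   = $Mapping.Type
        Name   = "$($Mapping.Domain)\$($Mapping.Name)"
        Status = 'OK'
        Action = 'None'
    }
    try {
        if ($Mapping.Type -eq 'User') {
            $u = Get-ADUser -Identity $Mapping.Name -Server $Mapping.Domain -Properties Enabled, LockedOut -ErrorAction Stop
            if (-not $u.Enabled) {
                $r.Status = 'Disabled';  $r.Action = 'Login fails until re-enabled in AD (4.2.3)'
            } elseif ($u.LockedOut) {
                $r.Status = 'LockedOut'; $r.Action = 'Login fails until unlocked in AD (4.2.3)'
            }
        } else {
            $null = Get-ADGroup -Identity $Mapping.Name -Server $Mapping.Domain -ErrorAction Stop
        }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # 4.2.2: the AD object is gone, but the Storage Center mapping is not
        # removed automatically and must be deleted by hand.
        $r.Status = 'Deleted'
        $r.Action = 'Remove the mapping from Storage Center manually (4.2.2)'
    } catch {
        $r.Status = 'Error'
        $r.Action = $_.Exception.Message
    }
    [pscustomobject]$r
}

$report = $Mappings | ForEach-Object { Get-MappingStatus -Mapping $_ }
$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled task flag the run when anything needs attention.
if (@($report | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

When a mapped group shows as Deleted, remember that the guide also requires the Storage Center user accounts that were created through that group to be removed by hand, so extend the mapping list with those users as well if you rely on this report.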

5 Changing Domains
At any time Storage Center AD integration can be configured to point to a different domain
and domain controllers. DNS settings and Storage Center networking settings must be
updated to reflect the new domain information. The Authentication Configuration wizard
will need to be re-run to enter new settings and join the Storage Center to the new domain.

All previous user and group mappings from Active Directory will no longer be functional and
can be removed. Note that if the Storage Center is later returned to the original domain,
any user mappings that were deleted and are needed again must be recreated by a Storage
Center administrative user.
Note: Domain changes require a restart of Storage Center. Refer to chapter 8 of the
Storage Center 6.3 System Manager Administrator's Guide for instructions on how to restart
Storage Center.

6 Troubleshooting
As mentioned earlier in this document, Storage Center AD integration is heavily dependent
on DNS being properly configured and running in a healthy state. Verifying DNS settings
and connectivity (forward and reverse resolution of the Storage Center FQDN, and
resolution of every domain controller listed in the URI field) is the place to start when
troubleshooting problems with Storage Center AD integration.
At least one domain controller listed in the Directory Services configuration must be online
for Storage Center to authenticate directory users and groups. If all listed domain controllers
are offline, access to Storage Center is restricted to local users only, so keep at least one
local administrator account with a strong password as a fallback.

7 Additional Resources
In addition to the hyperlinks in this document, refer to the following sites for more
information:
Dell Compellent Home Page: http://www.compellent.com
Dell Compellent Knowledge Center: http://kc.compellent.com
Microsoft DNS Overview: http://technet.microsoft.com/en-us/library/hh831667.aspx
Microsoft Active Directory Domain Services Overview: http://technet.microsoft.com/en-us/library/hh831484.aspx

