Storage Center
Active Directory Integration
Best Practices Guide
THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN
TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS,
WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.
2013 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever
without the express written permission of Dell Inc. is strictly forbidden. For more information,
contact Dell.
Dell, the DELL logo, and the DELL badge are trademarks of Dell Inc. Microsoft and Windows are
either trademarks or registered trademarks of Microsoft Corporation in the United States and/or
other countries. Other trademarks and trade names may be used in this document to refer to either
the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in
Table of Contents
1 Preface ........................................................................ 1
1.1 Audience ................................................................ 1
1.2 Purpose ................................................................. 1
Overview ....................................................................... 2
2.1.1 Authentication Method ......................................... 2
2.2 Prerequisites ......................................................... 3
2.2.1 DNS Settings/Domain Settings .............................. 3
Granting Access to User and Group Objects in a Child or Trusted Domain ... 25
Troubleshooting ............................................................. 27
Document Revisions
Date         Revision   Author        Comments
01/10/2013   1.0        Kris Piepho   Initial Release
1 Preface
1.1 Audience
The audience for this document is system administrators who are responsible for the setup
and maintenance of Active Directory, Windows servers and associated storage. Readers
should have a working knowledge of Active Directory, Windows and the Dell Compellent
Storage Center.
1.2 Purpose
This document provides an overview of Storage Center Active Directory integration, and
introduces best practice guidelines for configuring Storage Center Active Directory
integration for use with Windows Server Active Directory Domain Services. Active Directory
integration is included as part of Storage Center release 6.3.1. For installation procedures,
please refer to the Storage Center 6.3 System Manager Administrators Guide located on Dell
Compellent Knowledge Center.
January 2013
2.2 Prerequisites
Storage Center AD Integration requires Active Directory Domain Services (AD DS) to be
running and properly configured. As with any AD installation, the Domain Name System
(DNS) must be running in a healthy state and properly configured: the Storage Center must
be able to resolve the domain controllers, and the domain controllers must be able to resolve
the Storage Center by name and by address.
3. In DNS Manager, expand the domain controller, expand Forward Lookup Zones,
right-click the domain, and select New Host (A or AAAA).
5. Enter the name of the Storage Center in the Name field, and provide the IP address of
the Storage Center. For a single-controller Storage Center system, enter the
controller IP address. For a dual-controller Storage Center system, enter the
management IP address. Leave the Create associated pointer (PTR) record box
checked. Click Add Host.
Note: Creating a pointer (PTR) record will fail if a Reverse Lookup Zone has not yet
been configured for the subnet the Storage Center resides on. Click OK to close the
error message. The Host (A) record will still be created.
To create a Reverse lookup zone and pointer (PTR) record, refer to section 2.2.3 of
this document.
6. Once the Host (A) record has been created, it appears in the right-hand pane of
DNS Manager.
8. Enter the first three octets of the Storage Center's IP address. For example, if the
Storage Center's IP address is 172.16.22.122, enter 172.16.22. Click Next.
3. In DNS Manager, expand the domain controller, expand Reverse Lookup Zones,
right-click the proper reverse lookup zone, and select New Pointer (PTR).
5. Enter the IP address for the Storage Center that matches what was entered for the
Host (A) record, and the Fully Qualified Domain Name of the Storage Center followed
by a period. Leave the Allow any authenticated user to update box unchecked.
Click OK.
11. Once the Pointer (PTR) record has been created, it appears in the right-hand pane
of DNS Manager.
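The Host (A), Reverse Lookup Zone and Pointer (PTR) steps above, scripted on the DNS server with the Windows DnsServer module (Windows Server 2012 and later). This is an added example and not part of the Dell guide; the zone name EXLab.local, the Storage Center name sc40 and the management IP 172.16.22.122 are assumptions chosen to match the guide's examples, and the script is assumed to run as a DNS administrator on the domain controller.

```powershell
# Added example (not from the Dell guide): create the A record, the reverse zone and the
# PTR record for a Storage Center, then verify both on the server.
# Assumptions (hypothetical): zone EXLab.local, host sc40, management IP 172.16.22.122.
Import-Module DnsServer

$Zone  = 'EXLab.local'
$Name  = 'sc40'
$IP    = '172.16.22.122'
$Fqdn  = "$Name.$Zone"
$Octs  = $IP.Split('.')
$NetId = ($Octs[0..2] -join '.') + '.0/24'          # 172.16.22.0/24
$Rev   = ($Octs[2..0] -join '.') + '.in-addr.arpa'   # 22.16.172.in-addr.arpa

# Create the reverse lookup zone first: the GUI reports an error when creating the PTR
# if no reverse zone exists for the Storage Center's subnet (the A record is still created).
if (-not (Get-DnsServerZone -Name $Rev -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetId -ReplicationScope Domain -DynamicUpdate Secure
}

# Host (A) record with its associated PTR in one call; -CreatePtr is the scripted
# equivalent of leaving "Create associated pointer (PTR) record" checked in step 5.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $IP -CreatePtr
}

# Verify on the server. The PTR target is stored as the FQDN followed by a period,
# which is why the GUI asks for the trailing period when the PTR is created by hand.
$a   = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name    -RRType A
$ptr = Get-DnsServerResourceRecord -ZoneName $Rev  -Name $Octs[3] -RRType Ptr
if ($a.RecordData.IPv4Address.IPAddressToString -ne $IP) {
    throw "A record mismatch: $($a.RecordData.IPv4Address)"
}
if ($ptr.RecordData.PtrDomainName -ne "$Fqdn.") {
    throw "PTR mismatch: $($ptr.RecordData.PtrDomainName)"
}
"OK: $Fqdn A $IP, PTR $($ptr.RecordData.PtrDomainName)"
```

The reverse zone is created with secure dynamic updates only, which matches the guide's instruction to leave "Allow any authenticated user to update" unchecked on the PTR record: nothing but the DNS administrator (or the record owner) can later rewrite the Storage Center's name-to-address mapping.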
6. Enter the IP Address of the Primary DNS Server, the Secondary DNS Server (if
applicable), and the Domain Name.
4. Make sure the Enable External Directory Services box is checked, and enter the
name(s) of the AD Domain Controller(s), separated by spaces. Click Start.
g. In the LDAP Domain field enter the name of the domain (e.g. EXLab.local).
h. In the Auth Bind Username field enter the AD service account, created prior to setup,
that has rights to search the directory. The format of this field is
username@domain (e.g. User_SrchOnly@EXLab.local).
i. In the Auth Bind Password field enter the service account password.
6. To verify Storage Center connectivity to the domain controller(s), click the Test
Servers button.
Note: If the test fails, review DNS settings for the Storage Center and domain
controllers.
7. Click Return.
8. Click Continue.
9. The following screen is for configuring Kerberos Authentication. The values
displayed will be the default values and, in most cases, can be left as is. If the defaults
are modified, all values should be entered in UPPERCASE.
a. In the Domain Realms field enter the domain name (e.g. EXLAB.LOCAL).
b. In the KDC Hostname field specify a Kerberos server (this is usually a domain
controller).
c. In the Password Renew Rate (Days) field leave the value at 15.
d. Click Continue.
10. Storage Center will attempt to save values and configure authentication.
12. Enter credentials for a domain user that has rights to join objects to the domain. This
one-time operation does not require a service account.
14. Click Finish Now to close the window and complete setup.
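The service account referenced in the Auth Bind Username step is something the guide assumes already exists. The following added example, which is not part of the Dell guide, creates one with the ActiveDirectory module and then performs the same kind of simple bind and directory search the Storage Center will perform, so that a failure is found before the wizard is run. The domain EXLab.local and account name User_SrchOnly follow the guide's examples; the OU path is an assumption.

```powershell
# Added example (not from the Dell guide): least-privilege, search-only bind account for
# the Storage Center, plus a bind test that mirrors how the Storage Center will use it.
# Assumptions (hypothetical): domain EXLab.local, OU "Service Accounts", name User_SrchOnly.
Import-Module ActiveDirectory

$Domain = 'EXLab.local'
$Sam    = 'User_SrchOnly'
$Upn    = "$Sam@$Domain"
$Path   = 'OU=Service Accounts,DC=EXLab,DC=local'
$Pwd    = Read-Host -AsSecureString -Prompt "Password for $Upn"

# No group membership beyond Domain Users: in a default domain, Authenticated Users
# already hold the read rights needed to search users and groups, which is all the
# bind account does. It is marked non-delegatable and restricted to AES Kerberos.
New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn -Path $Path `
    -AccountPassword $Pwd -Enabled $true `
    -Description 'Storage Center LDAP bind account (directory search only)' `
    -CannotChangePassword $true -AccountNotDelegated $true `
    -KerberosEncryptionType AES256 -PasswordNeverExpires $true
# PasswordNeverExpires is set because an unnoticed policy expiry silently breaks every
# directory login to the Storage Center; rotate the password on a schedule instead and
# update the Auth Bind Password field at the same time.

# Confirm nothing granted the account more than Domain Users.
$extra = Get-ADPrincipalGroupMembership -Identity $Sam | Where-Object Name -ne 'Domain Users'
if ($extra) { throw "Unexpected group membership: $($extra.Name -join ', ')" }

# Bind test with username@domain (the format the wizard expects) using the .NET
# DirectoryServices classes, then a group search, which is what user/group mapping needs.
$cred   = New-Object System.Management.Automation.PSCredential($Upn, $Pwd)
$root   = New-Object System.DirectoryServices.DirectoryEntry(
              "LDAP://$Domain", $cred.UserName, $cred.GetNetworkCredential().Password)
$search = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=group)')
$search.PropertiesToLoad.Add('cn') | Out-Null
$groups = $search.FindAll()
"Bind OK as $($cred.UserName); $($groups.Count) groups visible"
```

If the bind fails here it will also fail from the Storage Center, and the error text from DirectoryEntry (invalid credentials versus server unreachable) separates an account problem from the DNS problems the Troubleshooting section points to.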
In cases where a directory user has been given access to the Storage Center directly
and also belongs to a directory group that has been granted access, the permissions
mapped to the user override the permissions mapped to the group.
A directory group mapped to the Storage Center with Volume Manager or Reporter
privileges must be mapped to a local Storage Center group. The local Storage Center
group determines which folders the users in the mapped directory group have access
to. A directory group mapped to the Storage Center with Administrator privileges
does not require mapping to a local group, as Administrators have access to all folders
in Storage Center.
A Domain Local Group can contain users, computers, global groups and universal groups
from any domain in the forest and any trusted domain, and domain local groups from the
same domain. Domain local groups can be a member of any domain local group in the
same domain.
A user in a child domain can gain access to Storage Center by being a member of a parent
domain group that has access, or by being a member of a child domain group that is itself a
member of a parent domain group that has access. In this configuration, the parent domain
group must be domain local, because a global group cannot contain domain local or
global groups from a child domain.
A user in a trusted domain can gain access to Storage Center by being a member of a group
in the local domain (the domain the Storage Center is joined to) that has access, or by being
a member of a group in the trusted domain that is itself a member of the local domain group
that has access. In this configuration, the local domain group must be domain local; it cannot
be a global group because global groups cannot contain members from other domains.
Groups in the trusted domain should be created as global.
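The child-domain nesting described above, built with the ActiveDirectory module, as an added example that is not part of the Dell guide. It creates the Domain Local group on the parent side and the Global group on the child side, nests one in the other, and shows that the same nesting into a Global parent group is rejected by Active Directory, which is the reason behind the scope rule. The domains EXLab.local and child.EXLab.local, the OU paths, the group names and the user jdoe are assumptions; the script is assumed to run with rights in both domains.

```powershell
# Added example (not from the Dell guide): parent Domain Local group mapped to the
# Storage Center, child Global group holding the users, nested across the domain boundary.
# Assumptions (hypothetical): parent EXLab.local, child child.EXLab.local, child user jdoe.
Import-Module ActiveDirectory

$Parent     = 'EXLab.local'
$Child      = 'child.EXLab.local'
$ParentOU   = 'OU=Groups,DC=EXLab,DC=local'
$ChildOU    = 'OU=Groups,DC=child,DC=EXLab,DC=local'

# Parent-side group that will be mapped to the Storage Center: Domain Local scope.
$scGroup = New-ADGroup -Name 'SC-VolumeManagers' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ParentOU -Server $Parent -PassThru

# Child-side group: Global scope, containing that domain's users.
$childGroup = New-ADGroup -Name 'Child-StorageAdmins' -GroupScope Global -GroupCategory Security `
    -Path $ChildOU -Server $Child -PassThru
Add-ADGroupMember -Identity $childGroup -Server $Child -Members (Get-ADUser -Identity jdoe -Server $Child)

# Nest the child Global group into the parent Domain Local group. The member is passed as
# an object fetched from its own domain so the parent DC resolves it by SID, not by name.
Add-ADGroupMember -Identity $scGroup -Server $Parent -Members $childGroup

# Negative check: a Global group in the parent refuses a member from the child domain,
# which is why the mapped parent group cannot be Global.
$wrong = New-ADGroup -Name 'SC-WrongScope' -GroupScope Global -GroupCategory Security `
    -Path $ParentOU -Server $Parent -PassThru
$accepted = $false
try {
    Add-ADGroupMember -Identity $wrong -Server $Parent -Members $childGroup -ErrorAction Stop
    $accepted = $true
} catch {
    "Expected failure for Global scope: $($_.Exception.Message)"
}
Remove-ADGroup -Identity $wrong -Server $Parent -Confirm:$false
if ($accepted) { throw 'Unexpected: a Global group accepted a member from another domain' }

# What the Storage Center will see: the parent group's direct members (the child group),
# and the users inside that child group expanded from the child domain's own DC.
Get-ADGroupMember -Identity $scGroup -Server $Parent | Select-Object Name, objectClass
Get-ADGroupMember -Identity $childGroup -Server $Child -Recursive | Select-Object Name, SamAccountName
```

The trusted-domain case is the same script with the trusted domain in place of the child and a trust in place of the forest membership; the parent-side group stays Domain Local and the trusted-domain group stays Global.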
5 Changing Domains
At any time Storage Center AD integration can be configured to point to a different domain
and domain controllers. DNS settings and Storage Center networking settings must be
updated to reflect the new domain information. The Authentication Configuration wizard
will need to be re-run to enter new settings and join the Storage Center to the new domain.
All previous user and group mappings from Active Directory will no longer be functional and
can be removed. Please note that if the Storage Center is returned to the original domain,
any user mappings that were deleted that are to be used again must be restored by a Storage
Center administrative user.
Note: Domain changes require a restart of Storage Center. Refer to chapter 8 of the
Storage Center 6.3 System Manager Administrators Guide for instructions on how to restart
Storage Center.
6 Troubleshooting
As mentioned earlier in this document, Storage Center AD integration is heavily dependent
upon DNS being properly configured and running in a healthy state. Verifying DNS settings
and connectivity is the place to start when troubleshooting problems with Storage Center AD
integration.
At least one domain controller listed in Directory Services Configuration must be online in
order for Storage Center to authenticate directory users and groups. If all domain controllers
are offline, access to Storage Center is restricted to local users only.
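The checks the two paragraphs above call for, run from a Windows administration host rather than from the Storage Center, as an added example that is not part of the Dell guide. It confirms that the Storage Center's A and PTR records agree, that DNS serves the domain's DC locator records, and that every domain controller entered in Directory Services Configuration answers on LDAP and Kerberos, counting how many are online. The domain, the Storage Center name and address, and the DC names are assumptions.

```powershell
# Added example (not from the Dell guide): DNS and domain controller reachability checks
# for the dependencies the Troubleshooting section names.
# Assumptions (hypothetical): domain EXLab.local, Storage Center sc40.EXLab.local at
# 172.16.22.122, domain controllers dc1 and dc2 as listed in the Storage Center.
$Domain = 'EXLab.local'
$ScFqdn = 'sc40.EXLab.local'
$ScIP   = '172.16.22.122'
$DCs    = @('dc1.EXLab.local', 'dc2.EXLab.local')

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# 1. Forward and reverse records for the Storage Center must exist and agree.
$a   = Resolve-DnsName -Name $ScFqdn -Type A   -ErrorAction SilentlyContinue
$ptr = Resolve-DnsName -Name $ScIP   -Type PTR -ErrorAction SilentlyContinue
Add-Result 'A record'   ($a.IPAddress -contains $ScIP) "$ScFqdn -> $($a.IPAddress -join ',')"
Add-Result 'PTR record' ($ptr.NameHost -eq $ScFqdn)    "$ScIP -> $($ptr.NameHost)"

# 2. DNS must serve the domain's DC locator (SRV) records; a healthy AD DNS always does.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
Add-Result 'DC locator SRV' ([bool]$srv) (($srv.NameTarget | Sort-Object -Unique) -join ',')

# 3. Each listed DC must answer on LDAP (389) and Kerberos (88); at least one must be up,
#    otherwise only local Storage Center users can log in.
$online = 0
foreach ($dc in $DCs) {
    $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue
    $up   = $ldap.TcpTestSucceeded -and $krb.TcpTestSucceeded
    if ($up) { $online++ }
    Add-Result "DC $dc" $up "ldap=$($ldap.TcpTestSucceeded) kerberos=$($krb.TcpTestSucceeded)"
}
Add-Result 'At least one DC online' ($online -gt 0) "$online of $($DCs.Count) reachable"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

A failing A or PTR check points at the DNS procedures in section 2.2; a passing DNS section with every DC unreachable on port 88 or 389 points at the network path between the Storage Center's management interface and the domain controllers rather than at the directory configuration.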
7 Additional Resources
In addition to the hyperlinks in this document, please refer to the following sites for more
information:
Dell Compellent Home Page: http://www.compellent.com
Dell Compellent Knowledge Center: http://kc.compellent.com
Microsoft DNS Overview: http://technet.microsoft.com/en-us/library/hh831667.aspx
Microsoft Active Directory Domain Services Overview: http://technet.microsoft.com/en-us/library/hh831484.aspx