Dell Compellent Storage Center Active Directory Integration Best Practices Guide
Dell Compellent Technical Solutions Group
January, 2013

THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

© 2013 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.

Dell, the DELL logo, and the DELL badge are trademarks of Dell Inc. Microsoft® and Windows® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Table of Contents

1 Preface
1.1 Audience
1.2 Purpose
1.3 Customer Support
2 Introduction to Storage Center Active Directory Integration
2.1 Overview
2.1.1 Authentication Method
2.1.2 Single Sign-On
2.1.3 Active Directory Functional Levels
2.1.4 Read-Only Domain Controllers (RODC)
2.1.5 Trusts and Child Domains
2.2 Prerequisites
2.2.1 DNS Settings/Domain Settings
2.2.2 Creating a Host (A) record
2.2.3 Reverse Lookup Zones and Pointer (PTR) records
2.2.4 Creating a Pointer (PTR) record
2.2.5 Storage Center Network Settings
3 Setup and Configuration
3.1 Configure Directory Services Authentication
4 Active Directory User and Group Access
4.1 Storage Center Permissions
4.2 Active Directory Account Maintenance
4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain
4.2.2 Account and Group Deletion
4.2.3 Disabled/Locked Out Accounts
5 Changing Domains
6 Troubleshooting
7 Additional Resources

Document Revisions

Date        Revision  Author       Comments
01/10/2013  1.0       Kris Piepho  Initial Release

1 Preface

1.1 Audience

The audience for this document is system administrators who are responsible for the setup and maintenance of Active Directory, Windows servers and associated storage. Readers should have a working knowledge of Active Directory, Windows and the Dell Compellent Storage Center.

1.2 Purpose

This document provides an overview of Storage Center Active Directory integration, and introduces best practice guidelines for configuring Storage Center Active Directory integration for use with Windows Server Active Directory Domain Services. Active Directory integration is included as part of Storage Center release 6.3.1. For installation procedures, please refer to the Storage Center 6.3 System Manager Administrator's Guide located on Dell Compellent Knowledge Center.
1.3 Customer Support

Dell Compellent provides live support at 1-866-EZSTORE (866.397.8673), 24 hours a day, 7 days a week, 365 days a year. For additional support, email Dell Compellent at support@compellent.com. Dell Compellent responds to emails during normal business hours.

January 2013 Storage Center Active Directory Integration Best Practices 1

2 Introduction to Storage Center Active Directory Integration

2.1 Overview

Enterprises of all sizes consolidate user management and authentication into services such as Active Directory (AD). The Microsoft Active Directory service allows organizations to efficiently organize, manage, and control resources. Active Directory is implemented as a distributed, scalable database managed by Windows Server 2012, 2008 R2, 2003 R2, or 2003 SP1 domain controllers. It is now possible in these environments to manage administrator accounts in the Dell Compellent Storage Center SAN from Active Directory.

Storage Center Active Directory integration provides a scalable solution for authentication that enables administrators to manage a potentially large number of accounts across many Storage Center systems from a central location. In addition, Storage Center Active Directory integration simplifies account management for administrators by enabling them to leverage their existing native Active Directory infrastructure.

2.1.1 Authentication Method

Storage Center AD integration requires Kerberos v5 authentication. NTLMv2 authentication is not supported. Kerberos v5 authentication is available with Windows Server 2003 SP1 and later.

2.1.2 Single Sign-On

As of the 6.3.1 release of Storage Center, Single Sign-On (SSO) is not supported between Active Directory and Storage Center. Active Directory users will need to enter their credentials each time they access Storage Center. SSO will be supported in a future release of Storage Center.

2.1.3 Active Directory Functional Levels

Storage Center AD integration supports the Windows Server 2012, 2008 R2, 2008, and 2003 native Active Directory functional levels, and will function in environments with domain controllers running a combination of any of the aforementioned server operating systems. The functional level of a domain or forest controls which advanced features are available in the domain or forest.

Note: The functional level of a domain or forest is limited by (but not determined by) the domain controller running the oldest version of Windows Server in the domain or forest. For example, in an environment where the domain controllers were upgraded from Windows Server 2008 R2 to Server 2012, the functional level will remain at 2008 R2 until Active Directory is upgraded.

2.1.4 Read-Only Domain Controllers (RODC)

Storage Center AD integration supports the use of a combination of traditional domain controllers and read-only domain controllers for authentication. Storage Center AD integration will work when only a single read-only domain controller is functional.

Note: A primary or backup domain controller must be online during initial setup and configuration of Storage Center AD integration. During setup an Active Directory object for Storage Center is created and joined to the domain. This process can only be completed on a writeable domain controller.

2.1.5 Trusts and Child Domains

Storage Center AD integration allows the joining of Storage Center to one AD domain. When joined to the domain, Storage Center can authenticate users and groups in the local domain, as well as users and groups from child and trusted domains. A two-way transitive trust must exist between the local forest and any external forests in order for Storage Center to authenticate trusted users. For more information about Active Directory trusts, please refer to Microsoft TechNet.
Detailed information about configuring Storage Center AD integration with child domains and forest trusts can be found in Chapter 4 of this document.

2.2 Prerequisites

Storage Center AD integration requires Active Directory Domain Services (ADDS) to be running and properly configured. As with any AD installation, the Domain Name Service (DNS) must be running in a healthy state and properly configured.

2.2.1 DNS Settings/Domain Settings

Storage Center AD integration is heavily dependent upon a properly configured DNS environment. Storage Center and the domain controller(s) must be able to communicate with each other using Fully Qualified Domain Names (FQDN). In order to facilitate communication via FQDN between Storage Center and the domain controller(s), a Host (A) record as well as a Pointer (PTR) record must exist for each Storage Center in DNS.

2.2.2 Creating a Host (A) record

To create a Host (A) record for a Storage Center on Windows Server 2012, perform the following steps:

1. Open an RDP session to the primary DNS server and log in as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).
   Figure 1: Administrative Tools
3. In DNS Manager, expand the domain controller, expand Forward Lookup Zones, right-click the domain, and select New Host (A or AAAA).
   Figure 2: Context Menu
4. The New Host window appears.
   Figure 3: New Host window
5. Enter the name of the Storage Center in the Name field, and provide the IP address of the Storage Center. For a single-controller Storage Center system, enter the controller IP address. For a dual-controller Storage Center system, enter the management IP address. Leave the Create associated pointer (PTR) record box checked. Click Add Host.
   Figure 4: Host Information

   Note: Creating a pointer (PTR) record will fail if a Reverse Lookup Zone has not yet been configured for the subnet the Storage Center resides on. Click OK to close the error message. The Host (A) record will still be created.
   Figure 5: DNS warning message
   To create a Reverse Lookup Zone and Pointer (PTR) record, refer to section 2.2.3 of this document.
6. Once the Host (A) record has been created, it will appear in the right-hand pane of DNS Manager.
   Figure 6: New Host (A) Record

2.2.3 Reverse Lookup Zones and Pointer (PTR) records

A Reverse Lookup Zone enables clients to use a known IP address during a name query and look up a computer name based on its address. Pointer records map an IP to a hostname, whereas a Host record maps a hostname to an IP. Reverse Lookup Zones are not automatically created with the install of DNS and need to be created manually.

Note: Without Host and Pointer records for Storage Center, the domain join operation performed while configuring Storage Center Directory Services will fail.

To create a Reverse Lookup Zone:

1. Open an RDP session to the primary DNS server and log in as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).
   Figure 7: Administrative Tools
3. In DNS Manager, expand the domain controller, right-click Reverse Lookup Zones, and select New Zone.
   Figure 8: Context menu
4. The New Zone Wizard window appears. Click Next.
   Figure 9: New Zone Wizard
5. Select Primary Zone. Click Next.
   Figure 10: Select zone type
6. Select the Zone Replication Scope. Click Next.
   Figure 11: Zone Replication Scope
7. Select IPv4 Reverse Lookup Zone. Click Next.
   Figure 12: Zone name selection
8. Enter the first three octets of the Storage Center's IP address. For example, if the Storage Center's IP address is 172.16.22.122, enter 172.16.22. Click Next.
   Figure 13: Network ID
9. Select the Dynamic Update type. Click Next.
   Figure 14: Dynamic Update settings
10. Click Finish to complete the New Zone Wizard.
   Figure 15: Complete the New Zone Wizard

2.2.4 Creating a Pointer (PTR) record

To create a Pointer (PTR) record:

1. Open an RDP session to the primary DNS server and log in as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).
   Figure 16: Administrative Tools
3. In DNS Manager, expand the domain controller, expand Reverse Lookup Zones, right-click the proper reverse lookup zone, and select New Pointer (PTR).
   Figure 17: Context menu
4. The New Resource Record window appears.
   Figure 18: New Resource Record window
5. Enter the IP address for the Storage Center that matches what was entered for the Host (A) record, and the Fully Qualified Domain Name of the Storage Center followed by a period. Leave the Allow any authenticated user to update… box unchecked. Click OK.
   Figure 19: Host information
6. Once the Pointer (PTR) record has been created, it will be reflected in the right-hand pane of DNS Manager.
   Figure 20: New Pointer (PTR) record

2.2.5 Storage Center Network Settings

On the Storage Center, each controller's primary DNS server must be set to a DNS server used by Active Directory. If a secondary DNS server also exists, each controller should be configured to point to it. Each controller must also reflect the domain name in which the Storage Center will exist and authenticate.
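The records from sections 2.2.2 through 2.2.4 can also be created and checked from PowerShell on the DNS server. The script below is an added example and is not part of the Dell guide; it uses the guide's sample values (SC22, EXLab.local, 172.16.22.122) and assumes an Active Directory-integrated reverse zone with Domain replication scope and secure dynamic updates, which are choices the wizard leaves to you.

```powershell
# Added example (not from the Dell guide): create the Host (A) record, the IPv4
# reverse lookup zone and the Pointer (PTR) record for a Storage Center with the
# DnsServer module on Windows Server 2012, then confirm that forward and reverse
# lookups agree. Run on the primary DNS server as an administrator.
#Requires -Modules DnsServer

$ScName   = 'SC22'            # Storage Center name (Name field of the New Host window)
$ZoneName = 'EXLab.local'     # forward lookup zone, i.e. the AD domain
$ScIPv4   = '172.16.22.122'   # controller IP (single) or management IP (dual controller)
$ScFqdn   = "$ScName.$ZoneName"

# The reverse zone is named from the first three octets, reversed: 22.16.172.in-addr.arpa
$octets      = $ScIPv4.Split('.')
$NetworkId   = '{0}.{1}.{2}.0/24' -f $octets[0], $octets[1], $octets[2]
$ReverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
$PtrName     = $octets[3]     # the PTR record name is the last octet

# 1. Reverse lookup zone (section 2.2.3). Creating it before the A record avoids the
#    DNS warning the guide describes when "Create associated pointer" finds no zone.
#    Assumption: AD-integrated zone, Domain replication scope, secure updates only.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
    Write-Host "Created reverse lookup zone $ReverseZone"
}

# 2. Host (A) record with its pointer (section 2.2.2, PTR box left checked)
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $ScName -RRType 'A' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $ScName -IPv4Address $ScIPv4 -CreatePtr
    Write-Host "Created A record $ScFqdn -> $ScIPv4"
}

# 3. Pointer (PTR) record (section 2.2.4), for the case where the A record was created
#    before the reverse zone existed. The target is the FQDN followed by a period.
if (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $PtrName -RRType 'Ptr' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $PtrName -PtrDomainName "$ScFqdn."
    Write-Host "Created PTR record $PtrName.$ReverseZone -> $ScFqdn."
}

# 4. Both directions must resolve and agree, or the domain join in section 3.1 fails.
$forward = @((Resolve-DnsName -Name $ScFqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress)
$reverse = (Resolve-DnsName -Name $ScIPv4 -Type PTR -ErrorAction Stop).NameHost | Select-Object -First 1
if ($forward -notcontains $ScIPv4 -or $reverse.TrimEnd('.') -ne $ScFqdn) {
    throw "Forward/reverse mismatch: $ScFqdn -> $($forward -join ','), $ScIPv4 -> $reverse"
}
Write-Host "DNS is consistent: $ScFqdn <-> $ScIPv4"
```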
To modify a controller's DNS/Domain settings, perform the following steps:

1. Connect to the Storage Center using Compellent System Manager or the web GUI. Log in as a user with administrator rights.
   Figure 21: Storage Center System Manager
2. In the left navigation window, expand Controllers.
   Figure 22: Controllers
3. Right-click the first controller, and select Properties.
   Figure 23: Controller properties
4. Click the IP button at the top of the window.
   Figure 24: Controller IP settings
5. Scroll down to the Primary DNS Server setting.
   Figure 25: Controller DNS settings
6. Enter the IP address of the Primary DNS Server, the Secondary DNS Server (if applicable), and the Domain Name.
   Figure 26: Updated Controller DNS settings
7. Click OK to save the settings.
8. For a dual-controller Storage Center system, repeat this process on the other controller.

3 Setup and Configuration

Refer to chapter 9 of the Storage Center 6.3 System Manager Administrator's Guide for more information about enabling Active Directory integration.

Note: All existing Storage Center users and groups will remain after Directory Services Authentication is configured.

Note: It is recommended that an Active Directory service account be created prior to configuring Storage Center directory services authentication. The service account will need to be assigned or delegated rights to query the directory. This account will be used by Storage Center to process all directory query requests.

3.1 Configure Directory Services Authentication

1. Connect to the Storage Center using Compellent System Manager or the web GUI. Log in as an administrator user.
2. Click Storage Management, select System, select Access, and choose Configure Authentication.
   Figure 27: Storage Center context menu
3. The Configure Authentication window will appear.
   Figure 28: Configure Authentication window
4. Make sure the Enable External Directory Services box is checked, and enter the name(s) of the AD Domain Controller(s), separated by spaces. Click Start.
   Figure 29: Enable External Directory Services
5. The following screen appears:
   Figure 30: Configure Authentication

   Note: Fields in this screen are case sensitive.

   a. In the Directory Type dropdown, choose Active Directory.
   b. In the URI field, make sure the FQDN name(s) of the AD Domain Server(s) are entered. Each FQDN should be prefaced by "ldap://" and names should be separated by spaces, e.g.: "ldap://JS24.EXLab.local ldap://JS25.EXLab.local"

      Note: Storage Center AD integration is not site aware, meaning it cannot automatically detect a domain and its associated domain controllers. To use a specific domain controller, it must be defined in the URI field. Storage Center will try to authenticate to domain controllers in the order they are defined in this field. If a domain controller becomes inaccessible, Storage Center will try the next domain controller in the list.

      Note: Storage Center AD integration supports authentication against a Read-Only Domain Controller (RODC).
   c. In the Server Connection Timeout field enter 30.
   d. In the Base DN field enter the canonical name of the domain. For example, if your domain is EXLab.local, the canonical name is "dc=EXLab,dc=local".
   e. (Optional) In the Relative Base field enter the canonical location where the Storage Center Active Directory object should be created. The default is CN=Computers.
   f. In the Storage Center Hostname field enter the Storage Center name followed by the domain name. This will be the FQDN of the Storage Center (e.g. SC22.EXLab.local).
   g. In the LDAP Domain field enter the name of the domain (e.g. EXLab.local).
   h. In the Auth Bind Username field enter the AD service account with rights to search the directory, created prior to setup. The format of this field is username@domain (e.g. User_SrchOnly@EXLab.local).
   i. In the Auth Bind Password field enter the service account password.
   Figure 31: Configure Authentication settings
6. To verify Storage Center connectivity to the domain controller(s), click the Test Servers button.
   Figure 32: Verify connectivity

   Note: If the test fails, review DNS settings for the Storage Center and domain controllers.
7. Click Return.
   Figure 33: Configure Authentication
8. Click Continue.
9. The following screen is for configuring Kerberos Authentication. The values displayed will be the default values and, in most cases, can be left as is. If the defaults are modified, all values should be entered in UPPERCASE.
   Figure 34: Kerberos information
   a. In the Domain Realms field enter the domain name (e.g. EXLAB.LOCAL).
   b. In the KDC Hostname field specify a Kerberos server (this is usually a domain controller).
   c. In the Password Renew Rate (Days) field leave the value at 15.
   d. Click Continue.
10. Storage Center will attempt to save the values and configure authentication.
   Figure 35: Successful configuration
11. Click Join.
   Figure 36: Join domain
12. Enter credentials for a domain user that has rights to join objects to the domain. This one-time operation does not require a service account.
   Figure 37: Domain user info
13. Click Join Now.
   Figure 38: Successful domain join
14. Click Finish Now to close the window and complete setup.

4 Active Directory User and Group Access

Detailed information on how to grant access to directory users and groups can be found in the Storage Center 6.3 System Manager Administrator's Guide. There are a few things to keep in mind when granting access to a directory user:

- In cases where a directory user has been given access to the Storage Center directly and also belongs to a directory group that has been granted access, the local user permissions will override the mapped group permissions.
- A directory group mapped to the Storage Center with Volume Manager or Reporter privileges must be mapped to a local Storage Center group. The local Storage Center group determines what folders the users in the mapped directory group have access to.
- A directory group mapped to the Storage Center with Administrator privileges does not require mapping to a local group, as Administrators have access to all folders in Storage Center.
- Storage Center supports authentication of a user in up to 16 nested groups.
- 64 Active Directory groups can be mapped to a single Storage Center group.

4.1 Storage Center Permissions

If a directory user has been given "Administrator" privileges to Storage Center, that user's privilege level cannot be changed to Volume Manager or Reporter. However, user privileges can be changed from "Volume Manager" to "Reporter" and vice versa. Like directory users, directory groups that have been given "Administrator" privileges to Storage Center cannot be changed to "Volume Manager" or "Reporter". Privileges can be changed on a directly mapped directory user, but cannot be changed on a user that is allowed access through a group.

When a directory user is a member of more than one directory group that has been granted access to Storage Center, that user will receive the least restrictive permissions of the groups he/she belongs to. For example, a user is a member of the Accounting directory group, which has been granted Reporter access in Storage Center. The user is also a member of the Storage directory group, which has been granted Volume Manager access in Storage Center. When the directory user logs into Storage Center, their effective permissions will be Volume Manager.

4.2 Active Directory Account Maintenance

4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain

To allow access to users and groups from child or trusted domains, it is important to understand the three types of groups (Universal, Global and Domain Local) within Active Directory.

A Universal Group can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be a member of domain local groups but not global groups. Because Storage Center requires a two-way trust in order to grant access to non-local users, using universal groups for Storage Center access is not recommended.

A Global Group can contain users, computers and groups from the same domain, but not universal groups. A global group can be a member of global groups of the same domain, and of domain local groups or universal groups of any domain in the forest or trusted domains.

A Domain Local Group can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Domain local groups can be a member of any domain local group in the same domain.

A user in a child domain can gain access to Storage Center by being a member of a parent domain group that has access, or by being a member of a local child domain group that is a member of a parent domain group that has access. In this configuration, the parent domain group should be set to domain local, because a global group cannot contain domain local or global groups from a child domain.

A user in a trusted domain can gain access to Storage Center by being a member of a local domain group that has access, or by being a member of a group on the trusted domain that is a member of the local domain group that has access. In this configuration, the local domain group should be set to domain local. The local domain group cannot be a global group because global groups cannot contain cross-domain members. Groups on the trusted domain should be created as global.

4.2.2 Account and Group Deletion

When an Active Directory user account that has been granted access to Storage Center either directly or via group membership is deleted, that user no longer has access to Storage Center. The corresponding Storage Center user account must be manually deleted.

When an Active Directory group that has been granted access to Storage Center is deleted from AD, all members of that group will no longer have access to Storage Center (unless they were directly granted access). The group mapping and all user accounts that were part of that group must be manually deleted from Storage Center.

4.2.3 Disabled/Locked Out Accounts

Active Directory user accounts that have been granted access to Storage Center either directly or via group membership will be unable to log in to Storage Center if the user account is disabled or locked out in Active Directory. Access to Storage Center is regained when the account is enabled.

5 Changing Domains

At any time, Storage Center AD integration can be configured to point to a different domain and domain controllers. DNS settings and Storage Center networking settings must be updated to reflect the new domain information. The Authentication Configuration wizard will need to be re-run to enter the new settings and join the Storage Center to the new domain. All previous user and group mappings from Active Directory will no longer be functional and can be removed. Please note that if the Storage Center is returned to the original domain, any user mappings that were deleted and are to be used again must be restored by a Storage Center administrative user.

Note: Domain changes require a restart of Storage Center. Refer to chapter 8 of the Storage Center 6.3 System Manager Administrator's Guide for instructions on how to restart Storage Center.

6 Troubleshooting

As mentioned earlier in this document, Storage Center AD integration is heavily dependent upon DNS being properly configured and running in a healthy state. Verifying DNS settings and connectivity is a good place to start when troubleshooting problems with Storage Center AD integration.

At least one domain controller listed in the Directory Services configuration must be online in order for Storage Center to authenticate directory users and groups. If all domain controllers are offline, access to Storage Center is restricted to local users only.

7 Additional Resources

In addition to the hyperlinks in this document, please refer to the following sites for more information:

Dell Compellent Home Page: http://www.compellent.com
Dell Compellent Knowledge Center: http://kc.compellent.com
Microsoft DNS Overview: http://technet.microsoft.com/en-us/library/hh831667.aspx
Microsoft Active Directory Domain Services Overview: http://technet.microsoft.com/en-us/library/hh831484.aspx
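The values entered in the Configure Authentication screen (section 3.1) follow directly from the domain name and the Storage Center name, and the DNS and connectivity checks section 6 recommends can be run from any domain-joined Windows host before clicking Test Servers. The script below is an added example, not part of the Dell guide; it uses the guide's sample names (EXLab.local, JS24, JS25, SC22, User_SrchOnly), assumes LDAP on TCP 389 and Kerberos on TCP 88, and treats the first listed domain controller as the KDC, which is an assumption rather than a requirement.

```powershell
# Added example (not from the Dell guide): derive the section 3.1 field values from
# the domain and Storage Center name, then check DNS, LDAP and Kerberos reachability
# for each domain controller and the state of the bind service account.
# Run from a domain-joined Windows host; the Get-ADUser check needs the
# ActiveDirectory module and is skipped when that module is not present.

$Domain      = 'EXLab.local'
$Controllers = @('JS24', 'JS25')   # listed in the order Storage Center should try them
$ScName      = 'SC22'
$BindUser    = 'User_SrchOnly'     # service account with directory search rights

# Field values exactly as Storage Center expects them (the screen is case sensitive).
$config = [ordered]@{
    'Directory Type'             = 'Active Directory'
    'URI'                        = ($Controllers | ForEach-Object { "ldap://$_.$Domain" }) -join ' '
    'Server Connection Timeout'  = 30
    'Base DN'                    = ($Domain.Split('.') | ForEach-Object { "dc=$_" }) -join ','
    'Relative Base'              = 'CN=Computers'
    'Storage Center Hostname'    = "$ScName.$Domain"
    'LDAP Domain'                = $Domain
    'Auth Bind Username'         = "$BindUser@$Domain"
    'Domain Realms'              = $Domain.ToUpperInvariant()       # Kerberos realm, UPPERCASE
    'KDC Hostname'               = "$($Controllers[0]).$Domain"     # assumption: first DC is the KDC
    'Password Renew Rate (Days)' = 15
}
$config.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }

# Every listed DC must resolve by FQDN and answer LDAP (389) and Kerberos (88);
# a DC that fails here is one Storage Center will skip over in the URI order.
$problems = @()
foreach ($dc in $Controllers) {
    $fqdn = "$dc.$Domain"
    if (-not (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue)) {
        $problems += "$fqdn does not resolve; check its Host (A) record"
        continue
    }
    foreach ($port in 389, 88) {
        $tcp = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { $problems += "$fqdn is not reachable on TCP $port" }
    }
}

# The bind account must exist and be enabled (section 4.2.3: disabled accounts cannot log in).
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $svc = Get-ADUser -Identity $BindUser -Server "$($Controllers[0]).$Domain" -ErrorAction SilentlyContinue
    if (-not $svc)             { $problems += "service account $BindUser was not found in $Domain" }
    elseif (-not $svc.Enabled) { $problems += "service account $BindUser is disabled" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Preflight passed: DCs resolve and answer LDAP/Kerberos, bind account is usable' }
```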
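The group-scope rules in section 4.2.1 translate into a specific nesting: the group mapped to Storage Center is created as Domain Local in the joined domain, and Global groups from the child or trusted domain are nested into it. The script below is an added example, not part of the Dell guide; the child domain, trusted domain and group names are constructed for illustration, and it assumes the ActiveDirectory module and an existing two-way trust to the trusted domain.

```powershell
# Added example (not from the Dell guide): build the nesting section 4.2.1 recommends
# so that users from a child domain and from a trusted domain can be granted access
# through one group mapped to Storage Center. Domain and group names are constructed.
#Requires -Modules ActiveDirectory

$ParentDomain  = 'EXLab.local'          # the domain Storage Center is joined to
$ChildDomain   = 'child.EXLab.local'    # constructed child domain
$TrustedDomain = 'partner.local'        # constructed trusted domain (two-way trust assumed)
$ScGroup       = 'SC-VolumeManagers'    # the group that is mapped to Storage Center

# 1. The mapped group lives in the joined domain and must be Domain Local:
#    a Global group cannot contain groups or users from another domain.
$mapped = Get-ADGroup -Filter "Name -eq '$ScGroup'" -Server $ParentDomain
if (-not $mapped) {
    $mapped = New-ADGroup -Name $ScGroup -GroupScope DomainLocal -GroupCategory Security `
                          -Server $ParentDomain -PassThru
}
if ($mapped.GroupScope -ne 'DomainLocal') {
    throw "$ScGroup has scope $($mapped.GroupScope); it must be DomainLocal to hold cross-domain members"
}

# 2. Child domain: the child's users go into a Global group created in the child
#    domain, and that group is nested into the parent's Domain Local group.
$childGroup = New-ADGroup -Name 'SC-Users-Child' -GroupScope Global -GroupCategory Security `
                          -Server $ChildDomain -PassThru
Add-ADGroupMember -Identity $mapped -Members $childGroup -Server $ParentDomain

# 3. Trusted domain: same pattern; the remote group is created as Global, as the guide
#    advises, and the member is passed as an object so it resolves across the trust.
$trustedGroup = New-ADGroup -Name 'SC-Users-Partner' -GroupScope Global -GroupCategory Security `
                            -Server $TrustedDomain -PassThru
Add-ADGroupMember -Identity $mapped -Members $trustedGroup -Server $ParentDomain

# 4. Show the resulting membership. Storage Center resolves up to 16 levels of nesting,
#    so keep the chain short: user -> Global group -> mapped Domain Local group.
Get-ADGroupMember -Identity $mapped -Server $ParentDomain |
    Select-Object Name, objectClass, distinguishedName
```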