Dell Compellent Storage Center Active Directory Integration Best Practices


  • 8/10/2019 Dell Compellent Storage Center Active Directory Integration Best Practices

    1/31

    Dell Compellent Storage

    Center

    Active Directory Integration

    Best Practices Guide

    Dell Compellent Technical Solutions Group

    January, 2013


    THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN

    TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS,

    WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

    © 2013 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever
    without the express written permission of Dell Inc. is strictly forbidden. For more information,
    contact Dell.

    Dell, the DELL logo, and the DELL badge are trademarks of Dell Inc. Microsoft and Windows are
    either trademarks or registered trademarks of Microsoft Corporation in the United States and/or
    other countries. Other trademarks and trade names may be used in this document to refer to either
    the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in
    the marks and names of others.


    Table of Contents

    1 Preface
    1.1 Audience
    1.2 Purpose
    1.3 Customer Support
    2 Introduction to Storage Center Active Directory Integration
    2.1 Overview
    2.1.1 Authentication Method
    2.1.2 Single Sign-On
    2.1.3 Active Directory Functional Levels
    2.1.4 Read-Only Domain Controllers (RODC)
    2.1.5 Trusts and Child Domains
    2.2 Prerequisites
    2.2.1 DNS Settings/Domain Settings
    2.2.2 Creating a Host (A) record
    2.2.3 Reverse Lookup Zones and Pointer (PTR) records
    2.2.4 Creating a Pointer (PTR) record
    2.2.5 Storage Center Network Settings
    3 Setup and Configuration
    3.1 Configure Directory Services Authentication
    4 Active Directory User and Group Access
    4.1 Storage Center Permissions
    4.2 Active Directory Account Maintenance
    4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain
    4.2.2 Account and Group Deletion
    4.2.3 Disabled/Locked Out Accounts
    5 Changing Domains
    6 Troubleshooting
    7 Additional Resources


    Document Revisions

    Date       | Revision | Author      | Comments
    01/10/2013 | 1.0      | Kris Piepho | Initial Release


    January 2013 Storage Center Active Directory Integration Best Practices 1

    1 Preface

    1.1 Audience

    The audience for this document is system administrators who are responsible for the setup

    and maintenance of Active Directory, Windows servers and associated storage. Readers

    should have a working knowledge of Active Directory, Windows and the Dell Compellent

    Storage Center.

    1.2 Purpose

    This document provides an overview of Storage Center Active Directory integration, and
    introduces best practice guidelines for configuring Storage Center Active Directory
    integration for use with Windows Server Active Directory Domain Services. Active Directory
    integration is included as part of Storage Center release 6.3.1. For installation procedures,
    please refer to the Storage Center 6.3 System Manager Administrator's Guide located on the Dell
    Compellent Knowledge Center.

    1.3 Customer Support

    Dell Compellent provides live support at 1-866-EZSTORE (866.397.8673), 24 hours a day, 7
    days a week, 365 days a year. For additional support, email Dell Compellent at
    [email protected]. Compellent responds to emails during normal business
    hours.


    2 Introduction to Storage Center Active Directory Integration

    2.1 Overview

    Enterprises of all sizes consolidate user management and authentication into services such

    as Active Directory (AD). The Microsoft Active Directory service allows organizations to

    efficiently organize, manage, and control resources. Active Directory is implemented as a

    distributed, scalable database managed by Windows Server 2012, 2008 R2, 2003 R2, or 2003

    SP1 domain controllers. It is now possible in these environments to manage administrator

    accounts in the Dell Compellent Storage Center SAN from Active Directory.

    Storage Center Active Directory integration provides a scalable solution for authentication

    that enables administrators to manage a potentially large number of accounts across many
    Storage Center systems from a central location. In addition, Storage Center Active Directory

    integration simplifies account management for administrators by enabling them to leverage

    their existing native Active Directory infrastructure.

    2.1.1 Authentication Method

    Storage Center AD integration requires Kerberos v5 authentication. NTLMv2 authentication

    is not supported. Kerberos v5 authentication is available with Windows Server 2003 SP1 and

    later.

    2.1.2 Single Sign-On

    As of the 6.3.1 release of Storage Center, Single Sign-On (SSO) is not supported between

    Active Directory and Storage Center. Active Directory users will need to enter their

    credentials each time they access Storage Center. SSO will be supported in a future release

    of Storage Center.

    2.1.3 Active Directory Functional Levels

    Storage Center AD integration supports Windows Server 2012, 2008 R2, 2008, and 2003
    native Active Directory functional levels, and will function in environments with domain
    controllers running a combination of any of the aforementioned server operating systems.
    The functional level of a domain or forest controls which advanced features are available in
    the domain or forest.

    Note: The functional level of a domain or forest is limited by (but not determined by) the
    domain controller running the oldest version of Windows Server in the domain or forest. For
    example, in an environment where the domain controllers were upgraded from Windows
    Server 2008 R2 to Server 2012, the functional level will remain at 2008 R2 until Active
    Directory is upgraded.


    2.1.4 Read-Only Domain Controllers (RODC)

    Storage Center AD integration supports the use of a combination of traditional domain
    controllers and read-only domain controllers for authentication. Storage Center AD
    Integration will work when only a single read-only domain controller is functional.

    Note: A primary or backup domain controller must be online during initial setup and
    configuration of Storage Center AD integration. During setup an Active Directory object for
    Storage Center is created and joined to the domain. This process can only be completed on
    a writeable domain controller.

    2.1.5 Trusts and Child Domains

    Storage Center AD integration allows the joining of Storage Center to one AD domain. When
    joined to the domain, Storage Center can authenticate users and groups in the local domain,
    as well as users and groups from child and trusted domains. A two-way transitive trust must
    exist between the local forest and any external forests in order for Storage Center to
    authenticate trusted users. For more information about Active Directory trusts, please refer
    to Microsoft TechNet.

    Detailed information about configuring Storage Center AD integration with child domains

    and forest trusts can be found in Chapter 4 of this document.

    2.2 Prerequisites

    Storage Center AD Integration requires Active Directory Domain Services (ADDS) to be

    running and properly configured. As with any AD installation, the Domain Name Service

    (DNS) must be running in a healthy state, and properly configured.

    2.2.1 DNS Settings/Domain Settings

    Storage Center AD integration is heavily dependent upon a properly configured DNS

    environment. Storage Center and the domain controller(s) must be able to communicate

    with each other using Fully Qualified Domain Names (FQDN). In order to facilitate

    communication via FQDN between Storage Center and the domain controller(s), a Host (A)

    record as well as a Pointer (PTR) record must exist for each Storage Center in DNS.

    2.2.2 Creating a Host (A) record

    To create a Host (A) record for a Storage Center on Windows Server 2012, perform the

    following steps:

    1. Open an RDP session to the primary DNS server and log in as an administrator.

    2. Open DNS Manager (Start > Administrative Tools > DNS).


    Figure 1: Administrative Tools

    3. In DNS Manager, expand the domain controller, expand Forward Lookup Zones,
    right-click the domain, and select New Host (A or AAAA).

    Figure 2: Context Menu


    4. The New Host window appears:

    Figure 3: New Host window

    5. Enter the name of the Storage Center in the Name field, and provide the IP address of
    the Storage Center. For a single-controller Storage Center system, enter the
    controller IP address. For a dual-controller Storage Center system, enter the
    management IP address. Leave the Create associated pointer (PTR) record box
    checked. Click Add Host.

    Figure 4: Host Information


    Note: Creating a pointer (PTR) record will fail if a Reverse Lookup Zone has not yet

    been configured for the subnet the Storage Center resides on. Click OK to close the

    error message. The Host (A) record will still be created.

    Figure 5: DNS warning message

    To create a Reverse lookup zone and pointer (PTR) record, refer to section 2.2.3 of

    this document.

    6. Once the Host (A) record has been created, it will be reflected in the right-hand pane of
    DNS Manager.

    Figure 6: New Host (A) Record

    2.2.3 Reverse Lookup Zones and Pointer (PTR) records

    A Reverse Lookup Zone enables clients to use a known IP address during a name query and

    look up a computer name based on its address. Pointer records map an IP to a hostname,

    whereas a Host record maps a hostname to an IP. Reverse Lookup Zones are not

    automatically created with the install of DNS and need to be manually created.

    Note: Without Host and Pointer records for Storage Center, the domain join operation

    performed while configuring Storage Center Directory Services will fail.

    To create a Reverse Lookup Zone:

    1. Open an RDP session to the primary DNS server and log in as an administrator.

    2. Open DNS Manager (Start > Administrative Tools > DNS).


    Figure 7: Administrative Tools

    3. In DNS Manager, expand the domain controller, right-click on Reverse Lookup
    Zones and select New Zone.

    Figure 8: Context menu


    4. The New Zone Wizard window appears. Click Next.

    Figure 9: New Zone Wizard

    5. Select Primary Zone. Click Next.

    Figure 10: Select zone type


    6. Select the Zone Replication Scope. Click Next.

    Figure 11: Zone Replication Scope

    7. Select IPv4 Reverse Lookup Zone. Click Next.

    Figure 12: Zone name selection


    8. Enter the first three octets of the Storage Center's IP address. For example, if the
    Storage Center's IP address is 172.16.22.122, enter 172.16.22. Click Next.

    Figure 13: Network ID

    9. Select Dynamic Update Type. Click Next.

    Figure 14: Dynamic Update settings


    10. Click Finish to complete the New Zone Wizard.

    Figure 15: Complete the New Zone Wizard

    2.2.4 Creating a Pointer (PTR) record

    To create a Pointer (PTR) record:

    1. Open an RDP session to the primary DNS server and log in as an administrator.

    2. Open DNS Manager (Start > Administrative Tools > DNS).

    Figure 16: Administrative Tools


    3. In DNS Manager, expand the domain controller, expand Reverse Lookup Zones,

    right-click the proper reverse lookup zone, and select New Pointer (PTR).

    Figure 17: Context menu

    4. The New Resource Record window appears.

    Figure 18: New Resource Record window

    5. Enter the IP address for the Storage Center that matches what was entered for the
    Host (A) record, and the Fully Qualified Domain Name of the Storage Center followed
    by a period. Leave the Allow any authenticated user to update box unchecked.
    Click OK.

    Figure 19: Host information

    6. Once the Pointer (PTR) record has been created, it will be reflected in the right-hand
    pane of DNS Manager.

    Figure 20: New Pointer (PTR) record
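
    The DNS Manager procedures in sections 2.2.2 to 2.2.4 can also be scripted and then checked from PowerShell on the DNS server. The script below is an added example, not part of the Dell guide; it uses the guide's sample name SC22.EXLab.local and address 172.16.22.122, and the replication scope and dynamic update values are assumptions, because the guide leaves those two wizard choices to the administrator.

```powershell
# Added example (not from the Dell guide). Run in an elevated session on the
# DNS server; requires the DnsServer module (Windows Server 2012).
$ZoneName  = 'EXLab.local'      # forward lookup zone, the guide's sample domain
$HostName  = 'SC22'             # Storage Center name, the guide's sample
$IPAddress = '172.16.22.122'    # controller IP (single) or management IP (dual)
$DnsServer = '127.0.0.1'        # query this server directly, bypassing client cache

$fqdn        = "$HostName.$ZoneName"
$octets      = $IPAddress.Split('.')
$networkId   = '{0}.{1}.{2}.0/24' -f $octets[0], $octets[1], $octets[2]
$reverseZone = '{2}.{1}.{0}.in-addr.arpa' -f $octets[0], $octets[1], $octets[2]

# Section 2.2.3: create the reverse lookup zone for the first three octets.
# ReplicationScope and DynamicUpdate are assumptions; pick what your AD design requires.
if (-not (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $networkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Section 2.2.2: Host (A) record for the Storage Center.
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostName -IPv4Address $IPAddress
}

# Section 2.2.4: Pointer (PTR) record. -AllowUpdateAny is deliberately not passed,
# which matches leaving "Allow any authenticated user to update" unchecked.
if (-not (Get-DnsServerResourceRecord -ZoneName $reverseZone -Name $octets[3] -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $reverseZone -Name $octets[3] -PtrDomainName $fqdn
}

# Check that forward and reverse lookups agree; the domain join fails without both.
$a   = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'A' }
$ptr = Resolve-DnsName -Name $IPAddress -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'PTR' }

$forwardOk = @($a   | ForEach-Object { $_.IPAddress }) -contains $IPAddress
$reverseOk = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') }) -contains $fqdn

[pscustomobject]@{
    Fqdn      = $fqdn
    IPAddress = $IPAddress
    ForwardOk = $forwardOk    # A record returns the expected address
    ReverseOk = $reverseOk    # PTR record returns the expected FQDN
}

if (-not ($forwardOk -and $reverseOk)) {
    Write-Warning "Host (A) and Pointer (PTR) records for $fqdn do not match; fix DNS before joining the domain."
}
```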

    2.2.5 Storage Center Network Settings

    On the Storage Center, each controller's primary DNS server must be set to a DNS server
    used by Active Directory. If a secondary DNS server also exists, each controller should be
    configured to point to it. Each controller must also reflect the domain name in which the
    Storage Center will exist and authenticate. To modify a controller's DNS/Domain
    settings, perform the following steps:

    1. Connect to the Storage Center using Compellent System Manager, or the web GUI.
    Log in as a user with administrator rights.


    Figure 21: Storage Center System Manager

    2. In the left navigation window, expand Controllers.

    Figure 22: Controllers


    3. Right-click on the first controller, and select Properties.

    Figure 23: Controller properties

    4. Click the IP button at the top of the window.

    Figure 24: Controller IP settings


    5. Scroll down to the Primary DNS Server setting.

    Figure 25: Controller DNS settings

    6. Enter the IP Address of the Primary DNS Server, the Secondary DNS Server (if
    applicable), and the Domain Name.

    Figure 26: Updated Controller DNS settings

    7. Click OK to save settings.

    8. For a dual-controller Storage Center system, repeat this process on the other
    controller.


    3 Setup and Configuration

    Refer to chapter 9 of the Storage Center 6.3 System Manager Administrator's Guide for more
    information about enabling Active Directory integration.

    Note: All existing Storage Center users and groups will remain after Directory Services

    Authentication is configured.

    Note: It is recommended that an Active Directory service account be created prior to

    configuring Storage Center directory services authentication. The service account will need

    to be assigned or delegated rights to query the directory. This account will be used by

    Storage Center to process all directory query requests.

    3.1 Configure Directory Services Authentication

    1. Connect to the Storage Center using Compellent System Manager, or the web GUI.
    Log in as an administrator user.

    2. Click Storage Management, select System, select Access, and choose Configure

    Authentication.

    Figure 27: Storage Center context menu

    3. The Configure Authentication window will appear:


    Figure 28: Configure Authentication window

    4. Make sure the Enable External Directory Services box is checked, and enter the
    name(s) of the AD Domain Controller(s), separated by spaces. Click Start.

    Figure 29: Enable External Directory Services


    5. The following screen appears:

    Figure 30: Configure Authentication

    Note: fields in this screen are case sensitive.

    a. In the Directory Type dropdown, choose Active Directory.

    b. In the URI field, make sure the FQDNs of the AD Domain Server(s) are
    entered. Each FQDN should be prefaced by ldap:// and names should be
    separated by spaces, e.g.: ldap://JS24.EXLab.local ldap://JS25.EXLab.local

    Note: Storage Center AD Integration is not site aware, meaning it cannot
    automatically detect a domain and associated domain controllers. To use a
    specific domain controller it must be defined in the URI field. Storage Center
    will try to authenticate to domain controllers in the order they are defined in
    this field. If a domain controller becomes inaccessible, Storage Center will try
    the next domain controller in the list.

    Note: Storage Center AD Integration supports authentication against a Read-
    Only Domain Controller (RODC).

    c. In the Server Connection Timeout field enter 30.

    d. In the Base DN field enter the canonical name of the domain. For example, if
    your domain is EXLab.local, the canonical name is dc=EXLab,dc=local.

    e. (Optional) In the Relative Base field enter the canonical location of where the
    Storage Center Active Directory object should be created. Default is
    CN=Computers.

    f. In the Storage Center Hostname field enter the Storage Center name
    followed by the domain name. This will be the FQDN of the Storage Center
    (e.g. SC22.EXLab.local).


    g. In the LDAP Domain field enter the name of the domain (e.g. EXLab.local).

    h. In the Auth Bind Username field enter the AD service account with rights to
    search the directory created prior to setup. The format of this field is
    username@domain ([email protected]).

    i. In the Auth Bind Password field enter the service account password.

    Figure 31: Configure Authentication settings

    6. To verify Storage Center connectivity to the domain controller(s), click the Test
    Servers button.

    Figure 32: Verify connectivity


    Note: If the test fails, review DNS settings for the Storage Center and domain

    controllers.

    7. Click Return.

    Figure 33: Configure Authentication

    8. Click Continue.

    9. The following screen is for configuring Kerberos Authentication. The values
    displayed will be the default values, and in most cases, can be left as is. If the defaults
    are modified, all values should be entered in UPPERCASE.


    Figure 34: Kerberos information

    a. In the Domain Realms field enter the domain name (e.g. EXLAB.LOCAL).

    b. In the KDC Hostname field specify a Kerberos server (this is usually a domain
    controller).

    c. In the Password Renew Rate (Days) field leave the value at 15.

    d. Click Continue.

    10. Storage Center will attempt to save values and configure authentication.

    Figure 35: Successful configuration


    11. Click Join.

    Figure 36: Join domain

    12. Enter credentials for a domain user that has rights to join objects to the domain. This

    one-time operation does not require a service account.

    Figure 37: Domain user info


    13. Click Join Now.

    Figure 38: Successful domain join

    14. Click Finish Now to close the window and complete setup.
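
    Because the fields in steps 5 and 9 are case sensitive and depend on working name resolution, it helps to derive the values once and check the domain controllers before opening the wizard. The PowerShell below is an added example, not part of the Dell guide or of Storage Center; the function names are hypothetical, the sample names (EXLab.local, JS24, JS25, SC22) are the guide's own, and the port probe runs from the administrator's workstation, so it only approximates what the Test Servers button checks from the Storage Center itself.

```powershell
# Added example (not Dell's code). Function names are hypothetical.
# Builds the values entered in steps 5b, 5d, 5f, 5g, 9a and 9b from the domain name.
function Get-StorageCenterAuthSettings {
    param(
        [Parameter(Mandatory = $true)][string]   $Domain,
        [Parameter(Mandatory = $true)][string[]] $DomainController,
        [Parameter(Mandatory = $true)][string]   $StorageCenterName
    )
    # Accept short names and qualify them; the URI field needs FQDNs.
    $dcFqdn = @($DomainController | ForEach-Object {
        if ($_ -like "*.$Domain") { $_ } else { "$_.$Domain" }
    })
    [pscustomobject]@{
        # Order matters: Storage Center tries the controllers in the order listed.
        URI                   = ($dcFqdn | ForEach-Object { "ldap://$_" }) -join ' '
        BaseDN                = ($Domain.Split('.') | ForEach-Object { "dc=$_" }) -join ','
        StorageCenterHostname = "$StorageCenterName.$Domain"
        LdapDomain            = $Domain
        # Step 9: Kerberos values are entered in UPPERCASE if the defaults are changed.
        DomainRealm           = $Domain.ToUpper()
        KdcHostname           = $dcFqdn[0].ToUpper()
        DomainControllers     = $dcFqdn
    }
}

# TCP connect with a timeout, using .NET directly so it also works on
# Windows Server 2012 (PowerShell 3.0).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# For each domain controller: does its FQDN resolve, and do LDAP (389) and
# Kerberos (88) accept connections from this machine?
function Test-DomainControllerReadiness {
    param([string[]]$DomainController, [int[]]$Port = @(389, 88))
    foreach ($dc in $DomainController) {
        $a = Resolve-DnsName -Name $dc -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        $result = [ordered]@{ DomainController = $dc; Resolves = [bool]$a }
        foreach ($p in $Port) {
            $result["Tcp$p"] = [bool]$a -and (Test-TcpPort -ComputerName $dc -Port $p)
        }
        [pscustomobject]$result
    }
}

# Sample values taken from the guide's screenshots and examples.
$settings = Get-StorageCenterAuthSettings -Domain 'EXLab.local' `
    -DomainController 'JS24', 'JS25' -StorageCenterName 'SC22'
$settings | Format-List URI, BaseDN, StorageCenterHostname, LdapDomain, DomainRealm, KdcHostname
Test-DomainControllerReadiness -DomainController $settings.DomainControllers |
    Format-Table -AutoSize
```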

    4 Active Directory User and Group Access

    Detailed information on how to grant access to directory users and groups can be found in
    the Storage Center 6.3 System Manager Administrator's Guide.

    There are a few things to keep in mind when granting access to a Directory user:

    • In cases where a directory user has been given access to the Storage Center directly
      and also belongs to a directory group that has been granted access, the local user
      permissions will override the mapped group permissions.

    • A directory group mapped to the Storage Center with Volume Manager or Reporter
      privileges must be mapped to a local Storage Center group. The local Storage Center
      group determines what folders the users in the mapped directory group have access
      to. A directory group mapped to the Storage Center with Administrator privileges
      does not require mapping to a local group as Administrators have access to all folders
      in Storage Center.

    • Storage Center supports authentication of a user in up to 16 nested groups.

    • 64 Active Directory groups can be mapped to a single Storage Center group.

    4.1 Storage Center Permissions

    If a directory user has been given Administrator privileges to Storage Center, that user's
    privilege level cannot be changed to Volume Manager or Reporter. However, user privileges
    can be changed from Volume Manager to Reporter and vice versa.

    Like directory users, directory groups that have been given Administrator privileges to
    Storage Center cannot be changed to Volume Manager or Reporter.

    Privileges can be changed on a directly mapped directory user, but cannot be changed on a

    user that is allowed access through a group.

    When a directory user is a member of more than one directory group that has been granted
    access to Storage Center, that user will receive the least restrictive permissions of the groups
    he/she belongs to. For example, a user is a member of the Accounting directory group

    which has been granted Reporter access in Storage Center. The user is also a member of the

    Storage directory group which has been granted Volume Manager access in Storage Center.

    When the directory user logs into Storage Center, their effective permissions will be Volume

    Manager.
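
    The precedence rules in sections 4 and 4.1 (a direct user mapping overrides group mappings; otherwise the least restrictive group mapping applies) can be used to audit who ends up with which privilege. The PowerShell below is an added example, not part of the Dell guide; the function name, the user names and the ranking Reporter < Volume Manager < Administrator are assumptions, the last one consistent with the guide's Accounting/Storage example.

```powershell
# Added example (not Dell's code); models the mapping rules described above.
# Ranking is an assumption: Reporter < Volume Manager < Administrator.
$PrivilegeRank = @{ 'Reporter' = 1; 'Volume Manager' = 2; 'Administrator' = 3 }

function Get-EffectivePrivilege {
    param(
        [Parameter(Mandatory = $true)][string] $User,
        [hashtable] $DirectMapping = @{},   # user  -> privilege mapped directly
        [hashtable] $GroupMapping  = @{},   # group -> privilege mapped to the group
        [string[]]  $MemberOf      = @()    # directory groups the user belongs to
    )
    # Rule 1: a directly mapped user keeps that privilege, whatever the groups grant.
    if ($DirectMapping.ContainsKey($User)) {
        return [pscustomobject]@{
            User = $User; Privilege = $DirectMapping[$User]; Source = 'direct user mapping'
        }
    }
    # Rule 2: among mapped groups, the least restrictive privilege applies.
    $best = $null
    foreach ($group in $MemberOf) {
        if (-not $GroupMapping.ContainsKey($group)) { continue }
        $privilege = $GroupMapping[$group]
        if ($null -eq $best -or $PrivilegeRank[$privilege] -gt $PrivilegeRank[$best.Privilege]) {
            $best = [pscustomobject]@{
                User = $User; Privilege = $privilege; Source = "group '$group'"
            }
        }
    }
    if ($null -eq $best) {
        return [pscustomobject]@{ User = $User; Privilege = 'No access'; Source = 'no mapping' }
    }
    return $best
}

# Constructed sample data. The Accounting and Storage groups are the guide's
# example; the user names and the 'SAN Admins' group are made up for illustration.
$groupMapping  = @{ 'Accounting' = 'Reporter'; 'Storage' = 'Volume Manager'; 'SAN Admins' = 'Administrator' }
$directMapping = @{ 'carol' = 'Reporter' }
$membership    = @{
    'alice' = @('Accounting', 'Storage')      # guide's example: Volume Manager
    'bob'   = @('Accounting', 'SAN Admins')   # one admin group is enough for Administrator
    'carol' = @('SAN Admins')                 # direct Reporter mapping overrides the group
    'dave'  = @('Marketing')                  # group not mapped to Storage Center
}

$membership.Keys | Sort-Object | ForEach-Object {
    Get-EffectivePrivilege -User $_ -DirectMapping $directMapping `
        -GroupMapping $groupMapping -MemberOf $membership[$_]
} | Format-Table -AutoSize
```

    With this sample data alice resolves to Volume Manager, bob to Administrator, carol to Reporter and dave to no access.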

    4.2 Active Directory Account Maintenance

    4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain

    To allow access to users and groups from child or trusted domains, it is important to

    understand the three types of groups (Universal, Global and Domain Local) within Active

    Directory.

    A Universal Group can contain users and groups (global and universal) from any domain in

    the forest. Universal groups do not care about trust. Universal groups can be a member of

    domain local groups but not global groups. Because Storage Center requires a two-way

    trust in order to grant access to non-local users, using universal groups for Storage Center

    access is not recommended.

    A Global Group can contain users, computers and groups from the same domain, but not

    universal groups. A global group can be a member of global groups of the same domain,

    domain local groups or universal groups of any domain in the forest or trusted domains.


    A Domain Local Group can contain users, computers, global groups and universal groups

    from any domain in the forest and any trusted domain, and domain local groups from the

    same domain. Domain local groups can be a member of any domain local group in the

    same domain.

    A user in a child domain can gain access to Storage Center by being a member of a parent

    domain group that has access, or by being a member of a local child domain group that is a

    member of a parent domain group that has access. In this configuration, the parent domain

    group should be set to domain local because a global group cannot contain domain local or

    global groups from a child domain.

    A user in a trusted domain can gain access to Storage Center by being a member of a local
    domain group that has access, or by being a member of a group on the trusted domain that is
    a member of the local domain group that has access. In this configuration, the local domain
    group should be set to domain local. The local domain group cannot be a global group

    because global groups cannot contain cross-domain members. Groups on the trusted

    domain should be created as global.

    4.2.2 Account and Group Deletion

    When an Active Directory user account that has been granted access to Storage Center

    either directly or via group membership is deleted, that user no longer has access to Storage

    Center. The corresponding Storage Center user account must be manually deleted.

    When an Active Directory Group that has been granted access to Storage Center is deleted

    from AD, all members of that group will no longer have access to Storage Center (unless

    they were directly granted access). The group mapping and all user accounts that were part

    of that group must be manually deleted from Storage Center.

    4.2.3 Disabled/Locked Out Accounts

    Active Directory user accounts that have been granted access to Storage Center either

    directly or via group membership will be unable to login to Storage Center if the user

    account is disabled or locked out in Active Directory. Access to Storage Center is regained

    when the account is enabled.

    5 Changing Domains

    At any time Storage Center AD integration can be configured to point to a different domain

    and domain controllers. DNS settings and Storage Center networking settings must be

    updated to reflect the new domain information. The Authentication Configuration wizard

    will need to be re-run to enter new settings and join the Storage Center to the new domain.


    All previous user and group mappings from Active Directory will no longer be functional and

    can be removed. Please note that if the Storage Center is returned to the original domain,

    any user mappings that were deleted that are to be used again must be restored by a Storage

    Center administrative user.

    Note: Domain changes require a restart of Storage Center. Refer to chapter 8 of the

    Storage Center 6.3 System Manager Administrator's Guide for instructions on how to restart

    Storage Center.

    6 Troubleshooting

    As mentioned earlier in this document, Storage Center AD integration is heavily dependent
    upon DNS being properly configured and running in a healthy state. Verifying DNS settings and

    connectivity is a good place to start when troubleshooting problems with Storage Center AD

    integration.

    At least one domain controller listed in Directory Services Configuration must be online in

    order for Storage Center to authenticate directory users and groups. If all domain controllers

    are offline, access to Storage Center is restricted to local users only.

    7 Additional Resources

    In addition to the hyperlinks in this document, please refer to the following sites for more

    information:

    Dell Compellent Home Page: http://www.compellent.com

    Dell Compellent Knowledge Center: http://kc.compellent.com

    Microsoft DNS Overview: http://technet.microsoft.com/en-us/library/hh831667.aspx

    Microsoft Active Directory Domain Services Overview: http://technet.microsoft.com/en-us/library/hh831484.aspx
