Dell Compellent Storage Center
Active Directory Integration
Best Practices Guide
Dell Compellent Technical Solutions Group
January, 2013
THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.
© 2013 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.
Dell, the DELL logo, and the DELL badge are trademarks of Dell Inc. Microsoft® and Windows® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or
Table of Contents
1 Preface
1.1 Audience
1.2 Purpose
1.3 Customer Support
2 Introduction to Storage Center Active Directory Integration
2.1 Overview
2.1.1 Authentication Method
2.1.2 Single Sign-On
2.1.3 Active Directory Functional Levels
2.1.4 Read-Only Domain Controllers (RODC)
2.1.5 Trusts and Child Domains
2.2 Prerequisites
2.2.1 DNS Settings/Domain Settings
2.2.2 Creating a Host (A) record
2.2.3 Reverse Lookup Zones and Pointer (PTR) records
2.2.4 Creating a Pointer (PTR) record
2.2.5 Storage Center Network Settings
3 Setup and Configuration
3.1 Configure Directory Services Authentication
4 Active Directory User and Group Access
4.1 Storage Center Permissions
4.2 Active Directory Account Maintenance
4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain
4.2.2 Account and Group Deletion
4.2.3 Disabled/Locked Out Accounts
5 Changing Domains
6 Troubleshooting
7 Additional Resources
Document Revisions
Date        Revision  Author       Comments
01/10/2013  1.0       Kris Piepho  Initial Release
1 Preface
1.1 Audience
The audience for this document is system administrators who are responsible for the setup and maintenance of Active Directory, Windows servers and associated storage. Readers should have a working knowledge of Active Directory, Windows and the Dell Compellent Storage Center.
1.2 Purpose
This document provides an overview of Storage Center Active Directory integration, and introduces best practice guidelines for configuring Storage Center Active Directory integration for use with Windows Server Active Directory Domain Services. Active Directory integration is included as part of Storage Center release 6.3.1. For installation procedures, please refer to the Storage Center 6.3 System Manager Administrator’s Guide located on Dell Compellent Knowledge Center.
1.3 Customer Support
Dell Compellent provides live support at 1-866-EZSTORE (866.397.8673), 24 hours a day, 7 days a week, 365 days a year. For additional support, email Dell Compellent at [email protected]. Dell Compellent responds to emails during normal business hours.
2 Introduction to Storage Center Active Directory Integration
2.1 Overview
Enterprises of all sizes consolidate user management and authentication into services such as Active Directory (AD). The Microsoft Active Directory service allows organizations to efficiently organize, manage, and control resources. Active Directory is implemented as a distributed, scalable database managed by Windows Server 2012, 2008 R2, 2003 R2, or 2003 SP1 domain controllers. It is now possible in these environments to manage administrator accounts in the Dell Compellent Storage Center SAN from Active Directory.
Storage Center Active Directory integration provides a scalable solution for authentication that enables administrators to manage a potentially large number of accounts across many Storage Center systems from a central location. In addition, Storage Center Active Directory integration simplifies account management for administrators by enabling them to leverage their existing native Active Directory infrastructure.
2.1.1 Authentication Method
Storage Center AD integration requires Kerberos v5 authentication. NTLMv2 authentication is not supported. Kerberos v5 authentication is available with Windows Server 2003 SP1 and later.
2.1.2 Single Sign-On
As of the 6.3.1 release of Storage Center, Single Sign-On (SSO) is not supported between Active Directory and Storage Center. Active Directory users will need to enter their credentials each time they access Storage Center. SSO will be supported in a future release of Storage Center.
2.1.3 Active Directory Functional Levels
Storage Center AD integration supports Windows Server 2012, 2008 R2, 2008, and 2003 native Active Directory functional levels, and will function in environments with domain controllers running a combination of any of the aforementioned server operating systems.
The functional level of a domain or forest controls which advanced features are available in the domain or forest.
Note: The functional level of a domain or forest is limited by (but not determined by) the
2.1.4 Read-Only Domain Controllers (RODC)
Storage Center AD integration supports the use of a combination of traditional domain controllers and read-only domain controllers for authentication. Storage Center AD Integration will work when only a single read-only domain controller is functional.
Note: A primary or backup domain controller must be online during initial setup and configuration of Storage Center AD integration. During setup an Active Directory object for Storage Center is created and joined to the domain. This process can only be completed on a writeable domain controller.
2.1.5 Trusts and Child Domains
Storage Center AD integration allows the joining of Storage Center to one AD domain. When joined to the domain, Storage Center can authenticate users and groups in the local domain, as well as users and groups from child and trusted domains. A two-way transitive trust must exist between the local forest and any external forests in order for Storage Center to authenticate trusted users. For more information about Active Directory trusts, please refer to Microsoft TechNet.
Detailed information about configuring Storage Center AD integration with child domains and forest trusts can be found in Chapter 4 of this document.
2.2 Prerequisites
Storage Center AD Integration requires Active Directory Domain Services (ADDS) to be running and properly configured. As with any AD installation, the Domain Name Service (DNS) must be running in a healthy state, and properly configured.
2.2.1 DNS Settings/Domain Settings
Storage Center AD integration is heavily dependent upon a properly configured DNS environment. Storage Center and the domain controller(s) must be able to communicate with each other using Fully Qualified Domain Names (FQDN). In order to facilitate communication via FQDN between Storage Center and the domain controller(s), a Host (A) record as well as a Pointer (PTR) record must exist for each Storage Center in DNS.
2.2.2 Creating a Host (A) record
To create a Host (A) record for a Storage Center on Windows Server 2012, perform the following steps:
1. Open a RDP session to the primary DNS server and login as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).
Figure 1: Administrative Tools
3. In DNS Manager, expand the domain controller, expand Forward Lookup Zones, right-click the domain, and select New Host (A or AAAA).
Figure 2: Context Menu
4. The New Host window appears:
Figure 3: New Host window
5. Enter the name of the Storage Center in the Name field, and provide the IP address of the Storage Center. For a single-controller Storage Center system, enter the controller IP address. For a dual-controller Storage Center system, enter the management IP address. Leave the Create associated pointer (PTR) record box checked. Click Add Host.
Figure 4: Host Information
Note: Creating a pointer (PTR) record will fail if a Reverse Lookup Zone has not yet been configured for the subnet the Storage Center resides on. Click OK to close the error message. The Host (A) record will still be created.
Figure 5: DNS warning message
To create a Reverse lookup zone and pointer (PTR) record, refer to section 2.2.3 of this document.
6. Once the Host (A) record has been created, it will reflect in the right hand screen of DNS Manager.
Figure 6: New Host (A) Record
2.2.3 Reverse Lookup Zones and Pointer (PTR) records
A Reverse Lookup Zone enables clients to use a known IP address during a name query and look up a computer name based on its address. Pointer records map an IP to a hostname, whereas a Host record maps a hostname to an IP. Reverse Lookup Zones are not automatically created with the install of DNS and need to be manually created.
Note: Without Host and Pointer records for Storage Center, the domain join operation performed while configuring Storage Center Directory Services will fail.
To create a Reverse Lookup Zone:
1. Open a RDP session to the primary DNS server and login as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).
Figure 7: Administrative Tools
3. In DNS Manager, expand the domain controller, right-click on Reverse Lookup Zones and select New Zone.
Figure 8: Context menu
4. The New Zone Wizard window appears. Click Next.
Figure 9: New Zone Wizard
5. Select Primary Zone. Click Next.
Figure 10: Select zone type
6. Select the Zone Replication Scope. Click Next.
Figure 11: Zone Replication Scope
7. Select IPv4 Reverse Lookup Zone. Click Next.
Figure 12: Zone name selection
8. Enter the first three octets of the Storage Center’s IP address. For example, if the Storage Center’s IP address is 172.16.22.122, enter 172.16.22. Click Next.
Figure 13: Network ID
9. Select Dynamic Update Type. Click Next.
10. Click Finish to complete the New Zone Wizard.
Figure 15: Complete the New Zone Wizard
2.2.4 Creating a Pointer (PTR) record
To create a Pointer (PTR) record:
1. Open a RDP session to the primary DNS server and login as an administrator.
2. Open DNS Manager (Start > Administrative Tools > DNS).
Figure 16: Administrative Tools
3. In DNS Manager, expand the domain controller, expand Reverse Lookup Zones, right-click the proper reverse lookup zone, and select New Pointer (PTR).
Figure 17: Context menu
4. The New Resource Record window appears.
Figure 18: New Resource Record window
Click OK.
Figure 19: Host information
11. Once the Pointer (PTR) record has been created, it will be reflected in the right hand screen of DNS Manager.
Figure 20: New Pointer (PTR) record
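The three DNS procedures above (sections 2.2.2 through 2.2.4) can also be done from the DnsServer PowerShell module that ships with Windows Server 2012. The following is an added example, not part of the Dell guide; the zone EXLab.local, the host name sc1 and the address 172.16.22.122 are assumed values, and the script must run on the DNS server as an administrator.

```powershell
# Added example (not from the Dell guide): create the reverse zone, the Host (A) record
# and the Pointer (PTR) record for a Storage Center, then verify both lookup directions.
# Assumed values: zone EXLab.local, Storage Center name "sc1", management IP 172.16.22.122.
Import-Module DnsServer

$Zone   = 'EXLab.local'      # forward lookup zone (the AD domain)
$ScName = 'sc1'              # hypothetical Storage Center host name
$ScIp   = '172.16.22.122'    # management IP (dual-controller) or controller IP (single-controller)
$ScFqdn = "$ScName.$Zone"

# The reverse zone is named from the first three octets, as in section 2.2.3 step 8:
# 172.16.22.122 -> network 172.16.22.0/24 -> zone 22.16.172.in-addr.arpa
$octets      = $ScIp.Split('.')
$NetworkId   = "$($octets[0]).$($octets[1]).$($octets[2]).0/24"
$ReverseZone = "$($octets[2]).$($octets[1]).$($octets[0]).in-addr.arpa"

# Section 2.2.3: the reverse zone must exist before a PTR can be created, otherwise the
# PTR step fails with the warning shown in Figure 5. AD-integrated, domain replication,
# secure dynamic updates only.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
}

# Section 2.2.2: Host (A) record; -CreatePtr is the "Create associated pointer (PTR) record" box.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $ScName -IPv4Address $ScIp -CreatePtr

# Section 2.2.4: only needed when the A record was created earlier without its PTR.
$ptrName = $octets[3]    # inside the reverse zone the record name is the last octet
if (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $ptrName -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $ptrName -PtrDomainName $ScFqdn
}

# Verify both directions; the domain join in section 3.1 depends on both resolving.
$fwd = Resolve-DnsName -Name $ScFqdn -Type A
$rev = Resolve-DnsName -Name $ScIp   -Type PTR
if (@($fwd.IPAddress) -notcontains $ScIp -or @($rev.NameHost) -notcontains $ScFqdn) {
    throw "Forward/reverse DNS for $ScFqdn do not match; fix this before configuring Directory Services."
}
"A and PTR records for $ScFqdn ($ScIp) are in place."
```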
2.2.5 Storage Center Network Settings
On the Storage Center, each controller’s primary DNS server must be set to a DNS server used by Active Directory. If a secondary DNS server also exists, each controller should be configured to point to it. Each controller must also reflect the domain name in which the Storage Center will exist and authenticate with. To modify a controller’s DNS/Domain settings, perform the following steps:
1. Connect to the Storage Center using Compellent System Manager, or the web GUI. Login as a user with administrator rights.
Figure 21: Storage Center System Manager
2. In the left navigation window, expand Controllers.
Figure 22: Controllers
3. Right-click on the first controller, and select Properties.
Figure 23: Controller properties
4. Click the IP button at the top of the window.
Figure 24: Controller IP settings
5. Scroll down to the Primary DNS Server setting.
Figure 25: Controller DNS settings
6. Enter the IP Address of the Primary DNS Server, the Secondary DNS Server (if applicable), and the Domain Name.
Figure 26: Updated Controller DNS settings
7. Click OK to save settings.
3 Setup and Configuration
Refer to chapter 9 of the Storage Center 6.3 System Manager Administrator’s Guide for more information about enabling Active Directory integration.
Note: All existing Storage Center users and groups will remain after Directory Services Authentication is configured.
Note: It is recommended that an Active Directory service account be created prior to configuring Storage Center directory services authentication. The service account will need to be assigned or delegated rights to query the directory. This account will be used by Storage Center to process all directory query requests.
3.1 Configure Directory Services Authentication
1. Connect to the Storage Center using Compellent System Manager, or the web GUI. Login as an administrator user.
2. Click Storage Management, select System, select Access, and choose Configure Authentication.
Figure 27: Storage Center context menu
3. The Configure Authentication window will appear:
Figure 28: Configure Authentication window
4. Make sure the Enable External Directory Services box is checked, and enter the name(s) of the AD Domain Controller(s), separated by spaces. Click Start.
Figure 29: Enable External Directory Services
5. The following screen appears:
Figure 30: Configure Authentication
Note: fields in this screen are case sensitive.
a. In the Directory Type dropdown, choose Active Directory.
b. In the URI field, make sure the FQDNs of the AD domain controller(s) are entered. Each FQDN should be prefaced by “ldap://” and names should be separated by spaces, e.g.: “ldap://JS24.EXLab.local ldap://JS25.EXLab.local”
Note: Storage Center AD Integration is not site aware, meaning it cannot automatically detect a domain and its associated domain controllers. To use a specific domain controller it must be defined in the URI field. Storage Center will try to authenticate to domain controllers in the order they are defined in this field. If a domain controller becomes inaccessible, Storage Center will try the next domain controller in the list.
Note: Storage Center AD Integration supports authentication against a Read-Only Domain Controller (RODC).
c. In the Server Connection Timeout field enter 30.
d. In the Base DN field enter the canonical name of the domain. For example, if your domain is EXLab.local, the canonical name is “dc=EXLab,dc=local”.
e. (Optional) In the Relative Base field enter the canonical location of where the Storage Center Active Directory object should be created. Default is CN=Computers.
f. In the Storage Center Hostname field enter the Storage Center name followed by the domain name. This will be the FQDN of the Storage Center.
g. In the LDAP Domain field enter the name of the domain (i.e. EXLab.local).
h. In the Auth Bind Username field enter the AD service account with rights to search the directory, created prior to setup. The format of this field is username@domain (i.e. [email protected]).
i. In the Auth Bind Password field enter the service account password.
Figure 31: Configure Authentication settings
6. To verify Storage Center connectivity to the domain controller(s), click the Test Servers button.
Note: If the test fails, review DNS settings for the Storage Center and domain controllers.
7. Click Return.
Figure 33: Configure Authentication
8. Click Continue.
9. The following screen is for configuring Kerberos Authentication. The values displayed will be the default values, and in most cases, can be left as is. If the defaults are modified, all values should be entered in UPPERCASE.
Figure 34: Kerberos information
a. In the Domain Realms field enter the domain name (e.g. EXLAB.LOCAL).
b. In the KDC Hostname field specify a Kerberos server (this is usually a domain controller).
c. In the Password Renew Rate (Days) field leave the value at 15.
d. Click Continue.
10. Storage Center will attempt to save values and configure authentication.
11. Click Join.
Figure 36: Join domain
12. Enter credentials for a domain user that has rights to join objects to the domain. This one-time operation does not require a service account.
Figure 37: Domain user info
13. Click Join Now.
Figure 38: Successful domain join
14. Click Finish Now to close the window and complete setup.
4 Active Directory User and Group Access
Detailed information on how to grant access to directory users and groups can be found in the Storage Center 6.3 System Manager Administrator’s Guide.
There are a few things to keep in mind when granting access to a Directory user:
- In cases where a directory user has been given access to the Storage Center directly and also belongs to a directory group that has been granted access, the local user permissions will override the mapped group permissions.
- A directory group mapped to the Storage Center with Volume Manager or Reporter privileges must be mapped to a local Storage Center group. The local Storage Center group determines what folders the users in the mapped directory group have access to.
- Storage Center supports authentication of a user in up to 16 nested groups.
- 64 Active Directory groups can be mapped to a single Storage Center group.
4.1 Storage Center Permissions
If a directory user has been given “Administrator” privileges to Storage Center, that user’s privilege level cannot be changed to Volume Manager or Reporter. However, user privileges can be changed from “Volume Manager” to “Reporter” and vice versa.
Like directory users, directory groups that have been given “Administrator” privileges to Storage Center cannot be changed to “Volume Manager” or “Reporter”.
Privileges can be changed on a directly mapped directory user, but cannot be changed on a user that is allowed access through a group.
When a directory user is a member of more than one directory group that has been granted access to Storage Center, that user will receive the least restrictive permissions of the group he/she belongs to. For example, a user is a member of the Accounting directory group which has been granted Reporter access in Storage Center. The user is also a member of the Storage directory group which has been granted Volume Manager access in Storage Center.
When the directory user logs into Storage Center, their effective permissions will be Volume Manager.
4.2 Active Directory Account Maintenance
4.2.1 Granting Access to User and Group Objects in a Child or Trusted Domain
To allow access to users and groups from child or trusted domains, it is important to understand the three types of groups (Universal, Global and Domain Local) within Active Directory.
A Universal Group can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be a member of domain local groups but not global groups. Because Storage Center requires a two-way trust in order to grant access to non-local users, using universal groups for Storage Center access is not recommended.
A Global Group can contain users, computers and groups from the same domain, but not universal groups. A global group can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.
A Domain Local Group can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Domain local groups can be a member of any domain local group in the same domain.
A user in a child domain can gain access to Storage Center by being a member of a parent domain group that has access, or by being a member of a local child domain group that is a member of a parent domain group that has access. In this configuration, the parent domain group should be set to domain local because a global group cannot contain domain local or global groups from a child domain.
A user in a trusted domain can gain access to Storage Center by being a member of a local domain group that has access, or by being a member of a group on the trusted domain that is a member of the local domain group that has access. In this configuration, the local domain group should be set to domain local. The local domain group cannot be a global group because global groups cannot contain cross-domain members. Groups on the trusted domain should be created as global.
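The group layout described above for a child domain, plus a check of a user's nesting depth against the 16-nested-group limit from chapter 4, as an added example that is not part of the Dell guide. It uses the ActiveDirectory RSAT module; the domains EXLab.local and corp.EXLab.local, the group names SC-VolumeManagers and SC-VolumeManagers-corp, the user jsmith and the container paths are all assumed values.

```powershell
# Added example (not from the Dell guide): parent-domain Domain Local group mapped in
# Storage Center, child-domain Global group nested inside it, then a cross-domain walk
# of memberOf to report how many nesting levels Storage Center would have to resolve.
Import-Module ActiveDirectory

$Parent = 'EXLab.local'        # domain Storage Center is joined to (assumed)
$Child  = 'corp.EXLab.local'   # child domain holding the users (assumed)

# The parent-domain group that gets mapped in Storage Center must be Domain Local:
# a Global group cannot contain groups from the child domain.
New-ADGroup -Name 'SC-VolumeManagers' -GroupScope DomainLocal -GroupCategory Security `
    -Server $Parent -Path 'CN=Users,DC=EXLab,DC=local'

# The child-domain group that holds the users is Global so it can be nested across domains.
New-ADGroup -Name 'SC-VolumeManagers-corp' -GroupScope Global -GroupCategory Security `
    -Server $Child -Path 'CN=Users,DC=corp,DC=EXLab,DC=local'
Add-ADGroupMember -Identity 'SC-VolumeManagers-corp' -Members 'jsmith' -Server $Child

# Nest the child Global group in the parent Domain Local group (pass the object, not the
# name, so the parent DC can resolve the cross-domain member).
$childGroup = Get-ADGroup -Identity 'SC-VolumeManagers-corp' -Server $Child
Add-ADGroupMember -Identity 'SC-VolumeManagers' -Members $childGroup -Server $Parent

# Breadth-first walk of memberOf across domains. Each group is counted at the shallowest
# level it is reached; the DC= components of a group DN tell us which domain to query.
function Get-GroupNestingDepth {
    param([string]$UserSam, [string]$UserDomain)
    $user  = Get-ADUser -Identity $UserSam -Server $UserDomain -Properties memberOf
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    foreach ($dn in $user.memberOf) { $queue.Enqueue(@{ Dn = $dn; Depth = 1 }) }
    $max = 0
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($seen.ContainsKey($item.Dn)) { continue }   # guards against circular nesting
        $seen[$item.Dn] = $true
        if ($item.Depth -gt $max) { $max = $item.Depth }
        # "CN=g,CN=Users,DC=corp,DC=EXLab,DC=local" -> "corp.EXLab.local"
        $domain = (($item.Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
        $group  = Get-ADGroup -Identity $item.Dn -Server $domain -Properties memberOf
        foreach ($dn in $group.memberOf) { $queue.Enqueue(@{ Dn = $dn; Depth = $item.Depth + 1 }) }
    }
    return $max
}

$depth = Get-GroupNestingDepth -UserSam 'jsmith' -UserDomain $Child
if ($depth -gt 16) {
    Write-Warning "jsmith is nested $depth levels deep; Storage Center resolves at most 16 nested groups."
} else {
    "jsmith deepest group nesting: $depth level(s), within the 16-level limit."
}
```

Groups in a separately trusted forest are queried the same way, but the Get-ADGroup call against that forest needs credentials valid there.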
4.2.2 Account and Group Deletion
When an Active Directory user account that has been granted access to Storage Center either directly or via group membership is deleted, that user no longer has access to Storage Center. The corresponding Storage Center user account must be manually deleted.
When an Active Directory Group that has been granted access to Storage Center is deleted from AD, all members of that group will no longer have access to Storage Center (unless they were directly granted access). The group mapping and all user accounts that were part of that group must be manually deleted from Storage Center.
4.2.3 Disabled/Locked Out Accounts
Active Directory user accounts that have been granted access to Storage Center either directly or via group membership will be unable to login to Storage Center if the user account is disabled or locked out in Active Directory. Access to Storage Center is regained when the account is enabled.
5 Changing Domains
At any time Storage Center AD integration can be configured to point to a different domain. All previous user and group mappings from Active Directory will no longer be functional and can be removed. Please note that if the Storage Center is returned to the original domain, any user mappings that were deleted that are to be used again must be restored by a Storage Center administrative user.
Note: Domain changes require a restart of Storage Center. Refer to chapter 8 of the Storage Center 6.3 System Manager Administrator’s Guide for instructions on how to restart Storage Center.
6 Troubleshooting
As mentioned earlier in this document, Storage Center AD integration is heavily dependent upon DNS being properly configured and running in a healthy state. Verifying DNS settings and connectivity is a good place to start when troubleshooting problems with Storage Center AD integration.
At least one domain controller listed in Directory Services Configuration must be online in order for Storage Center to authenticate directory users and groups. If all domain controllers are offline, access to Storage Center is restricted to local users only.
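A scripted version of the checks this section and the Test Servers button in section 3.1 point at, run from a Windows administration host, as an added example that is not part of the Dell guide. It takes the same values entered in the Configure Authentication screen (URI list, Base DN, Storage Center Hostname, Auth Bind Username); the names JS24.EXLab.local, JS25.EXLab.local, sc1.EXLab.local and svc_storagecenter are assumed.

```powershell
# Added example (not from the Dell guide): for each domain controller in the URI field
# check DNS, LDAP (389) and Kerberos (88) reachability, bind as the service account with
# Kerberos (the guide states NTLMv2 is not supported) and read the Base DN; also confirm
# the Storage Center FQDN has matching A and PTR records, which the domain join requires.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Uris       = 'ldap://JS24.EXLab.local ldap://JS25.EXLab.local'   # as typed in the URI field
$BaseDn     = 'dc=EXLab,dc=local'                                  # Base DN field
$ScFqdn     = 'sc1.EXLab.local'                                    # Storage Center Hostname field
$BindUser   = 'svc_storagecenter@EXLab.local'                      # Auth Bind Username field (assumed)
$BindPass   = Read-Host -AsSecureString 'Service account password'
$TimeoutSec = 30                                                   # Server Connection Timeout field
$failures   = @()

# Storage Center needs forward and reverse records that agree (sections 2.2.2 - 2.2.4).
$a = Resolve-DnsName -Name $ScFqdn -Type A -ErrorAction SilentlyContinue
if (-not $a) { $failures += "no A record for $ScFqdn" }
else {
    $ip  = @($a.IPAddress)[0]
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    if (@($ptr.NameHost) -notcontains $ScFqdn) { $failures += "PTR for $ip does not point back to $ScFqdn" }
}

# Domain controllers are tried in the order listed, so check each one.
foreach ($uri in ($Uris -split '\s+')) {
    $dc = $uri -replace '^ldap://', ''
    if (-not (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue)) {
        $failures += "cannot resolve $dc"; continue
    }
    foreach ($port in 389, 88) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet)) {
            $failures += "$dc not reachable on TCP $port"
        }
    }
    # Kerberos bind as the service account and a base-scope read of the domain object:
    # this is the directory query right the account must have been delegated.
    try {
        $cred = New-Object -TypeName System.Net.NetworkCredential -ArgumentList $BindUser, $BindPass
        $id   = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $dc, 389
        $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection `
                    -ArgumentList $id, $cred, ([System.DirectoryServices.Protocols.AuthType]::Kerberos)
        $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSec)
        $conn.Bind()
        $req  = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
                    -ArgumentList $BaseDn, '(objectClass=domain)', 'Base', 'distinguishedName'
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) { $failures += "${dc}: Base DN $BaseDn not readable as $BindUser" }
        $conn.Dispose()
    } catch {
        $failures += "${dc}: Kerberos bind or search as $BindUser failed: $($_.Exception.Message)"
    }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ } }
else { "DNS, port and LDAP bind checks passed for: $Uris" }
```

A bind failure here with a DNS or port failure for the same controller usually means the URI entry, not the service account, is the problem; a bind failure on its own points at the account's credentials or delegated rights.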
7 Additional Resources
In addition to the hyperlinks in this document, please refer to the following sites for more information:
Dell Compellent Home Page: http://www.compellent.com
Dell Compellent Knowledge Center: http://kc.compellent.com
Microsoft DNS Overview: http://technet.microsoft.com/en-us/library/hh831667.aspx
Microsoft Active Directory Domain Services Overview: http://technet.microsoft.com/en-us/library/hh831484.aspx