If I had to list the top 10 questions asked by new Compellent customers after a deployment, whether they can log in with Active Directory credentials would certainly be one. The answer is yes, and luckily nowadays it's an easy yes. In the past, it would have been easy to lie and say it's not possible because of the complexity of the setup requirements, but now it is super straightforward. If you are looking for AD authentication, here we go.
Prereqs
– Each Controller should have a FQDN
– Each Controller should have an A Record in DNS
– Each Controller's A Record should have a matching Reverse Lookup (PTR) record
I am assuming most can do the basic DNS prereqs, which is why I am not outlining those, but I may add them to the step-by-step guide in the future.
Step 1 – Make Sure each Controller has DNS entries to your internal AD DNS Server
Open Storage Center
Expand Controllers
Right Click on Controller and select Properties
Click IP Tab and go to DNS – Make sure your internal DNS servers are entered there
Repeat this step for the other controller
Step 2 – Configure AD Authentication Services
In Storage Center, go to Storage Management – System – Access – Configure Authentication
Enable External Directory Services and enter the FQDN of each controller, separated by spaces
- In the Directory Type dropdown, choose Active Directory.
- In the URI field, make sure the FQDN of each AD domain server is entered. Each FQDN should be prefaced by "ldap://" and names should be separated by spaces, e.g. "ldap://JS24.EXLab.local ldap://JS25.EXLab.local". Note: Storage Center AD Integration is not site aware, meaning it cannot automatically detect a domain and its associated domain controllers. To use a specific domain controller, it must be defined in the URI field. Storage Center will try to authenticate to domain controllers in the order they are defined in this field. If a domain controller becomes inaccessible, Storage Center will try the next domain controller in the list.
- Note: Storage Center AD Integration supports authentication against a Read-Only Domain Controller (RODC).
- In the Server Connection Timeout field enter 30
- In the Base DN field enter the canonical name of the domain. For example, if your domain is EXLab.local, the canonical name is “dc=EXLab,dc=local”.
- (Optional) In the Relative Base field enter the canonical location of where the Storage Center Active Directory object should be created. Default is CN=Computers.
- In the Storage Center Hostname field enter the Storage Center name followed by the domain name. This will be the FQDN of the Storage Center (i.e. SC22.EXLab.local).
- In the LDAP Domain field enter the name of the domain (i.e. EXLab.local).
- In the Auth Bind Username field enter the AD service account (created prior to setup) that has rights to search the directory. The format of this field is username@domain (i.e. User_SrchOnly@EXLab.local).
- In the Auth Bind Password field enter service account password.
Test – If the test fails, troubleshoot DNS, then Continue
Configure Kerberos Authentication
The values displayed will be the default values, and in most cases, can be left as is. If the defaults are modified, all values should be entered in UPPERCASE.
- In the Domain Realms field enter the domain name (i.e. EXLAB.LOCAL)
- In the KDC Hostname field specify a Kerberos server (this is usually a domain controller).
- In the Password Renew Rate (Days) field leave the value at 15
- Continue
Enter credentials for a domain user that has rights to join objects to the domain. This one-time operation does not require a service account.
Click Join Now and then Finish Now
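Before running the wizard above, it is worth checking the DNS prereqs and the Step 2 field formats mechanically rather than by eye. The script below is an added example, not Dell/Compellent code or the author's; the controller names, addresses and the canned zone data are constructed placeholders, and with the default arguments the DNS check uses the system resolver.

```python
# Added example (not Dell/Compellent code): pre-flight checks for the AD prereqs
# above. Hostnames and addresses below are constructed placeholders.
import socket
from urllib.parse import urlparse

def domain_to_base_dn(domain):
    """EXLab.local -> dc=EXLab,dc=local, the Base DN form the wizard expects."""
    labels = [part for part in domain.strip().split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={part}" for part in labels)

def parse_ldap_uris(uri_field):
    """Validate the URI field (space-separated, each entry ldap://<FQDN>) and
    return the DC hostnames in the order Storage Center will try them."""
    hosts = []
    for token in uri_field.split():
        parsed = urlparse(token)
        if parsed.scheme != "ldap" or not parsed.hostname or parsed.path:
            raise ValueError(f"entry is not ldap://<FQDN>: {token!r}")
        if "." not in parsed.hostname:
            raise ValueError(f"short name instead of FQDN: {token!r}")
        hosts.append(parsed.hostname)  # urlparse lower-cases the host part
    return hosts

def check_controller_dns(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Resolve one controller FQDN and confirm the PTR for that address points back
    to the same name. Resolvers are injectable (a dict's __getitem__ works offline)."""
    result = {"fqdn": fqdn, "a_record": None, "ptr": None, "ok": False, "error": None}
    try:
        ip = forward(fqdn)
        result["a_record"] = ip
    except (OSError, LookupError) as exc:  # socket.gaierror is an OSError
        result["error"] = f"no A record: {exc}"
        return result
    try:
        ptr_name = reverse(ip)[0]  # gethostbyaddr returns (name, aliases, addrs)
        result["ptr"] = ptr_name
    except (OSError, LookupError) as exc:
        result["error"] = f"no PTR for {ip}: {exc}"
        return result
    result["ok"] = ptr_name.lower().rstrip(".") == fqdn.lower().rstrip(".")
    if not result["ok"]:
        result["error"] = f"PTR {ptr_name} does not match {fqdn}"
    return result

# Constructed sample zone: controller B's PTR still names a decommissioned host.
SAMPLE_A = {"sc22-a.exlab.local": "10.0.0.11", "sc22-b.exlab.local": "10.0.0.12"}
SAMPLE_PTR = {"10.0.0.11": ("sc22-a.exlab.local", [], ["10.0.0.11"]),
              "10.0.0.12": ("oldhost.exlab.local", [], ["10.0.0.12"])}
```

Run `check_controller_dns("<controller FQDN>")` for each controller against the real resolver; a mismatched PTR is exactly the kind of defect that makes the wizard's Test step fail with an unhelpful message.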