Dell EMC SC Series and Active Directory Integration

Dell EMC Engineering
December 2017

A Dell EMC Best Practices Guide
Revisions

Date            Description
January 2013    Initial release
January 2017    Updated for new features and DSM
December 2017   Updated to reflect current branding

Acknowledgements

Author: Marty Glaser, Midrange Storage Technical Solutions

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Dell EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.
1 Introduction

Organizations of all sizes can benefit from consolidating user management and authentication into services such as Microsoft® Active Directory® (AD). The Active Directory service allows organizations to efficiently organize, manage, and control resources. Active Directory is a distributed, scalable database managed by Windows Server® domain controllers.
2 Introduction to SC Series Active Directory integration

2.1 Overview

Dell EMC Storage introduced Active Directory integration with the release of Storage Center Operating System (SCOS) 6.3.1. Since the initial release, improvements such as single sign on and automatic discovery make configuring and managing SC Series Active Directory integration seamless and intuitive.

Note: Active Directory integration is available on both the DSM Data Collector and SC Series arrays.
2.6 Trusts and child domains

SC Series AD integration allows for the joining of SC Series storage to one AD domain. When joined to the domain, the SC Series array can authenticate users and groups in the local domain, as well as users and groups from child and trusted domains. A two-way transitive trust must exist between the local forest and any external forests in order for the SC Series array to authenticate trusted users.
3 Prerequisites

SC Series AD integration requires Active Directory Domain Services (AD DS) to be running and properly configured. As with any AD installation, the Domain Name System (DNS) must be running in a healthy state, and properly configured.

3.1 DNS/domain settings

SC Series AD integration is heavily dependent upon a properly configured DNS environment. SC Series arrays and the domain controller(s) must be able to communicate with each other using fully qualified domain names (FQDN).
3. In DNS Manager, expand the domain controller, expand Forward Lookup Zones, right-click the domain, and select New Host (A or AAAA).
4.
5. Enter the name of the SC Series array in the Name field, and provide the IP address of the SC Series array. For a single-controller SC Series array, enter the controller IP address. For a dual-controller SC Series array, enter the management IP address. Leave the Create associated pointer (PTR) record box checked. Click Add Host.

Note: Creating a pointer (PTR) record will fail if a reverse lookup zone has not been configured for the subnet where the SC Series array resides.
3.1.2 Reverse lookup zones and PTR records

A reverse lookup zone enables clients to use a known IP address during a name query and look up a computer name based on its address. PTR records map an IP to a hostname, whereas a host record maps a hostname to an IP. Reverse lookup zones are independent of the DNS installation and need to be manually created.

Note: Without host and PTR records for the SC Series array, the domain join operation will fail while configuring SC Series AD integration.
4. The New Zone Wizard window appears. Click Next.
5. Select Primary zone. Click Next.
6. Select the zone replication scope. Click Next.
7. Select IPv4 Reverse Lookup Zone. Click Next.
8. Enter the first three octets of the IP address for the SC Series array. For example, if the IP address is 172.16.22.122, enter 172.16.22. Click Next.
9. Select the dynamic update type. Click Next.
10. Click Finish to complete the New Zone Wizard.
3.1.3 Creating a PTR record

To create a PTR record:

1. Open a console session to the primary DNS server. Log in as Administrator.
2. To open DNS Manager, at the start screen click Administrative Tools > DNS.
3. In DNS Manager, expand the domain controller, expand Reverse Lookup Zones, right-click the proper reverse lookup zone, and select New Pointer (PTR).
4. The New Resource Record window appears. The Host IP Address and Fully qualified domain name (FQDN) are automatically prepopulated, but will need modification in the following step.
5. Enter the Host IP Address for the SC Series array that matches the Host (A) record, the Fully qualified domain name (FQDN) of the SC Series array, and the Host name followed by a period. Leave the Allow any authenticated user to update… box unchecked. Click OK.
6.
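
The DNS Manager procedures above (host record, reverse lookup zone, PTR record) can also be scripted and then verified from the DNS server before attempting the domain join. The following PowerShell is an added example, not part of the original guide: the zone name, host name, replication scope and dynamic update type are assumed placeholder values, and it uses the cmdlets of the Windows DnsServer and DnsClient modules.

```powershell
# Added example. Zone and host names are constructed placeholders (assumptions).
$Zone     = 'corp.example.com'   # AD DNS zone (assumed)
$HostName = 'sc-array01'         # SC Series array host name (assumed)
$IPv4     = '172.16.22.122'      # controller IP (single) or management IP (dual)
$Fqdn     = "$HostName.$Zone"

# Derive the /24 reverse zone and the PTR owner name from the address.
$o         = $IPv4.Split('.')
$RevZone   = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
$NetworkId = '{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]
$PtrName   = $o[3]

# Reverse lookup zone: create it only if missing.
# Replication scope and dynamic update type are assumptions; follow site policy.
if (-not (Get-DnsServerZone -Name $RevZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Host (A) record for the array.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType 'A' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $IPv4
}

# Matching PTR record. -AllowUpdateAny is deliberately omitted, which mirrors
# leaving "Allow any authenticated user to update" unchecked in the GUI.
if (-not (Get-DnsServerResourceRecord -ZoneName $RevZone -Name $PtrName -RRType 'PTR' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $RevZone -Name $PtrName -PtrDomainName $Fqdn
}

# Verify that forward and reverse lookups agree; a mismatch or a missing
# record is the condition under which the domain join fails.
$a   = (Resolve-DnsName -Name $Fqdn -Type A -Server localhost -ErrorAction Stop).IPAddress
$ptr = (Resolve-DnsName -Name "$PtrName.$RevZone" -Type PTR -Server localhost -ErrorAction Stop).NameHost
if ($a -contains $IPv4 -and $ptr -contains $Fqdn) {
    "OK: $Fqdn <-> $IPv4"
} else {
    Write-Warning "Mismatch: A=$a PTR=$ptr (expected $IPv4 / $Fqdn)"
}
```

Run it in an elevated session on the primary DNS server; the existence checks make it safe to re-run.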
3.1.4 SC Series network settings

On the SC Series array, each controller’s primary DNS server must be set to the primary DNS server used by Active Directory. If a secondary DNS server also exists, configure each controller to point to it. Each controller must also reflect the domain name where the SC Series array will exist and authenticate with.

To modify the DNS/domain settings of the controller, perform the following steps:

1.
4 Active Directory user and group access

For detailed information on granting access to directory users and groups, see the Dell Storage Manager Administrator’s Guide for your version of DSM.

Consider the following when granting access to an Active Directory user:

4.1 If a directory user has been given access to the SC Series array directly and also belongs to a directory group that has been granted access, the local user permissions will override the mapped group permissions.
A global group can contain users, computers and groups from the same domain, but not universal groups. A global group can be a member of global groups of the same domain, domain local groups, or universal groups of any domain in the forest or trusted domains. A domain local group can contain users, computers, global groups, and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain.
5 Changing AD domains

SC Series AD integration can be changed to point to a different AD domain. DNS settings and SC Series networking settings must be updated to reflect the new AD domain information. To change to a new AD domain, run the Authentication Configuration wizard and enter the new AD domain settings. When changing to a different AD domain, the original user and group mappings to the SC array from the previous AD domain configuration will no longer grant access to the SC array.
A Additional resources

A.1 Technical support and resources

Dell.com/support is focused on meeting customer needs with proven services and support.

Dell TechCenter is an online technical community where IT professionals have access to numerous resources for Dell software, hardware and services.

Storage Solutions Technical Documents on Dell TechCenter provide expertise that helps to ensure customer success on Dell Storage platforms.

A.