Using the Windows Active Directory within ScaleArc allows for automatic synchronization of Windows AD user authentication credentials from the AD domain to ScaleArc. These synchronized credentials can then be configured for database user Authentication Offload in the ScaleArc cluster configuration.
You can implement Windows AD in one of two ways:
- ScaleArc as RODC
- ScaleArc as a machine account for Kerberos
Review the following prerequisites for RODC configuration before you begin configuring Windows AD.
Prerequisites
Before joining the domain you should have completed the following on ScaleArc:
Make sure you have ScaleArc, minimum version 3.10.x installed and running for this configuration.
- ScaleArc recommends you configure the AD DC server as the NTP server in the ScaleArc configuration. The timezones on both the AD DC server and ScaleArc HA pair should also be the same. It is acceptable for the DC and ScaleArc to use the same NTP server, but essential that they be in time synchronization for Windows Authentication to work properly.
- Ensure that the Windows AD domain has been prepped to allow Read-Only Domain Controller (RODC) support. If you have not run adprep /rodcprep on your forest to allow RODCs to join your domains, run it once for your forest before you attempt to have ScaleArc join a domain in your forest.
- Make sure you have observed the maximum length for a hostname recommended by Microsoft for the ScaleArc hostname.
- Verify the primary DNS setting on ScaleArc is correct and ScaleArc is able to ping the AD server by hostname. ScaleArc's primary DNS server should in most cases be the AD DC server; this is the usual setup in AD. If it is not, ScaleArc and the AD domain should use the same DNS server.
- Ensure that DNS forward and reverse lookup are configured correctly for the AD domain and the AD DC on the DNS server that ScaleArc uses.
Optionally, ensure that the Windows AD users who require access to databases serviced by ScaleArc are configured on the desired SQL Server instances. Users can be added to AD and SQL Server after this domain join procedure is complete, and will automatically appear as the user fetch cycle runs; however, pre-configuring some users will allow immediate testing of the ScaleArc AD Integration functionality.
Configure for RODC
Before you begin, review these best practices. Then, configure as follows:
- Click the Settings tab > System Settings on the ScaleArc dashboard.
- Click the Windows AD Setup tab. Select the RODC radio button.
Complete the fields as follows.
Field Description Default/User input Fully Qualified Domain Name (FQDN) Enter the FQDN of the domain that you want the ScaleArc appliance to join.
Enter an appropriate domain name. NetBIOS Domain Name The NetBIOS name of the domain that you want the ScaleArc appliance to join. This is the "short" domain name and ScaleArc automatically enters it correctly.
Enter a NetBIOS name, if necessary. Active Directory (AD) Server
The active directory server FQDN (fully qualified domain name) that the domain is configured on. Note that the server name should not include a trailing dot (".") at the end, unless you are using a valid DNS entry for the name. Enter the FQDN. Administrative username The username of the account that has the privilege to add the ScaleArc appliance to the domain as a Read-only domain controller.
Enter the username. Password The administrator password.
Enter the password. - Click Join the AD Domain to complete the set up. Once connected, you can use Unjoin the AD Domain to leave the domain.
- Add the appropriate domain users and/or groups to the Password Replication Policy for each of the ScaleArc RODC server objects in AD. Note that in an HA configuration this must be done in AD for both ScaleArc RODC objects for the HA pair, or users will not be allowed access after an HA failover operation.
- Add all desired users and groups into the Allowed RODC Password Replication Group for the ScaleArc server in AD.
- The Denied RODC Password Replication Group takes precedence, so membership in this group, or any group that is a member of this group, will prevent the user account from working with ScaleArc AD Integration even if it is allowed by membership in the Allow group. By default, the Deny group contains all the usual administrator groups and administrative users in the domain.
- For further information on how to set user replication privileges for the ScaleArc RODC please refer to this KB article.
- On the SQL Server instances that ScaleArc communicates with, add either user accounts or group accounts to Security > Logins for those users who will access the servers through ScaleArc.
- Go to Clusters > Settings > User &DBs.
- Click on the Fetch Users button. By default Auto Fetch Database Users is OFF. See Auto Fetch for details.
- Turn Auto Fetch Database Users ON. The default for the automatic synchronization interval is 60 seconds. Adjust this value, if required.
- User accounts that are enabled for RODC replication and for SQL Server instance access should appear in the Auto Fetch dialog no later than after two auto fetch intervals.
- You do not have to add the users from the Fetch Users dialog; they can access ScaleArc and the SQL servers if they are in the proper groups in AD and have SQL Server access.
- Note that if you add users from the Fetch Users dialog rather than through AD Integration, those users and their passwords are "frozen." The password in ScaleArc cannot be updated since it is no longer checked in the RODC but is stored in the ScaleArc configuration files. This option supports legacy accounts. To put this another way, any user that appears in the Users & DBs dialog overrides the AD Integration feature and will not be eligible for AD Integration. To update the password for such a user, use the gear icon next to the user account in Users & DBs, not the account in the Fetch Users dialog.
- As noted above in the Prerequisites, this option also applies to pre-existing user accounts in Users & DBs. Such accounts should be deleted from the Users & DBs dialog prior to joining the domain, if you wish these users to have AD Integration.
- Finally, for ScaleArc's monitoring to work correctly, note that the first account in Users & DBs is not eligible for use with AD Integration. This is the cluster service account, used for health checks and configuration updates.
Comments