Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1402154.1
Update Date: 2012-06-26

Solution Type  Technical Instruction Sure

Solution  1402154.1 :   Sun Storage 7000 Unified Storage System: Configuring the ZFSSA for Active Directory  


Related Items
  • Sun Storage 7310 Unified Storage System
  • Sun Storage 7410 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun ZFS Storage 7420
  • Sun ZFS Storage 7320
  • Sun Storage 7110 Unified Storage System
  • Sun Storage 7210 Unified Storage System
Related Categories
  • PLA-Support>Sun Systems>DISK>NAS>SN-DK: 7xxx NAS
  • .Old GCS Categories>Sun Microsystems>Storage - Disk>Unified Storage




In this Document
Goal
Fix
 Configuration / Services / DNS :
 Configuration / Services / SMB :
 Configuration / Services / NTP
 Configuration / Services / Active Directory / Join Domain
References


Created from <SR 3-3740498461>

Applies to:

Sun ZFS Storage 7420 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7110 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7310 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

Goal

This document describes the required and optional settings used to configure the ZFS Storage Appliance for use with Active Directory.


Fix

The following settings should be configured for integration with Active Directory. The order is not important, except that the Active Directory domain and credentials should not be entered until all other necessary settings have been configured. Either the BUI or command line administration interface can be used to configure these settings:

Configuration / Services / DNS :

DNS Domain: Fully qualified domain name. This will usually, but not always, match the AD domain.

DNS Servers: Add individual DNS servers. These servers will need to be able to look up the AD Domain Controllers by their SRV records. See <Document 1402003.1> for more information. Note that if the first server is responding to DNS requests, the secondary and other servers are not used, even in the event of a failed lookup.

Configuration / Services / SMB :

(Also listed as Configuration / Services / CIFS on obsolete software versions)

Active Directory Site: An Active Directory Site is configured on the Domain Controller with the Active Directory Sites and Services plug-in. It is used by distributed organizations to group domain controllers by location or purpose. Each of these groups is named, and servers are manually moved into them. Refer to the Windows Server documentation for more information. This setting is optional. If an invalid site is configured, this setting will have no effect.

Preferred Domain Controller: This setting specifies a preferred Domain Controller to use for Active Directory services. If used, the server should be specified by IP address. When this setting is present, the appliance will attempt to connect to this server to join the AD Domain. If unsuccessful for any reason, it will perform the standard DNS query for a Domain Controller. Note that this setting does not remove the requirements for the DNS SRV records as noted above.

LAN Manager Compatibility Level: For most installations, this can be left at the default of "2". The higher numbers (3, 4, 5) are more secure. For detailed information on these settings, and the accompanying AD server-side settings, see <Document:1402208.1>.

SMB Signing Enabled / SMB Signing Required:  These settings control SMB signing. SMB Signing improves SMB security by signing each packet, at the cost of performance. The SMB Signing Enabled checkbox will use signing when required by the client or server. The SMB Signing Required checkbox will refuse to communicate with systems that are configured to use signing. For more information, including details on how to configure/unconfigure this on the Windows side, see MSKB document #887429.

Configuration / Services / NTP

Server Settings:  If NTP is configured on the network, enter the server IP and authorization keys if applicable. See MSKB Document #816042 for details on how to configure NTP on a Windows Server. Active Directory will not tolerate a time difference of more than five minutes (by default). It is strongly recommended that NTP is used to keep the server time of the ZFSSA synchronized with the AD servers.

Clock:  If NTP is not available, determine the current time of the Domain Controller(s), and manually set the time of the system being used for administration to this time. Click the "sync" button in the BUI to set the server time to match the administration workstation time. Note that this is a one-time setting, and if either the ZFSSA clock or the Domain Controller clocks drift out of sync, Active Directory connectivity may be lost.

Configuration / Services / Active Directory / Join Domain

Active Directory Domain:  The fully qualified name of the AD Domain to which the ZFSSA is being joined.

Administrative User:  An Active Directory account with privileges to join the appliance to the AD Domain. See <Document 1402173.1> for specifics on the required privileges.

Administrative Password:  Password for the above user account.

Additional DNS Search Path:  This is a domain name or suffix that should be searched for the Active Directory SRV records in addition to the configured DNS Domain. This is optional, and will generally only be necessary when the DNS Domain differs from the AD Domain.
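
The DNS and clock requirements above can be checked on paper before the join is attempted. The following is an added example, not part of the original article or of the appliance software: it models the "first responding DNS server wins" behaviour, the Additional DNS Search Path, and the five-minute time tolerance over constructed data. The function names, the server dictionaries, the 192.0.2.x addresses and the example.com names are assumptions, and `_ldap._tcp.dc._msdcs.<domain>` is the standard AD domain controller locator record, which the article does not spell out.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # AD's default tolerance, per the article

def srv_lookup(servers, name):
    """The first server that responds gives the final answer, even an empty
    one: the no-fallback behaviour the article describes."""
    for idx, srv in enumerate(servers):
        if srv["responding"]:
            return idx, srv["records"].get(name, [])
    return None, []

def preflight(servers, dns_domain, extra_search, zfssa_time, dc_time):
    """Return (domain_controllers, findings) for a planned domain join."""
    dcs, misses, findings = [], [], []
    # Zones tried: DNS Domain, then the Additional DNS Search Path if set.
    for zone in [dns_domain] + ([extra_search] if extra_search else []):
        name = f"_ldap._tcp.dc._msdcs.{zone}"  # standard AD DC-locator SRV name
        idx, dcs = srv_lookup(servers, name)
        if idx is None:
            misses = ["DNS: no configured server is responding"]
            break
        if dcs:
            break
        # A record held only by a later server is never seen by the appliance.
        unused = [s["ip"] for s in servers[idx + 1:] if name in s["records"]]
        hint = f" (present on unused {unused[0]})" if unused else ""
        misses.append(f"DNS: {servers[idx]['ip']} has no {name}{hint}")
    if not dcs:
        findings.extend(misses)
    skew = abs(zfssa_time - dc_time)
    if skew > MAX_SKEW:
        findings.append(f"TIME: skew {int(skew.total_seconds())}s exceeds 300s")
    return dcs, findings

# Constructed sample data (not from the article). 192.0.2.10 answers queries
# but lacks the AD zone; 192.0.2.11 holds the SRV record.
SRV = "_ldap._tcp.dc._msdcs.ad.example.com"
BAD_ORDER = [
    {"ip": "192.0.2.10", "responding": True, "records": {}},
    {"ip": "192.0.2.11", "responding": True,
     "records": {SRV: ["dc1.ad.example.com"]}},
]
GOOD_ORDER = list(reversed(BAD_ORDER))
NOW = datetime(2012, 6, 26, 12, 0, 0)

if __name__ == "__main__":
    print(preflight(BAD_ORDER, "ad.example.com", None, NOW, NOW))
    print(preflight(GOOD_ORDER, "corp.example.com", "ad.example.com", NOW, NOW))
```

With `BAD_ORDER` the lookup fails even though the second server holds the record, which is the failure mode to rule out by listing an AD-aware DNS server first.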

 

Back to <Document 1402353.1> Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues.

References

<NOTE:1402003.1> - Sun Storage 7000 Unified Storage System: DNS server settings required for integration of the ZFS Storage Appliance with Active Directory
<NOTE:1402208.1> - Sun Storage 7000 Unified Storage System: Configuring the ZFSSA for Active Directory with NTLMv2 / Windows Server 2008
<NOTE:1402353.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues
MSKB 887429: HTTP://SUPPORT.MICROSOFT.COM/KB/887429
MSKB 816042: HTTP://SUPPORT.MICROSOFT.COM/KB/816042

  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.