|
| 1 | +--- |
| 2 | +title: Deploy in Active Directory mode - prerequisites |
| 3 | +titleSuffix: SQL Server Big Data Cluster |
| 4 | +description: Configure Active Directory for SQL Server Big Data Clusters |
| 5 | +author: cloudmelon |
| 6 | +ms.author: melqin |
| 7 | +ms.reviewer: mikeray |
| 8 | +ms.date: 09/30/2020 |
| 9 | +ms.topic: conceptual |
| 10 | +ms.prod: sql |
| 11 | +ms.technology: big-data-cluster |
| 12 | +--- |
| 13 | + |
| 14 | +# Deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode: Prerequisites |
| 15 | + |
| 16 | +[!INCLUDE[SQL Server 2019](../includes/applies-to-version/sqlserver2019.md)] |
| 17 | + |
| 18 | +This document explains how to prepare to deploy a SQL Server big data cluster (BDC) in the Active Directory |
| 19 | +authentication mode. The cluster uses an existing AD domain for authentication. |
| 20 | + |
| 21 | +>[!Note] |
| 22 | +>Before SQL Server 2019 CU5 release, there is a restriction in big data clusters so that only one cluster could be deployed against an Active Directory domain. This restriction is removed with the CU5 release, see [Concept: deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode](active-directory-deployment-background.md) for details on the new capabilities. Examples in this article are adjusted to accommodate both deployment use cases. |
| 23 | +
|
| 24 | +## Background |
| 25 | + |
| 26 | +To enable Active Directory (AD) authentication, the BDC automatically creates the users, groups, machine accounts, and service principal names (SPN) that the various services in the cluster need. To provide some containment of these accounts and allow scoping permissions, we suggest create an organizational unit (OU) before cluster deployment. All BDC-related AD objects will be created during deployment. |
| 27 | + |
| 28 | +## Pre-requisites |
| 29 | + |
| 30 | +### Organizational Unit (OU) |
| 31 | +An organizational unit (OU) is a subdivision within an Active Directory into where place users, groups, and even other organizational units. Big picture Organizational units can be used to mirror an organization's functional or business structure. This article we'll create an OU called `bdc` as an example. |
| 32 | + |
| 33 | +>[!NOTE] |
| 34 | +>The organizational unit (OU) represents administrative boundaries and enable customers to control the scope of authority of data administrators. |
| 35 | +
|
| 36 | +You can follow [OU Design Principles](/windows-server/identity/ad-ds/plan/reviewing-ou-design-concepts) to decide on the best structure on working with OUs within your organization. |
| 37 | + |
| 38 | +### AD account for BDC domain service account |
| 39 | + |
| 40 | +To be able to create all the required objects in Active Directory automatically, the BDC needs an AD account which have specific permissions to create users, groups, and machine accounts inside the provided organizational unit (OU). This article will explain how to configure the permission of this AD account. We use an AD Account call `bdcDSA` as an example in this article. |
| 41 | + |
| 42 | +### Auto generated Active Directory objects |
| 43 | +BDC deployment automatically generates account and group names. Each of the accounts represents a service in BDC and will be managed by BDC throughout the lifetime where BDC cluster is in use. Those accounts own the Service Principal Names (SPNs) are required by each service. For a full list of AD auto-generated accounts, groups, and service that they managed, see [Auto generated Active Directory objects](active-directory-objects.md). |
| 44 | + |
| 45 | +>[!IMPORTANT] |
| 46 | +>Depending on the password expiration policy set in the Domain Controller, passwords for these accounts can expire. The default expiration policy is 42 days. There is no mechanism to rotate credentials for all accounts in BDC, so the cluster will become inoperable once the expiration period is met. To workaround this issue, update the expiration policy for the BDC service accounts to “Password never expires” in the Domain Controller. This action can be done before or after the expiration time. In the latter case, Active Directory will reactivate the expired passwords. |
| 47 | +> |
| 48 | +>The following image shows where to set this property in in Active Directory Users and Computers. |
| 49 | +> |
| 50 | +>:::image type="content" source="media/deploy-active-directory/image25.png" alt-text="Set password expiration policy"::: |
| 51 | +
|
| 52 | +The steps below assume you already have an Active Directory domain controller. If you don't have a domain controller, the following [guide](https://social.technet.microsoft.com/wiki/contents/articles/37528.create-and-configure-active-directory-domain-controller-in-azure-windows-server.aspx) includes steps that can be helpful. |
| 53 | + |
| 54 | +## Create AD objects |
| 55 | + |
| 56 | +Do the following things before you deploy a BDC with AD integration: |
| 57 | + |
| 58 | +1. Create an organizational unit (OU) where all BDC-related AD objects will be stored. Alternatively you can choose an existing OU upon deployment. |
| 59 | +1. Create an AD account for BDC, or use an existing account, and provide this BDC AD account the right permissions inside the provided organizational unit (OU). |
| 60 | + |
| 61 | +### Create a user in AD for BDC domain service account |
| 62 | + |
| 63 | +The big data cluster requires an account with specific permissions. Before you proceed, make sure that you have an existing AD account or create a new account, which the big data cluster can use to set up the necessary objects. |
| 64 | + |
| 65 | +To create a new user in AD, you can right-click the domain or the OU and select **New** > **User**: |
| 66 | + |
| 67 | + |
| 68 | + |
| 69 | +This user will be referred to as the *BDC domain service account* in this article. |
| 70 | + |
| 71 | +### Create an OU |
| 72 | + |
| 73 | +On the domain controller, open **Active Directory Users and Computers**. On the left panel, right-click the directory under which you want to create your OU and select **New** \> **Organizational Unit**, then follow the prompts from the wizard to create the OU. Alternatively, you can create an OU with PowerShell: |
| 74 | + |
| 75 | +```powershell |
| 76 | +New-ADOrganizationalUnit -Name "<name>" -Path "<Distinguished name of the directory you wish to create the OU in>" |
| 77 | +``` |
| 78 | + |
| 79 | +The examples in this article use `bdc` for the OU name. |
| 80 | + |
| 81 | + |
| 82 | + |
| 83 | + |
| 84 | + |
| 85 | +### Set permissions for an AD account |
| 86 | + |
| 87 | +Whether you have created a new AD user or using an existing AD user, there are certain permissions the user needs to have. This account is the user account that the BDC controller will use when joining the cluster to AD. |
| 88 | + |
| 89 | +The BDC domain service account (DSA) needs to be able to create users, groups, and computer accounts in the OU. In the following steps, we have named the BDC domain service account `bdcDSA`. You can choose any name for this account. |
| 90 | + |
| 91 | +1. On the domain controller, open **Active Directory Users and Computers** |
| 92 | + |
| 93 | +1. In the left panel, navigate to your domain, then the OU which `bdc` will use |
| 94 | + |
| 95 | +1. Right-click the OU, and select **Properties**. |
| 96 | + |
| 97 | +1. Go to the Security tab (Make sure that you have selected **Advanced Features** by right-clicking on the OU, and selecting **View**) |
| 98 | + |
| 99 | +  |
| 100 | + |
| 101 | +1. Click **Add...** and add the **bdcDSA** user |
| 102 | + |
| 103 | +  |
| 104 | + |
| 105 | +  |
| 106 | + |
| 107 | +1. Select the **bdcDSA** user and clear all permissions, then click **Advanced** |
| 108 | + |
| 109 | +1. Click **Add** |
| 110 | + |
| 111 | +  |
| 112 | + |
| 113 | + - Click **Select a Principal**, insert **bdcDSA**, and click Ok |
| 114 | + |
| 115 | + - Set **Type** to **Allow** |
| 116 | + |
| 117 | + - Set **Applies To** to **This Object and all descendant objects** |
| 118 | + |
| 119 | +  |
| 120 | + |
| 121 | + - Scroll down to the bottom, and click **Clear all** |
| 122 | + |
| 123 | + - Scroll back to the top, and select: |
| 124 | + - **Read all properties** |
| 125 | + - **write all properties** |
| 126 | + - **Create Computer objects** |
| 127 | + - **Delete Computer objects** |
| 128 | + - **Create Group objects** |
| 129 | + - **Delete Group objects** |
| 130 | + - **Create User objects** |
| 131 | + - **Delete User objects** |
| 132 | + |
| 133 | + - Click **OK** |
| 134 | + |
| 135 | +- Click **Add** |
| 136 | + |
| 137 | + - Click **Select a Principal**, insert **bdcDSA**, and click Ok |
| 138 | + |
| 139 | + - Set **Type** to **Allow** |
| 140 | + |
| 141 | + - Set **Applies To** to **Descendant Computer objects** |
| 142 | + |
| 143 | + - Scroll down to the bottom, and click **Clear all** |
| 144 | + |
| 145 | + - Scroll back to the top, and select **Reset password** |
| 146 | + |
| 147 | + - Click **OK** |
| 148 | + |
| 149 | +- Click **Add** |
| 150 | + |
| 151 | + - Click **Select a Principal**, insert **bdcDSA**, and click Ok |
| 152 | + |
| 153 | + - Set **Type** to **Allow** |
| 154 | + |
| 155 | + - Set **Applies To** to **Descendant User objects** |
| 156 | + |
| 157 | + - Scroll down to the bottom, and click **Clear all** |
| 158 | + |
| 159 | + - Scroll back to the top, and select **Reset password** |
| 160 | + |
| 161 | + - Click **OK** |
| 162 | + |
| 163 | +- Click **OK** twice more to close open dialog boxes |
| 164 | + |
| 165 | +## Next steps |
| 166 | + |
| 167 | +[Deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode](active-directory-deploy.md) |
| 168 | + |
| 169 | +[Troubleshoot SQL Server Big Data Cluster Active Directory integration](troubleshoot-active-directory.md) |
| 170 | + |
| 171 | +[Concept: deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode](active-directory-deployment-background.md) |
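Review bot: The permissions granted under "Set permissions for an AD account" are broader than the requirement stated just above them. The text says the `bdcDSA` account "needs to be able to create users, groups, and computer accounts in the OU" (and the later ACEs add **Reset password** on descendant user and computer objects), yet the first ACE grants **Read all properties** and **write all properties** with **Applies To** set to **This Object and all descendant objects**, which also lets the account modify the OU object itself and every attribute of every object beneath it. Either document why full write access to all properties is required for deployment, or narrow that ACE (for example, apply the write right to descendant objects only) so the OU boundary the note about "administrative boundaries" describes actually holds. Two smaller points in the same steps: the list switches from `1.` for the first "Click **Add**" to `-` for the second and third "Click **Add**", so the numbered procedure breaks in the middle; and "write all properties" should be capitalized like the other permission names. Elsewhere in the file, several sentences that introduce a screenshot ("select **New** > **User**:", "Go to the Security tab", "add the **bdcDSA** user") are followed only by blank lines, so the image references seem to have been lost from this change, and there are grammar slips to fix before merge: "we suggest create an organizational unit", "a subdivision within an Active Directory into where place users", "an AD account which have specific permissions", "Those accounts own the Service Principal Names (SPNs) are required by each service", "To workaround this issue", and "in in Active Directory Users and Computers". Finally, the IMPORTANT note recommends setting "Password never expires" on the generated service accounts because BDC has no credential-rotation mechanism; it would help readers if that note stated plainly that this trades password hygiene for availability, so operators can record the exception in their policy rather than discover it later.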