File Access and Protocols Feature Guide 13

OceanStor 18500 V3 and 18800 V3 Mission Critical Storage System V300R003

This document describes the implementation principles and application scenarios of the NAS feature. Also, it explains how to configure and manage NAS.
Configuring a Storage System to Add It to an AD Domain

In a domain, after the Homedir share service is enabled in the storage system, you can access Homedir shares as a domain user.

Preparing AD Domain Configuration Data

Why AD Domains?

In the Windows shared mode, every Windows host is an independent node. The accounts and permissions of the users allowed to access the shares are stored separately on each node, which makes the information complex to maintain and hard to control. For example, to grant a user access permission, you need to add the configuration information about this user to every node.

If an AD domain is used, however, the domain controller manages all the user configuration information and authenticates the access to the domain. The domain controller incorporates a database that stores information about the domain account, password, and nodes in the domain. A user can access all the shared content in the domain after passing the authentication by the domain controller.

Working Principles and Panorama
  1. Create a DNS server and provide a full AD domain name (such as 123.com) using the server. Other servers only need to input the full domain name and pass the authentication to access the shares.
  2. Set up an AD domain on the domain controller side.
  3. Add the storage systems that need to provide sharing services to the AD domain.
  4. Create a domain user on the domain controller side. Log in to the servers in the AD domain using the domain user account. The shares in the domain can be accessed.


Data Preparation

The data to be prepared is as follows: Domain Administrator Username, Password, Full Domain Name, Organization Unit (optional), and System Name. For details about how to obtain the data, see the parameter description in section "Configuring AD Domain Authentication Parameters".

Connecting a Storage System to the DNS Server

After a storage system is connected to a DNS server, you can access the storage system through the IP address or domain name. This operation enables you to configure a system management IP address for the active or standby DNS.

Prerequisites

  • The DNS has been configured and is running properly.
  • Port 53 (TCP/UDP) is open between the storage system and the DNS server.
  • Management network port 0 of management module A or management module B of controller enclosure 0 has been connected to the network, and the change system management_ip command has been run to change the management IP address to an IP address in the customer's network segment. For details about the command, see the OceanStor 18500 V3&18800 V3 Mission Critical Storage System V300R003 Command Reference.

Context

  • A DNS server is used to resolve host names in a domain.
  • If you want to configure a standby DNS server, keep the domain names of the active and standby servers consistent.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Basic Information > DNS Service.
  3. Set the DNS information.

    1. Set Active DNS IP Address.
    2. Optional: Set Standby DNS IP Address 1.
    3. Optional: Set Standby DNS IP Address 2.

      NOTE:

      Please configure the standby DNS IP address 1 first and then the standby DNS IP address 2.

  4. Click Save.

    The Success dialog box is displayed indicating that the operation succeeded.

  5. Click OK.

Configuring AD Domain Authentication Parameters

After a storage system is added to an AD domain, the AD server can authenticate CIFS clients when they try to access shared resources, and the administrator can manage the share access permissions and quotas of domain users. If the storage system is not added to the AD domain, domain users cannot use the share services provided by the share server.

Prerequisites

  • An AD domain has been set up.
  • The storage system has been connected to the DNS server.
  • The time on the AD domain server and the DNS server is synchronized with that on the storage system. The time difference must be no larger than 5 minutes.
  • Between the storage system and AD domain environment, the following ports are enabled: ports 88 (TCP/UDP), 389 (TCP/UDP), 445 (TCP), and 464 (TCP/UDP).
NOTE:
  • The OceanStor 18500 V3/18800 V3 storage system can be connected to the AD domain and DNS server only through a service network port (logical port), and all controllers must be able to communicate with the AD server.
  • If the management network and the AD domain server (or the DNS server) cannot communicate, and the IP address of the service network and the IP address of the AD domain server (or the DNS server) belong to different subnets, you need to configure the route from the service network to the AD domain server (or the DNS server) on the storage system to ensure that the service network and the AD domain server (or the DNS server) can communicate.
  • AD domain servers support the primary/secondary domain, parent/child domain, active/standby domain, or trust domain. One storage system can be connected to only one AD domain server.
Precautions
  • When adding a storage system to an AD domain, ensure that the network between primary controllers of the storage system and DNS and AD domain servers is working properly.
    NOTE:

    Run show controller general to query information about all controllers. In the output, Role indicates the cluster role of a controller. If Role is Master, the controller is the primary controller of the storage system.

  • If OverWrite System Name is enabled and the entered system name is the same as one that already exists on the AD domain server, the information of the existing system is overwritten by that of the new system.
  • A simple password is a security risk. A complex password is recommended, for example, one that contains uppercase letters, lowercase letters, digits, and special characters.
  • You are advised to use physical isolation and end-to-end encryption to ensure security of data transfer between clients and AD domain servers.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > File Storage Service > Domain Authentication.
  3. In the AD Domain Settings area, configure the AD domain authentication. Table 3-15 describes the parameters.

    Table 3-15  Parameters of the AD domain

    Parameter: Domain Administrator Username
    Description: User name of an administrator who logs in to the AD domain server.
    Value:
      [Rule] Contains 1 to 63 letters.
      [Example] test123
      [How to Obtain] Contact the administrator of the AD domain controller.

    Parameter: Password
    Description: Password of an administrator who logs in to the AD domain server.
    Value:
      [Rule] Contains 1 to 127 letters.
      [Example] !QAZ2wsx
      [How to Obtain] Contact the administrator of the AD domain controller.

    Parameter: Full Domain Name
    Description: Full domain name of the AD domain server.
    Value:
      [Rule] Contains 1 to 127 characters.
      [Example] abc.com
      [How to Obtain] Contact the administrator of the AD domain controller.

    Parameter: Organization Unit
    Description: Organization unit of a type of directory objects in a domain. These objects include users, computers, and printers. After an object is added to a domain, it becomes a member of the organization unit. If you leave this parameter blank, the storage system is added to the Computers organization unit by default.
      If the Type of the organization unit on the domain controller is Container, enter cn=xxx,dc=abc,dc=com. Otherwise, enter ou=xxx,dc=abc,dc=com.
    Value:
      [Example] ou=xxx,dc=abc,dc=com
      [How to Obtain]
        1. On the Windows AD domain server, open Active Directory Users and Computers or ADSI Edit.
        2. Select the folder directory on the left and right-click the directory. Choose Properties.
        3. In the Properties dialog box that is displayed, click Attribute Editor. The value of distinguishedName is the organization unit.

    Parameter: System Name
    Description: Name of the storage system in the AD domain. After the storage system is added to the domain, clients can use this name to access it.
    Value:
      [Rule] Contains 1 to 15 characters. Only letters, digits, and hyphens (-) are allowed, and the name must not consist of digits only.
      [Example] systemname

    Parameter: Overwrite System Name
    Description: If the same system name already exists on the domain controller, the existing system name is overwritten after this option is selected.
    Value:
      [Example] Enable

    Parameter: Domain Status
    Description: Whether the storage system has been added to the domain.
    Value:
      [Example] Exited domain

  4. Click Join Domain. The AD domain authentication configuration is completed.
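
A pre-flight check for the values gathered above, run before clicking Join Domain. This is an added example, not Huawei code: the function and dictionary key names are hypothetical, the length rules are read as character counts, and the requirement that the dc= components of the organization unit spell out the full domain name is an assumption taken from the abc.com example in Table 3-15.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # prerequisite: time difference no larger than 5 minutes
SYSTEM_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,15}")
OU_HEAD_RE = re.compile(r"(cn|ou)=[^,=]+", re.IGNORECASE)
PASSWORD_CLASSES = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]

def check_join_parameters(p, storage_time, ad_time):
    """Return a list of problems; an empty list means the data fits the documented rules."""
    problems = []
    if not 1 <= len(p["username"]) <= 63:
        problems.append("username: length must be 1 to 63")
    if not 1 <= len(p["password"]) <= 127:
        problems.append("password: length must be 1 to 127")
    # Precaution in the guide: simple passwords are a security risk.
    if not all(re.search(c, p["password"]) for c in PASSWORD_CLASSES):
        problems.append("password: weak, mix uppercase, lowercase, digits and special characters")
    domain = p["domain"]
    if not 1 <= len(domain) <= 127:
        problems.append("domain: length must be 1 to 127")
    name = p["system_name"]
    if not SYSTEM_NAME_RE.fullmatch(name) or name.isdigit():
        problems.append("system_name: 1 to 15 letters, digits or hyphens, not digits only")
    ou = p.get("ou", "")
    if ou:  # optional; when empty the system joins the default Computers unit
        parts = [s.strip() for s in ou.split(",")]
        dcs = [s[3:].lower() for s in parts if s.lower().startswith("dc=")]
        if not OU_HEAD_RE.fullmatch(parts[0]):
            problems.append("ou: must start with cn=<name> or ou=<name>")
        if ".".join(dcs) != domain.lower():  # assumption: dc= parts mirror the domain
            problems.append("ou: dc= components do not match the full domain name")
    if abs(storage_time - ad_time) > MAX_SKEW:
        problems.append("time: storage system and AD server differ by more than 5 minutes")
    return problems

# Constructed sample data, reusing the example values from Table 3-15.
SAMPLE = {"username": "test123", "password": "!QAZ2wsx", "domain": "abc.com",
          "system_name": "systemname", "ou": "ou=xxx,dc=abc,dc=com"}

if __name__ == "__main__":
    now = datetime(2019, 8, 14, 12, 0, 0)  # constructed timestamps
    for line in check_join_parameters(SAMPLE, now, now + timedelta(minutes=2)) or ["OK"]:
        print(line)
```

The two timestamps are supplied by the caller, for example read from the storage system and from the AD domain server at the same moment.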

Follow-up Procedure

To remove the storage system from the AD domain, perform the following operations:
  1. In AD Domain Settings, enter the Domain Administrator Username and Password.
  2. Click exit domain.

    The Success dialog box is displayed indicating that the operation succeeded.

  3. Click OK to finish removing the storage system from the AD domain.
Updated: 2019-08-14

Document ID: EDOC1000084098
