Managing Active Directory connections

File sharing protocols such as SMB (CIFS), NFSv3 with extended groups, and NFSv4 rely on external directory services to provide user identity information. Cloud Volumes Service for Google Cloud relies on Microsoft Active Directory (AD) for directory services. Active Directory provides services including an LDAP server for looking up objects (users, groups, machine accounts), a DNS server to resolve hostnames, and a Kerberos server for authentication.

For more information, see Active Directory: Design Considerations and Best Practices.

Use cases

Cloud Volumes Service uses Active Directory for several use cases:

  • For SMB, Active Directory is the domain service. It is used for identity lookups for users and groups and for authentication. Cloud Volumes Service joins the domain as a member.
  • For NFS, Active Directory is used as an LDAP server for identity lookups for users and groups.
  • For Kerberos, Active Directory is used as a Kerberos server for authentication for Kerberized NFSv4.x.

Identify supported AD DC topologies

You must have a working layer 3 IP network that allows Cloud Volumes Service to communicate with Active Directory domain controllers (DCs). Microsoft recommends deploying at least two domain controllers for redundancy and availability. You can use a Windows Server VM to support Active Directory, or you can purchase an Active Directory domain controller from the Google Cloud Marketplace.

The following sections illustrate various potential topologies. The diagrams show only the domain controller used by Cloud Volumes Service. Other domain controllers for the same domain are shown only where required.

This diagram shows the simplest deployment mode: a single domain controller in the same region as the Cloud Volumes Service volumes. This topology works for CVS and CVS-Performance service types.

[Diagram: AD DC in same region as Cloud Volumes Service volumes]

Placing the domain controller in a different region from the Cloud Volumes Service volumes can affect end user authentication and CVS file access performance. Placing domain controllers in a different region is only supported for the CVS-Performance service type.

[Diagram: AD DC in different region from Cloud Volumes Service volumes]

AD DCs in multiple regions using AD sites

If you are using Cloud Volumes Service volumes in multiple regions, NetApp recommends that you place at least one domain controller in each region.

In this deployment mode, using sites is required for the CVS service type. For the CVS-Performance service type, using sites is optional but recommended.

[Diagram: AD DCs in multiple regions using AD sites]
AD DC in an on-premises network

Google Cloud VPC network peering doesn't allow transitive routing, so placing the domain controller in a different VPC network doesn't work. Consider attaching Cloud Volumes Service to a shared VPC network that also hosts the Active Directory domain controllers. If you attach Cloud Volumes Service to a shared VPC network, then this scenario becomes architecturally one of the scenarios in the previous sections.

[Diagram: AD DC in a different VPC network]

Manage DC selection using AD sites

Your Active Directory sites and subnets should represent your actual data center locations, offices, and network topology as closely as possible. In your Cloud Volumes Service project, place domain controllers in the same region as your volumes and define an Active Directory site for that region. When Cloud Volumes Service is connected to your domain, the service uses DNS-based discovery to find the domain controllers to communicate with. By specifying a site in the Active Directory settings of Cloud Volumes Service, you tell it to consider only the domain controllers in that site.

You must specify a site for the CVS service type, because it only connects to domain controllers within the same region. Specifying a site is recommended for the CVS-Performance service type. Without a site specification, DNS-based discovery might return domain controllers outside the region, and volume creation can then fail because of connection timeouts.

Recommended actions:

  • Deploy at least one domain controller in the Cloud Volumes Service region and connect the domain controllers to your existing Active Directory.
  • Create an Active Directory site for your Google Cloud region and place the appropriate domain controllers into that site.
  • Use the Active Directory site when setting up Active Directory connections.

To verify that your Active Directory site contains only reachable domain controllers, see How can I identify Active Directory domain controllers used by the CVS and CVS-Performance service types?
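The following PowerShell script is an added example, not part of the Cloud Volumes Service documentation. It performs the check described above from a Windows host in the VPC network that Cloud Volumes Service is attached to: it resolves the site-scoped domain controller SRV records that DNS-based discovery uses when a site is configured, cross-checks with the DC locator, and confirms each advertised domain controller answers on the ports used for domain join and authentication. The domain name, site name and port set are assumed placeholders; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the Cloud Volumes Service documentation.
# Verifies that site-scoped DC discovery for the region's AD site returns only
# domain controllers that are reachable from this network.
$Domain = 'corp.example.com'   # assumed: your AD domain (the Domain field)
$Site   = 'gcp-us-east1'       # assumed: the AD site you enter in the Site field

# 1. Site-scoped SRV record. With a site configured, discovery queries this name;
#    without one it queries _ldap._tcp.dc._msdcs.<domain>, which can return
#    domain controllers in any region.
$siteScoped = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $siteScoped -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    throw "No SRV records under $siteScoped. Check the site's subnets and DC placement in AD Sites and Services."
}

# 2. Cross-check with the DC locator, which applies the same site filter.
$picked = Get-ADDomainController -Discover -DomainName $Domain -SiteName $Site -ForceDiscover
"DC locator selected $($picked.HostName) in site $($picked.Site)"

# 3. Confirm each advertised DC answers on the ports needed for domain join and
#    authentication (assumed set: Kerberos 88, LDAP 389, SMB 445). Records are
#    tried in the same priority/weight order a client would use.
$ports   = 88, 389, 445
$ordered = $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
foreach ($rec in $ordered) {
    foreach ($port in $ports) {
        $ok = (Test-NetConnection -ComputerName $rec.NameTarget -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-45} {1,4} {2}' -f $rec.NameTarget, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

A domain controller that appears in the SRV answer but shows BLOCKED on any port is one that discovery can hand to Cloud Volumes Service and that will then time out, so either fix the firewall path or move that DC out of the site.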

For more information, see Active Directory: Design Considerations and Best Practices.

Set up Active Directory for SMB

  1. In the Google Cloud console, go to Cloud Volumes.

    Go to the Cloud Volumes page

  2. Select Active Directory connections, and then click Create.

  3. In the Create Active Directory Connection dialog, enter the information indicated in the following table.

    Required fields are marked with an asterisk (*). This table only shows fields relevant to SMB.

    • Username* and Password*: Credentials for the AD account with permissions to create the computer account within the specified organizational unit. For details, see permissions needed to create Active Directory machine accounts.
    • Connection type*: Specifies whether the AD connection is used for volumes of the CVS service type or of the CVS-Performance service type. Mark existing AD connections with the correct connection type: specifying the wrong type for an existing connection can cause problems when creating new volumes or editing that connection's parameters.
    • Domain*: Fully qualified domain name of the AD domain.
    • Site: Name of an AD site. Limits discovery of AD domain controllers. Use when multiple AD connections in different regions are configured.
    • DNS Servers*: IP addresses of the DNS servers used for DNS-based domain controller discovery. The CVS-Performance service type checks all IP addresses listed; the CVS service type uses only the first IP address listed.
    • NetBIOS*: Name of the AD machine account that is created. A 5-character random ID is generated automatically (for example, -6f9a).
    • Organizational Unit: LDAP path of the organizational unit in which the computer account is created.
    • Enable AES Encryption for AD authentication: Enables AES-128 and AES-256 encryption for Kerberos-based communication with Active Directory.
    • Region*: Associates the AD connection with a single region.
    • Backup Users: Domain users or groups that receive elevated file and folder privileges. Used for data migration and for NetApp Global File Cache.
    • Security Privilege Users: Domain user accounts that require elevated privileges to manage security logs for the Active Directory associated with Cloud Volumes Service. This list is needed specifically when installing SQL Server with its binaries and system databases on an SMB share. It isn't required if you use an administrator user during installation.
  4. Click Save.

Set up Active Directory for NFS

NFSv3 uses Active Directory as an LDAP server for the extended groups feature to provide more than 16 groups. Kerberized NFSv4.1 uses Active Directory as an LDAP and Kerberos server.

Make sure that you have configured the AD connection settings. A machine account will be created in the organizational unit (OU) that is specified in the AD connection settings. The settings are used by the LDAP client to authenticate with your Active Directory.

  • LDAP support is available for CVS-Performance only.
  • You can enable the LDAP with extended groups feature only during volume creation. You cannot enable or disable this feature after you have created a volume.
  • LDAP with extended groups is supported only with Active Directory. OpenLDAP and other third-party LDAP directory services aren’t supported.
  • LDAP signing is supported if your Active Directory domain controller is configured to require it.

The following table describes the time to live (TTL) settings for the LDAP cache. After changing an LDAP object, you must wait until the cache is refreshed before accessing a file or directory through a client; otherwise, the client reports an access or permission denied error. After the TTL period, entries age out so that stale entries don't linger. The negative TTL is how long a failed lookup is cached, which avoids repeated LDAP queries for objects that might not exist.

Cache: Default timeout
  • Group membership list: 24-hour TTL
  • Unix groups: 24-hour TTL, 1-minute negative TTL
  • Unix users: 24-hour TTL, 1-minute negative TTL

  1. In the Google Cloud console, go to Cloud Volumes.

    Go to the Cloud Volumes page

  2. Select Active Directory connections, and then click Create.

  3. In the Create Active Directory Connection dialog, enter the information indicated in the following table.

    Required fields are marked with an asterisk (*). This table only shows fields relevant to NFS.

    • Username* and Password*: Credentials for the AD account with permissions to create the computer account within the specified organizational unit. For details, see permissions needed to create Active Directory machine accounts.
    • Connection type*: Specifies whether the AD connection is used for volumes of the CVS service type or of the CVS-Performance service type. Mark existing AD connections with the correct connection type: specifying the wrong type for an existing connection can cause problems when creating new volumes or editing that connection's parameters.
    • Domain*: Fully qualified domain name of the AD domain.
    • Site: Name of an AD site. Limits discovery of AD domain controllers. Use when multiple AD connections in different regions are configured.
    • DNS Servers*: IP addresses of the DNS servers used for DNS-based domain controller discovery. The CVS-Performance service type checks all IP addresses listed; the CVS service type uses only the first IP address listed.
    • NetBIOS*: Name of the AD machine account that is created. A 5-character random ID is generated automatically (for example, -6f9a).
    • Organizational Unit: LDAP path of the organizational unit in which the computer account is created.
    • Enable AES Encryption for AD authentication: Enables AES-128 and AES-256 encryption for Kerberos-based communication with Active Directory.
    • Kerberos Realm (only required if using Kerberos): Used with NFSv4.1 Kerberos volumes to create the service principal name machine account. The AD Server Name and the Key Distribution Center (KDC) IP can refer to the same server.
    • Region*: Associates the AD connection with a single region.
    • Allow local NFS users with LDAP: Provides occasional, temporary access for local users. While this option is enabled, user authentication and lookup from the LDAP server stop working, and the number of group memberships that CVS supports is limited to 16. Keep this option disabled on AD connections except when a local user needs to access LDAP-enabled volumes, and disable it again as soon as local user access to the volume is no longer required.


  4. Click Save.

Managing LDAP POSIX attributes

This section describes the attributes that you need to set for LDAP users and LDAP groups. You can manage POSIX attributes by using the Active Directory Users and Computers MMC snap-in.

You open the Attribute Editor as follows:

  1. Select Start, go to Windows Administrative Tools, and select Active Directory Users and Computers.

    The Active Directory Users and Computers window opens.

  2. Select the domain name that you want to view, and then expand the contents.

  3. In the Active Directory Users and Computers View menu, select Advanced Features.

  4. In the left pane, double-click Users.

  5. In the list of users, double-click a user to see its Attribute Editor tab.

Required attributes for LDAP users

LDAP users must have the following attributes set: uid, uidNumber, cn, gidNumber, objectClass. Each user must have a unique uidNumber.

Example:

  • uid: Alice (case-sensitive)
  • uidNumber: 139
  • gidNumber: 555
  • objectClass: user (default on most AD deployments)

Required attributes for LDAP groups

LDAP groups must have the following attributes set: cn, gidNumber, objectClass.

Each group must have a unique gidNumber.

Example:

  • cn: AliceGroup (case-sensitive)
  • gidNumber: 555
  • objectClass: group (default on most AD deployments)
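The following PowerShell script is an added example, not part of the Cloud Volumes Service documentation. It sets the attributes listed above with the ActiveDirectory module instead of the Attribute Editor, using the page's sample objects Alice and AliceGroup and sample values 139 and 555, and then checks the whole domain for the two conditions the requirements above state: every user with a uidNumber also has uid and gidNumber, and no uidNumber or gidNumber is reused. The RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the Cloud Volumes Service documentation.
Import-Module ActiveDirectory

# Group first, so the user's gidNumber refers to a group number that exists.
Set-ADGroup -Identity 'AliceGroup' -Replace @{ gidNumber = 555 }

# uid is case-sensitive on the NFS side, so spell it exactly as the client expects.
Set-ADUser -Identity 'Alice' -Replace @{ uid = 'Alice'; uidNumber = 139; gidNumber = 555 }

# Check 1: users with a uidNumber but no uid or gidNumber cannot be mapped.
$users = Get-ADUser -Filter 'uidNumber -like "*"' -Properties uid, uidNumber, gidNumber
$users | Where-Object { -not $_.uid -or -not $_.gidNumber } |
    ForEach-Object { Write-Warning "$($_.SamAccountName): missing uid or gidNumber" }

# Check 2: uidNumber must be unique per user; a reused number maps two identities
# to one POSIX UID and therefore to one set of file permissions.
$users | Group-Object uidNumber | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "uidNumber $($_.Name) reused by: $($_.Group.SamAccountName -join ', ')" }

# Check 3: gidNumber must be unique per group, for the same reason.
$groups = Get-ADGroup -Filter 'gidNumber -like "*"' -Properties gidNumber
$groups | Group-Object gidNumber | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "gidNumber $($_.Name) reused by: $($_.Group.Name -join ', ')" }
```

Remember the LDAP cache TTLs above: a client may still see the old mapping for up to 24 hours after these changes unless the cache is refreshed.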