Setting up the Active Directory

Initial high availability (HA) setup is done as part of initial filer deployment. After you set up HA using the setup wizard, use this section to manage the configuration. To configure Active Directory (AD) settings, navigate to the following section of the WebUI:

Configuration > Active Directory

All HA management is done from the Master Filer. Subordinate filers do not have a Configuration > High Availability section.

If you configure a Master Filer for HA with shared address, all the subordinates in the CloudFS must point to that address/hostname. If you change the HA configuration with shared address following the initial setup, the AD connections are lost for the subordinates, and they must rejoin the AD domain.

On the Master Filer, the High Availability section lists the configured standby filers for the CloudFS and allows you to perform these actions.

  • Edit: Click the edit icon, and do the following:
    • Verify the selection of active and standby filer.
    • To use a shared hostname/IP address, select Virtual IP and enter the shared hostname and IP address.
  • Delete: Click the delete icon to delete any of the listed filers.

On a standby filer, the High Availability section allows you to assign the pre‐cache target.

  • Pre‐cache Target: Select the active filer from which the standby will clone locality rules.

For All HA Setups:

  • Standby can be added to the domain but will disjoin on a failover
  • The new standby after a failover will not be joined to the domain
  • Joining Standby to the domain is recommended for DNS convenience

On HA VIP Setup:

  • After a failover, the Active will remain joined to the domain

SMB/CIFS File System Security

CloudFS file system security is compatible with and adheres to the Microsoft SMB/CIFS architecture. Files and directories can have user permissions or group permissions, known as Active Directory security ACLs.

The security ACL information is made available via Microsoft Active Directory network queries between the client, the Active Directory forest, and the filer. This relationship is established and initiated during the client login to the filer.

Joining a Microsoft Active Directory Domain

The filer is designed to participate in Microsoft Active Directory Enterprise Forest topologies and therefore does not support an SMB workgroup‐only authentication model (an SMB network with no Active Directory domain controller).

An internal DNS server should be accessible to the filer during the Active Directory join process. The filer will try to understand the Active Directory topology during the join process and locate many Active Directory servers within the domain. These servers will be used as potential candidates during the join process.

The process of joining a filer to an Active Directory domain will populate key domain security ACLs within the default BUILTIN groups. This facilitates global read‐write SMB/CIFS file sharing access throughout the Panzura unified namespace for each node in CloudFS (such as ..\cloudfs\cc1, ..\cloudfs\cc2, ..\cloudfs\cc3).

By default, the Active Directory groups 'Domain Admins' and 'Domain Users' are members of the Active Directory BUILTIN groups. If additional domain ACL security is needed, these can be modified after successfully joining the Active Directory domain.

For SMB, the filer needs to join the AD domain that enforces the RBAC policies. Enabling a storage device to join the AD domain can be delegated to any user with this privilege. Panzura has found that in most cases, AD administrators tend to manage the devices that can join the AD domain. For this reason, AD administrator credentials are required during initial setup of a filer.

WebUI Authentication Using Active Directory

If the filer has joined an Active Directory domain, you can set up your AD domain controller to allow authentication to the Panzura filer using Active Directory credentials without additional setup in the Panzura filer. To use this feature, add the following two groups to the AD domain controller: priv_panzura_admins and priv_panzura_users.

Set the group scope to Global and group type to Security.

Users assigned to either of these groups can then log in to the Panzura filer using their AD credentials. Both of the following user name formats are accepted: username@domainname and domainname\username.
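The following PowerShell is an added example, not Panzura's own tooling: it creates the two WebUI authentication groups with the required Global scope and Security type, or corrects an existing group of the same name whose scope or type would stop WebUI logins from working. It assumes the ActiveDirectory module is installed and that the OU path in $ou is a hypothetical placeholder for your domain.

```powershell
# Added example (not Panzura code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-PanzuraAuthGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetOU,   # hypothetical OU, adjust to your domain
        [string]$Server                             # optional DC to target
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # -Filter returns nothing (no exception) when the group does not exist yet.
    $group = Get-ADGroup -Filter "Name -eq '$Name'" @common
    if (-not $group) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global `
            -GroupCategory Security -Path $TargetOU `
            -Description 'Panzura WebUI authentication' @common
        return 'created'
    }
    # A pre-existing group with the right name but wrong scope or type (for example
    # a Global distribution group) will not grant WebUI access; fix it in place.
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Set-ADGroup -Identity $group -GroupScope Global -GroupCategory Security @common
        return 'corrected'
    }
    return 'ok'
}

$ou = 'OU=Storage,DC=example,DC=com'   # hypothetical placeholder
foreach ($g in 'priv_panzura_admins', 'priv_panzura_users') {
    '{0}: {1}' -f $g, (Set-PanzuraAuthGroup -Name $g -TargetOU $ou)
}

# Review who can administer the filer: keep priv_panzura_admins to the staff who
# actually need it and put everyone else who needs WebUI login in priv_panzura_users.
Get-ADGroupMember -Identity 'priv_panzura_admins' | Select-Object SamAccountName, objectClass
```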

To join the Active Directory domain that you configured, enter the required AD information and click Join Domain. The page displays the name of the domain controller (if configured) and the current Active Directory domain status.

If you are joining an Active Directory Read Only Domain Controller, see Joining an Active Directory Read Only Domain Controller.

To remove the filer from an Active Directory Domain, click Detach from Domain. Domain Administrator credentials are required to perform this operation.

AD Settings

Active Directory Configuration

  • AD Name: Enter the Active Directory domain name and click Save.
  • Domain NETBIOS: Enter the NetBIOS name of the domain.
  • Domain Controller (optional): Enter the name of the preferred domain controller on your network. Example: ad2.panzura.com. To see a list of available domain controllers, click the magnifying glass icon. As a best practice, leave this field blank. This optional setting allows you to choose a preferred domain controller. However, configuring this optional field pins the Active Directory server selection. This can result in a scenario where an alternate Active Directory server will not be used when the pinned Active Directory server goes offline.

Join Active Directory Domain

  • Join Domain: Click the button to join the domain. The status is displayed above the button. If the filer is joined to the domain, you can click Detach from Domain to leave the domain. When joining or detaching from the domain, you are prompted to enter a username and password.

Joining an Active Directory Read Only Domain Controller

The Active Directory Read Only Domain Controller (RODC) deployment mode is a common approach for providing remote site AD services. As the name suggests, the domain controller is read only and provides a level of security and protection against unauthorized changes.

Adding any device, such as a cloud filer, to an RODC requires the use of a Read Write Domain Controller (RWDC). The following steps add the cloud filer to the RODC.

1. From the cloud filer, join the RWDC.
2. From the RWDC:
  • Use the following command to obtain the fully qualified domain name (FQDN) of the filer:

    dsquery computer -name <filer-hostname>

  • Use the following command to force replication of the cloud filer's account credentials to the RODC:

    REPADMIN /RODCPWDREPL <RODC-HOSTNAME> <RWDC-HOSTNAME> <FQDN-of-filer>

3. Verify that the machine name appears in the Active Directory Users and Computers list on both the RWDC and RODC.
4. On the RWDC, use the following command to allow the RODC to authenticate the cloud filer:

    net localgroup "Allowed RODC Password Replication Group" <filer-NetBios-name>$ /add

This completes the process of adding a cloud filer to an Active Directory RODC. Select Configuration > Basic > Active Directory in the WebUI to display the name of the RODC the filer has joined.

Sometimes Samba (winbindd) keeps the connection to the RWDC (used for the domain join) for a brief period. At the next winbindd discovery, the cloud filer establishes a connection with its site-local RODC.
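The procedure above can be verified from the RWDC with the following PowerShell, an added example that is not part of Panzura's documentation or tooling. It checks that the filer's computer account exists on both domain controllers, that the account is allowed (and not denied) by the RODC's Password Replication Policy, and that the RODC has actually cached the account's secret; if the account is allowed but not yet cached it pushes the secret with Sync-ADObject, the PowerShell equivalent of REPADMIN /RODCPWDREPL. It assumes the ActiveDirectory module, and the filer, RWDC and RODC names in the final call are hypothetical placeholders.

```powershell
# Added example (not Panzura code). Run on the RWDC with the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FilerRodcReadiness {
    param(
        [Parameter(Mandatory)][string]$FilerName,   # computer name of the cloud filer
        [Parameter(Mandatory)][string]$Rwdc,        # writable DC used for the join
        [Parameter(Mandatory)][string]$Rodc         # read-only DC at the remote site
    )
    $result = [ordered]@{}

    # 1. The computer account must exist on the RWDC and have replicated to the RODC.
    $onRwdc = Get-ADComputer -Filter "Name -eq '$FilerName'" -Server $Rwdc
    $onRodc = Get-ADComputer -Filter "Name -eq '$FilerName'" -Server $Rodc
    $result.ExistsOnRwdc = [bool]$onRwdc
    $result.ExistsOnRodc = [bool]$onRodc
    if (-not $onRwdc) { return [pscustomobject]$result }

    # 2. Password Replication Policy: the Denied group takes precedence over the
    #    Allowed group, so an account in both is never cached by the RODC.
    $groups = (Get-ADPrincipalGroupMembership -Identity $onRwdc -Server $Rwdc).Name
    $result.InAllowedGroup = $groups -contains 'Allowed RODC Password Replication Group'
    $result.InDeniedGroup  = $groups -contains 'Denied RODC Password Replication Group'

    # 3. Has the RODC actually cached ("revealed") this account's secret?
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $result.PasswordCachedOnRodc = $revealed.DistinguishedName -contains $onRwdc.DistinguishedName

    # 4. Allowed but not cached yet: push the secret to the RODC and re-check.
    if ($result.InAllowedGroup -and -not $result.InDeniedGroup -and -not $result.PasswordCachedOnRodc) {
        Sync-ADObject -Object $onRwdc.DistinguishedName -Source $Rwdc -Destination $Rodc -PasswordOnly
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
        $result.PasswordCachedOnRodc = $revealed.DistinguishedName -contains $onRwdc.DistinguishedName
    }
    return [pscustomobject]$result
}

# Hypothetical names; replace with your filer hostname and domain controllers.
Test-FilerRodcReadiness -FilerName 'filer01' -Rwdc 'rwdc01.example.com' -Rodc 'rodc01.example.com'
```

A result with InAllowedGroup true but PasswordCachedOnRodc still false after the sync usually means the RODC has not yet replicated the account object itself; re-run once ExistsOnRodc is true.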