
Tips for using Active Directory integration with IBM Cloud Managed Services


In April 2014, Mike McGuire introduced the Active Directory (AD) integration capabilities of the IBM Cloud Managed Services offering. In this post, I’d like to provide some support for clients and deal teams as they search for the right choice of AD and Domain Name Service (DNS) integration in IBM Cloud Managed Services.

As Mike pointed out, there are three possible AD integration deployment options:

• Scenario one: IBM Managed AD Lite
• Scenario two: IBM Managed AD
• Scenario three: Customer Managed AD

The following diagram summarizes these scenarios.

Diagram: Active Directory integration scenarios

To understand this diagram, let’s clarify some of the key items displayed:

• Red boxes in scenarios one, two and three: These represent the customer’s existing AD account domains, holding the customer’s users (circled in red).

• Blue boxes in scenarios one and two: These boxes represent IBM Managed AD resource domains, holding the provisioned guest servers (circled in blue).

• Blue box at the top: This box represents the IBM AD management domain holding IBM support groups and users.

As you can see from this overview, scenarios one and two are called “IBM Managed AD” because the IBM Cloud Managed Services guest systems (blue circles) are provisioned into an AD domain managed by IBM, while scenario three is called “Customer Managed AD” because the guest systems are provisioned directly into the AD domain managed by the customer.

Let’s take a look at each scenario individually to understand its capabilities in detail. If you are only interested in a summary of the features mapped against the AD scenarios, skip ahead to the section that follows the per-scenario feature details.

Scenario one: IBM Managed Active Directory Lite

This is the default offering used for all new customers, unless they request Scenario two or three. This also applies to non-Windows customers. Scenario one provides a dedicated IBM Managed Active Directory environment that acts as a resource domain to host guest Windows virtual machines (VMs) for Cloud Managed Services.

Features

AD and extended premise (EP) DNS suffix is xxxscep.ssm.sdc.gts.ibm.com (xxx = CDIR).
• Customers can use DNS aliases (CNAME) in their internal DNS if required.
• The primary DNS suffix of a guest will match the AD suffix.

AD schema cannot be modified.

Single sign-on:
• Customer IDs from the customer AD domain are valid on servers hosted with Cloud Managed Services.
• Supports an AD trust (external) to a single customer AD domain.

Deployment variants of AD Scenario one:
• Standard includes both the AD trust relationship and DNS forwarding.
• DNS Forwarding Only includes DNS forwarding only, not the AD trust relationship.
• Native IP Only covers just the IBM managed resource domain, not the AD trust relationship and not DNS forwarding.

Migration:
• Scenario one customers can migrate to Scenario two without re-provisioning of Windows guest VMs.
• Scenario one customers cannot migrate to Scenario three without re-provisioning of Windows guest VMs.

DNS forwarding is supported to and from customer DNS.
• Customer site servers can resolve Cloud Managed Services guest VMs.
• Cloud Managed Services guest VMs can resolve customer site servers.

Deployment during Cloud Managed Services onboarding consists of two IBM-managed domain controllers.
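The Standard variant of Scenario one depends on two things being in place on the IBM managed resource domain: the external trust to the single customer AD domain and DNS forwarding towards the customer DNS. The following PowerShell check is an added example, not code from the original post or from IBM; it runs on a domain controller of the resource domain and assumes a customer domain name (corp.example.com) and a customer host name (fileserver01), both placeholders to replace with your own values.

```powershell
# Added example (not from the original post or from IBM). Validates, from a domain
# controller of the IBM managed resource domain, the two parts of the Scenario one
# "Standard" variant: the trust to the single customer AD domain and DNS forwarding
# in the resource-domain -> customer direction.
# Placeholders: 'corp.example.com' (customer domain) and 'fileserver01' (a host that
# exists in customer DNS); the resource-domain suffix comes from your CMS onboarding.
Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module DnsClient

function Test-CmsAdIntegration {
    param(
        [Parameter(Mandatory)] [string] $CustomerDomain,   # placeholder: corp.example.com
        [Parameter(Mandatory)] [string] $CustomerTestHost  # placeholder: fileserver01
    )
    $result = [ordered]@{}

    # 1. Trust: Scenario one supports exactly one external trust to the customer domain.
    #    ForestTransitive = $true would indicate a forest trust (Scenario two, Kerberos).
    $trust = Get-ADTrust -Filter "Target -eq '$CustomerDomain'" -ErrorAction SilentlyContinue
    $result.TrustPresent   = [bool]$trust
    $result.TrustType      = if ($trust) { $trust.TrustType } else { $null }
    $result.TrustDirection = if ($trust) { $trust.Direction } else { $null }
    $result.ForestTrust    = if ($trust) { [bool]$trust.ForestTransitive } else { $false }

    # 2. DNS forwarding towards the customer: a conditional forwarder zone named after
    #    the customer domain, pointing at the customer's DNS servers.
    $fwd = Get-DnsServerZone -Name $CustomerDomain -ErrorAction SilentlyContinue
    $result.ConditionalForwarder = [bool]($fwd -and $fwd.ZoneType -eq 'Forwarder')
    $result.ForwarderTargets     = if ($result.ConditionalForwarder) { $fwd.MasterServers -join ',' } else { '' }

    # 3. Prove resolution works end to end (CMS guest -> customer site server).
    try {
        $a = Resolve-DnsName -Name "$CustomerTestHost.$CustomerDomain" -Type A -DnsOnly -ErrorAction Stop
        $result.CustomerHostResolves = (@($a | Where-Object Type -eq 'A').Count -gt 0)
    } catch {
        $result.CustomerHostResolves = $false
    }

    # 4. This machine's secure channel to its own (resource) domain is still healthy.
    $result.SecureChannelOk = Test-ComputerSecureChannel

    [pscustomobject]$result
}

# Usage (placeholder values). The reverse direction (customer site -> CMS guest) must be
# checked from a customer DNS server that forwards the xxxscep.ssm.sdc.gts.ibm.com zone.
Test-CmsAdIntegration -CustomerDomain 'corp.example.com' -CustomerTestHost 'fileserver01' | Format-List
```

For the DNS Forwarding Only variant, TrustPresent is expected to be false while ConditionalForwarder and CustomerHostResolves are true; for Native IP Only, all three are false and only SecureChannelOk should hold. Resolution in the other direction is only proven from the customer side, since it depends on the customer's own forwarder for the resource-domain zone.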

Scenario two: IBM Managed Active Directory

This scenario provides a dedicated IBM managed Active Directory environment, acting as a resource domain to host Cloud Managed Services Windows guest VMs.

Features

AD and EP DNS suffix is xxxscep.ssm.sdc.gts.ibm.com (xxx = CDIR).
• Customers can use DNS aliases (CNAME) in their internal DNS if required.
• The primary DNS suffix of the guest will match the AD suffix.

Single sign-on:
• Customer IDs from the customer domain are valid on servers hosted by Cloud Managed Services.
• AD trusts (external/forest) to multiple customer domains are supported. Each trusted customer domain requires two Cloud Managed Services unmanaged servers.

DNS forwarding is supported to and from customer DNS.
• Customer site servers can resolve Cloud Managed Services guest VMs.
• Cloud Managed Services guest VMs can resolve customer site servers.

AD schema extensions are supported, which allows Cloud Managed Services AD to host applications that use AD for configuration.

Kerberos authentication protocol is supported when using a forest trust.

Password rules could be stronger than the CMS default (derived from cloud internet security policy).

Co-located customer Domain Controllers (unmanaged Cloud Managed Services Windows VMs) are required in either one of the following deployment variants:
• Standard: Trusted customer AD domains extended into Cloud Managed Services.
• Standalone: Trusted new “standalone” customer AD domain(s) created on CMS.

Deployment during onboarding:
• Two managed IBM domain controllers.
• Two unmanaged co-located customer domain controllers (two domain controllers required per trusted domain).

Scenario three: Customer Managed Active Directory

This scenario relies on the customer AD to host Cloud Managed Services Windows guests, rather than an IBM Managed AD.

Features

The customer AD hosts Cloud Managed Services Windows guests.
• Customer’s AD schema is used.
• Customer’s AD Kerberos authentication protocol is allowed.

AD and EP DNS suffix will match customer AD domain name.
• Customers are able to use DNS aliases (CNAME) in their internal DNS if required.
• Customers are responsible for creating DNS records in the customer DNS.

Single sign-on: Customer IDs from customer AD domain are valid on Cloud Managed Services Windows guest servers.

DNS forwarding is supported to and from the customer DNS.
• Customer site servers can resolve Cloud Managed Services guest VMs.
• Cloud Managed Services guest VMs can resolve customer site servers.
• Customer is responsible for managing DNS records for customer DNS spaces.

Password rules can be stronger than the Cloud Managed Services default (derived from the Cloud ISeC policy). The customer AD password policy will apply. This policy must be equal to or stronger than the IBM Cloud ISeC policy.

Provisioning into multiple customer AD domains is supported.
• Customer must provide a single “IBMCloud” organizational unit (OU).
• Within the IBMCloud OU, child OUs can be created by the customer.
• Group policy object (GPO) inheritance must be disabled on IBMCloud OU (Global policy enforcement must be turned off).
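Two of the Scenario three requirements above fall to the customer's AD administrators: the domain password policy must be at least as strong as the IBM Cloud ISeC policy, and provisioning needs a single IBMCloud OU with GPO inheritance disabled. The following PowerShell is an added example, not code from the original post or from IBM; it runs on a customer domain controller and, because the post does not publish the ISeC values, uses placeholder minimums in $RequiredPolicy that you must replace with the figures from your onboarding documentation. The OU name is the one the post specifies; the domain DN is taken from the current domain.

```powershell
# Added example (not from the original post or from IBM). Prepares and verifies the
# customer-side prerequisites for Scenario three on a customer domain controller:
# the single 'IBMCloud' OU, GPO inheritance blocked on it, and a domain password
# policy at least as strong as a set of minimums. The ISeC values are not published
# in the post; $RequiredPolicy below holds placeholder numbers.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Initialize-IbmCloudOU {
    param(
        [string] $OuName   = 'IBMCloud',
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )
    $ouDN = "OU=$OuName,$DomainDN"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $existing) {
        # Exactly one IBMCloud OU directly under the domain; child OUs beneath it are the customer's choice.
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
    # Requirement from the post: GPO inheritance from parent containers is disabled on IBMCloud.
    Set-GPInheritance -Target $ouDN -IsBlocked Yes | Out-Null
    $inh = Get-GPInheritance -Target $ouDN
    [pscustomobject]@{
        OU                 = $ouDN
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # Enforced links still apply despite blocking; these are the "global policy
        # enforcement" the post says must be turned off for this OU.
        EnforcedLinks      = @($inh.InheritedGpoLinks | Where-Object Enforced | ForEach-Object DisplayName)
    }
}

function Test-PasswordPolicyMeetsMinimum {
    param([Parameter(Mandatory)] [hashtable] $RequiredPolicy)
    $p = Get-ADDefaultDomainPasswordPolicy
    $checks = [ordered]@{
        MinPasswordLength    = $p.MinPasswordLength    -ge $RequiredPolicy.MinPasswordLength
        ComplexityEnabled    = $p.ComplexityEnabled    -or (-not $RequiredPolicy.ComplexityEnabled)
        PasswordHistoryCount = $p.PasswordHistoryCount -ge $RequiredPolicy.PasswordHistoryCount
        # A shorter maximum age is stronger; zero means "never expires" and fails.
        MaxPasswordAge       = ($p.MaxPasswordAge -gt [TimeSpan]::Zero) -and ($p.MaxPasswordAge -le $RequiredPolicy.MaxPasswordAge)
        # A lower lockout threshold is stronger; zero means lockout disabled and fails.
        LockoutThreshold     = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $RequiredPolicy.LockoutThreshold)
    }
    [pscustomobject]@{
        Compliant = -not (@($checks.Values) -contains $false)
        Detail    = $checks
    }
}

# Placeholder minimums (assumed for the example, not the real ISeC policy).
$RequiredPolicy = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    PasswordHistoryCount = 12
    MaxPasswordAge       = [TimeSpan]::FromDays(90)
    LockoutThreshold     = 5
}
Initialize-IbmCloudOU | Format-List
Test-PasswordPolicyMeetsMinimum -RequiredPolicy $RequiredPolicy | Format-List
```

The comparison only covers the default domain policy; if fine-grained password policies (Get-ADFineGrainedPasswordPolicy) apply to the accounts that will log on to the CMS guests, each of those needs the same check. Any name listed under EnforcedLinks will still reach the IBMCloud OU despite the inheritance block and has to be reviewed before provisioning.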

Co-located Customer Domain Controllers (unmanaged CMS Windows VMs) are required in either one of the following deployment variants:
• Standard: Customer AD domain(s) are extended into CMS
• Standalone: New “standalone” customer AD domain(s) are created on CMS

Deployment during onboarding:
• Two managed IBM Domain Controllers.
• Two unmanaged co-located Customer Domain Controllers (two DCs required per trusted domain).

Here is a summary table of the features mapped against the three AD scenarios:

Table (image): Mapping key features against AD scenarios

By now you’re familiar with the principal differences and specific features of the three AD scenarios in IBM Cloud Managed Services. You can validate your understanding against the summary table above to check whether your requirements will be addressed by one of the AD scenarios in IBM Cloud Managed Services.

Let me know if this post has been helpful by leaving a comment or question below, or by reaching out to me on Twitter @hst62.
