Integrating with AD server

If AD is selected as the authentication method, you must set up the AD server before you configure the authentication method in the IBM Storage Scale system.

Ensure that you have the following details before you start configuring AD-based authentication:
  • IP address or hostname of the AD server. Both IPv4 and IPv6 addresses are supported.
  • Domain details are as follows:
    • Domain name and realm.
    • AD admin user ID and password to join the IBM Storage Scale system as machine account into the AD domain.
  • The ID map role of the system is identified.
  • The ID map range and range size are defined based on the maximum RID (the sum of the RIDs already allocated and the expected growth).
  • The primary DNS is added to the /etc/resolv.conf file on all the protocol nodes. It resolves the authentication server with which the IBM Storage Scale system is configured. Adding the primary DNS is mandatory when AD is used as the authentication server, because the DNS must be able to resolve the host domain and its trusted domains of interest. Manual changes to the configuration files might be overwritten by the operating system's network manager, so ensure that the DNS configuration persists after the system is restarted. For more information about the circumstances in which the configuration files are overwritten, see the corresponding operating system documentation.
  • During the AD join process, the AD domain that is being joined is searched for a computer account with the same name as the NetBIOS name. If the name is not found, a new computer entry is created in the standard location (CN=Computers). If you choose to pre-create computer accounts for IBM Storage Scale in the AD domain within a particular organizational unit, the computer account must be created with a valid name, and that name must be passed as the NetBIOS name while configuring the IBM Storage Scale system. After the account is created on the AD server, the system must be joined to the AD domain.
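The prerequisites above are easy to get wrong on a node that was rebuilt or whose network manager rewrote resolv.conf. The following pre-flight check is an added example, not IBM Storage Scale code or part of the original documentation; it checks the three items that can be verified without contacting the domain: that /etc/resolv.conf names at least one nameserver, that the NetBIOS name chosen for the computer account is well formed, and that the ID map range and range size can hold the maximum RID. The ID map arithmetic assumes the Samba idmap_autorid layout (each domain receives one slice of `range_size` IDs from the overall range and a RID is offset within that slice, so the highest RID must be smaller than the range size); the sample resolv.conf text, NetBIOS names and range values are constructed for the example and are not a recommendation.

```python
"""Pre-flight checks for AD prerequisites on a protocol node.

Added example, not part of IBM Storage Scale. The ID-map rules follow the
Samba idmap_autorid layout (assumption); the NetBIOS rules are the usual
ones: 1 to 15 characters, none of \\ / : * ? " < > |.
"""
from dataclasses import dataclass
from typing import List

NETBIOS_MAX_LEN = 15
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')

# Constructed sample of /etc/resolv.conf; addresses are documentation ranges.
RESOLV_CONF_SAMPLE = """\
# constructed sample, not copied from a real node
search example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
"""


def nameservers_from_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses declared in resolv.conf content."""
    servers = []
    for raw in text.splitlines():
        # resolv.conf allows '#' and ';' comments.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def netbios_name_problems(name: str) -> List[str]:
    """Return a list of reasons the name is not a valid NetBIOS name (empty if valid)."""
    problems = []
    if not 1 <= len(name) <= NETBIOS_MAX_LEN:
        problems.append(f"length {len(name)} not in 1..{NETBIOS_MAX_LEN}")
    bad = sorted(set(name) & NETBIOS_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


@dataclass
class IdMapPlan:
    """ID map range (inclusive bounds) and the per-domain range size."""
    range_low: int
    range_high: int
    range_size: int

    def domains_supported(self) -> int:
        """Number of domain slices that fit in the overall range."""
        return (self.range_high - self.range_low + 1) // self.range_size

    def fits_rid(self, max_rid: int) -> bool:
        # RID r maps to slice_base + r, so r must stay below range_size.
        return 0 <= max_rid < self.range_size


def preflight(resolv_text: str, netbios_name: str, plan: IdMapPlan, max_rid: int) -> List[str]:
    """Collect findings; an empty list means every checked prerequisite holds."""
    findings = []
    if not nameservers_from_resolv_conf(resolv_text):
        findings.append("no nameserver in resolv.conf; the AD domain and its "
                        "trusted domains cannot be resolved")
    findings += [f"NetBIOS name {netbios_name!r}: {p}"
                 for p in netbios_name_problems(netbios_name)]
    if not plan.fits_rid(max_rid):
        findings.append(f"ID map range size {plan.range_size} cannot hold "
                        f"maximum RID {max_rid}")
    if plan.domains_supported() < 1:
        findings.append("ID map range is smaller than one range size")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a recommendation for any deployment.
    plan = IdMapPlan(range_low=10000000, range_high=299999999, range_size=1000000)
    print("domains supported:", plan.domains_supported())
    for problem in preflight(RESOLV_CONF_SAMPLE, "SCALECLUSTER01", plan, 750000):
        print("FINDING:", problem)
    for problem in preflight("search example.test\n", "SCALE/CLUSTER-NODE01", plan, 1500000):
        print("FINDING:", problem)
```

Run it on each protocol node before the join, feeding it the node's real /etc/resolv.conf contents and the RID estimate from the prerequisite list; a non-empty findings list means one of the listed prerequisites is not yet satisfied. Whether the configured DNS actually answers for the domain still has to be checked against the live resolver, which this offline example deliberately does not do.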

To achieve high availability, you can configure multiple AD domain controllers. While you configure AD-based authentication, you do not need to specify multiple AD servers on the command line. The IBM Storage Scale system queries the specified AD server for the relevant details and configures itself for AD-based authentication. It then relies on the DNS server to identify the set of AD servers that are currently available in the environment and serve the same domain.