How to Join Client-premises Cohesity Cluster to Active Directory
  • 17 May 2022
  • Dark
    Light

How to Join Client-premises Cohesity Cluster to Active Directory

  • Dark
    Light

Article summary

Introduction

You can join a Cohesity cluster to client domains to allow for SMB share authentication and other functionality.

Prerequisites

  1. Identify a Domain Controller they wish to act as Preferred for AD authentication
    1. 2 Preferred DCs are highly encouraged but not required
    2. IP and FQDN are needed from the tenant
    3. This information is critical, as if we do not set Preferred Domain Controllers, Cohesity will leverage what DNS returns in a round-robin fashion
      1. If some of those DCs are inaccessible, this will cause intermittent or constant authentication issues
  2. A network path to the domain controllers from their dedicated Cohesity network must exist
  3. The client must come equipped with an account and credentials with permissions to join Computer Objects (Domain Administrator) to their domain
  4. Cohesity SMB functionality utilizes the Kerberos authentication protocol
    1. Kerberos authentication is much more strict than basic NTLM authentication
    2. Kerberos functions by the client machine holding an authentication ticket and presenting it to the Cohesity cluster
    3. You must join any accessing client machine to the same domain you are joining the cluster to and be able to communicate with a domain controller in the domain
      1. Unjoined machines or machines from a different domain will be unable to receive a Kerberos ticket from said domain
      2. Linux machines may need additional packages installed to support Kerberos authentication

Network/Port Requirements

Incoming Traffic

Source

Destination

Destination Port

Protocol

Usage Notes

Type of Traffic

Client

Cohesity cluster

53

TCP/UDP

Serve DNS requests from an external source.

Management

Cohesity cluster

Active Directory

445

TCP

Required only when initially joining the Cluster to Active Directory.

Outgoing Traffic

Source

Destination

Destination Port

Protocol

Usage Notes

Type of Traffic

Cohesity cluster

Kerberos Key Distribution Center (AD)

88

TCP/UDP

Required for Kerberos if the cluster is configured to use Active Directory.

Management

LDAP389Required if the cluster is configured to use Active Directory or LDAP.
Active Directory137TCP

Required only when initially joining the Cluster to Active Directory.

139

Required only when initially joining the Cluster to Active Directory (for the NetBIOS session service).

Configure the firewall settings to allow the Cohesity node IP addresses, not the VIPs.

Cohesity Static Routing

Depending on the network configuration, the Cohesity cluster may require static routes to complete the network path between the Cohesity cluster and domain controller(s). Adding static routes to the Cohesity cluster is done via the CLI and is the sole responsibility of Expedient. Please reach out to Expedient with the following information:

  1. IP addresses of domain controllers. Expedient can allowlist a /24, if needed.
  2. IP addresses/VLAN ID of dedicated the Cohesity node/VIP network.
  3. Multiple routes may be required if you wish to establish connectivity to multiple servers/networks.

Join the Cluster to the Domain

  1. Log in to the respective Cohesity Cluster via the GUI
  2. From the navigation bar at the top of the page, select the SettingsAccess Management → Active Directory tab
  3. Select Add Active Directory
  4. Enter the applicable information on the Join Active Directory page:
    1. Domain Name:                                       Domain the client has requested to join
    2. Username:                                             Account with Domain Administrator access
    3. Password:                                              Password for the above account
    4. Preferred Domain Controllers:              Set Preferred Domain Controllers to minimize DNS round-robin
    5. Machine Accounts:                                Create and match the Machine Account name present within the AD domain
    6. Mapped Provider:                                  Can be left at the default of None
    7. OU:                                                        Can be left default (optional)
    8. NetBIOS Name:                                     NETBIOS name of AD instance being joined to (optional)
  5. Select Join after all required fields are filled in.
The Cohesity cluster will attempt to reach out to Domain Controllers returned by DNS in a round-robin fashion. This process may appear to take some time. If we have only configured connectivity to one or two of these domain controllers, connectivity may fail and rotate through available domain controllers before success. Furthermore, on sizeable Active Directory environments, if we can only connect to one or two domain controllers, this process may need to be attempted several times, as Cohesity may not round-robin to an accessible domain controller on the first few attempts.

Was this article helpful?