How to Join Client-premises Cohesity Cluster to Active Directory

17 May 2022

Introduction

You can join a Cohesity cluster to a client's Active Directory domain to enable SMB share authentication and other domain-dependent functionality.

Prerequisites

  1. Identify the domain controller(s) the client wishes to use as Preferred Domain Controllers for AD authentication
    1. Two Preferred DCs are highly encouraged but not required
    2. The IP address and FQDN of each are needed from the tenant
    3. This information is critical: if no Preferred Domain Controllers are set, Cohesity will use whatever DNS returns for the domain, in round-robin fashion
      1. If some of those DCs are inaccessible from the Cohesity network, this will cause intermittent or constant authentication issues
  2. A network path must exist from the client's dedicated Cohesity network to the domain controllers
  3. The client must provide an account and credentials with permission to join Computer Objects to their domain (Domain Administrator)
  4. Cohesity SMB functionality uses the Kerberos authentication protocol
    1. Kerberos authentication is much stricter than basic NTLM authentication
    2. Kerberos works by the client machine obtaining an authentication ticket from the domain and presenting it to the Cohesity cluster
    3. Any client machine that will access the cluster must be joined to the same domain the cluster is being joined to, and must be able to communicate with a domain controller in that domain
      1. Unjoined machines, or machines from a different domain, will be unable to obtain a Kerberos ticket for that domain
      2. Linux machines may need additional packages installed to support Kerberos authentication

Network/Port Requirements

Incoming Traffic

  Source           | Destination      | Destination Port | Protocol | Usage Notes                                                           | Type of Traffic
  Client           | Cohesity cluster | 53               | TCP/UDP  | Serve DNS requests from an external source.                           | Management
  Cohesity cluster | Active Directory | 445              | TCP      | Required only when initially joining the Cluster to Active Directory. |

Outgoing Traffic

  Source           | Destination                           | Destination Port | Protocol | Usage Notes                                                                                             | Type of Traffic
  Cohesity cluster | Kerberos Key Distribution Center (AD) | 88               | TCP/UDP  | Required for Kerberos if the cluster is configured to use Active Directory.                             | Management
  Cohesity cluster | LDAP                                  | 389              |          | Required if the cluster is configured to use Active Directory or LDAP.                                  |
  Cohesity cluster | Active Directory                      | 137              | TCP      | Required only when initially joining the Cluster to Active Directory.                                   |
  Cohesity cluster | Active Directory                      | 139              | TCP      | Required only when initially joining the Cluster to Active Directory (for the NetBIOS session service). |

Configure the firewall settings to allow the Cohesity node IP addresses, not the VIPs.
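Both the prerequisites (every domain controller that DNS may hand back must be reachable, which is why Preferred Domain Controllers are requested) and the port table above can be verified before the join is attempted. The script below is an added example, not Cohesity's or Expedient's code, written to run from a host on the client's dedicated Cohesity network. It lists the DC addresses DNS returns for the domain name (the set a cluster with no Preferred DCs would round-robin through), probes each DC on the TCP ports from the table, and flags any DC that fails a port needed for ongoing authentication rather than only at join time. Assumptions: only TCP connects are attempted (UDP on 53 and 88 is not probed), the LDAP row's protocol is assumed to be TCP because the table does not list it, and the local-listener helpers are constructed stand-ins for a DC so the example runs offline.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# (port, protocol as listed in the article, needed only at join time, description)
# Ports are taken from the article's Outgoing Traffic table. The protocol for
# LDAP is not listed on the page; TCP is assumed here for the probe.
PortSpec = Tuple[int, str, bool, str]
REQUIRED_PORTS: List[PortSpec] = [
    (88, "TCP/UDP", False, "Kerberos Key Distribution Center"),
    (389, "TCP (assumed)", False, "LDAP"),
    (445, "TCP", True, "SMB, initial join only"),
    (137, "TCP", True, "NetBIOS name service, initial join only"),
    (139, "TCP", True, "NetBIOS session service, initial join only"),
]


def resolve_domain_controllers(domain: str) -> List[str]:
    """Return the IPv4 addresses DNS hands out for the domain name itself.

    Each domain controller registers an A record at the AD zone apex, so the
    answer for e.g. 'corp.example.local' (placeholder) is the full set of DCs
    that a cluster without Preferred Domain Controllers would cycle through.
    Needs live DNS; the offline demo below uses an explicit list instead.
    """
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    A connect is the least-privileged probe available; it does not speak
    Kerberos, LDAP or SMB, it only proves the route/firewall lets us through.
    UDP on 53 and 88 is not exercised by this check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, name failure
        return False


def check_domain_controllers(dcs: Iterable[str], ports: Iterable[PortSpec] = REQUIRED_PORTS,
                             timeout: float = 3.0) -> Dict[str, Dict[int, bool]]:
    """Probe every DC on every listed port; result[dc][port] is True when reachable."""
    port_list = list(ports)
    return {dc: {p: tcp_port_open(dc, p, timeout) for p, _, _, _ in port_list} for dc in dcs}


def unreachable_for_auth(results: Dict[str, Dict[int, bool]],
                         ports: Iterable[PortSpec] = REQUIRED_PORTS) -> List[str]:
    """DCs failing any port needed for ongoing authentication (join-only ports ignored).

    Any DC in this list will cause intermittent failures whenever DNS
    round-robin selects it, which is why the article asks for Preferred
    Domain Controllers to be set.
    """
    steady_ports = [p for p, _, join_only, _ in ports if not join_only]
    return sorted(dc for dc, seen in results.items() if not all(seen[p] for p in steady_ports))


# --- constructed stand-ins so the example runs offline (not a real DC) ---

def local_listener() -> Tuple[socket.socket, int]:
    """Listening socket on 127.0.0.1 on an ephemeral port: stand-in for a reachable DC port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Port on 127.0.0.1 that nothing listens on: stand-in for a blocked DC port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    srv, open_p = local_listener()
    blocked_p = closed_port()
    # Constructed port list: the "KDC" port is open, the "join-only" port is blocked.
    demo_ports: List[PortSpec] = [(open_p, "TCP", False, "stand-in Kerberos"),
                                  (blocked_p, "TCP", True, "stand-in join-only SMB")]
    results = check_domain_controllers(["127.0.0.1"], demo_ports, timeout=1.0)
    for dc, seen in results.items():
        for port, _, join_only, desc in demo_ports:
            state = "open" if seen[port] else "BLOCKED"
            print(f"{dc}:{port} ({desc}) {state}{' [join-time only]' if join_only else ''}")
    print("DCs that would cause auth failures:", unreachable_for_auth(results, demo_ports) or "none")
    srv.close()
```

Against a real environment, replace the demo list with `check_domain_controllers(resolve_domain_controllers("corp.example.local"))` (placeholder domain) and run it from the Cohesity node network; any DC reported by `unreachable_for_auth` must either be made reachable (static route or firewall rule against the node IPs, as noted above) or be excluded by setting Preferred Domain Controllers to the reachable ones.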

Cohesity Static Routing

Depending on the network configuration, the Cohesity cluster may require static routes to complete the network path between the Cohesity cluster and the domain controller(s). Static routes are added to the Cohesity cluster via the CLI and are the sole responsibility of Expedient. Please reach out to Expedient with the following information:

  1. IP addresses of the domain controllers. Expedient can allowlist a /24, if needed.
  2. IP addresses/VLAN ID of the dedicated Cohesity node/VIP network.
  3. Whether connectivity to multiple servers/networks is required, as this may need multiple routes.

Join the Cluster to the Domain

  1. Log in to the respective Cohesity cluster via the GUI
  2. From the navigation bar at the top of the page, select Settings → Access Management → Active Directory
  3. Select Add Active Directory
  4. Enter the applicable information on the Join Active Directory page:
    1. Domain Name: the domain the client has requested to join
    2. Username: an account with Domain Administrator access
    3. Password: the password for the above account
    4. Preferred Domain Controllers: set Preferred Domain Controllers to minimize DNS round-robin
    5. Machine Accounts: create the machine account, matching the Machine Account name present within the AD domain
    6. Mapped Provider: can be left at the default of None
    7. OU: can be left at the default (optional)
    8. NetBIOS Name: NetBIOS name of the AD domain being joined (optional)
  5. Select Join after all required fields are filled in.

The Cohesity cluster will attempt to reach the domain controllers returned by DNS in round-robin fashion, so this process may appear to take some time. If connectivity has been configured to only one or two of those domain controllers, the attempt may fail and rotate through the available domain controllers before succeeding. In sizeable Active Directory environments where only one or two domain controllers are reachable, the join may need to be attempted several times, as Cohesity may not round-robin to an accessible domain controller on the first few attempts.
