All Products
Search
Document Center

ApsaraDB RDS:Connect an ApsaraDB RDS for SQL Server instance to a self-managed domain

Last Updated:Jan 29, 2024

If you want to integrate an ApsaraDB RDS for SQL Server instance with the identity authentication system of your enterprise, you can follow the instructions in this topic to deploy a domain controller server on an Elastic Compute Service (ECS) instance and connect the RDS instance to a self-managed domain. This helps you manage resource permissions and verify identities in a centralized manner.

Background information

Microsoft Active Directory (AD) is a directory service that is provided for specific Microsoft products, such as Windows Server Standard, Windows Server Enterprise, and Microsoft SQL Server. A directory is a hierarchical structure that stores information about the objects on the same LAN. For example, AD stores information about user accounts, such as names, passwords, and phone numbers, and allows other authorized users on the same LAN to access the information.

AD is an important part of the Windows ecosystem. A number of large enterprises rely on the domain control mechanism that is provided by Windows to plan and implement centralized access management. If you migrate all your workloads from an on-premises environment to the cloud or use a hybrid cloud architecture, make sure that the cloud supports AD for global management. AD support is a key factor to determine whether you can migrate on-premises SQL Server databases to the cloud.

ApsaraDB RDS for SQL Server enables you to connect an RDS instance to a self-managed domain to improve your business systems.

Warning

After the AD domain feature is enabled and configured, you can create an account by using a self-managed AD domain and grant the account the permissions to log on to your RDS instance and perform operations on the RDS instance.

However, the system admin account or the host account has the permissions that are beyond the management scope of ApsaraDB RDS. The system does not provide the service availability that is specified in Alibaba Cloud service level agreement (SLA) for the RDS instances for which the accounts are created by using a self-managed AD domain.

Prerequisites

  • The RDS instance meets the following requirements:

    • The primary RDS instance that runs RDS Cluster Edition and the read-only RDS instances that belong to the primary RDS instance.

    • The RDS instance belongs to the general-purpose or dedicated instance family. The shared instance family is not supported.

  • Note

    You can go to the Basic Information page of the RDS instance to view the preceding information.

  • The logon account is an Alibaba Cloud account.

  • The RDS instance and the ECS instance that hosts your domain controller server reside in the same virtual private cloud (VPC).

  • The security group to which the ECS instance belongs is configured to allow access from the private IP address of your RDS instance. For more information, see Add a security group rule.

  • The private IP address of the RDS instance is allowed by the firewall of the ECS instance. The firewall is disabled by default. If you have enabled the firewall, you must configure the firewall to allow access from the private IP address of your RDS instance.

  • The domain account that is used belongs to the Domain Admins group because high permissions are required for a client to proactively add a domain.

  • The domain controller server uses the same IP address as the Domain Name System (DNS) server.

Select a Windows version

You must deploy a domain controller server on an ECS instance that runs Windows Server. The ECS instance must run Windows Server 2012 R2 or later. We recommend that you use Windows Server 2016 or later and select English as the display language. In the following sections, an ECS instance that runs Windows Server 2016 is used to describe how to deploy a domain controller server for an RDS instance.

Procedure

  1. Deploy a domain controller server on an ECS instance.

  2. Configure a security group for the ECS instance.

  3. Configure the AD domain service for the RDS instance.

Deploy a domain controller server on an ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs. 地域

  4. On the Instances page, find the required ECS instance and click the ID of the ECS instance.

  5. Log on to the ECS instance.

  6. Search for and open Server Manager.

  7. Click Add roles and features and configure the following parameters.

    Parameter

    Description

    Installation Type

    Retain default settings.

    Server Selection

    Retain default settings.

    Server Roles

    • Select Active Directory Domain Services. In the dialog box that appears, click Add Features.

    • Select DNS Server. In the dialog box that appears, click Add Features. Make sure that your computer uses a fixed IP address. If the IP address dynamically changes, the DNS server becomes unavailable.

    Server Roles

    Features

    Retain default settings.

    AD DS

    Retain default settings.

    DNS Server

    Retain default settings.

    Confirmation

    Click Install.

  8. After the installation is complete, click Close.

  9. In the left-side navigation pane, click AD DS. In the upper-right corner of the page, click More.

    More

  10. Click Promote this server to a domain and configure the following parameters.

    Promote

    Parameter

    Description

    Deployment Configuration

    Select Add a new forest and specify the domain name.new forest

    Domain Controller Options

    Configure the password for the Directory Services Restore Mode (DSRM).恢复模式密码

    DNS Options

    Clear Create DNS delegation.取消选项

    Additional Options

    Retain default settings.

    Paths

    Retain default settings.

    Review Options

    Retain default settings.

    Prerequisites Check

    Click Install.

    Note

    After the installation is complete, the system restarts.

  11. After the system restarts, search for and open Server Manager again.

  12. In the left-side navigation pane, click AD DS. Right-click the required domain controller server and select Active Directory Users and Computers to go to the AD user management module.

    ad用户管理

  13. Expand testdomain.net. Right-click Users and choose New > User.

    创建新用户

  14. Specify a username and click Next.

    用户名

  15. Specify a password, select Password never expires, and then click Next. Then, click Finish.

    设置密码

  16. Double-click the created user and add the user to the Domain Admins group.

    加入管理员组添加成功

Configure a security group for the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs. 地域

  4. On the Instances page, find the required ECS instance and click the ID of the ECS instance.

  5. On the page that appears, click the Security Groups tab. On the tab that appears, click Add Rules in the Actions column.

  6. On the Inbound tab, click Add Rule to create a rule to allow your RDS instance to access the ECS instance over the following ports.

    放通RDS访问ECS

    Protocol

    Port

    Description

    TCP

    88

    The port for the Kerberos authentication protocol.

    TCP

    135

    The port for the Remote Procedure Call (RPC) protocol.

    TCP/UDP

    389

    The port for the Lightweight Directory Access Protocol (LDAP).

    TCP

    445

    The port for the Common Internet File System (CIFS) protocol.

    TCP

    3268

    The port for Global Catalog.

    TCP/UDP

    53

    The port for the DNS service.

    TCP

    49152~65535

    The default dynamic port range for connections. Enter a value in the following format: 49152/65535.

Configure the AD domain service for the RDS instance

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Accounts.

  3. Click the AD Domain Services tab and click Configure AD Domain Services.

  4. In the Configure AD Domain Services dialog box, configure the parameters and read and select I have read and understand the impact of AD Domain Services on the RDS Service Level Agreement.

    Warning

    After the AD domain feature is enabled and configured, you can create an account by using a self-managed AD domain and grant the account the permissions to log on to your RDS instance and perform operations on the RDS instance.

    However, the system admin account or the host account has the permissions that are beyond the management scope of ApsaraDB RDS. The system does not provide the service availability that is specified in Alibaba Cloud SLA for the RDS instances for which the accounts are created by using a self-managed AD domain. For more information, see SLA.

    Parameter

    Description

    Domain Name

    The domain name that you specified when you create an AD on the Deployment Configuration page. In this example, testdomian.net is used.

    Directory IP Address

    The IP address of the ECS instance on which the domain controller server is deployed. You can obtain the IP address by running the ipconfig command on the ECS instance or by using the ECS console.查看私网IP

    Domain Account

    The username of the account that you created.

    Domain Password

    The password of the account.

  5. Click OK and wait until the domain is added.

FAQ

Which account can I use to connect my RDS instance to a domain? How do I manage the permissions of the account?

We recommend that you use an account that has the administrative rights on the domain. If you do not want to enable the administrative rights, you can use the principle of least privilege by performing the following operations. However, if you use the principle of least privilege, you must manually remove your computer from the domain controller server when you disconnect your RDS instance from the domain. Otherwise, an error is reported when you reconnect your RDS instance to this domain.

  1. After you create a user and confirm that the user belongs to the Domain Users group, choose Computers > Delegate Control... to add the user that you created.控制权限1控制权限2

  2. Right-click the user and select Create a custom task to delegate. Then, click Next.

  3. Select Only the following objects in the folder and the red highlighted items that are shown in the following figure. Then, click Next.控制权限3

  4. Select the items that are shown in the following figure. Then, click Next until the procedure is complete.控制权限4