
Elastic High Performance Computing:Connect an AD domain to a cluster

Last Updated:Jul 11, 2023

You can connect an Active Directory (AD) domain to the LDAP service of an E-HPC cluster to reduce the O&M cost of domain accounts. This topic describes how to connect an AD domain to the LDAP service of an E-HPC cluster. This allows you to synchronize AD accounts and passwords to the cluster.

Background information

This topic is applicable to scenarios in which an AD domain and an LDAP service are connected for the first time, or AD accounts are added to or removed from a domain.

Limits

Only AD domains whose suffixes are .com are supported.

Deploy an AD domain and enable SSL

You can skip this section if you have deployed an AD domain on a Windows server and enabled SSL. This section uses an ECS instance that runs Windows Server 2016 as an example to describe how to deploy an AD domain and enable the SSL service.

Note

The operating system of the on-premises server or cloud server on which you need to install an AD domain must be Windows Server 2012, 2016, or 2019.

  1. Create an ECS instance. For more information, see Create an instance by using the wizard.

    The following configuration is used in this example:

    • Image: Windows Server 2012 R2 Datacenter 64-bit

    • Hostname: By default, the hostname is generated automatically. We recommend that you set a custom hostname for easier management. In this example, the hostname example is used.

  2. Add an inbound rule to the security group to which the ECS instance belongs and specify port 636. For more information, see Add a security group rule.

    The following configuration of the inbound rule is used in this example:

    • Action: Allow

    • Priority: Based on your business requirements

    • Protocol Type: Custom TCP

    • Port range: 636/636

    • Authorization Object: The IPv4 CIDR block of the vSwitch where the ECS instance resides

  3. Connect to the instance. For more information, see Connect to a Windows instance by using a password or key.

  4. On the Windows desktop, click the Server Manager icon in the taskbar to open Server Manager.

  5. Install the AD domain.

    1. In the Server Manager window, click Add roles and features.

    2. In the Add Roles and Features dialog box, follow the on-screen instructions to install the AD domain.

      Take note of the following configuration items. You can use the default setting for other configuration items.

      • On the Server Roles page, click Active Directory Domain Services.

      • On the Confirmation tab, select Restart the destination server automatically if required and click Install.

      • On the Results tab, click Promote this server to a domain controller after the AD domain is installed.

  6. In the Active Directory Domain Services Configuration Wizard window, deploy Active Directory Domain Services.

    Take note of the following configuration items. You can use the default setting for other configuration items.

    • On the Deployment Configuration tab, click Add a new forest, and specify the root domain name. In this example, example.com is used.

    • On the Domain Controller Options tab, specify the password.

    • On the Prerequisites Check page, wait until the prerequisite validation is complete and then click Install.

      Note
      • If the prerequisite validation fails, troubleshoot the issue as prompted.

      • After the AD domain is installed, the system automatically deploys the AD domain, and the ECS instance is automatically restarted.

  7. Log on to the ECS instance after it is restarted.

  8. In the Server Manager window, click Add roles and features. Install the Active Directory Certificate Services.

    Take note of the following configuration items. You can use the default setting for other configuration items.

    • On the Server Roles tab, select Active Directory Certificate Services.

    • On the Role Services tab, select Certification Authority.

    • On the Confirmation page, select Restart the destination server automatically if required and click Install.

    • On the Results tab, click Configure Active Directory Certificate Services on the destination server after the certificate service is installed.

  9. In the AD CS Configuration dialog box, configure the certificate.

    Take note of the following configuration items. You can use the default setting for other configuration items.

    • On the Role Services tab, select Certification Authority.

    • On the Setup Type tab, select Enterprise CA.

    • On the CA Type tab, select Root CA.

    • On the Private Key tab, select Create a new private key.

    Expected result:

    [Figure: AD CS Configuration result]
  10. Restart the ECS instance, create an AD domain user, and confirm the certificate.

    1. Open Server Manager.

    2. Create AD users.

      In this example, a common user named test is created to test whether user information can be automatically synchronized from the AD domain to the cluster after configuration.

      1. In the upper-right corner of Server Manager, choose Tools > Active Directory Users and Computers.

      2. In the window that appears, right-click Users and choose New > User.

      3. Configure the user information.

    3. Confirm the certificate.

      1. In the upper-right corner of Server Manager, choose Tools > Certification Authority.

      2. On the Issued Certificates tab, view the certificate.

  11. Check whether the LDAP protocol of the AD domain takes effect.

    1. Right-click the Start icon and select Run.

    2. In the Run window, enter ldp.exe. In the Ldp window, choose Connection > Connect in the top navigation bar.

    3. In the Connect window, enter the server name and port number 389, and then click OK.


      You need to enter the full name of the computer in the Server field. A response similar to the following figure indicates that the connection is normal.

      [Figure: ldp.exe connection result on port 389]
    4. Open a new Ldp window and choose Connection > Connect in the top navigation bar.

    5. In the Connect window, enter the server name and port number 636, select SSL, and then click OK.


      You need to enter the full name of the computer in the Server field. A response similar to the following figure indicates that the connection is normal.

      [Figure: ldp.exe SSL connection result on port 636]
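Step 11 performs both checks with ldp.exe on the domain controller itself. The following added example (not part of this topic or of the E-HPC tooling) performs the same two probes from a Linux host such as the cluster's management node, using only the Python standard library: an anonymous LDAPv3 bind on port 389, then the same bind over TLS on port 636 with the server certificate validated against the CA certificate exported with certutil -ca.cert and the hostname checked against the full computer name. The function names, the constructed sample messages in the tests, and the assumption that the exported certificate file is either PEM or DER are mine.

```python
"""Probe an AD domain controller's LDAP (389) and LDAPS (636) endpoints
from a Linux host, the way ldp.exe's Connect dialog does on Windows.
Added example: not part of the E-HPC topic or tooling. Uses only the
Python standard library and a hand-rolled LDAPv3 anonymous bind."""
import socket
import ssl

LDAP_PORT = 389
LDAPS_PORT = 636


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def build_anonymous_bind(message_id: int = 1) -> bytes:
    """LDAPMessage carrying an LDAPv3 anonymous simple BindRequest
    (RFC 4511 section 4.2): version 3, empty name, empty password."""
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must be 1..127 for this encoder")
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, b"") + _tlv(0x80, b"")
    op = _tlv(0x60, bind)  # [APPLICATION 0] BindRequest
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode a BindResponse; raise ValueError for any other message."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _read_tlv(op, 0)   # resultCode (ENUMERATED)
    _, _, pos = _read_tlv(op, pos)    # matchedDN (ignored here)
    _, diag, _ = _read_tlv(op, pos)   # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def ca_to_pem(data: bytes) -> str:
    """Accept the exported CA certificate as PEM or DER (assumption: certutil
    may write either) and return PEM text for the ssl module's cadata."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def _bind_over(sock) -> dict:
    sock.sendall(build_anonymous_bind(1))
    return parse_bind_response(sock.recv(4096))


def probe_ldap(host: str, port: int = LDAP_PORT, timeout: float = 5.0) -> dict:
    """Plain LDAP on 389, like the first ldp.exe connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return _bind_over(sock)


def probe_ldaps(host: str, cafile: str, port: int = LDAPS_PORT,
                timeout: float = 5.0) -> dict:
    """LDAPS on 636 with full certificate validation against the exported
    CA certificate; host must be the DC's full computer name so that the
    hostname check matches the certificate's subject or SAN."""
    with open(cafile, "rb") as fh:
        ctx = ssl.create_default_context(cadata=ca_to_pem(fh.read()))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result = _bind_over(tls)
            result["tls_version"] = tls.version()
            result["peer_subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return result


if __name__ == "__main__":
    import sys
    dc_host, ca_file = sys.argv[1], sys.argv[2]  # e.g. dc.example.com client.crt
    print("389 plain :", probe_ldap(dc_host))
    print("636 TLS   :", probe_ldaps(dc_host, ca_file))
```

A result_code of 0 on both ports corresponds to the successful responses in the ldp.exe figures. A certificate verification error on port 636 means the cluster would not trust the domain controller either, so resolve it (wrong CA file, hostname not matching the certificate, or a certificate not yet issued by the Certification Authority) before importing the certificate into the cluster.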

Connect the AD domain to the LDAP service

  1. Log on to the AD domain server and generate a certificate.

    1. Log on to the AD domain server.

    2. Obtain the full computer name and IP address of the AD domain server.

      • You can obtain the full computer name in the properties of the server.

      • You can run the ipconfig command to obtain the IP address.

    3. Open a Command Prompt window and run the certutil -ca.cert client.crt command to export the CA certificate to the client.crt file.

      Note

      By default, the certificate file is stored in the C:\Users\Administrator directory.

  2. Create a cluster whose domain account type is LDAP. For more information, see Create a cluster by using the wizard.

    When you create the cluster, on the Software Configuration tab, set Domain Service to ldap, and specify the Local Cluster Domain Name. This domain name is the same as the AD domain name. For example, if the AD domain name is example.com, you only need to enter example.

  3. Log on to the cluster. For more information, see Log on to an E-HPC cluster.

  4. Log on to the management node.

    • If you deploy a Standard cluster, run the ssh account command to switch to the management node.

    • If you deploy a tiny cluster, the logon node is the management node.

  5. Download the certificate from the AD domain server and upload it to a directory on the management node of the cluster.

    Note

    You can use WinSCP to upload the certificate file.

  6. On the management node, run the following commands to connect the AD domain to the LDAP service.

    1. Run the following command to connect the AD domain to the cluster:

      /usr/local/ehpc/bin/ehpcutil account connectad --ad_hostname <The full computer name of the AD domain server> --ad_ip <The IP address of the AD domain server> --ad_passwd <The password of the AD domain server>

      Replace the command parameters based on the actual situation. Sample command:

      /usr/local/ehpc/bin/ehpcutil account connectad --ad_hostname ***.example.com --ad_ip 47.106.XX.XX --ad_passwd ehpc***

      A response similar to the following code indicates that the configuration is successful.

      [Figure: output of the connectad command]
    2. Run the following command to import the certificate to the cluster:

      /usr/local/ehpc/bin/ehpcutil account importcert --filename <Certificate storage path> --ad_passwd <The password of the AD domain server>

      Replace the command parameters based on the actual situation. Sample command:

      /usr/local/ehpc/bin/ehpcutil_py account importcert --filename /root/client.crt --ad_passwd ehpc***

      A response similar to the following code indicates that the configuration is successful.

      [Figure: output of the importcert command]
    3. Run the following command to synchronize accounts:

      /usr/local/ehpc/bin/ehpcutil account syncad

      A response similar to the following code indicates that the configuration is successful.

      [Figure: output of the syncad command]
  7. On the User page of the E-HPC console, check whether the user information is synchronized from the AD domain to the cluster.

    If a cluster user with the same name as the AD domain user is created automatically, the synchronization is successful.