This topic describes how to configure an Active Directory (AD) domain controller for an Elastic Compute Service (ECS) instance and connect an ApsaraDB RDS for PostgreSQL instance to a self-managed AD domain.
Background information
AD is a directory service that is provided by Microsoft. A directory is a hierarchical structure that stores information about the objects on the same LAN. An enterprise can store data, such as computer accounts, user accounts, and groups, in a directory. This way, the enterprise can improve the security of the data and manage the data in a more convenient manner.
You can connect your RDS instance to a self-managed AD domain. This way, you can manage your enterprise in a centralized manner and can configure IP addresses whitelists at the database level and the user level to improve the security of your data.
Prerequisites
- Your RDS instance runs one of the following database engine versions:
- Major engine version: PostgreSQL 10, PostgreSQL 11, PostgreSQL 12, PostgreSQL 13, or PostgreSQL 14.
- Minor engine version: 20210228 or later. For more information about how to update the minor engine version of your RDS instance, see Update the minor engine version of an ApsaraDB RDS for PostgreSQL instance.
- Your RDS instance uses standard SSDs or enhanced SSDs (ESSDs).
- An ECS instance is created. For more information, see Create an ECS instance. Your RDS instance must access the self-managed AD domain by using a private IP address.
Therefore, the ECS instance must meet the following conditions:
- The ECS instance and your RDS instance reside in the same virtual private cloud (VPC).
- The security group to which the ECS instance belongs is configured to allow access from the private IP address of your RDS instance. For more information, see Add security group rules.
- The firewall feature of the ECS instance is disabled by default. If the firewall feature is enabled for the ECS instance, you must configure the firewall feature to allow access from the private IP address of your RDS instance.
- The image of the ECS instance runs Windows Server 2016 or a later version.
- The domain account belongs to the Domain Admins group.
- Your Alibaba Cloud account is used to log on to the ApsaraDB RDS console.
Procedure
View the modification history of AD domain service information
- Visit the RDS instance list, select a region above, and click the target instance ID.
- In the left-side navigation pane, click Accounts. On the page that appears, click the AD Domain Services Edit History tab.
- You can view changedetails in the Actions column. If the modification fails, the status is Not Taking Effect. You can click Change Log to view the error message.