This topic describes how to configure an Active Directory (AD) domain controller on an Elastic Compute Service (ECS) instance and connect an ApsaraDB RDS for PostgreSQL instance to a self-managed AD domain.
Background information
AD is a directory service provided by Microsoft. A directory is a hierarchical structure that stores information about the objects on a network. An enterprise can store objects such as computer accounts, user accounts, and groups in a directory, which lets it apply consistent security policies to them and manage them centrally.
You can connect your RDS instance to a self-managed AD domain. This lets you manage database identities centrally and configure IP address whitelists at the database level and at the user level to tighten access to your data.
Prerequisites
- The following requirements are met:
  - The RDS instance runs a major engine version of PostgreSQL 10, 11, 12, 13, or 14.
  - The RDS instance runs a minor engine version of 20210228 or later. For more information about how to update the minor engine version of your RDS instance, see Update the minor engine version of an ApsaraDB RDS for PostgreSQL instance.
  - The RDS instance uses standard SSDs or enhanced SSDs (ESSDs).
  - The RDS instance does not use a new general-purpose instance type.
    Note The new general-purpose instance types provide better scalability and performance and reduce the time needed to create an RDS instance or change its specifications, but they do not support the self-managed AD domain controller connection feature. For more information, see Primary ApsaraDB RDS for PostgreSQL instance types.
- An ECS instance is created. For more information, see Create an ECS instance. Your RDS instance must reach the self-managed AD domain over a private IP address, so the ECS instance must meet the following conditions:
  - The ECS instance and your RDS instance reside in the same virtual private cloud (VPC).
  - The security group to which the ECS instance belongs allows access from the private IP address of your RDS instance. For more information, see Add security group rules.
  - The firewall of the ECS instance is disabled by default. If the firewall is enabled, it must allow access from the private IP address of your RDS instance.
  - The image of the ECS instance runs Windows Server 2016 or a later version.
- The domain account that you use belongs to the Domain Admins group.
- Your Alibaba Cloud account is used to log on to the ApsaraDB RDS console.
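The ECS-side prerequisites above (Windows Server 2016 or later, a Domain Admins account, and a host firewall that admits the RDS private IP) can be checked and configured from an elevated PowerShell session on the domain controller. The script below is an added example and is not part of the Alibaba Cloud documentation. The private IP address and the rule name are placeholders, and the port list is an assumption: the page only says to allow access from the RDS private IP and does not list ports, so the script restricts the rule to the ports an AD client normally needs (DNS, Kerberos, LDAP/LDAPS, Global Catalog, RPC, SMB). If you prefer to follow the page literally, omit -Protocol and -LocalPort to allow all traffic from that address.

```powershell
# Added example, not from the Alibaba Cloud documentation. Run in an elevated PowerShell
# session on the Windows Server ECS instance that hosts the AD domain controller.
# Assumptions (not stated on the page): $RdsPrivateIp and $RuleName are placeholders, and the
# port lists are the standard AD client ports, which the page does not enumerate.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$RdsPrivateIp = '192.168.10.25'             # placeholder: private IP of your RDS instance
$RuleName     = 'Allow-RDS-PostgreSQL-to-AD' # hypothetical rule name
$TcpPorts     = @(53, 88, 135, 389, 445, 636, 3268, 3269)   # assumed AD ports (TCP)
$UdpPorts     = @(53, 88, 389)                              # assumed AD ports (UDP)

# 1. OS check: Windows Server 2016 is build 14393; ProductType 1 means a client (non-server) OS.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1 -or [int]$os.BuildNumber -lt 14393) {
    throw "Unsupported OS: $($os.Caption) (build $($os.BuildNumber)). Windows Server 2016 or later is required."
}

# 2. Domain account check: the account you will enter in the RDS console must be in Domain Admins.
#    Compare SIDs rather than names so nested group membership and renamed accounts are handled.
$current   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$adminSids = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object { $_.SID.Value }
if ($adminSids -notcontains $current.User.Value) {
    throw "$($current.Name) is not a member of Domain Admins."
}

# 3. Host firewall: only needed when at least one profile is enabled. Scope the rule to the
#    RDS private IP and the AD ports instead of opening the DC to the whole VPC.
$enabledProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }
if ($enabledProfiles) {
    if (-not (Get-NetFirewallRule -DisplayName "$RuleName-TCP" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$RuleName-TCP" -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $TcpPorts -RemoteAddress $RdsPrivateIp -Profile Any | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName "$RuleName-UDP" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$RuleName-UDP" -Direction Inbound -Action Allow `
            -Protocol UDP -LocalPort $UdpPorts -RemoteAddress $RdsPrivateIp -Profile Any | Out-Null
    }
    # Show the remote-address scope of the rules so you can confirm only the RDS IP is allowed.
    Get-NetFirewallRule -DisplayName "$RuleName-*" | Get-NetFirewallAddressFilter | Format-Table -AutoSize
} else {
    Write-Host 'Windows firewall is disabled on every profile; no host rule is needed.'
}

# 4. Confirm the domain controller answers locally, so that a later failure on the RDS side
#    points at the VPC or security group rather than at the DC itself.
$dc = Get-ADDomainController -Discover -Service ADWS
Write-Host "Domain controller $($dc.HostName) serves domain $($dc.Domain)."
```

The VPC check and the security group rule are configured in the ECS console, not on the host; this script covers only the conditions that live inside the Windows Server instance. Keep the firewall rule scoped to the single RDS private IP: a rule with -RemoteAddress Any would expose the domain controller's LDAP and Kerberos services to every host in the VPC.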
Procedure
View the modification history of AD domain service information
- Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
- In the left-side navigation pane, click Accounts. On the page that appears, click the AD Domain Services Edit History tab.
- The change details are shown in the Actions column. If a modification fails, its status is Not Taking Effect; click Change log to view the error message.