Integration into the Windows Active Directory infrastructure is required for the optimization of encrypted MAPI and signed CIFS sessions.
Before the Steelhead appliances can perform this integration, they need to be joined to the Active Directory domain. Before that can happen, several things need to be taken care of:
The primary interface of the Steelhead appliance should be configured and have access to the network where the Domain Controllers are located.
The hostname configured on the Steelhead appliance should be 15 characters or less.
The hostname configured on the Steelhead appliance should not yet exist in the Active Directory configuration.
One of the domain names configured on the Steelhead appliance should contain the Active Directory domain name.
The DNS servers configured in the Steelhead appliance should be able to resolve the Active Directory domain name.
In DNS, the IP address of the primary interface of the Steelhead appliance needs to be available as a PTR record:
Figure 8.30. 192.168.1.6 points to ssh-primary.example.org
[~] edwin@t43>dig -x 192.168.1.6

; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 3583 IN PTR ssh-primary.example.org.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 3583 IN NS ns0.example.org.

;; ADDITIONAL SECTION:
ns0.example.org. 3583 IN A 192.168.1.1

;; Query time: 12 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Oct 26 20:13:39 2012
;; MSG SIZE rcvd: 142
The clock on the Steelhead appliances needs to be in sync with the clock of the AD Domain Controller. If the Domain Controllers are synchronized against the same NTP server as the Steelhead appliance, this will be fine. If the Domain Controllers are not synchronized against NTP servers, it is best to configure the Domain Controller as the NTP server on the Steelhead appliances:
Figure 8.31. NTP servers configured are the local Domain Controllers
ntp enable
ntp server 192.168.1.1 enable
ntp server 192.168.1.1 version "4"
DNS should contain the LDAP SRV records for the domain to join. So if the domain is example.org, the following DNS SRV record should exist: _ldap._tcp.example.org.
Figure 8.32. DNS SRV records for _ldap._tcp.example.org
[~] edwin@t43>dig _ldap._tcp.example.org srv

; <<>> DiG 9.8.1-P1 <<>> _ldap._tcp.example.org srv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5339
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.example.org. IN SRV

;; ANSWER SECTION:
_ldap._tcp.example.org. 600 IN SRV 0 100 389 dc.example.org.

;; ADDITIONAL SECTION:
dc.example.org. 3600 IN A 192.168.1.1

;; Query time: 719 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Oct 26 20:59:16 2012
;; MSG SIZE rcvd: 2105
This shows that the domain controller for the Active Directory domain example.org can be found at dc.example.org.
You need access to an Active Directory account with domain join privileges.
Here are several examples of domain join failures.
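The prerequisites above can be checked before attempting the join. The following added example (not part of the original text or of the Steelhead software) checks the hostname length, the configured domain names, the PTR and SRV records from the two dig outputs quoted above (pasted as constructed strings), and an assumed 5-minute clock skew tolerance:

```python
# Constructed sample: the relevant sections of the two dig queries quoted in this
# section, pasted as strings so the preflight runs offline.
PTR_DIG = """;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 3583 IN PTR ssh-primary.example.org.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 3583 IN NS ns0.example.org.
"""
SRV_DIG = """;; ANSWER SECTION:
_ldap._tcp.example.org. 600 IN SRV 0 100 389 dc.example.org.

;; ADDITIONAL SECTION:
dc.example.org. 3600 IN A 192.168.1.1
"""

def reverse_name(ip):
    """192.168.1.6 -> 6.1.168.192.in-addr.arpa. (the name that dig -x queries)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def answers(dig_output, rtype):
    """Records of type rtype from the ANSWER SECTION, as lists of fields."""
    found, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";;"):          # section header: remember which section we are in
            in_answer = line.startswith(";; ANSWER")
            continue
        f = line.split()
        if in_answer and len(f) >= 5 and f[2] == "IN" and f[3] == rtype:
            found.append(f)
    return found

def preflight(hostname, domains, ad_domain, ip, ptr_output, srv_output, skew_s=0):
    """Check the join prerequisites listed above; return the failed ones (empty = ready)."""
    problems = []
    if len(hostname) > 15:
        problems.append("hostname longer than 15 characters")
    if not any(ad_domain in d for d in domains):
        problems.append("no configured domain name contains " + ad_domain)
    if not any(r[0] == reverse_name(ip) for r in answers(ptr_output, "PTR")):
        problems.append("no PTR record for primary interface " + ip)
    dcs = [r[7] for r in answers(srv_output, "SRV") if r[0] == "_ldap._tcp.%s." % ad_domain]
    if not dcs:
        problems.append("no _ldap._tcp SRV record for " + ad_domain)
    if abs(skew_s) > 300:   # assumed tolerance: 5 minutes, the Kerberos default
        problems.append("clock skew of %ds exceeds 300s" % skew_s)
    return problems
```

Whether the hostname already exists as an object in Active Directory cannot be checked from DNS alone; that remains a check against the domain itself.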
If the clocks on the Steelhead appliance and on the domain controller are too far apart, the domain join will fail with the following error:
Figure 8.33. Domain join failed because of a clock skew between the Steelhead appliance and the Domain Controller
mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[5610]: [rcud/main/.ERR] - {- -} Join domain failed. Failed to join domain: Error: Unspecified GSS failure. Minor code may provide more information : Clock skew too great
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
If the Active Directory domain cannot be found in DNS, the domain join will fail with the following error:
Figure 8.34. Domain join failed because of DNS related issues
mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[4637]: [rcud/main/.ERR] - {- -} Failed to join domain: Error: Operations error. Possible DNS misconfiguration.
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
If the object for the Steelhead appliance already exists in Active Directory and the joining account does not have the privileges to replace the existing object, the domain join will fail with the following error:
Figure 8.35. Domain join failed because the object in Active Directory already exists
mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...
rcud[5610]: [rcud/main/.INFO] - {- -} Waiting for join domain to finish ...
rcud[14701]: [rcud/main/.ERR] - {- -} Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)
mgmtd[4232]: [mgmtd.ERR]: Domain configuration failed: 1 Join failed
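The three rcud error lines above are distinctive enough to classify automatically. The following added example (not part of the original text or of the Steelhead software) maps each "Failed to join domain" line from the system log to its cause and the prerequisite to re-check, using the log lines shown above as constructed input:

```python
import re

# Constructed sample: the rcud error line from each failure shown above, plus one
# healthy mgmtd NOTICE line that the classifier must ignore.
SAMPLE_LOG = [
    "mgmtd[4232]: [mgmtd.NOTICE]: Join domain in progress...",
    "rcud[5610]: [rcud/main/.ERR] - {- -} Join domain failed. Failed to join domain: "
    "Error: Unspecified GSS failure. Minor code may provide more information : Clock skew too great",
    "rcud[4637]: [rcud/main/.ERR] - {- -} Failed to join domain: Error: Operations error. "
    "Possible DNS misconfiguration.",
    "rcud[14701]: [rcud/main/.ERR] - {- -} Failed to join domain: Failed to set account flags "
    "for machine account (NT_STATUS_ACCESS_DENIED)",
]

# Ordered (pattern, cause, prerequisite to re-check) table; the first match wins.
JOIN_FAILURES = [
    (re.compile(r"Clock skew too great"), "clock skew",
     "sync the appliance NTP servers with the Domain Controller"),
    (re.compile(r"Possible DNS misconfiguration"), "dns",
     "verify the DNS servers resolve the domain and its _ldap._tcp SRV records"),
    (re.compile(r"NT_STATUS_ACCESS_DENIED"), "existing machine account",
     "remove the stale computer object or join with an account allowed to replace it"),
]

# Only rcud ERR lines that carry a join failure reason are of interest.
RCUD_FAIL = re.compile(r"^rcud\[(\d+)\]: \[rcud/main/\.ERR\].*Failed to join domain: (.*)$")

def triage(lines):
    """Return one dict per rcud join failure: pid, cause, action and the raw reason."""
    findings = []
    for line in lines:
        m = RCUD_FAIL.match(line)
        if not m:
            continue
        pid, reason = m.group(1), m.group(2)
        cause, action = "unknown", "inspect the reason text"
        for pattern, known_cause, known_action in JOIN_FAILURES:
            if pattern.search(reason):
                cause, action = known_cause, known_action
                break
        findings.append({"pid": int(pid), "cause": cause, "action": action, "reason": reason})
    return findings
```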