Overview
The following are best practices when installing a Nasuni Edge Appliance into an Active Directory environment.
Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.
Tip: For Nasuni recommendations for volume configuration, see Nasuni recommendations for configuring volumes.
Important: Before joining an Edge Appliance to Active Directory, contact Nasuni Support.
Important: To connect an Edge Appliance to a shared volume owned by another Edge Appliance, the following must be true:
The Edge Appliance must join the same domain as the owning Edge Appliance.
The domain configuration for the Edge Appliance must match the domain configuration for the owning Edge Appliance.
Use lower-case hostnames
When specifying a hostname, use lower-case letters.
Use a Fully Qualified Domain Name (FQDN)
When joining a Nasuni Edge Appliance to an Active Directory domain, a Nasuni Edge Appliance should have a fully qualified domain name (FQDN) that matches the Active Directory domain. Otherwise, clients might have trouble discovering a Nasuni Edge Appliance by name.
Only one DNS “A” record for each Nasuni Edge Appliance
There should only be one DNS “A” record for each Nasuni Edge Appliance.
Additional names for Nasuni Edge Appliance
To specify additional names for a Nasuni Edge Appliance, add CNAME records to the DNS entry.
Forward and Reverse DNS for all Nasuni Edge Appliances
Each Nasuni Edge Appliance should have forward (A) and reverse (PTR) DNS records that are consistent with each other. If forward and reverse resolution are not consistent, clients might have issues authenticating to a Nasuni Edge Appliance.
Matching hostname
The A record, the PTR record, and the hostname must all be the same. In addition, the hostname must also match the Service Principal Name (SPN) for Active Directory.
Ensure "Sites and Services" in Active Directory is configured correctly
Active Directory “Sites and Services” is a Microsoft Management Console (MMC) snap-in that you can use to administer the replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest. This snap-in also provides a view of the service-specific objects published in AD DS.
If the Active Directory “Sites and Services” feature is not configured correctly, a Nasuni Edge Appliance might not contact the correct domain controller when authenticating.
Ensure that the IP addresses of a Nasuni Edge Appliance and the NMC are added to the Active Directory “Sites and Services” subnet object on which a Nasuni Edge Appliance resides.
In most cases, do not specify a domain controller
A Nasuni Edge Appliance allows you to specify a domain controller when joining an Active Directory domain. In most cases, you should not specify a domain controller.
Entering a Domain Controller name forces a Nasuni Edge Appliance to use ONLY that domain controller. However, leaving the Domain Controller text box blank causes a Nasuni Edge Appliance to automatically find and use an appropriate Domain Controller, and allows for Domain Controller failover. Unless you want only one specific domain controller to be used, leave the Domain Controller text box blank.
If you want support for trusted domains of multiple Active Directory servers, leave the Domain Controller text box blank.
Prefer Active Directory domain controller for NTP when available
For Kerberos to work correctly, a Nasuni Edge Appliance and the domain controller must have the same time. If the times are different, Kerberos stops authenticating. Therefore, if the Active Directory domain controller is configured to serve Network Time Protocol (NTP) requests, prefer using NTP services from the Active Directory domain controller. This ensures the proper time synchronization needed for Kerberos.
Nasuni recommends using the Nasuni Edge Appliance’s "Edge Appliance Time Configuration" page to set 1 to 4 of the closest Active Directory domain controllers as Time Servers, if that information is available.
If that information is unavailable, you can try using “NTP from Domain Controllers” when joining a Nasuni Edge Appliance to the Active Directory domain. However, the latter configuration is unaware of sites and services, and you might experience performance issues.
If no NTP services are available from domain controllers, the current NTP server is used.
DNS TXT record for Kerberos
A _kerberos TXT record for Kerberos is required in DNS, such as the following:
_kerberos.example.com TXT "example.com"
where example.com is the Active Directory domain that a Nasuni Edge Appliance is joined to.
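The DNS prerequisites above (lower-case FQDN inside the domain, a single A record, a PTR record that points back to the same hostname, and the _kerberos TXT record) can be verified before the join. The following checker is an added example, not Nasuni code; it assumes a resolver callable (in practice a real lookup such as dnspython's dns.resolver.resolve) and is fed here with a constructed in-memory zone whose hostnames and addresses are invented.

```python
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed sample zone (not real hosts). example.com is the domain name
# the page uses; filer01 is configured correctly, filer02 is not.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("filer01.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["filer01.example.com"],
    ("_kerberos.example.com", "TXT"): ["example.com"],
    ("filer02.example.com", "A"): ["192.0.2.11", "192.0.2.12"],  # two A records
    ("11.2.0.192.in-addr.arpa", "PTR"): ["oldname.example.com"],  # stale PTR
    # 192.0.2.12 has no PTR record at all
}

def sample_lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: answers only from the constructed zone above.
    Replace with a real DNS lookup (e.g. dnspython) for a live check."""
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rtype), [])

def reverse_name(ipv4: str) -> str:
    """Build the in-addr.arpa name used for the PTR lookup of an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def check_edge_dns(hostname: str, domain: str, lookup: Lookup = sample_lookup) -> List[str]:
    """Return the DNS problems found for one Edge Appliance (empty list = OK)."""
    problems: List[str] = []
    host, dom = hostname.rstrip("."), domain.rstrip(".").lower()
    if host != host.lower():                      # rule: lower-case hostnames
        problems.append(f"hostname {host!r} is not lower-case")
    host = host.lower()
    if not host.endswith("." + dom):              # rule: FQDN inside the AD domain
        problems.append(f"hostname {host!r} is not an FQDN in {dom!r}")
    addrs = lookup(host, "A")
    if len(addrs) != 1:                           # rule: exactly one A record
        problems.append(f"expected exactly one A record for {host!r}, found {len(addrs)}")
    for addr in addrs:                            # rule: PTR must match the A record
        ptrs = [p.rstrip(".").lower() for p in lookup(reverse_name(addr), "PTR")]
        if ptrs != [host]:
            problems.append(f"PTR for {addr} is {ptrs or 'missing'}, expected [{host!r}]")
    txt = [t.strip('"').rstrip(".").lower() for t in lookup("_kerberos." + dom, "TXT")]
    if dom not in txt:                            # rule: _kerberos TXT names the domain
        problems.append(f"_kerberos.{dom} TXT record missing or does not name {dom!r}")
    return problems
```

Run it once per appliance hostname against the domain you are joining; an empty result means all four DNS rules on this page hold for that host.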
Has the patch "Security Update for SAM and LSAD Remote Protocols (3148527)" been installed?
After applying this patch, it might become necessary for a Nasuni Edge Appliance to rejoin the Active Directory domain.
Do not use “Protected Users” to join a domain
Members of the Active Directory "Protected Users" security group cannot be used to join an Edge Appliance to an Active Directory domain, because of the logon restrictions that apply to members of that security group. Nasuni recommends using a Domain Admin account that is not a member of the “Protected Users” group to join Active Directory.
Ensuring user access to data if domain connection lost
If your Edge Appliance has users authenticated by a domain, and if the Edge Appliance loses connectivity to the domain, the user accounts might not be able to authenticate. In cases like this, you would like your users to be able to access data, even without the domain to authenticate them.
You can define user access that does not require connectivity to the domain. This involves creating a Permission Group with Storage Access (not User Interface Access). Storage Access does not require authentication through the domain. You then create Native Users with Storage Access. Native Users do not require authentication through the domain.
Caution: When a Nasuni Edge Appliance goes under the control of the Nasuni Management Console, the following processing occurs:
• Any existing local users and groups on the Nasuni Edge Appliance are replaced by the users and groups of the NMC.
• When a Nasuni Edge Appliance is disconnected from the Nasuni Management Console, the Nasuni Edge Appliance retains those users and groups that pertain to the Nasuni Edge Appliance.
For this reason, you should either use the NMC to define users and groups, or place the Edge Appliance under the management of the NMC before creating users and groups with the Edge Appliance.
Procedure using NMC
To use the NMC (recommended) to define a group whose members do not require connectivity to the domain, follow these steps:
On the Console Settings page, select the Console Users and Groups Overview page, click Manage Groups, then click Add Group. The Add Group dialog box appears.
In the Group Name text box, enter the name of this group. The Group Name can have up to 30 characters, including letters, digits, and symbols.
From the Access Type drop-down list, select the type of access: Storage Access.
In the Filer Access list, select or clear the Nasuni Edge Appliances to which you want to grant access by the new group.
Click Add Group. The group is added with the selected permissions.
To use the NMC (recommended) to add users to this group, follow these steps:
On the Console Settings page, select the Console Users and Groups Overview page, and click Manage Users. The Console Users page appears.
Click Add Native User. The Add Native User dialog box appears.
Enter the Username, Email, and Password.
In the Groups list, select the check box for the Permission Group you created above.
Click Add User. The user is added with membership in the selected groups.
These users can access the data, without requiring domain-based authentication.
Procedure using Edge Appliance
As mentioned above, if users and groups are created using the Edge Appliance, and then the Edge Appliance is placed under the management of the NMC, then those users and groups are replaced by users and groups from the NMC. For this reason, ensure that the Edge Appliance is already under the control of the NMC before performing this procedure.
To use the Edge Appliance to define a group whose members do not require connectivity to the domain, follow these steps:
Perform the procedure “Adding Permission Groups” on page 417 up to step 5 on page 419 of the Edge Appliance Administration Guide.
On step 5 on page 419, select Storage Access.
Continue with the rest of the procedure.
The group is added with the selected permissions.
To use the Edge Appliance to add users to this group, follow these steps:
Perform the procedure “Adding Users” on page 424 up to step d on page 425 of the Edge Appliance Administration Guide.
On step d on page 425, select the group that you defined above.
Continue with the rest of the procedure, but skip step 4 on page 426.
The user is added with membership in the selected groups.
These users can access the data, without requiring domain-based authentication.
Nasuni recommendations for configuring volumes
The following table contains Nasuni recommendations for configuring volumes, based on the objectives for the volume. Configuration includes consideration of the following:
Original volume protocol
Additional volume protocol, if any
Authentication
Volume Permissions Policy
Case Sensitivity
Objective of volume | Original volume protocol | Additional volume protocol | Set Authentication to … | Set Permissions Policy to … | Set Case Sensitivity to … | Options available include: | Unsupported features include: |
---|---|---|---|---|---|---|---|
SMB clients only (Microsoft Windows clients, macOS clients) (no NFS, no FTP) | SMB (CIFS) | None | Active Directory | NTFS Exclusive | No | Durable handles (with SMB 2.0+ and GFL disabled). Web Access. Global File Lock: Advanced and Optimized mode. | NFS. FTP. LDAP. Multiple volume protocols. |
SMB clients + FTP (Microsoft Windows clients, macOS clients) | SMB (CIFS) | FTP | Active Directory | NTFS Compatible | Yes (Case sensitivity required to add FTP) | FTP. Web Access. Global File Lock: Advanced and Optimized mode. Switch from NTFS Compatible to NTFS Exclusive. | NFS. |
NFS clients (UNIX or Linux clients) | NFS | None | Active Directory | POSIX | Yes (cannot be changed) | FTP. Global File Lock: Optimized mode. | CIFS (SMB) volumes. |
NFS + SMB Clients: IDs mapped between SMB/NFS using AD Unix Extensions (Microsoft Windows clients, macOS clients, UNIX or Linux clients) | NFS | SMB (CIFS) | Active Directory | POSIX (translated to NTFS) | Yes (cannot be changed) | FTP. Web Access. Global File Lock: Optimized mode. | LDAP. |
NFS + SMB Basic InterOp: no ID mapping (Microsoft Windows clients, macOS clients, UNIX or Linux clients) | SMB (CIFS) | NFS | Active Directory | NTFS Compatible | Yes (Case sensitivity required to add NFS and FTP protocols) | FTP. Web Access. Global File Lock: Optimized mode. Can switch from NTFS Compatible to NTFS Exclusive. | NFS-only volumes. |
Important: The Nasuni Mobile Access app is scheduled for End-of-Life on May 1, 2024. After this date, the Nasuni Mobile Access app will no longer be supported or available from app stores.
Technical Support
Online self-help resources and Technical Support are available at www.nasuni.com/support.
Copyright © 2010-2024 Nasuni Corporation. All rights reserved.