Data Domain: Active Directory Guide
Summary: This Guide is based on steps from DDOS code 7.9.
Instructions
The Data Domain and PowerProtect operating environment provides secure administration through either DD System Manager over HTTPS or the CLI over SSH. Both methods support locally defined users, Network Information Service (NIS) users, Lightweight Directory Access Protocol (LDAP) users, Microsoft Active Directory (AD) domain users, and Single Sign-on (SSO).
Data Domain and PowerProtect systems can use Microsoft Active Directory pass-through authentication for users and servers. Administrators can allow specific domains and groups of users to access files that are stored on the system. Configuring Kerberos is recommended. The systems also support Microsoft Windows NT LAN Manager (NTLM) in both the NTLMv1 and NTLMv2 versions; NTLMv2 is the more secure of the two and is intended to replace NTLMv1, so NTLMv1 should only be allowed where legacy clients require it.
Viewing Active Directory and Kerberos Information
The Active Directory/Kerberos configuration determines the methods CIFS and NFS clients use to authenticate.
The Active Directory/Kerberos Authentication panel displays this configuration.
Steps:
- Select Administration > Access > Authentication.
- Expand the Active Directory/Kerberos Authentication panel.
Configuring Active Directory and Kerberos Authentication
Configuring Active Directory authentication makes the protection system part of a Windows Active Directory realm.
CIFS clients and NFS clients use Kerberos authentication.
Steps:
- Select Administration > Access > Authentication. The Authentication view appears.
- Expand the Active Directory/Kerberos Authentication panel.
- Click Configure next to Mode to start the configuration wizard. The Active Directory/Kerberos Authentication dialog appears.
- Select Windows/Active Directory and click Next.
- Enter the Full Realm Name for the system (for example, domain1.local), and the user name and password of the account the system uses to join the realm.
- Click Next.
- Select the default CIFS Server Name, or select Manual and enter a CIFS server name.
- To select Domain Controllers, select Automatically Assign, or select Manual and enter up to three domain controller names. Enter fully qualified domain names, hostnames, or IP addresses (IPv4 or IPv6).
- To select an organizational unit, select Use Default Computers, or select Manual and enter an organizational unit name.
- Click Next. The Summary page for the configuration appears.
- Click Finish. The system displays the configuration information in the Authentication view.
- Click Enable to the right of Active Directory Administrative Access to enable administrative access.
Authentication Mode Selections
The authentication mode selection determines how CIFS and NFS clients authenticate using supported combinations of Active Directory, Workgroup, and Kerberos authentication.
DDOS supports the following authentication modes:
- Disabled: Kerberos authentication is disabled for CIFS and NFS clients. CIFS clients use Workgroup authentication.
- Windows/Active Directory: Kerberos authentication is enabled for CIFS and NFS clients. CIFS clients use Active Directory authentication.
- UNIX: Kerberos authentication is enabled for only NFS clients. CIFS clients use Workgroup authentication.
Managing Administrative Groups for Active Directory
Use the Active Directory/Kerberos Authentication panel to create, modify, and delete Active Directory (Windows) groups and assign management roles (admin, backup-operator, and so on) to those groups.
To prepare for managing groups, select Administration > Access > Authentication, expand the Active Directory/Kerberos Authentication panel, and click the Active Directory Administrative Access Enable button.
Creating Administrative Groups for Active Directory
Create an administrative group to assign a management role to all the users configured in an Active Directory group.
Prerequisites: Enable Active Directory Administrative Access on the Active Directory/Kerberos Authentication panel in the Administration > Access > Authentication page.
Steps:
- Click Create.
- Enter the domain and group name separated by a backslash.
domainname\groupname
- Select the Management Role for the group from the drop-down menu.
- Click OK.
Modifying Administrative Groups for Active Directory
Modify an administrative group when you want to change the administrative domain name or group name configured for an Active Directory group.
Prerequisites: Enable Active Directory Administrative Access on the Active Directory/Kerberos Authentication panel in the Administration > Access > Authentication page.
Steps:
- Select a Group to modify under the Active Directory Administrative Access heading.
- Click Modify.
- Modify the domain and group name, and use a backslash "\" to separate them. For example:
domainname\groupname
Deleting Administrative Groups for Active Directory
Delete an administrative group to terminate system access for all the users configured in an Active Directory group.
Prerequisites: Enable Active Directory Administrative Access on the Active Directory/Kerberos Authentication panel in the Administration > Access > Authentication page.
Steps:
- Select a Group to delete under the Active Directory Administrative Access heading.
- Click Delete.
System clock
When using Active Directory mode for CIFS access, the system clock can differ by no more than five minutes from that of the domain controller. Kerberos rejects tickets and authenticators whose timestamps fall outside its clock-skew tolerance, so a larger difference causes authentication failures.
When configured for Active Directory authentication, the system regularly synchronizes its time with the Windows domain controller.
The domain controller itself must therefore obtain its time from a reliable source. See the Microsoft documentation for your Windows operating system version to configure the domain controller with a time source.
Additional Information
Ports for Active Directory
| Port | Protocol | Port configurable | Description |
| 53 | TCP/UDP | Open | DNS (if AD is also the DNS) |
| 88 | TCP/UDP | Open | Kerberos |
| 139 | TCP | Open | NetBios/NetLogon |
| 389 | TCP/UDP | Open | LDAP |
| 445 | TCP/UDP | No | User authentication and other communication with AD |
| 3268 | TCP | Open | Global Catalog Queries |
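The following pre-join check, an added example that is not part of the Dell guide or DDOS, ties the port table above to the System clock section: it probes the TCP ports the guide lists and measures clock offset against the domain controller over NTP (UDP 123), which domain controllers serve. It assumes the check runs from an admin host on the same network path as the Data Domain system; the host name dc01.domain1.local is a placeholder. The UDP entries in the table (53, 88, 389) cannot be verified with a plain connect, so only the TCP side is probed.

```python
"""Pre-join checks for a Data Domain system against an AD domain controller.

Added example, not Dell's code. Assumes it runs from an admin host that sits
on the same network path to the domain controller as the Data Domain system.
"""
import socket
import struct
import time

KERBEROS_MAX_SKEW_S = 300  # five minutes, the tolerance stated in the guide

# TCP ports from the guide's table. UDP entries cannot be verified with a
# plain connect(), so only the TCP side is checked here.
REQUIRED_TCP_PORTS = {
    53: "DNS (if the DC is also the DNS server)",
    88: "Kerberos",
    139: "NetBIOS/NetLogon",
    389: "LDAP",
    445: "SMB / user authentication (not configurable)",
    3268: "Global Catalog queries",
}

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_required_ports(host, ports=REQUIRED_TCP_PORTS, timeout=3.0):
    """Return {port: reachable} for every TCP port in the guide's table."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def parse_ntp_transmit_time(packet):
    """Extract the server transmit timestamp (Unix seconds) from an NTP reply.

    The 48-byte NTP header carries the 64-bit transmit timestamp at offset 40:
    32 bits of seconds since 1900 followed by 32 bits of fraction.
    """
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:  # mode 4 = server reply
        raise ValueError(f"unexpected NTP mode {mode}")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def ntp_offset_seconds(host, timeout=3.0):
    """Query host:123 and return (server time - local time) in seconds."""
    request = bytearray(48)
    request[0] = 0x23  # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent_at = time.time()
        sock.sendto(bytes(request), (host, 123))
        reply, _ = sock.recvfrom(512)
        received_at = time.time()
    # Compare the server's transmit time with the midpoint of our round trip.
    return parse_ntp_transmit_time(reply) - (sent_at + received_at) / 2


def within_kerberos_tolerance(offset_seconds, max_skew=KERBEROS_MAX_SKEW_S):
    """True when |offset| is inside the five-minute window Kerberos allows."""
    return abs(offset_seconds) <= max_skew


if __name__ == "__main__":
    dc = "dc01.domain1.local"  # placeholder domain controller name
    for port, reachable in check_required_ports(dc).items():
        state = "open" if reachable else "CLOSED"
        print(f"tcp/{port:<5} {state:<7} {REQUIRED_TCP_PORTS[port]}")
    try:
        offset = ntp_offset_seconds(dc)
    except OSError as exc:
        print(f"NTP query to {dc} failed: {exc}")
    else:
        verdict = "OK" if within_kerberos_tolerance(offset) else "EXCEEDS 5 MIN"
        print(f"clock offset vs {dc}: {offset:+.2f}s ({verdict})")
```

Run it from the admin host before starting the wizard; a CLOSED port or an offset outside the window points to a firewall or time-source problem to fix before the join is attempted. Replace the placeholder host with one of the domain controllers you intend to configure.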
Active Directory
Active Directory is not FIPS-compliant.
Active Directory continues to work when it is configured and when FIPS is enabled.
Using an authentication server to authenticate users before granting administrative access:
DD supports multiple name server protocols such as LDAP, NIS, and AD. Dell recommends using OpenLDAP with FIPS enabled. DD manages only local accounts. Configure LDAP through the UI or the CLI:
- UI: Administration > Access > Authentication
- CLI: authentication ldap commands
Authentication Configuration
The information in the Authentication panel changes, depending on the type of authentication that is configured.
Click the Configure link to the left of the Authentication label in the Configuration tab. The system opens the Administration > Access > Authentication page, where you configure authentication for Active Directory, Kerberos, Workgroups, and NIS.
Active directory configuration information
| Item | Description |
| Mode | The Active Directory mode is displayed. |
| Realm | The configured realm is displayed. |
| DDNS | The status of the DDNS server is displayed: either enabled or disabled. |
| Domain controller | The names of the configured domain controllers are displayed, or * if any domain controller may be used. |
| Organizational Unit | The names of the configured organizational units are displayed. |
| CIFS Server Name | The name of the configured CIFS server is displayed. |
| WINS Server Name | The name of the configured WINS server is displayed. |
| Short Domain Name | The short domain name is displayed. |
Workgroup Configuration
| Item | Description |
| Mode | The Workgroup mode is displayed. |
| Workgroup Name | The configured workgroup name is displayed. |
| DDNS | The status of the DDNS Server is displayed: either enabled or disabled. |
| CIFS Server Name | The name of the configured CIFS server is displayed. |
| WINS Server Name | The name of the configured WINS server is displayed. |
Related Articles:
- Data Domain - Joining a Data Domain System to a Windows Domain
- Unable to join a Data Domain to a Specific Organizational Unit (OU) of Active Directory
The Following Related Articles can only be Viewed By Logging In to Dell Support as a Registered User:
- PowerProtect DD System Manager (DDSM) and Data Domain Management Server (DDMC) access fails with AD Authentication
- Active Directory Authentication not working as GC is disabled in Data Domain
- Data Domain: Unable to Access the Data Domain System with CIFS in Active Directory Mode
- Data Domain: Using CIFS "Set Authentication Active-Directory" Command
- Join Data Domain to Active Directory to a specific Organizational Unit (OU)
- Data Domain: Windows Authentication Issues with the Data Domain System Configured for Active Directory
- Data Domain: Unable to Join Active Directory Due to Server Policies