Data Domain: Active Directory Guide

Summary: This Guide is based on steps from DDOS code 7.9.


Instructions

The Data Domain and PowerProtect operating environment provides secure administration through either the DD System Manager by HTTPS or SSH for CLI. Either method enables locally defined users, Network Information Service (NIS) users, Lightweight Directory Access Protocol (LDAP), Microsoft Active Directory (AD) domain users, and Single Sign-on (SSO).

Data Domain and PowerProtect systems can use Microsoft Active Directory pass-through authentication for users or servers. Administrators can enable certain domains and groups of users to access files that are stored on the system. It is recommended to have Kerberos configured. The systems also support Microsoft Windows NT LAN Manager NTLMv1 and NTLMv2. However, NTLMv2 is more secure and is intended to replace NTLMv1.

Viewing Active Directory and Kerberos Information

The Active Directory/Kerberos configuration determines the methods CIFS and NFS clients use to authenticate.
The Active Directory/Kerberos Authentication panel displays this configuration.

Steps:

  1. Select Administration > Access > Authentication.
  2. Expand the Active Directory/Kerberos Authentication panel.

Configuring Active Directory and Kerberos Authentication

Configuring Active Directory authentication makes the protection system part of a Windows Active Directory realm.
CIFS clients and NFS clients use Kerberos authentication.

Steps:

  1. Select Administration > Access > Authentication. The Authentication view appears.
  2. Expand the Active Directory/Kerberos Authentication panel.
  3. Click Configure next to Mode to start the configuration wizard. The Active Directory/Kerberos Authentication dialog appears.
  4. Select Windows/Active Directory and click Next.
  5. Enter the Full Realm Name for the system (for example, domain1.local), the username, and password for the system.
  6. Click Next.
Note: Use the complete realm name. Ensure that the user is assigned sufficient privileges to join the system to the domain. The username and password must be compatible with Microsoft requirements for the Active Directory domain. This user must also be assigned permission to create accounts in this domain.

  7. Select the default CIFS Server Name, or select Manual and enter a CIFS server name.
  8. To select Domain Controllers, select Automatically Assign, or select Manual and enter up to three domain controller names. Enter fully qualified domain names, hostnames, or IP addresses (IPv4 or IPv6).
  9. To select an organizational unit, select Use Default Computers, or select Manual and enter an organization unit name.
Note: The account is moved to the new organizational unit.

  10. Click Next. The Summary page for the configuration appears.
  11. Click Finish. The system displays the configuration information in the Authentication view.
  12. Click Enable to the right of Active Directory Administrative Access to enable administrative access.

Authentication Mode Selections

The authentication mode selection determines how CIFS and NFS clients authenticate using supported combinations of Active Directory, Workgroup, and Kerberos authentication.
DDOS supports the following authentication options.

  • Disabled: Kerberos authentication is disabled for CIFS and NFS clients. CIFS clients use Workgroup authentication.
  • Windows/Active Directory: Kerberos authentication is enabled for CIFS and NFS clients. CIFS clients use Active Directory authentication.
  • UNIX: Kerberos authentication is enabled for only NFS clients. CIFS clients use Workgroup authentication.

Managing Administrative Groups for Active Directory

Use the Active Directory/Kerberos Authentication panel to create, modify, and delete Active Directory (Windows) groups and assign management roles (admin, backup-operator, and so on) to those groups.

To prepare for managing groups, select Administration > Access > Authentication, expand the Active Directory/Kerberos Authentication panel, and click the Active Directory Administrative Access Enable button.

Creating Administrative Groups for Active Directory

Create an administrative group to assign a management role to all the users configured in an Active Directory group.
Prerequisites: Enable Active Directory Administrative Access on the Active Directory/Kerberos Authentication panel in the Administration > Access > Authentication page.

Steps:

  1. Click Create.
  2. Enter the domain and group name separated by a backslash. For example: domainname\groupname
  3. Select the Management Role for the group from the drop-down menu.
  4. Click OK.

Modifying Administrative Groups for Active Directory

Modify an administrative group when you want to change the administrative domain name or group name configured for an Active Directory group.
Prerequisites: Enable Active Directory Administrative Access on the Active Directory/Kerberos Authentication panel in the Administration > Access > Authentication page.

Steps:

  1. Select a Group to modify under the Active Directory Administrative Access heading.
  2. Click Modify.
  3. Modify the domain and group name, and use a backslash "\" to separate them. For example: domainname\groupname

Deleting Administrative Groups for Active Directory

Delete an administrative group to terminate system access for all the users configured in an Active Directory group.
Prerequisites: Enable Active Directory Administrative Access on the Active Directory/Kerberos Authentication panel in the Administration > Access > Authentication page.

Steps:

  1. Select a Group to delete under the Active Directory Administrative Access heading.
  2. Click Delete.

System clock

When using Active Directory mode for CIFS access, the system clock time can differ by no more than five minutes from that of the domain controller.
When configured for Active Directory authentication, the system regularly syncs time with the Windows domain controller.
For the domain controller to obtain the time from a reliable time source, see the Microsoft documentation for your Windows operating system version and configure the domain controller with a time source.

 
CAUTION: When the system is configured for Active Directory authentication, it uses an alternate mechanism to sync time with the domain controller. To avoid time sync conflicts, DO NOT enable NTP when the system is configured for Active Directory authentication.

Additional Information

Ports for Active Directory 

Port   Protocol   Port configurable   Description
53     TCP/UDP    Open                DNS (if AD is also the DNS)
88     TCP/UDP    Open                Kerberos
139    TCP        Open                NetBios/NetLogon
389    TCP/UDP    Open                LDAP
445    TCP/UDP    No                  User authentication and other communication with AD
3268   TCP        Open                Global Catalog Queries
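
A TCP reachability check for the ports in the table above, to run from a host on the same network path as the protection system before joining the domain. This is an added example, not Dell code; the domain controller name dc1.domain1.local is a placeholder, and the UDP side of each port is not probed.

```python
import socket
import sys

# Ports from the table above: port -> (protocols, description).
AD_PORTS = {
    53: ("TCP/UDP", "DNS (if AD is also the DNS)"),
    88: ("TCP/UDP", "Kerberos"),
    139: ("TCP", "NetBios/NetLogon"),
    389: ("TCP/UDP", "LDAP"),
    445: ("TCP/UDP", "User authentication and other communication with AD"),
    3268: ("TCP", "Global Catalog Queries"),
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake with host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unroutable, or DNS failure
        return False


def check_ad_ports(host, ports=AD_PORTS, timeout=2.0):
    """Probe every listed port over TCP and return {port: (reachable, note)}."""
    results = {}
    for port, (protocols, description) in sorted(ports.items()):
        note = description
        if "UDP" in protocols:
            note += " [UDP not probed]"
        results[port] = (tcp_reachable(host, port, timeout), note)
    return results


def blocked_ports(results):
    """Return the ports whose TCP probe failed, in ascending order."""
    return [port for port, (ok, _) in results.items() if not ok]


if __name__ == "__main__":
    # Placeholder name (assumption); pass your own domain controller as argv[1].
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.domain1.local"
    results = check_ad_ports(dc)
    for port, (ok, note) in results.items():
        print(f"{port:>5}/tcp  {'open' if ok else 'BLOCKED':8} {note}")
    sys.exit(1 if blocked_ports(results) else 0)
```

A blocked result can mean a firewall rule or a service that is not listening on that domain controller, so confirm on the controller before changing firewall policy.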

Active Directory

Active Directory is not FIPS-compliant.
Active Directory continues to work when it is configured and when FIPS is enabled.

Using Authentication Server for authenticating users before granting administrative access.  

DD supports multiple name server protocols such as LDAP, NIS, and AD. DD recommends using OpenLDAP with FIPS enabled. DD manages only local accounts. DD recommends using UI or CLI to configure LDAP.

• UI: Administration > Access > Authentication 

• CLI: Authentication LDAP commands 

Active Directory can also be configured for user logins with FIPS enabled. However, CIFS data access with AD users is no longer supported with that configuration.

Authentication Configuration

The information in the Authentication panel changes, depending on the type of authentication that is configured.
Click the Configure link to the left of the Authentication label in the Configuration tab. The system goes to the Administration > Access > Authentication page, where you can configure authentication for Active Directory, Kerberos, Workgroups, and NIS.

Active directory configuration information 

Item                  Description
Mode                  The Active Directory mode is displayed.
Realm                 The configured realm is displayed.
DDNS                  The status of the DDNS Server is displayed: either enabled or disabled.
Domain controller     The name of the configured domain controllers is displayed or a * if all controllers are permitted.
Organizational Unit   The name of the configured organizational units is displayed.
CIFS Server Name      The name of the configured CIFS server is displayed.
WINS Server Name      The name of the configured WINS server is displayed.
Short Domain Name     The short domain name is displayed.

Workgroup Configuration 

Item               Description
Mode               The Workgroup mode is displayed.
Workgroup Name     The configured workgroup name is displayed.
DDNS               The status of the DDNS Server is displayed: either enabled or disabled.
CIFS Server Name   The name of the configured CIFS server is displayed.
WINS Server Name   The name of the configured WINS server is displayed.

Affected Products

Data Domain
Article Properties
Article Number: 000204265
Article Type: How To
Last Modified: 16 Sept 2025
Version:  11