Tech ONTAP Blogs

Google Cloud NetApp Volumes: Support for multiple Active Directories

okrause
NetApp

How NetApp Volumes uses Active Directory

Active Directory is the central service in large organizations for managing identities in Windows environments. Active Directory provides a Lightweight Directory Access Protocol (LDAP) service to look up entities, a Kerberos service for secure authentication, and a Domain Name System (DNS) service for host and service discovery. Any enterprise SMB service needs to integrate with Active Directory for access control.


NetApp Volumes is no exception. It joins your Active Directory as a computer account. Apart from a few specific NFS-related use cases, it is mostly used for SMB. Every volume is presented as an SMB share to SMB clients. Active Directory-authenticated users can access files and folders on NetApp Volumes SMB shares and are granted or denied access based on the NTFS access control lists (ACLs) stored with every file or folder.


Active Directory policies

Under the hood, NetApp Volumes spins up one or more SMB servers to serve your volumes. These SMB servers show up as computer accounts inside the specified organizational unit of your Active Directory, with a computer name consisting of the NetBIOS prefix that you specify and a five-letter random suffix. For it to be able to join the domain, you need to provide Active Directory join instructions, called Active Directory policies. A policy provides all the information that NetApp Volumes needs to join its SMB servers to your domain: the DNS IP address, the domain name, the NetBIOS prefix, optional site and organizational unit information, and the credentials of an Active Directory user account that is allowed to join a computer to the domain.
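Because the SMB servers appear in your directory as ordinary computer accounts created by the join account named in the policy, the Active Directory side deserves a periodic check. The following PowerShell is an added example, not code from the post or from NetApp: run from a domain-joined admin host with the ActiveDirectory RSAT module, it lists the computer accounts in the policy's organizational unit whose names follow the prefix-plus-five-character pattern described above, flags any other computer objects that have appeared in that OU, and checks that the join account is not a member of a highly privileged group. The OU path, the NetBIOS prefix, the join account name and the assumption that the random suffix is alphanumeric are placeholders and assumptions, not values from the post.

```powershell
# Added example (not from the NetApp post): audit the OU named in an
# Active Directory policy and the join account the policy uses.
# Requires the ActiveDirectory RSAT module on a domain-joined host.
Import-Module ActiveDirectory

$SearchBase    = 'OU=NetAppVolumes,DC=example,DC=com'  # OU from the AD policy (placeholder)
$NetBiosPrefix = 'GCNV'                                 # NetBIOS prefix from the AD policy (placeholder)
$JoinAccount   = 'svc-gcnv-join'                        # join account from the AD policy (placeholder)

# The post says each SMB server is named <prefix> + five random characters.
# Assumption: the suffix is alphanumeric.
$Pattern = "^$([regex]::Escape($NetBiosPrefix))[A-Za-z0-9]{5}$"

# Read every computer object directly inside the OU (OneLevel avoids child OUs).
$computers = Get-ADComputer -SearchBase $SearchBase -SearchScope OneLevel -Filter * `
    -Properties whenCreated, LastLogonDate, OperatingSystem, servicePrincipalName

$expected   = $computers | Where-Object { $_.Name -match $Pattern }
$unexpected = $computers | Where-Object { $_.Name -notmatch $Pattern }

"SMB server accounts matching prefix '$NetBiosPrefix': $($expected.Count)"
$expected |
    Select-Object Name, Enabled, whenCreated, LastLogonDate,
        # An SMB server normally registers cifs/ service principal names for Kerberos.
        @{ Name = 'CifsSPNs'; Expression = {
            ($_.servicePrincipalName | Where-Object { $_ -like 'cifs/*' }) -join ';' } } |
    Format-Table -AutoSize

# Anything else in this OU was not created by the NetApp Volumes join flow
# as described, so it is worth a look.
if ($unexpected.Count -gt 0) {
    Write-Warning "Computer accounts in $SearchBase that do not match the expected naming pattern:"
    $unexpected | Select-Object Name, Enabled, whenCreated, OperatingSystem | Format-Table -AutoSize
}

# The join account only needs the right to create computer objects in this OU.
# Flag membership in groups that grant far more than that.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$groups = Get-ADPrincipalGroupMembership -Identity $JoinAccount | Select-Object -ExpandProperty Name
$hits = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "Join account '$JoinAccount' is a member of privileged group(s): $($hits -join ', ')"
} else {
    "Join account '$JoinAccount' is not in any of the checked privileged groups."
}
```

Scoping the join account to "create computer objects" on that OU alone, rather than granting it a built-in admin group, keeps the credentials stored in the policy from becoming a domain-wide secret; the last block makes that drift visible.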


Attaching an Active Directory policy to a storage pool gives the pool all the information it needs to spin up and join an SMB server as soon as you create the first volume that requires Active Directory services.


Until now, only one Active Directory policy per region was allowed within a project, which means that you could serve only one Windows domain per region of a project. You could use a different Windows domain in a different region of the project, but the clean, cloudlike approach is to separate volumes for different Windows domains into different Google projects. You can still connect those projects to a shared VPC, which allows authorized users on that network to reach all the volumes. This approach is architecting the cloud way: clean isolation of resources with additional security controls, like Google Identity and Access Management (IAM).


Reality check

But reality isn’t always architecturally pristine. Sometimes you can’t put volumes for different Windows domains into different service projects. In that case, allowing only one Windows domain for all volumes in your project’s region becomes a problem.


To support such configurations, NetApp Volumes is adding the ability to specify multiple Active Directory policies per region. You are now able to create as many as five Active Directory policies per region in your project.


The following screenshot shows an example of three different policies for three different domains in the same region.

[Screenshot (okrause_0-1726229557667.png): three Active Directory policies for three different domains in the same region]

As shown in the following screenshot, when creating a new storage pool, you can now select which policy to attach.

[Screenshot (okrause_1-1726229557670.png): selecting an Active Directory policy while creating a storage pool]

A single storage pool still uses only one Active Directory policy, which means that all its volumes connect to only one Windows domain. If you need to use multiple domains, you must create an Active Directory policy for each of them, and at least one storage pool for each policy. The following screenshot shows three pools. Two pools connect to two different Active Directory policies. The third pool, which doesn't use an Active Directory policy, can host only NFSv3 or NFSv4 volumes:

[Screenshot (okrause_2-1726229557672.png): three storage pools, two attached to different Active Directory policies and one without a policy]

Note that a single storage pool or volume cannot be connected to multiple Active Directory domains. If users from several domains need to reach the same volumes, join those domains into a domain forest instead. With a forest, you connect all volumes to a single domain of the forest, and users from the other domains in the forest can still access them, so you don't need multiple Active Directory policies in your region.


Greater flexibility

Most users are happy with using a single domain. But if yours is a large enterprise with multiple domains, this feature will give you more flexibility to map your complex organization to NetApp Volumes use. In the rare case that you need more than five domains per region, reach out to your Google account team for assistance.

