Join an RDS for SQL Server instance to a self-managed domain


You can integrate your ApsaraDB RDS for SQL Server instance with your enterprise Active Directory (AD) for centralized permission management and unified identity authentication. This requires configuring a self-managed domain and ensuring network connectivity between your RDS instance and the domain controller. Your domain controller can be hosted on an Alibaba Cloud ECS instance, on another cloud platform, or in an on-premises data center. This topic uses an ECS instance that hosts a domain controller as an example to demonstrate the configuration.

Background

Microsoft Active Directory (AD) is the directory service that Microsoft developed for its server products, including Windows Server (Standard and Enterprise editions) and Microsoft SQL Server. A directory is a hierarchical structure that stores information about objects on a network. For example, AD stores information about user accounts, such as names, password hashes, and phone numbers, and allows other authorized users on the same network to access this information.

As a critical part of the Microsoft ecosystem, AD support is a fundamental requirement for large enterprises migrating to the cloud.

ApsaraDB RDS for SQL Server allows you to join an instance to a self-managed domain, so that the identities and permission management you already maintain in AD extend to the database.

Warning

After you enable and configure the AD feature, you can create accounts in your self-managed AD domain and grant them permissions to log on to the ApsaraDB RDS for SQL Server instance and perform database operations.

However, the permissions of superuser (System Admin) or host accounts that are created through your self-managed AD domain are beyond the control of RDS, so Alibaba Cloud cannot guarantee the SLA for RDS instances with such accounts.

Prerequisites

Your ApsaraDB RDS for SQL Server instance must meet the following requirements:

  • Instance specifications: General-purpose or Dedicated (Shared instances are not supported)

  • Billing method: subscription or pay-as-you-go (Serverless instances are not supported)

  • Account: An Alibaba Cloud account is required.

Note

You can find this information on the Basic Information page of the instance.

Preparations

  • Deploy a domain controller

    • Operating system: The domain controller must run on Windows Server. The minimum supported version is Windows Server 2012 R2. We recommend that you use Windows Server 2016 or later. This topic uses Windows Server 2016 English Edition as an example.

    • DNS configuration: The domain controller must also function as the DNS server for the domain. The IP address that you later enter as the Directory IP Address is used both to locate the domain controller and to resolve the domain name, so it must be the address of that DNS server.

    • Permission requirements: The domain account used to join the RDS instance to the domain must be a member of the Domain Admins group, because joining a computer to a domain creates a computer object in the directory. If you do not want to use a Domain Admins account, delegate only the rights to create and delete computer objects, as described in the FAQ at the end of this topic.

  • Ensure network connectivity: The RDS instance and the domain controller must have bidirectional network connectivity. The domain controller can be located anywhere, including on an Alibaba Cloud ECS instance, on another cloud platform, or in an on-premises data center.

    Example configuration (An ECS instance is used to host the domain controller):

    • We recommend that you place the RDS instance and the ECS instance in the same VPC to simplify network configuration. This is not a mandatory requirement.

    • Configure the security group of the ECS instance to allow traffic from the private IP address of the RDS instance. For more information, see Add a security group rule.

    • If you have enabled the system firewall on the ECS instance, you must also allow traffic from the private IP address of the RDS instance.

Considerations

Joining or leaving an AD domain restarts the Windows operating system of the RDS instance, which interrupts existing connections. To avoid service interruptions, perform this operation during off-peak hours.

Limitations

You cannot perform the following operations on an instance joined to an AD domain: upgrading the major engine version, upgrading the minor engine version, or migrating the instance to another zone.

Step 1: Configure the domain controller

  1. Log in to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instance.

  3. In the upper-left corner of the page, select a region and resource group.

  4. On the Instances page, click the ID of the target instance.

  5. Remotely connect to the Windows Server 2016 operating system of the ECS instance.

  6. Search for and open Server Manager.

  7. Click Add roles and features and configure the following settings.

    Installation Type: Keep the default settings.

    Server Selection: Keep the default settings.

    Server Roles:

    • Select Active Directory Domain Services, and then click Add Features in the dialog box that appears.

    • Select DNS Server, and then click Add Features in the dialog box that appears. If a message indicates that your computer does not have a static IP address, change it to a static IP address. A domain controller that also serves DNS becomes unreachable to every domain member if its address changes automatically.

    Features: Keep the default settings.

    AD DS: Keep the default settings.

    DNS Server: Keep the default settings.

    Confirmation: Click Install.

  8. After the installation is complete, click Close.

  9. In the left-side navigation pane, click AD DS. In the upper-right corner, click More.

  10. Click Promote this server to a domain... and configure the following settings.

    Deployment Configuration: Select Add a new forest. In the Root domain name field, enter testdomain.net.

    Domain Controller Options: Set both the Forest functional level and Domain functional level to Windows Server 2016. Select the Domain Name System (DNS) server and Global Catalog (GC) checkboxes. Under Type the Directory Services Restore Mode (DSRM) password, enter and confirm the DSRM password. Store this password securely: it is the only credential that can log on to the domain controller for offline directory recovery.

    DNS Options: Clear the Create DNS delegation checkbox. This server is authoritative for the new zone and there is no parent zone for the wizard to delegate from.

    Additional Options: Keep the default settings.

    Paths: Keep the default settings.

    Review Options: Keep the default settings.

    Prerequisites Check: Click Install.

    Note

    The system restarts automatically after the installation is complete.

  11. After the system restarts, search for and open Server Manager again.

  12. In the left-side navigation pane, click AD DS. In the right-side pane, right-click the target domain controller and select Active Directory Users and Computers.

  13. Right-click testdomain.net > Users, and select New > User.

  14. Set the user logon name and click Next.

    In the Full name field, enter testuser. In the User logon name field, enter testuser and select @testdomain.net from the drop-down list.

  15. Set the user password, configure it to never expire, and then click Next and Finish to create the user.

    In the Password and Confirm password fields, enter a password. Select the Password never expires checkbox, and then click Next. On the confirmation page, click Finish.

  16. Double-click the newly created user and add the user to the Domain Admins group.

    In the user properties dialog box, click the Member Of tab and click Add. In the Select Groups dialog box, enter Domain Admins, click Check Names to verify the name, and then click OK.
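The same Step 1 configuration, done unattended from an elevated PowerShell session on the ECS instance. This is an added example and not code from the original page or from Alibaba Cloud; it assumes Windows Server 2016, that the ECS instance becomes the first and only domain controller of a new forest, and that the domain, NetBIOS and user names match the example in this topic. The first function reboots the server, so run the second one after the restart.

```powershell
# Added example (not from the original page): unattended equivalent of Step 1.
# Assumptions: Windows Server 2016, elevated PowerShell, the ECS instance becomes the
# first and only DC of a new forest, names below match the topic's example values.
$DomainName  = 'testdomain.net'
$NetbiosName = 'TESTDOMAIN'
$JoinUser    = 'testuser'

# Part 1: run before the reboot. Installs AD DS + DNS and promotes the server.
function Invoke-DcPromotion {
    # The DC is also the DNS server, so its address must never change: refuse DHCP interfaces.
    $dhcp = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
    if ($dhcp) {
        throw "Assign a static IPv4 address first; DHCP is enabled on: $($dhcp.InterfaceAlias -join ', ')"
    }

    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

    $forest = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        ForestMode                    = 'WinThreshold'   # Windows Server 2016 functional level
        DomainMode                    = 'WinThreshold'
        InstallDns                    = $true            # the "DNS server" checkbox
        CreateDnsDelegation           = $false           # "Create DNS delegation" cleared
        SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
        Force                         = $true            # no confirmation prompt; reboots when done
    }
    Install-ADDSForest @forest
}

# Part 2: run after the automatic reboot. Creates the join account the way the topic does
# (member of Domain Admins); the FAQ describes the least-privilege alternative.
function New-DomainJoinAccount {
    Import-Module ActiveDirectory
    $password = Read-Host -Prompt "Password for $JoinUser" -AsSecureString
    New-ADUser -Name $JoinUser -SamAccountName $JoinUser `
        -UserPrincipalName "$JoinUser@$DomainName" `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
    Add-ADGroupMember -Identity 'Domain Admins' -Members $JoinUser

    # Checks: the DC publishes its SRV records, and the account is enabled and in the group.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
    Get-ADUser -Identity $JoinUser -Properties MemberOf |
        Select-Object SamAccountName, Enabled,
            @{ n = 'Groups'; e = { $_.MemberOf -replace '^CN=([^,]+),.*', '$1' } }
}

# Usage: Invoke-DcPromotion   (server reboots)   then   New-DomainJoinAccount
```

Both passwords are read interactively rather than embedded in the script, because a DSRM password or a Domain Admins password left in a script on the ECS instance is recoverable by anyone who can read that file.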

Step 2: Configure the security group

  1. Log in to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instance.

  3. In the upper-left corner of the page, select a region and resource group.

  4. On the Instances page, click the ID of the target instance.

  5. In the top navigation bar, click Security Group. Then, in the Actions column of the security group, click Manage Rules.

  6. On the Inbound tab, click Add Rule to allow the RDS instance to reach the ECS instance on the following ports. Set the authorization object (source) of each rule to the private IP address of the RDS instance rather than 0.0.0.0/0, so that only the instance being joined can reach the domain controller.

    • TCP 88: Kerberos authentication.

    • TCP 135: Remote Procedure Call (RPC) endpoint mapper.

    • TCP/UDP 389: Lightweight Directory Access Protocol (LDAP).

    • TCP 445: SMB/Common Internet File System (CIFS).

    • TCP 3268: Global Catalog.

    • TCP/UDP 53: DNS.

    • TCP 49152-65535: the default dynamic port range that RPC services are assigned. Enter the port range as 49152/65535.
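The same rules applied from the command line, restricted to the RDS instance's private IP, for both the ECS security group and the Windows firewall that the Preparations section mentions. This is an added example and not code from the original page or from Alibaba Cloud. It assumes the Alibaba Cloud CLI (aliyun) is installed and configured, that the parameter names of the ECS AuthorizeSecurityGroup API are the ones used below (check them against the API reference before use), and that the region ID, security group ID and RDS private IP are placeholders to replace.

```powershell
# Added example (not from the original page): opens the Step 2 ports only to the RDS
# instance's private IP. Assumptions: aliyun CLI configured; IDs and IPs are placeholders;
# AuthorizeSecurityGroup parameter names as in the ECS API reference.
$RegionId        = 'cn-hangzhou'
$SecurityGroupId = 'sg-xxxxxxxxxxxxxxxx'
$RdsPrivateIp    = '172.16.0.10'

# One entry per rule, mirroring the table above.
$Ports = @(
    @{ Protocol = 'TCP'; Port = '88';          Note = 'Kerberos' }
    @{ Protocol = 'TCP'; Port = '135';         Note = 'RPC endpoint mapper' }
    @{ Protocol = 'TCP'; Port = '389';         Note = 'LDAP' }
    @{ Protocol = 'UDP'; Port = '389';         Note = 'LDAP' }
    @{ Protocol = 'TCP'; Port = '445';         Note = 'SMB/CIFS' }
    @{ Protocol = 'TCP'; Port = '3268';        Note = 'Global Catalog' }
    @{ Protocol = 'TCP'; Port = '53';          Note = 'DNS' }
    @{ Protocol = 'UDP'; Port = '53';          Note = 'DNS' }
    @{ Protocol = 'TCP'; Port = '49152-65535'; Note = 'RPC dynamic ports' }
)

# Security group rules: source is the /32 of the RDS private IP, never 0.0.0.0/0.
function Add-RdsSecurityGroupRules {
    foreach ($p in $Ports) {
        # The console and API express a range as "from/to", e.g. 88/88 or 49152/65535.
        $range = if ($p.Port -match '-') { $p.Port -replace '-', '/' } else { "$($p.Port)/$($p.Port)" }
        $proto = $p.Protocol.ToLower()
        aliyun ecs AuthorizeSecurityGroup --RegionId $RegionId --SecurityGroupId $SecurityGroupId `
            --IpProtocol $proto --PortRange $range --SourceCidrIp "$RdsPrivateIp/32" `
            --Policy accept --Description "RDS AD join: $($p.Note)"
    }
}

# Host firewall on the domain controller (only needed if the Windows firewall is enabled).
function Add-RdsFirewallRules {
    foreach ($p in $Ports) {
        New-NetFirewallRule -DisplayName "RDS AD join $($p.Protocol)/$($p.Port) ($($p.Note))" `
            -Direction Inbound -Action Allow -Profile Any `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $RdsPrivateIp
    }
}

# Verification: a firewall rule is useless if the DC is not actually listening on the port.
function Test-DcListeners {
    $expected  = 88, 135, 389, 445, 3268, 53
    $listening = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
    $missing   = $expected | Where-Object { $_ -notin $listening }
    if ($missing) { Write-Warning "DC is not listening on TCP: $($missing -join ', ')" }
    else          { 'All expected TCP ports are listening.' }
}

# Usage: Add-RdsSecurityGroupRules; on the DC: Add-RdsFirewallRules; Test-DcListeners
```

The security group and the host firewall are two independent layers; the join only works when both permit the traffic, so the script scopes both to the same source address.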

Step 3: Configure AD domain services

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Accounts.

  3. Click the AD Domain Services tab, and then click Configure AD Domain Services.

  4. In the Configure AD Domain Services dialog box, set the following parameters, and then select I have read and understand the impact of AD Domain Services on the RDS Service Level Agreement.

    Warning

    After you enable and configure the AD feature, you can create accounts in your self-managed AD domain and grant them permissions to log on to the ApsaraDB RDS for SQL Server instance and perform database operations.

    However, the permissions of superuser (System Admin) or host accounts that are created through your self-managed AD domain are beyond the control of RDS, so Alibaba Cloud cannot guarantee the SLA for RDS instances with such accounts.

    Domain Name: The root domain name that you specified on the Deployment Configuration page when you created the forest. In this example, the domain name is testdomain.net.

    Directory IP Address: The private IP address of the ECS instance that hosts the domain controller. You can find it in the ECS console on the instance details page, in the Network Information section, as the Primary Private IP. Alternatively, run the ipconfig command on the ECS instance. Because the domain controller is also the DNS server, this address is also used to resolve the domain name.

    Domain Account: The domain user that you created earlier (testuser in this example).

    Domain Password: The password of that domain account.

  5. Click OK and wait for the AD domain configuration to complete.
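A preflight check of the four parameters above, run from a Windows ECS instance in the same VPC before you click OK, so that a wrong IP address, a blocked port, or a mistyped password is caught without restarting the RDS instance. This is an added example and not code from the original page or from Alibaba Cloud. It assumes that the ECS instance you run it from is also permitted by the Step 2 security group rules, and the values in the usage lines are placeholders.

```powershell
# Added example (not from the original page): validates Domain Name, Directory IP Address,
# Domain Account and Domain Password from a Windows host in the same VPC.
# Assumption: this host's private IP is also allowed by the Step 2 security group rules.
function Test-RdsAdParameters {
    param(
        [Parameter(Mandatory)] [string]       $DomainName,      # e.g. testdomain.net
        [Parameter(Mandatory)] [string]       $DirectoryIp,     # primary private IP of the DC
        [Parameter(Mandatory)] [string]       $DomainAccount,   # sAMAccountName, e.g. testuser
        [Parameter(Mandatory)] [securestring] $DomainPassword
    )
    $r = [ordered]@{}

    # 1. TCP reachability to the fixed ports opened in Step 2.
    foreach ($port in 88, 135, 389, 445, 3268, 53) {
        $t = Test-NetConnection -ComputerName $DirectoryIp -Port $port -WarningAction SilentlyContinue
        $r["tcp/$port"] = $t.TcpTestSucceeded
    }

    # 2. The DC answers DNS for its own domain: Directory IP Address doubles as the DNS server.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
               -Server $DirectoryIp -ErrorAction SilentlyContinue
    $r['dns-srv'] = [bool]$srv

    # 3. The account and password bind to LDAP. A failure here is the same failure the
    #    join would hit, minus the RDS restart.
    $baseDn = 'DC=' + (($DomainName -split '\.') -join ',DC=')
    $plain  = (New-Object System.Net.NetworkCredential('', $DomainPassword)).Password
    $entry  = New-Object System.DirectoryServices.DirectoryEntry(
                  "LDAP://$DirectoryIp/$baseDn", "$DomainAccount@$DomainName", $plain)
    try   { $null = $entry.NativeObject; $r['ldap-bind'] = $true }
    catch { $r['ldap-bind'] = $false }

    # 4. Group membership: Domain Admins as this topic requires, or a delegated join
    #    account as in the FAQ (in which case this is expected to be False).
    if ($r['ldap-bind']) {
        $s = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $s.Filter = "(&(objectCategory=person)(sAMAccountName=$DomainAccount))"
        $null = $s.PropertiesToLoad.Add('memberOf')
        $found = $s.FindOne()
        $groups = if ($found) { @($found.Properties['memberof']) } else { @() }
        $r['domain-admin'] = [bool]($groups -match '^CN=Domain Admins,')
    }
    [pscustomobject]$r
}

# Usage (placeholders):
# Test-RdsAdParameters -DomainName 'testdomain.net' -DirectoryIp '172.16.0.5' `
#     -DomainAccount 'testuser' -DomainPassword (Read-Host 'Password' -AsSecureString)
```

Every field of the returned object should be True before you submit the dialog; a False on ldap-bind with all tcp/ checks True points at the account or password, while a False on dns-srv with tcp/53 True means the address is reachable but is not the DNS server for the domain.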

Related operations

You can use the following API operations to view, modify, or remove the AD domain association:

  • DescribeADInfo: Queries the AD domain information of an ApsaraDB RDS for SQL Server instance.

  • ModifyADInfo: Modifies the AD domain configuration of an ApsaraDB RDS for SQL Server instance.

  • DeleteADSetting: Deletes the AD domain settings of an ApsaraDB RDS for SQL Server instance.

FAQ

What permissions are required for the RDS instance to join the domain? How can I restrict these permissions?

We recommend that you use an account with domain administrator permissions to join the RDS instance to the domain. Alternatively, to follow least privilege, delegate only the rights needed to create and delete computer objects by following the steps below. Caution: if a minimum-permission account is used to leave the domain, the corresponding computer object is not removed, and you must delete it manually on the domain controller. Otherwise, a later attempt to rejoin the same RDS instance to the domain fails because the stale object already exists.

  1. Create a new user and confirm that the user belongs only to the Domain Users group. In Active Directory Users and Computers, right-click the Computers container and select Delegate Control... to start the Delegation of Control Wizard. On the Users or Groups page, click Add. In the Select Users, Computers, or Groups dialog box that appears, enter the name of the user or group to which you want to delegate control, click OK, and then click Next.

  2. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

  3. On the Active Directory Object Type page, select Only the following objects in the folder. In the list of objects, select Computer objects. Then, select the Create selected objects in this folder and Delete selected objects in this folder checkboxes at the bottom, and click Next.

  4. On the Permissions page, in the Show these permissions section, select the General and Creation/deletion of specific child objects checkboxes. In the Permissions list, select Create All Child Objects, and then click Next.
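The same delegation done on the domain controller with dsacls, together with the clean-up that the caution above calls for. This is an added example and not code from the original page or from Alibaba Cloud. It assumes the forest is testdomain.net, that the delegated account is a plain Domain Users member named joinuser (a placeholder), and that you know, or can identify from the listing, the name under which the RDS instance registered its computer object.

```powershell
# Added example (not from the original page): least-privilege join account via dsacls,
# plus removal of the stale computer object left behind when such an account leaves the domain.
# Assumptions: forest testdomain.net; "joinuser" is a placeholder Domain Users member.
Import-Module ActiveDirectory
$DomainDn    = 'DC=testdomain,DC=net'
$ComputersDn = "CN=Computers,$DomainDn"
$JoinAccount = 'TESTDOMAIN\joinuser'

function Grant-ComputerJoinRights {
    # Refuse to "delegate" to an account that is already a Domain Admin.
    $sam    = ($JoinAccount -split '\\')[1]
    $groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name
    if ($groups -contains 'Domain Admins') {
        throw "$JoinAccount is already a member of Domain Admins; delegation adds nothing."
    }

    # Equivalent of the wizard: create and delete only computer objects under CN=Computers.
    # CC = Create Child, DC = Delete Child; ";computer" limits the ACE to that object class;
    # /I:T applies it to the container and its sub-objects.
    dsacls $ComputersDn /I:T /G "${JoinAccount}:CCDC;computer"

    # Show the resulting ACE so the grant can be reviewed.
    dsacls $ComputersDn | Select-String -Pattern ([regex]::Escape($JoinAccount))
}

# List computer objects in the container, newest first, to identify the RDS instance's object.
function Get-ComputersInContainer {
    Get-ADComputer -SearchBase $ComputersDn -Filter * -Properties Created |
        Sort-Object Created -Descending |
        Select-Object Name, DNSHostName, Created
}

# The FAQ caveat: after leaving the domain with a delegated account, the RDS computer object
# remains and blocks a re-join. Delete it (with any child objects) before joining again.
function Remove-StaleRdsComputer {
    param([Parameter(Mandatory)] [string] $RdsComputerName)   # name registered in AD (assumption)
    $obj = Get-ADComputer -Identity $RdsComputerName -ErrorAction SilentlyContinue
    if (-not $obj) { return "No computer object named $RdsComputerName" }
    # Remove-ADObject -Recursive also removes leaf objects under the computer that would
    # make a plain Remove-ADComputer fail.
    Remove-ADObject -Identity $obj -Recursive -Confirm:$false
    "Removed $($obj.DistinguishedName)"
}

# Usage: Grant-ComputerJoinRights; Get-ComputersInContainer; Remove-StaleRdsComputer -RdsComputerName 'RDS-HOST-NAME'
```

Delegating CCDC on computer objects in one container grants far less than Domain Admins membership: the account can add and remove computers there, but cannot read secrets, change group memberships, or touch user objects, which is what the SLA warning in this topic is about.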