We have seen over the last number of years more people moving to a cloud-first, or even cloud-only strategy. People may or may not know that Cohesity DataPlatform is available in various Cloud Edition versions for Azure, Amazon Web Services, and others. Deploying the appliance for each cloud is a little different and I actually posted a personal blog about the Azure edition a few months back.
Something that has come up from customers is the question of joining an Azure Cloud Edition instance of Cohesity DataPlatform to their Azure Active Directory. I finally had a chance to look at this and found it can be done with a few steps.
I will admit that Azure Active Directory was pretty new to me, but thanks to my colleague Jon Hildebrand, I now understand how it works. I am going to simplify his explanation a little bit for the purposes of this post. There are really two types of users:
The other thing to point out is that, depending on your use case, you may or may not have your internal domain name used both on-premises and in the Azure cloud. You can choose to sync users without using the same internal domain name in Azure, but in my case I specifically wanted to use the same domain when signing onto my on-premises or Azure accounts. The users with Windows Server AD are the on-premises synced users shown below.
With on-premises Cohesity DataPlatform, I also use Role Based Access with a windows group, which is also synced to Azure. Ultimately, the goal is to allow the same users to log into the Cloud Edition with the same permissions as the local on-premises units without re-creating users and groups.
At this point though, it is important to note there is no way yet to join the Cohesity Cloud Edition to the domain. While you could technically establish a VPN and authenticate over that back to your on-premises domain controllers, that would not be ideal for a number of reasons. Mainly the loss of the link could prove problematic, so in my case I wanted to establish domain authentication within the Azure Cloud.
As I thought about this, there really are two ways to accomplish this. The first is how I have traditionally done it in cloud, even back at my days with the vCloud Air group at VMware. That would be to stand up a virtual machine in Azure and promote it to a domain controller. With a VPN link up you can ensure that domain controller is part of the forest, and configure the Azure side as a new “site” along with all the corresponding networks. This certainly works, but I found a better, easier, more elegant way.
There is something known as Azure Active Directory Domain Services available. This is SEPARATE from the native Azure Active Directory that you get as part of your subscription. It may sound confusing at first, but what this provides is DNS and domain authentication in the form of redundant services assigned to your networks. This is pretty easy to deploy and the setup is well documented. Once it is enabled, you will have the services available and the DNS servers to use in your future applications. This option is much more Azure native and does not in fact require you to manage any separate Domain Controller machine in your Azure subscription.
Now, what I learned is if you set this up AFTER you create many cloud only or on-premises sync users, you will need to do a few things – including reading some Microsoft documentation – – for the usernames and passwords. This will enable you to sync over to this new service. Therein lies the confusion I had, which can be summed up by saying on-premises users sync up to the Active Directory Domain and then all that is sent over to the Active Directory Domain Services. There is a lot of password syncing going on in the background.
At this point, if you have already deployed your Cohesity Cloud Edition you might need to update the DNS servers in the cluster settings.
At this point (assuming all your users are properly synced over to the Domain Services component), joining this cluster to the domain to leverage all the users and groups is the same as on-premises. Below you can see under Access Management where you add a new Active Directory domain and the already-connected domain. Simply provide a domain administrator credential as you would normally to connect to the domain in order to see all the domain groups.
No matter how you are managing your Active Directory, either entirely on-premises or also within the Azure cloud, it’s important to know you can leverage services provided by Azure natively. The combination of Azure Active Directory and Active Directory Domain Services is powerful and works seamlessly with the Cohesity Data Platform options to control access with Active Directory.
I am a fan of using the tools at your disposal. Domain Services in Azure was new to me, but I can tell you we will be using this a lot going forward for lab demos and trade show demos.