Provisioning an Active Directory service account - AWS Prescriptive Guidance

This is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.

Provisioning an Active Directory service account

If you want to join Amazon FSx for NetApp ONTAP SVMs to your on-premises Active Directory domain, you must maintain a valid Active Directory service account for the entire lifetime of the Amazon FSx file system. Amazon FSx must be able to fully manage the file system and carry out tasks that require leaving and rejoining the Active Directory domain, such as replacing a failed file server or patching the NetApp ONTAP software. Amazon FSx retains the Active Directory configuration, including the service account credentials, so the account's password must stay valid and must be updated in Amazon FSx whenever it is rotated.

The service account must have the following permissions in Active Directory:

  • Permission to join computers to the domain

  • In the organizational unit (OU) that you are joining the file system to, permission to:

    • Reset passwords

    • Restrict accounts from reading and writing data

    • Validated write to the DNS host name

    • Validated write to the service principal name

    • Create and delete computer objects

    • Read and write Account Restrictions

An Active Directory domain administrator can create the service account manually with the Active Directory Users and Computers MMC snap-in. For instructions, see Delegating permissions to the Amazon FSx service account in the FSx for ONTAP documentation. Grant exactly these rights, scoped to computer objects in that OU, rather than making the account a member of a privileged group such as Domain Admins. You can also configure the account programmatically, for example with PowerShell, as in the following example.

param(
    [string] $DomainName,
    [string] $Username,                   # Service Account username
    [string] $Firstname,                  # Service Account first name
    [string] $Lastname,                   # Service Account last name
    [string] $saOU,                       # OU where the Service Account is created
    [string] $delegateOrganizationalUnit  # OU where the Service Account has delegation
)

# Retrieve Active Directory domain credentials of a Domain Admin
$DomainCredential = Get-Credential -Message "Domain Admin credentials for $DomainName"

# Import the Active Directory PowerShell module (also provides the AD: drive used below)
Import-Module ActiveDirectory

# Create the Service Account in the specified OU.
# Note: -PasswordNotRequired $True lets the account be created enabled without a password;
# set a strong password and clear this flag before handing the credentials to Amazon FSx.
New-ADUser -Credential $DomainCredential `
    -SamAccountName $Username `
    -UserPrincipalName "$Username@$DomainName" `
    -Name "$Firstname $Lastname" `
    -GivenName $Firstname `
    -Surname $Lastname `
    -Enabled $True `
    -ChangePasswordAtLogon $False `
    -DisplayName "$Lastname, $Firstname" `
    -Path $saOU `
    -CannotChangePassword $True `
    -PasswordNotRequired $True

$user    = Get-ADUser -Identity $Username
$userSID = [System.Security.Principal.SecurityIdentifier] $user.SID

# Connect to the Active Directory drive and read the OU's current ACL
Set-Location AD:
$ACL      = Get-Acl -Path $delegateOrganizationalUnit
$Identity = [System.Security.Principal.IdentityReference] $userSID

# GUIDs of the Active Directory schema class, extended right, validated writes and property set being delegated
$Computers            = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"  # computer class
$ResetPassword        = [GUID]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated write to DNS host name
$ValidatedSPN         = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to service principal name
$AccountRestrictions  = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set

# Delegation list: each rule is scoped to computer objects under the OU, not to the whole OU
$rules = @()
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)

# Set delegation
foreach ($rule in $rules) {
    $ACL.AddAccessRule($rule)
}
Set-Acl -Path $delegateOrganizationalUnit -AclObject $ACL
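The following PowerShell script is added here as a worked example; it is not part of the AWS guidance or the FSx for ONTAP documentation. It reads back the DACL of the delegated OU and checks that the service account holds exactly the five Allow ACEs the provisioning script writes, reporting any that are missing and any extra ACE (for example a GenericAll or WriteDacl entry added by hand in the MMC snap-in) as over-delegation. The schema GUIDs are the same as above; the parameter names, the Test-AceMatches helper, the message wording and the extra check on the account's PasswordNotRequired flag are this example's own assumptions.

```powershell
param(
    [Parameter(Mandatory)] [string] $Username,                   # sAMAccountName of the service account
    [Parameter(Mandatory)] [string] $delegateOrganizationalUnit  # DN of the delegated OU, e.g. OU=FSx,DC=example,DC=com
)

Import-Module ActiveDirectory

# Same schema GUIDs as the provisioning script
$Computers            = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2"  # computer class
$ResetPassword        = [GUID]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated write to DNS host name
$ValidatedSPN         = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to service principal name
$AccountRestrictions  = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set

# The five Allow ACEs the provisioning script writes (rights, object type, inherited object type).
# The create/delete rule is written with inheritance "All", so its inherited object type is empty.
$expected = @(
    @{ Name = 'Create and delete computer objects';        Rights = 'CreateChild, DeleteChild';    ObjectType = $Computers;            Inherited = [GUID]::Empty },
    @{ Name = 'Reset password';                            Rights = 'ExtendedRight';               ObjectType = $ResetPassword;        Inherited = $Computers },
    @{ Name = 'Read and write Account Restrictions';       Rights = 'ReadProperty, WriteProperty'; ObjectType = $AccountRestrictions;  Inherited = $Computers },
    @{ Name = 'Validated write to DNS host name';          Rights = 'Self';                        ObjectType = $ValidatedDNSHostName; Inherited = $Computers },
    @{ Name = 'Validated write to service principal name'; Rights = 'Self';                        ObjectType = $ValidatedSPN;         Inherited = $Computers }
)

# True when an ACE is exactly one expected entry: same rights, same object type, same inheritance scope
function Test-AceMatches($ace, $entry) {
    $wanted = [System.DirectoryServices.ActiveDirectoryRights] $entry.Rights
    return ($ace.ActiveDirectoryRights -eq $wanted) -and
           ($ace.ObjectType -eq $entry.ObjectType) -and
           ($ace.InheritedObjectType -eq $entry.Inherited)
}

$user    = Get-ADUser -Identity $Username -Properties PasswordNotRequired
$userSID = [System.Security.Principal.SecurityIdentifier] $user.SID

# Read the OU's explicit ACEs with identities resolved to SIDs, so matching does not depend on name formatting
$acl  = Get-Acl -Path "AD:\$delegateOrganizationalUnit"
$aces = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
          Where-Object { $_.IdentityReference.Value -eq $userSID.Value -and $_.AccessControlType -eq 'Allow' })

# Expected entries with no matching ACE, and ACEs that match no expected entry
$missing    = @($expected | Where-Object { $e = $_; -not ($aces     | Where-Object { Test-AceMatches $_ $e }) } | ForEach-Object { $_.Name })
$unexpected = @($aces     | Where-Object { $a = $_; -not ($expected | Where-Object { Test-AceMatches $a $_ }) })

foreach ($name in $missing) {
    Write-Warning "Missing delegation for $Username on $delegateOrganizationalUnit : $name"
}
foreach ($ace in $unexpected) {
    # Anything beyond the five expected ACEs is more than Amazon FSx needs on this OU
    Write-Warning ("Unexpected ACE for {0}: {1}, object type {2}, inherited object type {3}" -f
        $Username, $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType)
}
if ($user.PasswordNotRequired) {
    Write-Warning "$Username still has PasswordNotRequired set; set a strong password and clear the flag before giving the credentials to Amazon FSx"
}

if ($missing.Count -eq 0 -and $unexpected.Count -eq 0) {
    Write-Output "Delegation for $Username on $delegateOrganizationalUnit matches the five required ACEs exactly"
    exit 0
}
exit 1
```

Run it as a domain user with read access to the OU's security descriptor, for example .\Test-FsxDelegation.ps1 -Username fsx-svc -delegateOrganizationalUnit "OU=FSx,DC=example,DC=com"; a non-zero exit code means the delegation has drifted from what the provisioning script wrote. The script only inspects the OU's ACL: the domain-join permission listed first on this page is not an OU ACE and is not checked here, and inherited ACEs are deliberately excluded because the provisioning script writes explicit ones.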