Below are the steps, including many PowerShell commands, to prepare an AD environment:
- Deploy Windows Server 2012 R2
- Set hostname to your liking
- Install AD services
- Configure AD
- Add self-signed certificate for AD's LDAPS to work
- Populate sample containers, users & groups
- Delegate control to appropriate users

## Deploy Windows Server 2012 R2
- Most Cloud providers will have this option
- On Google Cloud, they have a "one-click" option to deploy AD
## Set hostname
- Open PowerShell (right click and "open as Administrator")
- Set the hostname to your liking:

```powershell
## this will restart the server
$new_hostname = "ad01"
Rename-Computer -NewName $new_hostname -Restart
```

## Install AD services
- Open PowerShell (right click and "open as Administrator")
- Prepare your environment. Update these to your liking:

```powershell
$domainname = "lab.hortonworks.net"
$domainnetbiosname = "LAB"
$password = "BadPass#1"
```
Install AD features & Configure AD. You have 2 options:
- Deploy AD without DNS (relying on /etc/hosts or a separate DNS):

  ```powershell
  Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  Import-Module ADDSDeployment
  $secure_string_pwd = ConvertTo-SecureString ${password} -AsPlainText -Force
  Install-ADDSForest `
      -DatabasePath "C:\Windows\NTDS" `
      -DomainMode "Win2012R2" `
      -DomainName ${domainname} `
      -DomainNetbiosName ${domainnetbiosname} `
      -ForestMode "Win2012R2" `
      -InstallDns:$false `
      -LogPath "C:\Windows\NTDS" `
      -NoRebootOnCompletion:$false `
      -SysvolPath "C:\Windows\SYSVOL" `
      -SafeModeAdministratorPassword:$secure_string_pwd `
      -Force:$true
  ```

- Deploy AD with DNS:

  ```powershell
  Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  Import-Module ADDSDeployment
  $secure_string_pwd = ConvertTo-SecureString ${password} -AsPlainText -Force
  Install-ADDSForest `
      -CreateDnsDelegation:$false `
      -DatabasePath "C:\Windows\NTDS" `
      -DomainMode "Win2012R2" `
      -DomainName ${domainname} `
      -DomainNetbiosName ${domainnetbiosname} `
      -ForestMode "Win2012R2" `
      -InstallDns:$true `
      -LogPath "C:\Windows\NTDS" `
      -NoRebootOnCompletion:$false `
      -SysvolPath "C:\Windows\SYSVOL" `
      -SafeModeAdministratorPassword:$secure_string_pwd `
      -Force:$true
  ```

If the domain of your Hadoop nodes is different from your AD domain, see: https://technet.microsoft.com/en-gb/library/cc772007.aspx
## Add self-signed certificate for AD's LDAPS to work
There are several methods to enable SSL for LDAP (aka LDAPS):
- Use a certificate from a public respected certificate authority.
- Generate a self-signed certificate from your AD server, or other Windows Certificate Authority.
- Generate a self-signed certificate from your own certificate authority.
- Import a previously generated self-signed certificate.

Instructions for each:
- Use a certificate from a public respected certificate authority:
  - See Active Directory documentation.
- Generate a self-signed certificate from your AD server, or other Windows Certificate Authority:
  - On your Windows Server: Install Active Directory Certificate Services
    - Ensure to configure it as "Enterprise CA", not "Standalone CA".
  - Once it's installed:
    - Server Manager -> Tools -> Certificate Authority
    - Action -> Properties
    - General Tab -> View Certificate -> Details -> Copy to File
    - Choose the format: "Base-64 encoded X.509 (.CER)"
    - Save as 'activedirectory.cer' (or whatever you like)
    - Open with Notepad -> Copy Contents
    - This is your public CA to be distributed to all of your client hosts.
  - Reboot the Active Directory server for it to load the certificate.
- Generate a self-signed certificate however you like:
  - Many options for this. I prefer OpenSSL (run from wherever you like):

  ```shell
  # CA key and self-signed CA certificate
  openssl genrsa -out ca.key 4096
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -subj '/CN=lab.hortonworks.net/O=Hortonworks Testing/C=US'
  # Wildcard server key, CSR and CA-signed certificate for the lab domain
  openssl genrsa -out wildcard-lab-hortonworks-net.key 2048
  openssl req -new -key wildcard-lab-hortonworks-net.key -out wildcard-lab-hortonworks-net.csr \
      -subj '/CN=*.lab.hortonworks.net/O=Hortonworks Testing/C=US'
  openssl x509 -req -in wildcard-lab-hortonworks-net.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out wildcard-lab-hortonworks-net.crt -days 3650
  # Bundle key, certificate and CA into a PKCS#12 file that the Windows machine-keyset (-LMK) can import
  openssl pkcs12 -export -name "PEAP Certificate" -CSP 'Microsoft RSA SChannel Cryptographic Provider' -LMK \
      -inkey wildcard-lab-hortonworks-net.key -in wildcard-lab-hortonworks-net.crt -certfile ca.crt \
      -out wildcard-lab-hortonworks-net.p12
  ```

  - Copy wildcard-lab-hortonworks-net.p12 to the Active Directory server
  - On your Active Directory server:
    - Run "mmc"
    - Open the "Certificates snap-in".
    - Expand the "Certificates" node under "Personal".
    - Select "All Tasks" -> "Import...", and import the "p12".
    - Reboot the Active Directory server for it to load the certificate.
  - Step by step instructions here
- Import a previously generated self-signed certificate:
  - For example, to use the same certificate as the one used in the security lab:
    - Copy wildcard-lab-hortonworks-net.p12 to the Active Directory server from here
    - On your Active Directory server:
      - Run "mmc"
      - Open the "Certificates snap-in".
      - Expand the "Certificates" node under "Personal".
      - Select "All Tasks" -> "Import...", and import the "p12".
      - Reboot the Active Directory server for it to load the certificate.
  - Step by step instructions here
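Whichever method you used, the reboot is only useful if Schannel actually picks up the certificate. The check below is an added example (not part of the original guide or the lab's own scripts): it opens a TLS connection to port 636, pulls the certificate the DC presents, and reports whether its name covers the DC's FQDN, whether it carries the Server Authentication EKU that LDAPS requires, and whether it is within its validity period. It assumes the DC is reachable as `ad01.lab.hortonworks.net` (the hostname from the "Set hostname" step plus the lab domain); `DnsNameList` and `EnhancedKeyUsageList` are properties Windows PowerShell adds to `X509Certificate2`.

```powershell
# Added check, not from the original guide: does the DC serve LDAPS with a usable certificate?
# Assumption: the DC is 'ad01.lab.hortonworks.net'; run from any Windows host that can reach it.

function Get-LdapsServerCertificate {
    param([string]$ComputerName, [int]$Port = 636)
    $tcp    = New-Object System.Net.Sockets.TcpClient -ArgumentList $ComputerName, $Port
    $stream = $tcp.GetStream()
    # Accept whatever the server presents for this probe; the certificate is inspected explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-LdapsCertificate {
    param([string]$ComputerName, [int]$Port = 636)
    $cert = Get-LdapsServerCertificate -ComputerName $ComputerName -Port $Port

    # Names the certificate is valid for (SAN entries, falling back to the subject CN).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    # '-like' lets a wildcard CN such as *.lab.hortonworks.net match the DC's FQDN.
    $nameMatches = [bool]($names | Where-Object { $ComputerName -like $_ })
    # Schannel only selects certificates carrying the Server Authentication EKU for LDAPS.
    $serverAuth  = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    $now         = Get-Date
    $inDate      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [PSCustomObject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        DnsNames         = ($names -join ', ')
        NameMatches      = $nameMatches
        ServerAuthEku    = $serverAuth
        InValidityPeriod = $inDate
        Usable           = ($nameMatches -and $serverAuth -and $inDate)
    }
}

Test-LdapsCertificate -ComputerName 'ad01.lab.hortonworks.net' | Format-List
```

If the connection itself fails, the DC is not listening on 636, which is what you see when no usable certificate is in the machine's Personal store; `Get-ChildItem Cert:\LocalMachine\My` on the DC shows what is there, and the `Thumbprint` in the output should match the certificate you imported. A `Usable` of `False` with a successful connection means Schannel picked a different certificate (for example one without the EKU or one that does not name the DC).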
## Populate sample containers, users & groups

```powershell
Import-Module ActiveDirectory

$my_base = "DC=lab,DC=hortonworks,DC=net"
$my_ous = "CorpUsers","HadoopNodes","HadoopServices","ServiceUsers"
$my_groups = "hadoop-users","ldap-users","legal","hr","sales","hadoop-admins"

# OUs are created directly under the domain root
$my_ous | ForEach-Object {
    New-ADOrganizationalUnit -Name $_
}
# All groups live under OU=CorpUsers
$my_groups | ForEach-Object {
    New-ADGroup -Name $_ -GroupScope Global -Path "OU=CorpUsers,$my_base"
}

$UserCSV = @"
samAccountName,Name,ParentOU,Group
hadoopadmin,"hadoopadmin","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","hadoop-admins"
rangeradmin,"rangeradmin","OU=ServiceUsers,DC=lab,DC=hortonworks,DC=net","hadoop-users"
ambari,"ambari","OU=ServiceUsers,DC=lab,DC=hortonworks,DC=net","hadoop-users"
keyadmin,"keyadmin","OU=ServiceUsers,DC=lab,DC=hortonworks,DC=net","hadoop-users"
ldap-reader,"ldap-reader","OU=ServiceUsers,DC=lab,DC=hortonworks,DC=net","ldap-users"
registersssd,"registersssd","OU=ServiceUsers,DC=lab,DC=hortonworks,DC=net","ldap-users"
legal1,"Legal1 Legal","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","legal"
legal2,"Legal2 Legal","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","legal"
legal3,"Legal3 Legal","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","legal"
sales1,"Sales1 Sales","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","sales"
sales2,"Sales2 Sales","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","sales"
sales3,"Sales3 Sales","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","sales"
hr1,"Hr1 HR","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","hr"
hr2,"Hr2 HR","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","hr"
hr3,"Hr3 HR","OU=CorpUsers,DC=lab,DC=hortonworks,DC=net","hr"
"@
$UserCSV > Users.csv

$AccountPassword = "BadPass#1" | ConvertTo-SecureString -AsPlainText -Force
# Create each user in its OU, add it to its own group, and to hadoop-users as well
Import-Csv "Users.csv" | ForEach-Object {
    $userPrincipal = $_."samAccountName" + "@lab.hortonworks.net"
    New-ADUser -Name $_.Name `
        -Path $_."ParentOU" `
        -SamAccountName $_."samAccountName" `
        -UserPrincipalName $userPrincipal `
        -AccountPassword $AccountPassword `
        -ChangePasswordAtLogon $false `
        -Enabled $true
    Add-ADGroupMember -Identity $_."Group" -Members (Get-ADUser $_."samAccountName")
    # skip the second add for accounts whose own group already is hadoop-users
    if ($_."Group" -ne "hadoop-users") {
        Add-ADGroupMember -Identity "hadoop-users" -Members (Get-ADUser $_."samAccountName")
    }
}
```
## Delegate control to appropriate users
- Delegate OU permissions to hadoopadmin for OU=HadoopServices. In the 'Active Directory Users and Computers' app:
  - Right click HadoopServices
  - Delegate Control
  - Next
  - Add
  - hadoopadmin
  - Check names
  - OK
  - Select "Create, delete, and manage user accounts"
  - OK
- Give the registersssd user permissions to join workstations to OU=HadoopNodes (needed to run 'adcli join' successfully). In the 'Active Directory Users and Computers' app:
  - Click on View > Advanced features
  - Right click on HadoopNodes
  - Properties
  - Security
  - Advanced
  - Permissions
  - Add > 'Select a principal' > registersssd > Check names > Ok
    - Set 'Applies to' to 'This object and all descendant objects', select the checkboxes below > OK
      - Create Computer Objects
      - Delete Computer Objects
  - Add > 'Select a principal' > registersssd > Check names > Ok
    - Set 'Applies to' to 'Descendant Computer Objects', select the checkboxes below > Ok > Apply
      - Read All Properties
      - Write All Properties
      - Read Permissions
      - Modify Permissions
      - Change Password
      - Reset Password
      - Validated write to DNS host name
      - Validated write to service principal name
- For more details on the steps above see reference material here
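The two delegations above (hadoopadmin on OU=HadoopServices, registersssd on OU=HadoopNodes) can also be applied with the ActiveDirectory module, which makes them repeatable and lets you review exactly which ACEs were granted. The script below is an added example, not part of the original guide or the lab's scripts: it looks up the schema-class and control-access-right GUIDs by name instead of hard-coding them, builds the same ACEs the GUI checkboxes produce, and prints the resulting entries for review. It assumes the OUs and users created by the "Populate" script, that it runs as a Domain Admin on the DC, and that the "Create, delete, and manage user accounts" wizard preset equals create/delete of user objects plus full control over descendant user objects.

```powershell
# Added example, not from the original guide: the same delegations as the GUI steps, scripted.
# Assumptions: OUs/users from the 'Populate' script exist; run as a Domain Admin on the DC.
Import-Module ActiveDirectory

$base     = "DC=lab,DC=hortonworks,DC=net"
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$configNC = (Get-ADRootDSE).configurationNamingContext

# Resolve GUIDs by name rather than pasting them in.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$o.schemaIDGUID
}
function Get-ControlRightGuid([string]$DisplayName) {
    # Extended rights (Change/Reset Password) and validated writes (DNS host name, SPN) both live here.
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$o.rightsGuid
}

function New-AdAce {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,           # Guid.Empty: all object classes / all control rights
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All',
        [Guid]$InheritedObjectType = [Guid]::Empty   # Guid.Empty: inherited by every descendant class
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

function Grant-OuDelegation([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Aces) {
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $Aces) { [void]$acl.AddAccessRule($ace) }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

$userClass     = Get-SchemaClassGuid 'user'
$computerClass = Get-SchemaClassGuid 'computer'
$hadoopadmin   = (Get-ADUser 'hadoopadmin').SID
$registersssd  = (Get-ADUser 'registersssd').SID

# 1) hadoopadmin: "Create, delete, and manage user accounts" on OU=HadoopServices
#    (create/delete user objects in the OU, plus full control over the user objects beneath it).
Grant-OuDelegation "OU=HadoopServices,$base" @(
    (New-AdAce $hadoopadmin 'CreateChild, DeleteChild' -ObjectType $userClass -Inheritance All),
    (New-AdAce $hadoopadmin GenericAll -Inheritance Descendents -InheritedObjectType $userClass)
)

# 2) registersssd: only what 'adcli join' needs on OU=HadoopNodes, scoped to computer objects.
$onComputers = @{ Inheritance = 'Descendents'; InheritedObjectType = $computerClass }
$nodeAces = @(
    (New-AdAce $registersssd 'CreateChild, DeleteChild' -ObjectType $computerClass -Inheritance All),
    (New-AdAce $registersssd 'ReadProperty, WriteProperty, ReadControl, WriteDacl' @onComputers)
)
foreach ($right in 'Change Password', 'Reset Password') {
    $nodeAces += New-AdAce $registersssd ExtendedRight -ObjectType (Get-ControlRightGuid $right) @onComputers
}
foreach ($right in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $nodeAces += New-AdAce $registersssd Self -ObjectType (Get-ControlRightGuid $right) @onComputers
}
Grant-OuDelegation "OU=HadoopNodes,$base" $nodeAces

# Review what was granted (compare against the checkboxes in the GUI steps).
function Get-OuDelegation([string]$Dn, [string]$Principal) {
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference -like "*\$Principal" -and -not $_.IsInherited } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}
Get-OuDelegation "OU=HadoopServices,$base" 'hadoopadmin'  | Format-Table -AutoSize
Get-OuDelegation "OU=HadoopNodes,$base"    'registersssd' | Format-Table -AutoSize
```

`ReadControl` and `WriteDacl` are the "Read Permissions" and "Modify Permissions" checkboxes; `ExtendedRight` with the right's GUID is "Change Password"/"Reset Password", and `Self` with a validated-write GUID is the two "Validated write to ..." entries. Scoping the second ACE set to descendant computer objects (rather than "all descendant objects") is what keeps registersssd from being able to write to anything else that later lands in that OU.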
- Also make sure that the time on the Windows machine is correct and the timezone setting automatically adjusts for DST
  - e.g. for PST: Windows is -0800 and Linux is -0700.
  - If clock skew between Linux hosts and Windows AD is greater than 5 min, services will not start, with the error below:

  ```
  KrbException: Clock skew too great
  ```

- (No longer needed) Create keytab for Ambari. This will be used later to kerberize Ambari before setting up views:

  ```
  ktpass -out ambari.keytab -princ ambari@LAB.HORTONWORKS.NET -pass BadPass#1 -mapuser ambari@LAB.HORTONWORKS.NET -mapop set -crypto All -ptype KRB5_NT_PRINCIPAL
  ```

- To test the LDAP connection from a Linux node:

  ```shell
  sudo yum install openldap-clients
  ldapsearch -h ad01.lab.hortonworks.net -p 389 -D "ldap-reader@lab.hortonworks.net" -w BadPass#1 \
      -b "OU=CorpUsers,DC=lab,DC=hortonworks,DC=net" "(&(objectclass=person)(sAMAccountName=sales1))"
  ```