Tutorial – Deploy Active Directory connector using Azure CLI

This article explains how to deploy an Active Directory (AD) connector using Azure CLI. The AD connector is a key component to enable Active Directory authentication on Azure Arc-enabled SQL Managed Instance.

Prerequisites

Install tools

Before you can proceed with the tasks in this article, install the following tools:

• The Azure CLI (az)
• The arcdata extension for Azure CLI

To know further details about how to set up OU and AD account, go to Deploy Azure Arc-enabled data services in Active Directory authentication - prerequisites

Deploy Active Directory connector in customer-managed keytab mode

Customer-managed keytab mode

Create an AD connector instance

Note

Make sure to wrap your password for the domain service AD account with single quote ' to avoid the expansion of special characters such as !.

To view available options for create command for AD connector instance, use the following command:

az arcdata ad-connector create --help

To create an AD connector instance, use az arcdata ad-connector create. See the following examples for different connectivity modes:

Indirectly connected mode

az arcdata ad-connector create
--name < name >
--k8s-namespace < Kubernetes namespace >
--realm < AD Domain name >
--nameserver-addresses < DNS server IP addresses >
--account-provisioning < account provisioning mode : manual or automatic > 
--prefer-k8s-dns < whether Kubernetes DNS or AD DNS Server for IP address lookup >
--use-k8s

Example:

az arcdata ad-connector create 
--name arcadc 
--k8s-namespace arc 
--realm CONTOSO.LOCAL 
--nameserver-addresses 10.10.10.11
--account-provisioning manual
--prefer-k8s-dns false
--use-k8s

# Setting environment variables needed for automatic account provisioning
DOMAIN_SERVICE_ACCOUNT_USERNAME='sqlmi'
DOMAIN_SERVICE_ACCOUNT_PASSWORD='arc@123!!'

# Deploying active directory connector with automatic account provisioning
az arcdata ad-connector create 
--name arcadc 
--k8s-namespace arc 
--realm CONTOSO.LOCAL 
--nameserver-addresses 10.10.10.11
--account-provisioning automatic
--prefer-k8s-dns false
--use-k8s

Directly connected mode

az arcdata ad-connector create 
--name < name >
--dns-domain-name < The DNS name of AD domain > 
--realm < AD Domain name >  
--nameserver-addresses < DNS server IP addresses >
--account-provisioning < account provisioning mode : manual or automatic >
--prefer-k8s-dns < whether Kubernetes DNS or AD DNS Server for IP address lookup >
--data-controller-name < Arc Data Controller Name >
--resource-group < resource-group >

Example:

az arcdata ad-connector create 
--name arcadc 
--realm CONTOSO.LOCAL 
--dns-domain-name contoso.local 
--nameserver-addresses 10.10.10.11
--account-provisioning manual
--prefer-k8s-dns false
--data-controller-name arcdc
--resource-group arc-rg

# Setting environment variables needed for automatic account provisioning
DOMAIN_SERVICE_ACCOUNT_USERNAME='sqlmi'
DOMAIN_SERVICE_ACCOUNT_PASSWORD='arc@123!!'

# Deploying active directory connector with automatic account provisioning
az arcdata ad-connector create 
--name arcadc 
--realm CONTOSO.LOCAL 
--dns-domain-name contoso.local 
--nameserver-addresses 10.10.10.11
--account-provisioning automatic
--prefer-k8s-dns false
--data-controller-name arcdc
--resource-group arc-rg

Update an AD connector instance

To view available options for update command for AD connector instance, use the following command:

az arcdata ad-connector update --help

To update an AD connector instance, use az arcdata ad-connector update. See the following examples for different connectivity modes:

Indirectly connected mode

az arcdata ad-connector update 
--name < name >
--k8s-namespace < Kubernetes namespace > 
--nameserver-addresses < DNS server IP addresses >
--use-k8s

Example:

az arcdata ad-connector update 
--name arcadc 
--k8s-namespace arc 
--nameserver-addresses 10.10.10.11
--use-k8s

Directly connected mode

az arcdata ad-connector update 
--name < name >
--nameserver-addresses < DNS server IP addresses > 
--data-controller-name < Arc Data Controller Name >
--resource-group < resource-group >

Example:

az arcdata ad-connector update 
--name arcadc 
--nameserver-addresses 10.10.10.11
--data-controller-name arcdc
--resource-group arc-rg

system-managed keytab mode

To create an AD connector instance, use az arcdata ad-connector create. See the following examples for different connectivity modes:

Indirectly connected mode

az arcdata ad-connector create 
--name < name >
--k8s-namespace < Kubernetes namespace > 
--dns-domain-name < The DNS name of AD domain > 
--realm < AD Domain name >  
--nameserver-addresses < DNS server IP addresses >
--account-provisioning < account provisioning mode > 
--ou-distinguished-name < AD Organizational Unit distinguished name >
--prefer-k8s-dns < whether Kubernetes DNS or AD DNS Server for IP address lookup >
--use-k8s

Example:

az arcdata ad-connector create 
--name arcadc 
--k8s-namespace arc 
--realm CONTOSO.LOCAL 
--netbios-domain-name CONTOSO 
--dns-domain-name contoso.local 
--nameserver-addresses 10.10.10.11
--account-provisioning automatic 
--ou-distinguished-name “OU=arcou,DC=contoso,DC=local” 
--prefer-k8s-dns false
--use-k8s

Directly connected mode

az arcdata ad-connector create 
--name < name >
--dns-domain-name < The DNS name of AD domain > 
--realm < AD Domain name >  
--netbios-domain-name < AD domain NETBOIS name > 
--nameserver-addresses < DNS server IP addresses >
--account-provisioning < account provisioning mode > 
--ou-distinguished-name < AD domain organizational distinguished name >
--prefer-k8s-dns < whether Kubernetes DNS or AD DNS Server for IP address lookup >
--data-controller-name < Arc Data Controller Name >
--resource-group < resource-group >

Example:

az arcdata ad-connector create 
--name arcadc 
--realm CONTOSO.LOCAL 
--netbios-domain-name CONTOSO 
--dns-domain-name contoso.local 
--nameserver-addresses 10.10.10.11
--account-provisioning automatic 
--ou-distinguished-name “OU=arcou,DC=contoso,DC=local” 
--prefer-k8s-dns false
--data-controller-name arcdc
--resource-group arc-rg

Update an AD connector instance

To view available options for update command for AD connector instance, use the following command:

az arcdata ad-connector update --help

To update an AD connector instance, use az arcdata ad-connector update. See the following examples for different connectivity modes:

Indirectly connected mode

az arcdata ad-connector update 
--name < name >
--k8s-namespace < Kubernetes namespace > 
--nameserver-addresses < DNS server IP addresses >
--use-k8s

Example:

az arcdata ad-connector update 
--name arcadc 
--k8s-namespace arc 
--nameserver-addresses 10.10.10.11
--use-k8s

Directly connected mode

az arcdata ad-connector update 
--name < name >
--nameserver-addresses < DNS server IP addresses > 
--data-controller-name < Arc Data Controller Name>
--resource-group <resource-group>

Example:

az arcdata ad-connector update 
--name arcadc 
--nameserver-addresses 10.10.10.11
--data-controller-name arcdc
--resource-group arc-rg

Delete an AD connector instance

To delete an AD connector instance, use az arcdata ad-connector delete. See the following examples for both connectivity modes:

Indirectly connected mode

az arcdata ad-connector delete --name < AD Connector name >  --k8s-namespace < namespace > --use-k8s

Example:

az arcdata ad-connector delete --name arcadc --k8s-namespace arc --use-k8s

Directly connected mode

az arcdata ad-connector delete --name < AD Connector name >  --data-controller-name < data controller name > --resource-group < resource group > 

Example:

az arcdata ad-connector delete --name arcadc --data-controller-name arcdc --resource-group arc-rg

Next steps

• Tutorial – Deploy AD connector in customer-managed keytab mode
• Tutorial – Deploy AD connector in system-managed keytab mode
• Deploy Arc-enabled SQL Managed Instance with Active Directory Authentication.