Deploy multiple SQL Server Big Data Clusters in the same Active Directory domain

Applies to: SQL Server 2019 (15.x)

This article explains the updates in SQL Server 2019 CU5 that enable multiple SQL Server 2019 Big Data Clusters to be deployed and integrated with the same Active Directory domain.

Prior to SQL Server 2019 CU5, two issues prevented deployment of multiple BDCs in the same AD domain:

  • Naming conflict for service principal names and the DNS domain
  • Domain account principal names

Object name collisions

Service principal name (SPN) and DNS domain naming conflict

The domain name provided at deployment time is used as the AD DNS domain. Pods use this DNS domain to connect to each other on the internal network, and users use it to connect to the BDC endpoints. As a result, any Service Principal Name (SPN) created for a service inside the BDC is the Kubernetes pod, service, or endpoint name qualified with this AD DNS domain. If a user deploys a second cluster in the same domain, the generated SPNs have the same FQDN, because neither the pod names nor the DNS domain name differ between the two clusters. For example, with the AD DNS domain contoso.local, one of the SPNs generated for the master pool SQL Server in pod master-0 is MSSQLSvc/master-0.contoso.local:1433. In the second cluster the pod name for master-0 is the same and the user supplies the same AD DNS domain (contoso.local), producing the same SPN string. Active Directory forbids creation of a duplicate SPN, so deployment of the second cluster fails.

Domain account principal names

During deployment of a BDC with an Active Directory domain, multiple account principals are generated for the services running inside the BDC. These are essentially AD user accounts. Prior to SQL Server 2019 CU5, the names of these accounts were not unique between clusters, so deploying two clusters attempted to create the same user account name for a given service. The cluster deployed second ran into a conflict in AD and could not create its accounts.

Resolution for collisions

Solution for the SPN and DNS domain problem - SQL Server 2019 CU5

Since SPNs must differ between any two clusters, the DNS domain name passed in at deployment time must differ. You can specify a different DNS name using the setting newly introduced in the deployment configuration file: subdomain. If the subdomain differs between two clusters and internal communication happens over this subdomain, the SPNs include the subdomain, which gives them the required uniqueness.

Note

The value passed through the subdomain setting is not a new AD domain, but a DNS domain that is used internally.

Consider the master pool SQL Server SPN again. If the subdomain is bdc, the SPN discussed above becomes MSSQLSvc/master-0.bdc.contoso.local:1433.

Customizing the value of the new subdomain parameter in the activeDirectory configuration spec is optional. By default, the BDC cluster name (which is the namespace name) is used as the subdomain. To override it, set the subdomain parameter in the activeDirectory configuration spec.

Solution for the account name uniqueness problem

To move the account names to a scheme that guarantees uniqueness, CU5 introduces the concept of an account prefix. The account prefix is the portion of the account name that is unique between any two clusters; the remaining portion is constant for a given service. The new format of the account name is <prefix>-<name>-<podId>.

Note

Active Directory limits account names (sAMAccountName) to 20 characters. BDC needs 8 of those characters to distinguish pods and StatefulSets, which leaves 12 characters as the limit for the account prefix.

Customizing the account name is optional. SQL Server 2019 CU5 introduces the accountPrefix parameter in the activeDirectory configuration spec. By default, the subdomain name is used as the account prefix. If the subdomain name is longer than 12 characters, its first 12 characters are used as the account prefix.

The subdomain applies only to DNS. Hence, with the prefix bdc, the new LDAP user account name is bdc-ldap@contoso.local, not bdc-ldap@bdc.contoso.local.

Semantics

In summary, these are the semantics of the parameters added in SQL Server 2019 CU5 for multiple clusters in a domain:

subdomain

  • Optional field
  • Data type: string
  • Definition: a unique DNS subdomain to use for this BDC cluster. This value should be different for each cluster deployed in the Active Directory domain.
  • Default value: when not provided, the cluster name is used.
  • Maximum length: 63 characters per label (a label being each string separated by a dot).
  • Remarks: the endpoint DNS names should use the subdomain in their FQDN.

accountPrefix

  • Optional field
  • Data type: string
  • Definition: a unique prefix for the AD accounts the BDC cluster generates. This value should be different for each cluster deployed in the Active Directory domain.
  • Default value: when not provided, the subdomain name is used. When subdomain is also not provided, the cluster name is used as the subdomain name, and hence the cluster name is inherited as accountPrefix as well. If the subdomain is provided and is a multipart name (contains one or more dots), you must provide an accountPrefix.
  • Maximum length: 12 characters

Impact on the AD domain and DNS server

No changes are required in the AD domain or domain controller to accommodate deploying multiple BDCs against the same Active Directory domain. The DNS subdomain is created automatically in the DNS server when the external endpoint DNS names are registered.

Impact on the deployment configuration file used for the BDC deployment

The activeDirectory section in the control plane configuration control.json has two new optional parameters: subdomain and accountPrefix. Provide values for these settings only if you want to override the default behavior, which is to use the cluster name for each of them. The cluster name is the same as the namespace name.

Additionally, you can use endpoint DNS names of your choice as long as they are fully qualified and do not conflict between any two big data clusters deployed in the same domain. Optionally, use the subdomain parameter value to ensure DNS names differ across clusters. As an example, consider the gateway endpoint. If you want to use the name gateway for the endpoint and have it registered in the DNS server automatically as part of the BDC deployment, use gateway.bdc1.contoso.local as the DNS name, where bdc1 is the subdomain and contoso.local is the AD DNS domain name. Other acceptable values are gateway-bdc1.contoso.local or simply gateway.contoso.local, provided no other cluster in the domain registers the same name.

Examples

Below is an example of the activeDirectory security configuration when you want to override subdomain and accountPrefix.

    "security": {
        "activeDirectory": {
            "ouDistinguishedName": "OU=contosoou,DC=contoso,DC=local",
            "dnsIpAddresses": [ "10.10.10.10" ],
            "domainControllerFullyQualifiedDns": [ "contoso-win2016-dc.contoso.local" ],
            "domainDnsName": "contoso.local",
            "subdomain": "bdc",
            "accountPrefix": "myprefix",
            "clusterAdmins": [ "contosoadmins" ],
            "clusterUsers": [ "contosousers1", "contosousers2" ]
        }
    }
  

Below is an example of the endpoint spec for the control plane endpoints. You can use any values for the DNS names, as long as they are unique and fully qualified:

        "endpoints": [
            {
                "serviceType": "NodePort",
                "port": 30080,
                "name": "Controller",
                "dnsName": "control-bdc1.contoso.local"
            },
            {
                "serviceType": "NodePort",
                "port": 30777,
                "name": "ServiceProxy",
                "dnsName": "monitor-bdc1.contoso.local"
            }
        ]
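The naming rules from the Semantics section and the endpoint DNS requirements above can be applied as a pre-deployment check before a second cluster is pointed at the same domain. The following is an added example, not code from this article or from the Big Data Clusters product: it derives the master pool SPN, the generated account names and the endpoint DNS names from the activeDirectory and endpoints sections of several control.json fragments and reports anything two clusters would both try to create. The service/pod list, the make_config helper, the sample configurations, and the rule that a "fully qualified" endpoint name must end with domainDnsName are assumptions made here.

```python
# Added example (not from the original article or the BDC product): pre-deployment
# collision check over the activeDirectory / endpoints sections of control.json files.
# Rules applied, as described in the article:
#   SPN host     = <pod>.<subdomain>.<domainDnsName>
#   account name = <prefix>-<name>-<podId>, prefix at most 12 characters
#   subdomain defaults to the cluster name, accountPrefix to the subdomain
from __future__ import annotations
import re
from collections import defaultdict

MAX_SAM_ACCOUNT = 20                                # AD sAMAccountName limit
POD_SUFFIX_CHARS = 8                                # reserved by BDC for pod / StatefulSet
MAX_PREFIX = MAX_SAM_ACCOUNT - POD_SUFFIX_CHARS     # 12
MAX_DNS_LABEL = 63
DNS_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Constructed (service, pod id) pairs standing in for the accounts a deployment creates;
# the real list is product-internal and not enumerated in the article.
SAMPLE_SERVICES = [("ldap", "0"), ("master", "0"), ("gateway", "0")]


def effective_subdomain(ad: dict, cluster_name: str) -> str:
    """subdomain defaults to the cluster (namespace) name when not provided."""
    return ad.get("subdomain") or cluster_name


def effective_account_prefix(ad: dict, cluster_name: str) -> str:
    """accountPrefix defaults to the subdomain cut to 12 characters; a multipart
    subdomain has no usable default and requires an explicit accountPrefix."""
    if ad.get("accountPrefix"):
        return ad["accountPrefix"]
    sub = effective_subdomain(ad, cluster_name)
    if "." in sub:
        raise ValueError(f"{cluster_name}: multipart subdomain {sub!r} requires accountPrefix")
    return sub[:MAX_PREFIX]


def sql_spn(ad: dict, cluster_name: str, pod: str = "master-0", port: int = 1433) -> str:
    """SPN the master pool SQL Server registers: pod name qualified with subdomain + AD DNS domain."""
    return f"MSSQLSvc/{pod}.{effective_subdomain(ad, cluster_name)}.{ad['domainDnsName']}:{port}"


def account_name(prefix: str, service: str, pod_id: str) -> str:
    return f"{prefix}-{service}-{pod_id}"


def check_cluster(cluster_name: str, cfg: dict) -> list[str]:
    """Single-cluster rules: subdomain label syntax/length, prefix length, endpoint FQDNs."""
    ad = cfg["security"]["activeDirectory"]
    problems: list[str] = []
    for label in effective_subdomain(ad, cluster_name).split("."):
        if len(label) > MAX_DNS_LABEL or not DNS_LABEL.match(label):
            problems.append(f"{cluster_name}: invalid subdomain label {label!r}")
    try:
        prefix = effective_account_prefix(ad, cluster_name)
        if len(prefix) > MAX_PREFIX:
            problems.append(f"{cluster_name}: accountPrefix {prefix!r} exceeds {MAX_PREFIX} characters")
    except ValueError as err:
        problems.append(str(err))
    # Assumption: "fully qualified" is checked as "ends with the AD DNS domain".
    domain_suffix = "." + ad["domainDnsName"].lower()
    for ep in cfg.get("endpoints", []):
        if not ep["dnsName"].lower().endswith(domain_suffix):
            problems.append(f"{cluster_name}: endpoint {ep['name']} dnsName {ep['dnsName']!r} is not fully qualified")
    return problems


def check_collisions(clusters: dict[str, dict]) -> dict[str, list[str]]:
    """Cross-cluster rule: each SPN, account name and endpoint DNS name may belong to one
    cluster only. Returns {object: [clusters that would create it]} for every duplicate."""
    owners: dict[str, set[str]] = defaultdict(set)
    for name, cfg in clusters.items():
        ad = cfg["security"]["activeDirectory"]
        owners["spn:" + sql_spn(ad, name).lower()].add(name)      # AD compares SPNs case-insensitively
        try:
            prefix = effective_account_prefix(ad, name)
        except ValueError:
            continue                                              # already reported by check_cluster
        for service, pod_id in SAMPLE_SERVICES:
            owners["account:" + account_name(prefix, service, pod_id).lower()].add(name)
        for ep in cfg.get("endpoints", []):
            owners["dns:" + ep["dnsName"].lower()].add(name)
    return {obj: sorted(c) for obj, c in owners.items() if len(c) > 1}


def make_config(endpoint_dns: str, subdomain: str | None = None, account_prefix: str | None = None) -> dict:
    """Constructed control.json fragment holding only the fields this check reads."""
    ad: dict = {"domainDnsName": "contoso.local", "ouDistinguishedName": "OU=contosoou,DC=contoso,DC=local"}
    if subdomain:
        ad["subdomain"] = subdomain
    if account_prefix:
        ad["accountPrefix"] = account_prefix
    return {"security": {"activeDirectory": ad},
            "endpoints": [{"serviceType": "NodePort", "port": 30080, "name": "Controller", "dnsName": endpoint_dns}]}


# Defaults only: distinct namespaces give distinct subdomains, prefixes and endpoint names.
GOOD = {"bdc1": make_config("control.bdc1.contoso.local"),
        "bdc2": make_config("control.bdc2.contoso.local")}
# Both clusters pin subdomain "bdc" and the same endpoint name: every object class collides.
BAD = {"bdc1": make_config("control.contoso.local", subdomain="bdc"),
       "bdc2": make_config("control.contoso.local", subdomain="bdc")}

if __name__ == "__main__":
    for label, clusters in (("good", GOOD), ("bad", BAD)):
        print(label, "per-cluster problems:", [p for n, c in clusters.items() for p in check_cluster(n, c)])
        print(label, "collisions:", check_collisions(clusters))
```

Run it over the activeDirectory and endpoints sections of every control.json that targets the domain before deploying the next cluster: AD rejects the duplicate SPN and account only at deployment time, so a conflict caught here is cheaper than a failed deployment. Objects the check does not model (for example the names a cluster deployed before CU5 already holds) still require querying the existing SPNs and accounts in the domain.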
  

Questions

Do you need to create separate OUs for different clusters?

It is not required, but it is recommended. Separate OUs for separate clusters help you manage the generated user accounts, including identifying and cleaning up the accounts of one cluster without touching another.

How to revert to the pre-CU5 behavior in SQL Server 2019?

There might be scenarios where you can't accommodate the newly introduced subdomain parameter, for example if you must deploy a pre-CU5 release and you have already upgraded Azure Data CLI (azdata). This is highly unlikely, but if you need to revert to the pre-CU5 behavior you can set the useSubdomain parameter to false in the activeDirectory section of control.json. With useSubdomain set to false the SPN and account name collisions described above apply again, so such a cluster must be the only BDC in its AD domain.

The following example sets useSubdomain to false for this scenario.

azdata bdc config replace -c custom-prod-kubeadm/control.json -j "$.security.activeDirectory.useSubdomain=false" 

Next steps

Troubleshoot SQL Server Big Data Cluster Active Directory integration