Deploy SQL Server Big Data Clusters in Active Directory mode: Prerequisites

Applies to: SQL Server 2019 (15.x)

This document explains how to prepare to deploy a SQL Server big data cluster (BDC) in the Active Directory authentication mode. The cluster uses an existing AD domain for authentication.

Note

Before the SQL Server 2019 CU5 release, big data clusters had a restriction that only one cluster could be deployed against an Active Directory domain. This restriction is removed with the CU5 release; see Concept: deploy SQL Server Big Data Clusters in Active Directory mode for details on the new capabilities. Examples in this article are adjusted to accommodate both deployment use cases.

Background

To enable Active Directory (AD) authentication, the BDC automatically creates the users, groups, machine accounts, and service principal names (SPNs) that the various services in the cluster need. To contain these accounts and allow permissions to be scoped, we suggest creating an organizational unit (OU) before cluster deployment. All BDC-related AD objects will be created during deployment.

Prerequisites

Organizational Unit (OU)

An organizational unit (OU) is a subdivision within an Active Directory into which you place users, groups, and even other organizational units. At a high level, organizational units can be used to mirror an organization's functional or business structure. In this article we'll create an OU called bdc as an example.

Note

The organizational unit (OU) represents an administrative boundary and enables customers to control the scope of authority of data administrators.

You can follow OU Design Principles to decide on the best structure for working with OUs within your organization.

AD account for the BDC domain service account

To be able to create all the required objects in Active Directory automatically, the BDC needs an AD account that has specific permissions to create users, groups, and machine accounts inside the provided organizational unit (OU). This article explains how to configure the permissions of this AD account. We use an AD account called bdcDSA as an example in this article.

Auto-generated Active Directory objects

BDC deployment automatically generates account and group names. Each of the accounts represents a service in BDC and is managed by BDC throughout the lifetime of the cluster. Those accounts own the service principal names (SPNs) required by each service. For a full list of the AD auto-generated accounts, groups, and the services they manage, see Auto generated Active Directory objects.

Important

Depending on the password expiration policy set in the domain controller, passwords for these accounts can expire. The default expiration policy is 42 days. There is no mechanism to rotate credentials for all accounts in BDC, so the cluster will become inoperable once the expiration period is reached. To work around this issue, update the expiration policy for the BDC service accounts to "Password never expires" in the domain controller. This action can be done before or after the expiration time. In the latter case, Active Directory will reactivate the expired passwords.

The following image shows where to set this property in Active Directory Users and Computers.

Image: Set password expiration policy
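The same "Password never expires" setting can be applied and verified from PowerShell for every account in the BDC OU, which matters because a single expired service account makes the cluster inoperable. This is an added example, not part of the original article or of the product's tooling; it assumes the ActiveDirectory module and an OU distinguished name that you replace with your own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and that $ouDN points at the OU holding the BDC accounts.
Import-Module ActiveDirectory

$ouDN = "OU=bdc,DC=contoso,DC=com"   # assumption: replace with your OU's distinguished name

# Before: show which accounts in the OU are still subject to the expiration
# policy, and whether any password has already expired.
Get-ADUser -SearchBase $ouDN -Filter * `
    -Properties PasswordNeverExpires, PasswordExpired, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordExpired, PasswordLastSet |
    Format-Table -AutoSize

# Set "Password never expires" on every account in the OU that lacks it. As the
# note above states, this also reactivates passwords that have already expired.
Get-ADUser -SearchBase $ouDN -Filter 'PasswordNeverExpires -eq $false' |
    Set-ADUser -PasswordNeverExpires $true

# After: warn about anything in the OU that is still expiring. No output means
# every account in the OU now has the flag set.
Get-ADUser -SearchBase $ouDN -Filter 'PasswordNeverExpires -eq $false' |
    ForEach-Object { Write-Warning "Still subject to expiration: $($_.SamAccountName)" }
```

Run this after deployment, since the auto-generated accounts only exist in the OU once the cluster has been deployed.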

The steps below assume you already have an Active Directory domain controller. If you don't have a domain controller, the following guide includes steps that can be helpful.

Create AD objects

Do the following before you deploy a BDC with AD integration:

  1. Create an organizational unit (OU) where all BDC-related AD objects will be stored. Alternatively, you can choose an existing OU at deployment time.
  2. Create an AD account for BDC, or use an existing account, and grant this BDC AD account the right permissions inside the provided organizational unit (OU).

Create a user in AD for the BDC domain service account

The big data cluster requires an account with specific permissions. Before you proceed, make sure that you have an existing AD account, or create a new one, that the big data cluster can use to set up the necessary objects.

To create a new user in AD, you can right-click the domain or the OU and select New > User:

Image: Active Directory user dialog

This user will be referred to as the BDC domain service account in this article.

Create an OU

On the domain controller, open Active Directory Users and Computers. In the left panel, right-click the directory under which you want to create your OU and select New > Organizational Unit, then follow the prompts from the wizard to create the OU. Alternatively, you can create an OU with PowerShell:

New-ADOrganizationalUnit -Name "<name>" -Path "<Distinguished name of the directory you wish to create the OU in>"

The examples in this article use bdc for the OU name.

Image: Active Directory organizational unit

Image: New Object - Organizational Unit

Set permissions for an AD account

Whether you have created a new AD user or are using an existing AD user, there are certain permissions the user needs to have. This account is the user account that the BDC controller will use when joining the cluster to AD.

The BDC domain service account (DSA) needs to be able to create users, groups, and computer accounts in the OU. In the following steps, we have named the BDC domain service account bdcDSA. You can choose any name for this account.

  1. On the domain controller, open Active Directory Users and Computers.

  2. In the left panel, navigate to your domain, then to the OU that bdc will use.

  3. Right-click the OU, and select Properties.

  4. Go to the Security tab (make sure that you have selected Advanced Features by right-clicking on the OU and selecting View).

    Image: BDC object properties

  5. Click Add... and add the bdcDSA user.

    Image: Add BDC object properties

    Image: Select object

  6. Select the bdcDSA user and clear all permissions, then click Advanced.

  7. Click Add

    Image: Click Add

    • Click Select a Principal, enter bdcDSA, and click OK

    • Set Type to Allow

    • Set Applies To to This object and all descendant objects

      Image: Set Allow conditions for properties

    • Scroll down to the bottom, and click Clear all

    • Scroll back to the top, and select:

      • Read all properties
      • Write all properties
      • Create Computer objects
      • Delete Computer objects
      • Create Group objects
      • Delete Group objects
      • Create User objects
      • Delete User objects
    • Click OK

  • Click Add

    • Click Select a Principal, enter bdcDSA, and click OK

    • Set Type to Allow

    • Set Applies To to Descendant Computer objects

    • Scroll down to the bottom, and click Clear all

    • Scroll back to the top, and select Reset password

    • Click OK

  • Click Add

    • Click Select a Principal, enter bdcDSA, and click OK

    • Set Type to Allow

    • Set Applies To to Descendant User objects

    • Scroll down to the bottom, and click Clear all

    • Scroll back to the top, and select Reset password

    • Click OK

  • Click OK twice more to close the open dialog boxes
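The three access control entries built in the dialogs above can also be granted from PowerShell, which is easier to review and repeat than clicking through Advanced Security Settings. This is an added example, not part of the original article or of the product's tooling; it assumes the ActiveDirectory module, and the OU distinguished name and DSA name are placeholders to adjust.

```powershell
# Added example (not from the original article): grant the BDC domain service
# account exactly the OU permissions listed in the steps above.
Import-Module ActiveDirectory

$ouDN    = "OU=bdc,DC=contoso,DC=com"   # assumption: replace with your OU's distinguished name
$dsaName = "bdcDSA"                      # the BDC domain service account used in this article

# Well-known schemaIDGUIDs of the object classes the BDC creates, and the
# rightsGuid of the "Reset Password" control access right.
$guidComputer      = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$guidGroup         = [Guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"
$guidUser          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$guidResetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

$sid   = (Get-ADUser -Identity $dsaName).SID
$acl   = Get-Acl -Path "AD:\$ouDN"
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Entry 1: "This object and all descendant objects".
$all = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
# Read all properties / Write all properties (no object type means all properties).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty", $allow, $all))
# Create/Delete Computer, Group and User objects.
foreach ($class in @($guidComputer, $guidGroup, $guidUser)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild", $allow, $class, $all))
}

# Entries 2 and 3: "Reset password" on descendant Computer objects and on
# descendant User objects only (inheritedObjectType limits the scope).
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
foreach ($class in @($guidComputer, $guidUser)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $guidResetPassword, $descendants, $class))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list only the ACEs now granted to the DSA on the OU, so that nothing
# broader than the rights above was applied.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$dsaName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```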

Next steps

Deploy SQL Server Big Data Clusters in Active Directory mode

Troubleshoot SQL Server Big Data Cluster Active Directory integration

Concept: deploy SQL Server Big Data Clusters in Active Directory mode