The following instructions expect that the users can bring in the Active Directory domain and provide to the AD system-managed keytab deployment.
41
41
42
42
* A unique name of an Active Directory user account for SQL
43
-
* DNS record for the endpoint DNS name for SQL
43
+
* DNS A (forward) record for the primary (and optionally, secondary) endpoint of SQL
44
44
45
45
---
46
46
47
47
## Before you deploy SQL Managed Instance
48
48
49
-
1. Identify a DNS name for the SQL endpoint.
49
+
1. Identify a DNS name for the SQL endpoints.
50
50
51
-
Choose a unique DNS name for the SQL endpoint that clients will connect to from outside the Kubernetes cluster.
51
+
Choose unique DNS names for the SQL endpoints that clients will connect to from outside the Kubernetes cluster.
52
52
53
-
This DNS name should be in the Active Directory domain or its descendant domains.
53
+
These DNS names should be in the Active Directory domain or its descendant domains.
54
54
55
-
The examples in these instructions use `sqlmi.contoso.local` for the DNS name.
55
+
The examples in these instructions use `sqlmi-primary.contoso.local` for the primary DNS name and `sqlmi-secondary.contoso.local` for the secondary DNS name.
56
56
57
-
2. Identify the port number for the SQL endpoint.
57
+
2. Identify the port numbers for the SQL endpoints.
58
58
59
-
You provide a port number for the SQL endpoint.
59
+
You provide a port number for each of the SQL endpoints.
60
60
61
-
This port number must be in the acceptable range of port numbers for Kubernetes cluster.
61
+
These port numbers must be in the acceptable range of port numbers for Kubernetes cluster.
62
62
63
-
The examples in these instructions use `31433` for the port number.
63
+
The examples in these instructions use `31433` for the primary port number and `31434` for the secondary port number.
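Review bot: steps 1 and 2 now read as if both endpoints are mandatory ("Choose unique DNS names for the SQL endpoints", "You provide a port number for each of the SQL endpoints"), while the prerequisite bullet in the same hunk says the secondary endpoint is optional ("primary (and optionally, secondary) endpoint"). Suggest qualifying both steps, e.g. "Choose a unique DNS name for the primary SQL endpoint and, if you plan to use a readable secondary, for the secondary endpoint", so readers without a secondary do not think a second name and port are required. Also, "in the acceptable range of port numbers for Kubernetes cluster" is missing an article: "for the Kubernetes cluster".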
@@ -86,17 +86,17 @@ The following instructions expect that the users can bring in the Active Directo
86
86
87
87
---
88
88
89
-
4. Create a DNS record for the SQL endpoint in the Active Directory DNS servers.
89
+
4. Create DNS records for the SQL endpoints in the Active Directory DNS servers.
90
90
91
-
In one of the Active Directory DNS servers, create an A record (forward lookup record) for the DNS name chosen in step 1. This DNS record should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
91
+
In one of the Active Directory DNS servers, create A records (forward lookup records) for the DNS names chosen in step 1. These DNS records should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
92
92
93
-
You do not need to create a PTR record (reverse lookup record) in association with the A record.
93
+
You do not need to create PTR records (reverse lookup records) in association with the A records.
In order for SQL to be able to accept AD authentication against the SQL endpoint DNS name, we need to register two SPNs under the account generated in the previous step. These two SPNs should be of the following format:
99
+
In order for SQL to be able to accept AD authentication against the SQL endpoints, we need to register two SPNs under the account generated in the previous step. SPNs must be registered for the primary endpoint and optionally for the secondary endpoint if AD authentication is desired on the secondary endpoint. The SPNs should be of the following format:
100
100
101
101
```output
102
102
MSSQLSvc/<DNS name>
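Review bot: the rewritten step 4 pluralizes the records but keeps the endpoint singular ("These DNS records should point to the IP address that the SQL endpoint will listen on"), which implies both A records must resolve to one IP; if the primary and secondary endpoints can listen on different addresses, say "point to the IP address that the corresponding SQL endpoint will listen on". In the SPN paragraph, "we need to register two SPNs" is now ambiguous once a secondary is introduced: it is two SPNs per endpoint (with and without the port), so up to four in total. Suggest "register two SPNs per endpoint under the account generated in the previous step".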
@@ -110,11 +110,18 @@ The following instructions expect that the users can bring in the Active Directo
110
110
setspn -S MSSQLSvc/<DNS name>:<port> <account>
111
111
```
112
112
113
-
With the chosen example DNS name, port number and the account name in this document, the commands should look like the following:
113
+
With the chosen example primary endpoint DNS name, port number and the account name in this document, the commands should look like the following:
Additionally, if AD authentication is needed on the secondary endpoint, the following commands will add SPNs for the secondary endpoint using the chosen example DNS name and port number:
6. Generate a keytab file containing entries for the account and SPNs
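Review bot: the new sentence introducing the secondary SPN commands ("the following commands will add SPNs for the secondary endpoint using the chosen example DNS name and port number") does not say which account they are registered under. Since the keytab generation step takes a single `--account` and the earlier text requires the SPNs to sit under the account generated in the previous step, state explicitly that the secondary SPNs go under the same account, otherwise a reader may create a second account whose SPNs the keytab will never cover and AD authentication to the secondary will fail.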
@@ -146,12 +153,14 @@ The following instructions expect that the users can bring in the Active Directo
146
153
147
154
The input parameters are expecting the following values:
148
155
*`--realm` expects the uppercase of the AD domain, such as CONTOSO.LOCAL
149
-
*`--account` expects the AD account under where the SPNs are registered, such sqlmi-account
150
-
*`--port` expects the SQL endpoint port number 31433
151
-
*`--dns-name` expects the DNS name for the SQL endpoint
156
+
*`--account` expects the AD account under where the SPNs are registered, such as sqlmi-account
157
+
*`--port` expects the primary SQL endpoint port number, such as 31433
158
+
*`--dns-name` expects the DNS name for the primary SQL endpoint
152
159
*`--keytab-file` expects the path to the keytab file
153
160
*`--secret-name` expects the name of the keytab secret to generate a specification for
154
161
*`--secret-namespace` expects the Kubernetes namespace containing the keytab secret
162
+
*`--secondary-port` expects the secondary SQL endpoint port number, such as 31434 (optional)
163
+
*`--secondary-dns-name` expects the DNS name for the secondary SQL endpoint (optional)
155
164
156
165
Choose a name for the Kubernetes secret hosting the keytab. The namespace should be the same as what SQL will be deployed in.
157
166
@@ -209,14 +218,18 @@ To support Active Directory authentication on SQL, the deployment specification
209
218
Name of the Active Directory account for this managed instance.
210
219
- `spec.security.activeDirectory.keytabSecret`
211
220
Name of the Kubernetes secret hosting the pre-created keytab file by users. This secret must be in the same namespace as the managed instance. This parameter is only required for the AD deployment in customer-managed keytab mode.
212
-
- `spec.services.primary.dnsName`
221
+
- `spec.services.primary.dnsName`
213
222
You provide a DNS name for the primary SQL endpoint.
214
-
- `spec.services.primary.port`
223
+
- `spec.services.primary.port`
215
224
You provide a port number for the primary SQL endpoint.
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
229
+
- `spec.services.readableSecondaries.dnsName`
230
+
You provide a DNS name for the secondary SQL endpoint.
231
+
- `spec.services.readableSecondaries.port`
232
+
You provide a port number for the secondary SQL endpoint.
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
236
-
- `spec.security.activeDirectory.encryptionTypes`
237
-
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
249
+
- `spec.security.activeDirectory.encryptionTypes`
250
+
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
251
+
- `spec.services.readableSecondaries.dnsName`
252
+
You provide a DNS name for the secondary SQL endpoint.
253
+
- `spec.services.readableSecondaries.port`
254
+
You provide a port number for the secondary SQL endpoint.
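Review bot: `spec.services.readableSecondaries.dnsName` and `spec.services.readableSecondaries.port` are inserted twice in this hunk, once at +229..+232 after the connector-namespace line and again at +251..+254 after the re-added `spec.security.activeDirectory.encryptionTypes` entry, with identical text; keep one copy. While the `encryptionTypes` entry is being moved, it would be worth adding that the default (all types allowed, including RC4) is the weaker setting and that deployments should set only AES128 and AES256 unless a client genuinely requires RC4, since the paragraph already explains how to do that.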