The following instructions expect that the users can bring in the Active Directory domain and provide to the AD system-managed keytab deployment.
43
43
44
44
* A unique name of an Active Directory user account for SQL
45
-
* DNS record for the endpoint DNS name for SQL
45
+
* DNS A (forward) record for the primary (and optionally, secondary) endpoint of SQL
46
46
47
47
---
48
48
49
49
## Before you deploy SQL Managed Instance
50
50
51
-
1. Identify a DNS name for the SQL endpoint.
51
+
1. Identify a DNS name for the SQL endpoints.
52
52
53
-
Choose a unique DNS name for the SQL endpoint that clients will connect to from outside the Kubernetes cluster.
53
+
Choose unique DNS names for the SQL endpoints that clients will connect to from outside the Kubernetes cluster.
54
54
55
-
This DNS name should be in the Active Directory domain or its descendant domains.
55
+
These DNS names should be in the Active Directory domain or its descendant domains.
56
56
57
-
The examples in these instructions use `sqlmi.contoso.local` for the DNS name.
57
+
The examples in these instructions use `sqlmi-primary.contoso.local` for the primary DNS name and `sqlmi-secondary.contoso.local` for the secondary DNS name.
58
58
59
-
2. Identify the port number for the SQL endpoint.
59
+
2. Identify the port numbers for the SQL endpoints.
60
60
61
-
You provide a port number for the SQL endpoint.
61
+
You provide a port number for each of the SQL endpoints.
62
62
63
-
This port number must be in the acceptable range of port numbers for Kubernetes cluster.
63
+
These port numbers must be in the acceptable range of port numbers for Kubernetes cluster.
64
64
65
-
The examples in these instructions use `31433` for the port number.
65
+
The examples in these instructions use `31433` for the primary port number and `31434` for the secondary port number.
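Review bot: The steps in this hunk drop the "optionally" that the prerequisite bullet keeps ("DNS A (forward) record for the primary (and optionally, secondary) endpoint"), so "Choose unique DNS names for the SQL endpoints" and "You provide a port number for each of the SQL endpoints" now read as if the secondary endpoint were mandatory; add a clause such as "and, if you use a readable secondary endpoint, for that endpoint as well" to keep the two sections consistent. Minor style point on the same lines: "acceptable range of port numbers for Kubernetes cluster" should read "for the Kubernetes cluster" (the missing article was already present in the removed line, so this is a good moment to fix it).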
@@ -88,17 +88,17 @@ The following instructions expect that the users can bring in the Active Directo
88
88
89
89
---
90
90
91
-
4. Create a DNS record for the SQL endpoint in the Active Directory DNS servers.
91
+
4. Create DNS records for the SQL endpoints in the Active Directory DNS servers.
92
92
93
-
In one of the Active Directory DNS servers, create an A record (forward lookup record) for the DNS name chosen in step 1. This DNS record should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
93
+
In one of the Active Directory DNS servers, create A records (forward lookup records) for the DNS names chosen in step 1. These DNS records should point to the IP address that the SQL endpoint will listen on for connections from outside the Kubernetes cluster.
94
94
95
-
You do not need to create a PTR record (reverse lookup record) in association with the A record.
95
+
You do not need to create PTR records (reverse lookup records) in association with the A records.
In order for SQL to be able to accept AD authentication against the SQL endpoint DNS name, we need to register two SPNs under the account generated in the previous step. These two SPNs should be of the following format:
101
+
In order for SQL to be able to accept AD authentication against the SQL endpoints, we need to register two SPNs under the account generated in the previous step. SPNs must be registered for the primary endpoint and optionally for the secondary endpoint if AD authentication is desired on the secondary endpoint. The SPNs should be of the following format:
102
102
103
103
```output
104
104
MSSQLSvc/<DNS name>
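Review bot: "we need to register two SPNs under the account" no longer matches the sentence that follows it ("SPNs must be registered for the primary endpoint and optionally for the secondary endpoint"), because each endpoint needs both the `MSSQLSvc/<DNS name>` and `MSSQLSvc/<DNS name>:<port>` forms; rephrase to "two SPNs per endpoint" so the count is right for the four-SPN case. In the same hunk, "These DNS records should point to the IP address that the SQL endpoint will listen on" keeps a singular endpoint after pluralising the records; state explicitly whether the primary and secondary A records point to the same external IP address or to one address per endpoint, since that is what the reader has to configure.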
@@ -112,11 +112,18 @@ The following instructions expect that the users can bring in the Active Directo
112
112
setspn -S MSSQLSvc/<DNS name>:<port> <account>
113
113
```
114
114
115
-
With the chosen example DNS name, port number and the account name in this document, the commands should look like the following:
115
+
With the chosen example primary endpoint DNS name, port number and the account name in this document, the commands should look like the following:
Additionally, if AD authentication is needed on the secondary endpoint, the following commands will add SPNs for the secondary endpoint using the chosen example DNS name and port number:
6. Generate a keytab file containing entries for the account and SPNs
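Review bot: The added sentence "Additionally, if AD authentication is needed on the secondary endpoint, the following commands will add SPNs for the secondary endpoint" promises commands that do not appear in this hunk as rendered; make sure a fenced `setspn` block for `sqlmi-secondary.contoso.local` and port `31434`, mirroring the primary block, actually follows it, otherwise the reader has nothing to run. Style point on the preceding line: "With the chosen example primary endpoint DNS name, port number and the account name" reads better as "With the example primary endpoint DNS name, port number, and account name chosen in this document", and the new step heading "6. Generate a keytab file containing entries for the account and SPNs" needs a trailing period to match the other numbered steps.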
@@ -148,12 +155,14 @@ The following instructions expect that the users can bring in the Active Directo
148
155
149
156
The input parameters are expecting the following values:
150
157
*`--realm` expects the uppercase of the AD domain, such as CONTOSO.LOCAL
151
-
*`--account` expects the AD account under where the SPNs are registered, such sqlmi-account
152
-
*`--port` expects the SQL endpoint port number 31433
153
-
*`--dns-name` expects the DNS name for the SQL endpoint
158
+
*`--account` expects the AD account under where the SPNs are registered, such as sqlmi-account
159
+
*`--port` expects the primary SQL endpoint port number, such as 31433
160
+
*`--dns-name` expects the DNS name for the primary SQL endpoint
154
161
*`--keytab-file` expects the path to the keytab file
155
162
*`--secret-name` expects the name of the keytab secret to generate a specification for
156
163
*`--secret-namespace` expects the Kubernetes namespace containing the keytab secret
164
+
*`--secondary-port` expects the secondary SQL endpoint port number, such as 31434 (optional)
165
+
*`--secondary-dns-name` expects the DNS name for the secondary SQL endpoint (optional)
157
166
158
167
Choose a name for the Kubernetes secret hosting the keytab. The namespace should be the same as what SQL will be deployed in.
159
168
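Review bot: The parameter list items in this hunk are written as `*`--realm``, `*`--account``, and so on with no space after the asterisk, so Markdown will not render them as bullets (this was already broken on the removed lines, and the added `--secondary-port` and `--secondary-dns-name` lines copy the defect); insert a space after each `*`. Two wording fixes while touching these lines: "The input parameters are expecting the following values" should be "The input parameters expect the following values", and "the AD account under where the SPNs are registered" should be "the AD account under which the SPNs are registered". It would also help to say whether `--secondary-port` and `--secondary-dns-name` must be supplied together, since a keytab entry for the secondary SPNs needs both the name and the port.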
@@ -211,14 +220,18 @@ To support Active Directory authentication on SQL, the deployment specification
211
220
Name of the Active Directory account for this managed instance.
212
221
- `spec.security.activeDirectory.keytabSecret`
213
222
Name of the Kubernetes secret hosting the pre-created keytab file by users. This secret must be in the same namespace as the managed instance. This parameter is only required for the AD deployment in customer-managed keytab mode.
214
-
- `spec.services.primary.dnsName`
223
+
- `spec.services.primary.dnsName`
215
224
You provide a DNS name for the primary SQL endpoint.
216
-
- `spec.services.primary.port`
225
+
- `spec.services.primary.port`
217
226
You provide a port number for the primary SQL endpoint.
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
231
+
- `spec.services.readableSecondaries.dnsName`
232
+
You provide a DNS name for the secondary SQL endpoint.
233
+
- `spec.services.readableSecondaries.port`
234
+
You provide a port number for the secondary SQL endpoint.
Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.
238
-
- `spec.security.activeDirectory.encryptionTypes`
239
-
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
251
+
- `spec.security.activeDirectory.encryptionTypes`
252
+
List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.
253
+
- `spec.services.readableSecondaries.dnsName`
254
+
You provide a DNS name for the secondary SQL endpoint.
255
+
- `spec.services.readableSecondaries.port`
256
+
You provide a port number for the secondary SQL endpoint.
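Review bot: The added `spec.services.readableSecondaries.dnsName` and `spec.services.readableSecondaries.port` entries appear twice on the new side of this hunk, once directly after the Active Directory connector namespace paragraph and again after the `spec.security.activeDirectory.encryptionTypes` entry; keep a single copy so the parameter reference does not list the same field twice. The descriptions "You provide a DNS name for the secondary SQL endpoint" and "You provide a port number for the secondary SQL endpoint" should also state that these fields are only required when AD authentication is wanted on the readable secondary, matching the "(optional)" marking on `--secondary-dns-name` and `--secondary-port` earlier in the document. Minor grammar on the connector paragraph: "system will assume the same namespace as SQL" should read "the system will assume the same namespace as SQL".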