MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/azure-arc/data/active-directory-introduction.md
Lines changed: 34 additions & 45 deletions b/‎articles/azure-arc/data/active-directory-introduction.md
Lines changed: 34 additions & 45 deletions
diff --git a/‎articles/azure-arc/data/active-directory-prerequisites.md
Lines changed: 146 additions & 0 deletions b/‎articles/azure-arc/data/active-directory-prerequisites.md
Lines changed: 146 additions & 0 deletions
@@ -6313,6 +6313,11 @@
       "redirect_url": "/azure/azure-app-configuration/quickstart-azure-functions-csharp",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/azure-arc/data/deploy-byok-active-directory-connector.md",
+      "redirect_url": "/azure/azure-arc/data/deploy-customer-managed-keytab-active-directory-connector",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-arc/data/reference/reference-az-sql-mi-arc-dag.md",
       "redirect_url": "/azure/azure-arc/data/reference/reference-az-sql-instance-failover-group-arc",
 
@@ -7,25 +7,28 @@ ms.subservice: azure-arc-data
 author: cloudmelon
 ms.author: melqin
 ms.reviewer: mikeray
-ms.date: 04/05/2022
+ms.date: 04/15/2022
 ms.topic: how-to
 ---
 
 # Azure Arc-enabled SQL Managed Instance with Active Directory authentication 
+Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication. 
 
-This article describes how to enable Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication. The article demonstrates two possible integration modes: 
--  Bring your own keytab mode 
--  Automatic mode 
+This article describes how to enable Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication. The article demonstrates two possible AD integration modes: 
+-  Customer-managed keytab (CMK) 
+-  System-managed keytab (SMK)  
 
-In Active Directory, the integration mode describes the management the keytab file.
+The notion of Active Directory(AD) integration mode describes the process for keytab management including: 
+- Creating AD account used by SQL Managed Instance
+- Registering Service Principal Names (SPNs) under the above AD account.
+- Generating keytab file 
 
 ## Background
-
-Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication. Users need to do the following steps to enable Active Directory authentication for Arc-enabled SQL Managed Instance: 
+To enable Active Directory authentication for SQL Server on Linux and Linux containers, use a [keytab file](/sql/linux/sql-server-linux-ad-auth-understanding#what-is-a-keytab-file). The keytab file is a cryptographic file containing service principal names (SPNs), account names and hostnames. SQL Server uses the keytab file for authenticating itself to the Active Directory (AD) domain and authenticating its clients using Active Directory (AD). Do the following steps to enable Active Directory authentication for Arc-enabled SQL Managed Instance: 
 
 - [Deploy data controller](create-data-controller-indirect-cli.md) 
-- [Deploy a bring your own keytab AD connector](deploy-byok-active-directory-connector.md) or [Deploy an automatic AD connector](deploy-automatic-active-directory-connector.md)
-- [Deploy managed instances](deploy-active-directory-sql-managed-instance.md)
+- [Deploy a customer-managed keytab AD connector](deploy-customer-managed-keytab-active-directory-connector.md) or [Deploy a system-managed keytab AD connector](deploy-system-managed-keytab-active-directory-connector.md)
+- [Deploy SQL managed instances](deploy-active-directory-sql-managed-instance.md)
 
 The following diagram shows how to enable Active Directory authentication for Azure Arc-enabled SQL Managed Instance:
 
@@ -34,53 +37,39 @@ The following diagram shows how to enable Active Directory authentication for Az
 
 ## What is an Active Directory (AD) connector?
 
-In order to enable Active Directory authentication for SQL Managed Instance, the managed instance must be deployed in an environment that allows it to communicate with the Active Directory domain. 
-
-To facilitate this, Azure Arc-enabled data services introduces a new Kubernetes-native [Custom Resource Definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) called `Active Directory Connector`, it provides Azure Arc-enabled managed instances running on the same data controller the ability to perform Active Directory authentication.
+In order to enable Active Directory authentication for SQL Managed Instance, the instance must be deployed in an environment that allows it to communicate with the Active Directory domain. 
 
+To facilitate this, Azure Arc-enabled data services introduces a new Kubernetes-native [Custom Resource Definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) called `Active Directory Connector`. It provides Azure Arc-enabled SQL managed instances running on the same data controller the ability to perform Active Directory authentication.
 
 ## Compare AD integration modes
 
-What is the difference between the two AD integration modes?
-
-To enable Active Directory Authentication for Arc-enabled SQL Managed Instances, you need an Active Directory (AD) connector where you determine the mode of the AD deployment. The two modes are:
-
-- Bring your own keytab
-- Automatic 
-
-The following sections describe the compare these modes.
-
-### Bring your own keytab mode
-
-In this mode, you provide:
- 
-- An Active Directory account
-- Service Principal Names (SPNs) under that AD account
-- Your own [keytab file](/sql/linux/sql-server-linux-ad-auth-understanding#what-is-a-keytab-file)
-
-When you deploy the bring your own keytab AD connector, you need to create the AD account, register the service principal names (SPN), and create the keytab file. You can create the account using [Active Directory utility (`adutil`)](/sql/linux/sql-server-linux-ad-auth-adutil-introduction).
+What is the difference between the two Active Directory integration modes?
 
-For more information, see [deploy a bring your own keytab Active Directory (AD) connector](deploy-automatic-active-directory-connector.md)
+To enable Active Directory authentication for Arc-enabled SQL Managed Instance, you need an Active Directory connector where you specify the Active Directory integration deployment mode. The two Active Directory integration modes are:
 
-### AD automatic integration mode
+- Customer-managed keytab
+- System-managed keytab 
 
-In automatic mode, you need an automatic Active Directory (AD) connector. You will bring an Organizational Unit (OU) and an AD domain service account has sufficient permissions in the Active Directory. 
+The following section compares these modes.
 
-Furthermore, the system:
+|                  |Customer-managed keytab|System-managed keytab -  Preview|
+|------------------|---------|--------|
+|**Use cases**|Small and medium size businesses who are familiar with managing Active Directory objects and want flexibility in their automation process |All sizes of businesses - seeking to highly automated Active Directory management experience|
+|**User provides**|An Active Directory account and SPNs under that account, and a [keytab file](/sql/linux/sql-server-linux-ad-auth-understanding#what-is-a-keytab-file) for Active Directory authentication |An [Organizational Unit (OU)](../../active-directory-domain-services/create-ou.md) and a domain service account has [sufficient permissions](deploy-system-managed-keytab-active-directory-connector.md?#prerequisites) on that OU in Active Directory.|
+|**Characteristics**|User managed. Users bring the Active Directory account, which impersonates the identity of the managed instance and the keytab file. |System managed. The system creates a domain service account for each managed instance and sets SPNs automatically on that account. It also, creates and delivers a keytab file to the managed instance. |
+|**Deployment process**| 1. Deploy data controller <br/> 2. Create keytab file <br/>3. Set up keytab information to Kubernetes secret<br/> 4. Deploy AD connector, deploy SQL managed instance<br/><br/>For more information, see [Deploy a customer-managed keytab Active Directory connector](deploy-customer-managed-keytab-active-directory-connector.md)  | 1. Deploy data controller, deploy AD connector<br/>2. Deploy SQL managed instance<br/><br/>For more information, see [Deploy a system-managed keytab Active Directory connector](deploy-system-managed-keytab-active-directory-connector.md) |
+|**Manageability**|You can create the keytab file by following the instructions from [Active Directory utility (`adutil`)](/sql/linux/sql-server-linux-ad-auth-adutil-introduction). Manual keytab rotation. |Managed keytab rotation.|
+|**Limitations**|We do not recommend sharing keytab files among services. Each service should have a specific keytab file. As the number of keytab files increases the level of effort and complexity increases. |Managed keytab generation and rotation. The service account will require sufficient permissions in Active Directory to manage the credentials. |
 
-- Creates a domain service AD account for each managed instance.
-- Sets SPNs automatically on that AD account.
-- Creates and delivers a keytab file to the managed instance.
+For either mode, you need a specific Active Directory account, keytab, and Kubernetes secret for each SQL managed instance.
 
-The mode of the AD connector is determined by the value of `spec.activeDirectory.serviceAccountProvisioning`. Set to either `manual` for bring your own keytab, or `automatic`. Once this parameter is set to automatic, the following parameters become mandatory: 
-- `spec.activeDirectory.ouDistinguishedName`
-- `spec.activeDirectory.domainServiceAccountSecret`
+## Enable Active Directory authentication in Arc-enabled SQL Managed Instance
 
-When you deploy SQL Managed Instance with the intention to enable Active Directory Authentication, the deployment needs to reference the Active Directory Connector instance to use. Referencing the Active Directory Connector in managed instance specification automatically sets up the needed environment in the SQL Managed Instance container for the managed instance to authenticate with Active Directory. 
+When you deploy SQL Managed Instance with the intention to enable Active Directory authentication, the deployment needs to reference an Active Directory connector instance to use. Referencing the Active Directory connector in managed instance specification automatically sets up the needed environment in the SQL Managed Instance container for the managed instance to authenticate with Active Directory.
 
 ## Next steps
 
-* [Deploy and bring your own keytab Active Directory (AD) connector](deploy-byok-active-directory-connector.md)
-* [Deploy an automatic Active Directory (AD) connector](deploy-automatic-active-directory-connector.md)
-* [Deploy Azure Arc-enabled SQL Managed Instance in Active Directory (AD)](deploy-active-directory-sql-managed-instance.md)
-* [Connect to AD-integrated Azure Arc-enabled SQL Managed Instance](connect-active-directory-sql-managed-instance.md)
+* [Deploy a customer-managed keytab Active Directory (AD) connector](deploy-customer-managed-keytab-active-directory-connector.md)
+* [Deploy a system-managed keytab Active Directory (AD) connector](deploy-system-managed-keytab-active-directory-connector.md)
+* [Deploy an Azure Arc-enabled SQL Managed Instance in Active Directory (AD)](deploy-active-directory-sql-managed-instance.md)
+* [Connect to Azure Arc-enabled SQL Managed Instance using Active Directory authentication](connect-active-directory-sql-managed-instance.md)
@@ -0,0 +1,146 @@
+---
+title: Deploy Azure Arc-enabled data services in Active Directory authentication - prerequisites
+description: Deploy Azure Arc-enabled data services in Active Directory authentication - prerequisites
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-data
+author: cloudmelon
+ms.author: melqin
+ms.reviewer: mikeray
+ms.date: 04/21/2022
+ms.topic: how-to
+---
+
+# Azure Arc-enabled SQL Managed Instance in Active Directory authentication with system-managed keytab - prerequisites
+
+This document explains how to prepare to deploy Azure Arc-enabled data services with Active Directory (AD) authentication. Specifically the article describes Active Directory objects you need to configure before the deployment of Kubernetes resources.
+
+[The introduction](active-directory-introduction.md#compare-ad-integration-modes) describes two different integration modes:
+- *System-managed keytab* mode allows the system to create and manage the AD accounts for each SQL Managed Instance.
+- *Customer-managed keytab* mode allows you to create and manage the AD accounts for each SQL Managed Instance.
+
+The requirements and recommendations are different for the two integration modes.
+
+
+|Active Directory Object|Customer-managed keytab       |System-managed keytab  |
+|---------|------------------------------|---------|
+|Organizational unit (OU)                |Recommended|Required         |
+|Active Directory domain service account (DSA) for Active Directory Connector |Not required|Required         |
+|Active directory account for SQL Managed Instance        |Created for each managed instance|System creates AD account for each managed instance|
+
+### DSA account - system-managed keytab mode
+
+To be able to create all the required objects in Active Directory automatically, AD Connector needs a domain service account (DSA). The DSA is an Active Directory account that has specific permissions to create, manage and delete users accounts inside the provided organizational unit (OU). This article explains how to configure the permission of this Active Directory account. The examples call the DSA account `arcdsa` as an example in this article.
+
+### Auto generated Active Directory objects
+
+An Arc-enabled SQL Managed Instance deployment automatically generates accounts in system-managed keytab mode. Each of the accounts represents a SQL Managed Instance and will be managed by the system throughout the lifetime of SQL. These accounts own the Service Principal Names (SPNs) required by each SQL.  
+
+The steps below assume you already have an Active Directory domain controller. If you don't have a domain controller, the following [guide](https://social.technet.microsoft.com/wiki/contents/articles/37528.create-and-configure-active-directory-domain-controller-in-azure-windows-server.aspx) includes steps that can be helpful.
+
+## Create Active Directory objects
+
+Do the following things before you deploy an Arc-enabled SQL Managed Instance with AD authentication:
+
+1. Create an organizational unit (OU) for all Arc-enabled SQL Managed Instance related AD objects. Alternatively, you can choose an existing OU upon deployment.
+1. Create an AD account for the AD Connector, or use an existing account, and provide this account the right permissions on the OU created in the previous step.
+
+### Create an OU
+
+System-managed keytab mode requires a designated OU. For customer-managed keytab mode an OU is recommended.
+
+On the domain controller, open **Active Directory Users and Computers**. On the left panel, right-click the directory under which you want to create your OU and select **New**\> **Organizational Unit**, then follow the prompts from the wizard to create the OU. Alternatively, you can create an OU with PowerShell:
+
+```powershell
+New-ADOrganizationalUnit -Name "<name>" -Path "<Distinguished name of the directory you wish to create the OU in>"
+```
+
+The examples in this article use `arcou` for the OU name.
+
+![Screenshot of Active Directory Users and computers menu.](media/active-directory-deployment/start-new-organizational-unit.png)
+
+![Screenshot of new object - organizational unit dialog.](media/active-directory-deployment/new-organizational-unit.png)
+
+### Create the domain service account (DSA)
+
+For system-managed keytab mode, you need an AD domain service account.
+
+Create the Active Directory user that you will use as the domain service account. This account requires specific permissions. Make sure that you have an existing Active Directory account or create a new account, which Arc-enabled SQL Managed Instance can use to set up the necessary objects.
+
+To create a new user in AD, you can right-click the domain or the OU and select **New** > **User**:
+
+![Screenshot of user properties.](media/active-directory-deployment/start-ad-new-user.png)
+
+This account will be referred to as *arcdsa* in this article.
+
+### Set permissions for the DSA
+
+For system-managed keytab mode, you need to set the permissions for the DSA. 
+
+Whether you have created a new account for the DSA or are using an existing Active Directory user account, there are certain permissions the account needs to have. The DSA needs to be able to create users, groups, and computer accounts in the OU. In the following steps, the Arc-enabled SQL Managed Instance domain service account name is `arcdsa`.
+
+> [!IMPORTANT]
+> You can choose any name for the DSA, but we do not recommend altering the account name once AD Connector is deployed.
+
+1. On the domain controller, open **Active Directory Users and Computers**, click on **View**, select **Advanced Features**
+
+1. In the left panel, navigate to your domain, then the OU which `arcou` will use
+
+1. Right-click the OU, and select **Properties**.
+
+> [!NOTE]
+> Make sure that you have selected **Advanced Features** by right-clicking on the OU, and selecting **View**
+
+1. Go to the Security tab. Select **Advanced Features** right-click on the OU, and select **View**.
+
+    ![AD object properties](./media/active-directory-deployment/start-ad-new-user.png)
+
+1. Select **Add...** and add the **arcdsa** user.
+
+    ![Screenshot of add user dialog.](./media/active-directory-deployment/add-user.png)
+
+1. Select the **arcdsa** user and clear all permissions, then select **Advanced**.
+
+1. Select **Add**
+
+    - Select **Select a Principal**, insert **arcdsa**, and select **Ok**.
+
+    - Set **Type** to **Allow**.
+
+    - Set **Applies To** to **This Object and all descendant objects**.
+
+        ![Screenshot of permission entries.](./media/active-directory-deployment/set-permissions.png)
+
+    - Scroll down to the bottom, and select **Clear all**.
+
+    - Scroll back to the top, and select:
+       - **Read all properties**
+       - **Write all properties**
+       - **Create User objects**
+       - **Delete User objects**
+       - **Reset Password for Descendant User objects**
+
+    - Select **OK**.
+
+1. Select **Add**.
+
+    - Select **Select a Principal**, insert **arcdsa**, and select **Ok**.
+
+    - Set **Type** to **Allow**.
+
+    - Set **Applies To** to **Descendant User objects**.
+
+    - Scroll down to the bottom, and select **Clear all**.
+
+    - Scroll back to the top, and select **Reset password**.
+
+    - Select **OK**.
+
+- Select **OK** twice more to close open dialog boxes.
+
+## Next steps
+
+* [Deploy a customer-managed keytab Active Directory (AD) connector](deploy-customer-managed-keytab-active-directory-connector.md)
+* [Deploy a system-managed keytab Active Directory (AD) connector](deploy-system-managed-keytab-active-directory-connector.md)
+* [Deploy an Azure Arc-enabled SQL Managed Instance in Active Directory (AD)](deploy-active-directory-sql-managed-instance.md)
+* [Connect to Azure Arc-enabled SQL Managed Instance using Active Directory authentication](connect-active-directory-sql-managed-instance.md)