Merge pull request #182999 from MicrosoftDocs/release-arc-data

Publish Arc Data August release

Author: MikeRayMSFT

articles/azure-arc/data/active-directory-introduction.md

@@ -0,0 +1,49 @@
+---
+title: Introduction to Azure Arc-enabled data services with Active Directory authentication
+description: Introduction to Azure Arc-enabled data services with Active Directory authentication
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-data
+author: cloudmelon
+ms.author: melqin
+ms.reviewer: mikeray
+ms.date: 12/15/2021
+ms.topic: how-to
+---
+
+# Introduction to Azure Arc-enabled SQL Managed Instance with Active Directory authentication 
+
+This article describes Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication by bring your own keytab (BYOK) where the user is expected to provide a pre-created Active Directory account, Service Principal Names and Keytab.
+
+## Background
+
+In order to support Active Directory authentication for SQL Managed Instance, a SQL Managed Instance must be deployed in an environment that allows it to communicate with the Active Directory domain.
+To facilitate this, Azure Arc introduces a new Kubernetes-native [custom resource definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) called `Active Directory Connector`. You can specify this kind of resource in the CRD. An Active Directory Connector custom resource stores the information needed to enable connections to DNS and AD for purposes of authenticating users and service accounts.
+
+This custom resource deploys a DNS proxy service that mediates between the SQL Managed Instance DNS resolver and the two upstream DNS servers:
+
+1. Kubernetes DNS servers
+2. Active Directory DNS servers
+
+When a SQL Managed Instance is deployed with Active Directory Authentication enabled, it will reference the Active Directory Connector instance it wants to use. Referencing the Active Directory Connector in SQL MI spec will automatically set up the needed environment in the SQL Managed Instance container for SQL MI to perform Active Directory authentication.
+
+## Active Directory Connector and SQL Managed Instance
+
+![Actice Directory Connector](media/active-directory-deployment/active-directory-connector-byok.png)
+
+## Bring Your Own Keytab (BYOK) 
+
+The following are the steps for user to set up:
+
+1. Creating and providing an Active Directory account for each SQL Managed Instance that must accept AD authentication.
+1. Providing a DNS name belonging to the Active Directory DNS domain for the SQL Managed Instance endpoint.
+1. Creating a DNS record in Active Directory for the SQL endpoint.
+1. Providing a port number for the SQL Managed Instance endpoint.
+1. Registering Service Principal Names (SPNs) under the AD account in Active Directory domain for the SQL endpoint.
+1. Creating and providing a keytab file for SQL Managed Instance containing entries for the AD account and SPNs.
+
+## Next steps
+
+* [Deploy Active Directory (AD) connector](deploy-active-directory-connector.md)
+* [Deploy Azure Arc-enabled SQL Managed Instance in Active Directory (AD)](deploy-active-directory-sql-managed-instance.md)
+* [Connect to AD-integrated Azure Arc-enabled SQL Managed Instance](connect-active-directory-sql-managed-instance.md)

articles/azure-arc/data/connect-active-directory-sql-managed-instance.md

@@ -0,0 +1,74 @@
+---
+title: Connect to AD-integrated Azure Arc-enabled SQL Managed Instance
+description: Connect to AD-integrated Azure Arc-enabled SQL Managed Instance
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-data
+author: cloudmelon
+ms.author: melqin
+ms.reviewer: mikeray
+ms.date: 12/15/2021
+ms.topic: how-to
+---
+
+# Connect to AD-integrated Azure Arc-enabled SQL Managed Instance
+
+This article describes how to connect to SQL Managed Instance endpoint using Active Directory (AD) authentication. Before you proceed, make sure you have an AD-integrated Azure Arc-enabled SQL Managed Instance deployed already.
+
+See [Tutorial – Deploy AD-integrated SQL Managed Instance (Bring Your Own Keytab)](deploy-active-directory-sql-managed-instance.md) to deploy a Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication enabled.
+
+## Create Active Directory logins in SQL Managed Instance
+
+Once SQL Managed Instance is successfully deployed, you will need to provision AD logins in SQL Server.
+In order to do this, first connect to the SQL Managed Instance using the SQL login with administrative privileges and run the following TSQL:
+
+```console
+CREATE LOGIN [<NetBIOS domain name>\<AD account name>] FROM WINDOWS;
+GO
+```
+
+For an AD domain `contoso.local` with NetBIOS domain name as `CONTOSO`, if you want to create a login for AD account `admin`, the command should look like the following:
+
+```console
+CREATE LOGIN [CONTOSO\admin] FROM WINDOWS;
+GO
+```
+
+## Connect to Azure Arc-enabled SQL Managed Instance
+
+From your domain joined Windows-based client machine or a Linux-based domain aware machine, you can use `sqlcmd` utility, or open [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) or [Azure Data Studio (ADS)](/sql/azure-data-studio/download-azure-data-studio) to connect to the Azure Arc-enabled SQL Managed Instance using AD authentication.
+
+A domain-aware Linux-based machine is one where you are able to use Kerberos authentication using kinit. Such machine should have /etc/krb5.conf file set to point to the Active Directory domain (realm) being used. It should also have /etc/resolv.conf file set such that one can run DNS lookups against the Active Directory domain.
+
+
+### Connect from Linux/Mac OS
+
+To connect from a Linux/Mac OS client, authenticate to Active Directory using the kinit command and then use sqlcmd tool to connect to the SQL Managed Instance.
+
+```bash
+kinit <username>@<REALM>
+sqlcmd -S <Endpoint DNS name>,<Endpoint port number> -E
+```
+
+For connecting using the CONTOSO\admin AD account to the SQL Managed Instance with endpoint sqlmi.contoso.local at port 31433, the commands should look like the following. The -E argument is used to perform Integrated Authentication.
+
+```bash
+kinit [email protected]
+sqlcmd -S sqlmi.contoso.local,31433 -E
+```
+
+## Connect to SQL MI instance from Windows
+
+From Windows, when you run the following command, the AD identity you are logged in to Windows with should be picked up automatically for connecting to SQL Managed Instance.
+
+```bash
+sqlcmd -S <DNS name for master instance>,31433 -E
+```
+
+## Connect to SQL MI instance from SSMS
+
+![Connect with SSMS](media/active-directory-deployment/connect-with-ssms.png)
+
+## Connect to SQL MI instance from ADS
+
+![Connect with ADS](media/active-directory-deployment/connect-with-ads.png)

articles/azure-arc/data/create-data-controller-using-kubernetes-native-tools.md

@@ -216,15 +216,21 @@ First, create a copy of the [template file](https://raw.githubusercontent.com/mi
 
 Edit the following as needed:
 
-**REQUIRED**
-- **location**: Change this to be the Azure location where the _metadata_ about the data controller will be stored.  Review the [list of available regions](overview.md#supported-regions).
-- **resourceGroup**: the Azure resource group where you want to create the data controller Azure resource in Azure Resource Manager.  Typically this resource group should already exist, but it is not required until the time that you upload the data to Azure.
-- **subscription**: the Azure subscription GUID for the subscription that you want to create the Azure resources in.
-
-**RECOMMENDED TO REVIEW AND POSSIBLY CHANGE DEFAULTS**
-- **storage..className**: the storage class to use for the data controller data and log files.  If you are unsure of the available storage classes in your Kubernetes cluster, you can run the following command: `kubectl get storageclass`.  The default is `default` which assumes there is a storage class that exists and is named `default` not that there is a storage class that _is_ the default.  Note: There are two className settings to be set to the desired storage class - one for data and one for logs.
-- **serviceType**: Change the service type to `NodePort` if you are not using a LoadBalancer.
-- **Security** For Azure Red Hat OpenShift or Red Hat OpenShift Container Platform, replace the `security:` settings with the following values in the data controller yaml file.
+- **Required**
+   - **location**
+      Change this to be the Azure location where the _metadata_ about the data controller will be stored.  Review the [list of available regions](overview.md#supported-regions).
+   - **resourceGroup**
+      The Azure resource group where you want to create the data controller Azure resource in Azure Resource Manager.  Typically this resource group should already exist, but it is not required until the time that you upload the data to Azure.
+   - **subscription**
+      The Azure subscription GUID for the subscription that you want to create the Azure resources in.
+
+- **Recommend review and possibly change default values**
+   - **storage..className**
+      The storage class to use for the data controller data and log files.  If you are unsure of the available storage classes in your Kubernetes cluster, you can run the following command: `kubectl get storageclass`.  The default is `default` which assumes there is a storage class that exists and is named `default` not that there is a storage class that _is_ the default.  Note: There are two className settings to be set to the desired storage class - one for data and one for logs.
+   - **serviceType**
+      Change the service type to `NodePort` if you are not using a LoadBalancer.
+   - **Security**
+      For Azure Red Hat OpenShift or Red Hat OpenShift Container Platform, replace the `security:` settings with the following values in the data controller yaml file.
 
 ```yml
   security:

articles/azure-arc/data/deploy-active-directory-connector.md

@@ -0,0 +1,140 @@
+---
+title: Tutorial – Deploy Active Directory Connector
+description: Tutorial to deploy Active Directory Connector
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-data
+author: cloudmelon
+ms.author: melqin
+ms.reviewer: mikeray
+ms.date: 12/10/2021
+ms.topic: how-to
+---
+
+
+# Tutorial – Deploy Active Directory Connector
+
+This article explains how to deploy Active Directory Connector Custom Resource.
+
+## What is an Active Directory (AD) connector?
+
+The Active Directory (AD) connector is a Kubernetes native custom resource definition (CRD) that allows you to provide 
+SQL Managed Instances running on the same Data Controller an ability to perform Active Directory Authentication.
+
+An Active Directory Connector instance deploys a DNS proxy service that proxies the DNS requests
+coming from the SQL Managed Instance to either of the two upstream DNS services:
+* Active Directory DNS Servers
+* Kubernetes DNS Servers
+
+## Prerequisites
+
+Before you proceed, you must have:
+
+* An instance of Data Controller deployed on a supported version of Kubernetes
+* An Active Directory domain
+
+## Input for deploying Active Directory (AD) Connector
+
+To deploy an instance of Active Directory Connector, several inputs are needed from the Active Directory domain environment.
+These inputs are provided in a YAML spec of AD Connector instance.
+
+Following metadata about the AD domain must be available before deploying an instance of AD Connector:
+* Name of the Active Directory domain
+* List of the domain controllers (fully-qualified domain names)
+* List of the DNS server IP addresses
+
+Following input fields are exposed to the users in the Active Directory Connector spec:
+
+- **Required**
+   - **spec.activeDirectory.realm**
+     Name of the Active Directory domain in uppercase. This is the AD domain that this instance of AD Connector will be associated with.
+
+   - **spec.activeDirectory.domainControllers.primaryDomainController.hostname**
+      Fully-qualified domain name of the Primary Domain Controller (PDC) in the AD domain.
+
+      If you do not know which domain controller in the domain is primary, you can find out by running this command on any Windows machine joined to the AD domain: `netdom query fsmo`.
+   
+   - **spec.activeDirectory.dns.nameserverIpAddresses**
+      List of Active Directory DNS server IP addresses. DNS proxy service will forward DNS queries in the provided domain name to these servers.
+
+
+- **Optional**
+   - **spec.activeDirectory.netbiosDomainName**
+      NETBIOS name of the Active Directory domain. This is the short domain name that represents the Active Directory domain.
+
+      This is often used to qualify accounts in the AD domain. e.g. if the accounts in the domain are referred to as CONTOSO\admin, then CONTOSO is the NETBIOS domain name.
+      
+      This field is optional. When not provided, it defaults to the first label of the `spec.activeDirectory.realm` field.
+
+      In most domain environments, this is set to the default value but some domain environments may have a non-default value.
+
+  - **spec.activeDirectory.domainControllers.secondaryDomainControllers[*].hostname** 
+      List of the fully-qualified domain names of the secondary domain controllers in the AD domain.
+
+      If your domain is served by multiple domain controllers, it is a good practice to provide some of their fully-qualified domain names in this list. This allows high-availability for Kerberos operations.
+
+      This field is optional and not needed if your domain is served by only one domain controller.
+
+  - **spec.activeDirectory.dns.domainName** 
+      DNS domain name for which DNS lookups should be forwarded to the Active Directory DNS servers.
+
+      A DNS lookup for any name belonging to this domain or its descendant domains will get forwarded to Active Directory.
+
+      This field is optional. When not provided, it defaults to the value provided for `spec.activeDirectory.realm` converted to lowercase.
+
+  - **spec.activeDirectory.dns.replicas** 
+      Replica count for DNS proxy service. This field is optional and defaults to 1 when not provided.
+
+  - **spec.activeDirectory.dns.preferK8sDnsForPtrLookups**
+      Flag indicating whether to prefer Kubernetes DNS server response over AD DNS server response for IP address lookups.
+
+      DNS proxy service relies on this field to determine which upstream group of DNS servers to prefer for IP address lookups.
+
+      This field is optional. When not provided, it defaults to true i.e. the DNS lookups of IP addresses will be first forwarded to Kubernetes DNS servers.
+
+      If Kubernetes DNS servers fail to answer the lookup, the query is then forwarded to AD DNS servers.
+
+
+## Deploy Active Directory (AD) connector
+To deploy an AD connector, create a YAML spec file called `active-directory-connector.yaml`.
+The following example uses an AD domain of name `CONTOSO.LOCAL`. Ensure to replace the values with the ones for your AD domain.
+
+```yaml
+apiVersion: arcdata.microsoft.com/v1beta1
+kind: ActiveDirectoryConnector
+metadata:
+  name: adarc
+  namespace: <namespace>
+spec:
+  activeDirectory:
+    realm: CONTOSO.LOCAL
+    domainControllers:
+      primaryDomainController:
+        hostname: dc1.contoso.local
+      secondaryDomainControllers:
+      - hostname: dc2.contoso.local
+      - hostname: dc3.contoso.local
+  dns:
+    preferK8sDnsForPtrLookups: false
+    nameserverIPAddresses:
+      - <DNS Server 1 IP address>
+      - <DNS Server 2 IP address>
+```
+
+The following command deploys the AD connector instance. Currently, only kube-native approach of deploying is supported.
+
+```console
+kubectl apply –f active-directory-connector.yaml
+```
+
+After submitting the deployment of AD Connector instance, you may check the status of the deployment using the following command.
+
+```console
+kubectl get adc -n <namespace>
+```
+
+## Next steps
+
+* [Deploy SQL Managed Instance with Active Directory Authentication](deploy-active-directory-sql-managed-instance.md).
+* [Connect to AD-integrated Azure Arc-enabled SQL Managed Instance](connect-active-directory-sql-managed-instance.md).
+