SteelHead™ Deployment Guide - Protocols : Signed SMB and Encrypted MAPI Optimization : Domain Health Check and Domain Authentication Automatic Configuration
  
Domain Health Check and Domain Authentication Automatic Configuration
This section describes domain health check and domain authentication automatic configuration and includes the following topics:
  • Domain Health Check
  • Domain Authentication Automatic Configuration
To optimize secure Windows traffic using SteelHeads, you:
  • need to configure NTP- and DNS-related settings.
  • must join the server-side SteelHead to the Windows domain.
  • must configure the necessary RiOS features based on the type of protocols you want to optimize: for example, Encrypted MAPI, signed SMB, signed SMB2, and signed SMB3.
  • must deploy one or more service accounts configured for delegation (if using constrained delegation) or replication (if using end-to-end Kerberos).
The domain health check comprises a series of tests related to Active Directory configuration settings. These tests and checks provide troubleshooting help for domain-related problems that might occur between the server-side SteelHead and the Active Directory environment.
The domain authentication automatic configuration includes a series of graphical widgets to assist you in performing the relevant configuration tasks associated with both the SteelHead and the Active Directory setup.
    Domain Health Check
    In RiOS v8.5 or later, the domain health check feature is available in the SteelHead Management Console and the CLI. Prior to RiOS v8.5, domain health check was only available in the CLI. You can use the domain health check feature to execute a variety of tests that provide diagnostic reports about the status of domain membership, end-to-end Kerberos replication, both manual and automatic constrained delegation, and DNS resolution. This information enables you to resolve issues quickly.
    Riverbed recommends that you use domain health check from the SteelHead Management Console rather than the CLI.
    For a full description of how to use domain health check, see the SteelHead Management Console User’s Guide and the Riverbed Command-Line Interface Reference Manual.
    Using the SteelHead Management Console to Test Domain Health Check
    Use the Domain Health Check page to run tests on domain health. You can create test parameters by entering specific information into certain fields. Click Test to run the relevant test. You receive feedback on whether the test succeeds or fails, along with the option to display a detailed log file of the test as it progresses. The output of the log file can aid in troubleshooting issues that might be found during testing.
    Figure 3‑5. Domain Health Check Page
    You can also access the same tests from the Optimization > Active Directory: Domain Join and Optimization > Active Directory: Service Accounts pages of the SteelHead Management Console.
    The following examples describe several ways to confirm that the domain health check feature is functioning correctly.
    To test the DNS setting using the SteelHead Management Console
  • From the Management Console, choose either Reports > Diagnostics: Domain Health Check or Optimization > Active Directory: Domain Join.
  • Figure 3‑6 shows the check for Test DNS. In this particular example, the test has failed. You can choose to display or hide the logs for the test.
    Figure 3‑6. Failed DNS Test in the Management Console
    To test Domain Join using the SteelHead Management Console
  • From the Management Console, select either Reports > Diagnostics: Domain Health Check or Optimization > Active Directory: Domain Join.
  • Figure 3‑7 shows the check for Test Join. In this particular example, the test has passed. You can choose to display or hide the logs for the test.
    Figure 3‑7. Successful Test Join in the Management Console
    Using the RiOS CLI Commands to Test Domain Health Check
    To use the RiOS domain health check CLI commands, you must understand that each command performs a test or configuration task, but the result of the command is displayed only by executing a follow-on command. This second command is displayed as part of the output of the previous command and is usually a show command.
    For example, the command protocol domain-auth test dns is followed by show protocol domain-auth test dns to display the results of the test.
    The main reason for this two-stage process is that the tests themselves perform a request or look-up that is outside of the SteelHead: for example, a DNS query to a DNS server can take a few moments to complete. The two-stage process means the SteelHead CLI does not hang while waiting for the test to execute. As each test is executed, the results are saved to a temporary log file on the SteelHead. After a test is complete, the contents of the log file are displayed in a more user-friendly format when you use the relevant show command.
    The following table lists the test or configuration tasks and the associated commands.
     
| Task | CLI Commands |
|------|--------------|
| Check DNS settings. | protocol domain-auth test dns |
| | show protocol domain-auth test dns |
| Confirm that the SteelHead is correctly joined to the Windows domain. | protocol domain-auth test join |
| | show protocol domain-auth test join |
| Ensure that the SteelHead can authenticate client connections. | protocol domain-auth test authentication username * password * |
| | show protocol domain-auth test authentication |
| Auto-configure a previously created account in Active Directory with replication privileges over the entire domain. | protocol domain-auth auto-conf replication adminuser * adminpass * domain * dc * |
| | show protocol domain-auth auto-conf replication |
| Determine if end-to-end Kerberos replication is correctly configured. | protocol domain-auth test replication try-repl domain * shortdom * rserver * |
| | show protocol domain-auth test replication try-repl |
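
As an added example (not part of the original guide and not Riverbed code), the Python sketch below turns the command templates from the table above into the run command, its follow-on show command, and a copy of the run command with password values masked for pasting into tickets or runbooks. The task names, SECRET_KEYWORDS and the single-token restriction on values are assumptions of this example; it only builds strings and does not connect to a SteelHead.

```python
# Added example (not Riverbed code): plans the run/show command pairs offline.
# Templates are copied from the table; "*" marks an operator-supplied value.
TEMPLATES = {
    "dns": "protocol domain-auth test dns",
    "join": "protocol domain-auth test join",
    "authentication":
        "protocol domain-auth test authentication username * password *",
    "auto-conf-replication":
        "protocol domain-auth auto-conf replication "
        "adminuser * adminpass * domain * dc *",
    "try-repl":
        "protocol domain-auth test replication try-repl "
        "domain * shortdom * rserver *",
}
# Assumption: these keywords carry secrets and are masked in the loggable form.
SECRET_KEYWORDS = {"password", "adminpass"}


def build_pair(task, **values):
    """Return (run_cmd, show_cmd, loggable_run_cmd) for one task."""
    tokens = TEMPLATES[task].split()
    # A keyword is any token immediately followed by a "*" placeholder.
    keywords = [t for t, nxt in zip(tokens, tokens[1:]) if nxt == "*"]
    missing = [k for k in keywords if k not in values]
    extra = [k for k in values if k not in keywords]
    if missing or extra:
        raise ValueError(f"{task}: missing={missing} unexpected={extra}")
    # The fixed prefix before the first keyword is what the show command repeats.
    prefix = tokens[:tokens.index(keywords[0])] if keywords else tokens
    run, loggable = list(prefix), list(prefix)
    for key in keywords:
        value = str(values[key])
        # Assumption: CLI quoting rules are not on the page, so reject
        # anything that is not a single whitespace-free token.
        if not value or any(c.isspace() for c in value):
            raise ValueError(f"{task}: {key} must be one non-empty token")
        run += [key, value]
        loggable += [key, "<redacted>" if key in SECRET_KEYWORDS else value]
    return " ".join(run), "show " + " ".join(prefix), " ".join(loggable)


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    for task, vals in [("dns", {}), ("authentication",
                       {"username": "svc-test", "password": "Constructed-Pw1"})]:
        run_cmd, show_cmd, safe = build_pair(task, **vals)
        print(f"run : {safe}\nthen: {show_cmd}")
```
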
    The following example describes how to confirm that the domain health check feature is functioning correctly.
    To check the DNS settings using the CLI
  • Connect to the SteelHead CLI and enter the following commands:
    protocol domain-auth test dns
    show protocol domain-auth test dns
    Figure 3‑8 shows a successful DNS test and Figure 3‑9 shows a failed DNS test.
    Figure 3‑8. Successful DNS Test in the CLI
    Figure 3‑9. Failed DNS Test in the CLI
    Domain Authentication Automatic Configuration
    Domain authentication automatic configuration is available in the SteelHead Management Console in RiOS v8.5 or later. Domain authentication automatic configuration is a powerful set of widgets designed to help you easily configure the server-side SteelHead and Active Directory. In RiOS versions prior to v8.5, you can configure the server-side SteelHead and Active Directory using only the CLI.
    For example, Figure 3‑10 shows how, in RiOS v8.5 or later, the domain authentication automatic configuration guides you through the steps to join the SteelHead to the domain and enable the relevant Windows features (Encrypted MAPI, signed SMB, signed SMB2, and signed SMB3).
    Figure 3‑10. Domain Authentication Automatic Configuration
    You can use the domain authentication automatic configuration to configure a Windows user account that you can use for delegation or replication purposes. The domain authentication automatic configuration on the SteelHead does not create the delegate or replication user; the Windows domain administrator must create the account in advance, using the preferred standard Active Directory procedures.
    After you create the basic user account in Active Directory, you can complete the remaining configuration steps using domain authentication automatic configuration on the SteelHead.
    Along with configuring the delegation and replication user accounts, domain authentication automatic configuration enables you to add and remove entries in the lists of delegation servers.
    For information about how to use domain authentication automatic configuration, see the SteelHead Management Console User’s Guide.