VAST Cluster leverages Active Directory in two ways:
By running direct Active Directory queries using native Active Directory APIs.
By running LDAP queries using LDAP APIs (since Active Directory is also an LDAP server).
Depending on the client access protocol, Active Directory setup includes:
Joining an Active Directory domain (which means adding VAST Cluster to an Active Directory domain as a new directory object) and configuring LDAP connectivity to Active Directory. This is relevant for SMB and NFSv4.1 with Kerberos authentication and NFSv4.1 ID mapping.
Configuring LDAP connectivity to Active Directory. This is relevant for NFSv3 and NFSv4.1 when used without Kerberos authentication and NFSv4.1 ID mapping.
Active Directory Setup for SMB Access
Ensure that the following prerequisites are met:
Active Directory running on Windows Server 2008R2 or newer.
A domain name served by Active Directory, and a DNS setup to resolve the domain name.
Credentials for an admin user with permission to create and modify machine accounts in the Organizational Unit (OU) of the Active Directory domain in which you want to create the cluster's new machine object.
Complete this procedure to join the Active Directory domain and configure LDAP connectivity to Active Directory.
Note
Views exposed as SMB shares work only if the cluster is joined to Active Directory. This includes both SMB-only and multiprotocol views.
Active Directory Setup for NFSv4.1 Access
If Kerberos authentication and/or NFSv4.1 ID mapping are used with NFSv4.1 access:
Complete this procedure to join the Active Directory domain and configure LDAP connectivity to Active Directory.
If using Kerberos, follow the guidelines for cluster and client setup in Kerberos Authentication for NFSv4.1.
If using NFSv4.1 ID Mapping, follow the guidelines in ID Mapping Configuration on the Cluster.
For NFSv4.1 access without Kerberos authentication and without NFSv4.1 ID mapping:
Configure LDAP connectivity to Active Directory.
Active Directory Setup for NFSv3
If you're using Active Directory as an LDAP server for NFSv3 access:
Configure LDAP connectivity to Active Directory.
Active Directory Domain Auto-Discovery
VAST Cluster supports client user access from multiple automatically discovered Active Directory domains, with automatic discovery of domain controllers (DCs).
Auto-discovery is an optional setting that can be enabled or disabled in VAST Cluster's Active Directory configuration settings. When creating a new Active Directory configuration, auto-discovery is enabled by default.
When auto-discovery is enabled, VAST Cluster automatically discovers all domains and domain controllers that reside in the Active Directory forest of the cluster's joined domain and are trusted by the joined domain. If multi-forest authentication is enabled, it also discovers domains in other forests that have a two-way transitive trust relationship with the cluster's forest. When the cluster queries Active Directory for users and groups, all discovered domains are queried. After initial discovery is complete, you can view discovered Active Directory objects, including Active Directory global catalog servers. The information is updated periodically, with indication of the time to the next refresh of the global catalog that is currently used by the cluster.
You can choose whether to use LDAPS for Active Directory domain auto-discovery. If set to use LDAPS, VAST Cluster connects to port 636 for the domain controller or port 3269 for the global catalog and initiates a TLS handshake immediately afterwards.
When auto-discovery is disabled, VAST Cluster contacts only manually configured domain controllers and does not process requests from users in other domains. In this case you must specify the LDAP URIs and the search base DN in the LDAP configuration for Active Directory.
Tip
Before disabling auto-discovery, ensure that multi-forest authentication is disabled.
Active Directory Multi-Forest Authentication
VAST Cluster can authorize client access by querying users and groups from one or more trusted domains across multiple forests, in addition to the forest of the cluster's joined domain. When multi-forest authentication is enabled, VAST Cluster automatically discovers all domains in the forest of the cluster's joined domain, and also all domains in forests that have a two-way transitive trust relationship with the cluster's forest.
Note
If your environment includes one-way trust domains, consider using SMB native authentication for SMB users.
When multi-forest authentication is enabled, VAST Cluster uses a user account in the cluster's joined domain to establish an LDAP bind as follows:
For the LDAP bind to domain controllers in the forest of the cluster's joined domain, the authentication method (Simple or SASL) is determined by the Authentication method option in VAST Cluster LDAP settings.
For the LDAP bind to domain controllers in other trusted forests, SASL authentication is used, regardless of the Authentication method option in VAST Cluster LDAP settings.
SASL authentication requires that the bind DN is specified in username@domain or DOMAIN\username format.
The requirements for multi-forest authentication are as follows:
Active Directory and DNS configuration:
Each domain name is unique across all forests where VAST Cluster runs the discovery.
There are no duplicate UIDs or GIDs defined on the provider that is selected as the POSIX attribute source for the VAST cluster.
A user account is configured in the joined domain that will be used to establish LDAP binds across the forests, with the bind DN specified in username@domain or DOMAIN\username format.
There is a single DNS setup that can be used to reach all domains in all trusted forests.
VAST Cluster configuration:
Active Directory Domain Auto-Discovery is enabled in the VAST Cluster's Active Directory settings.
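The following pre-flight check is an added example, not VAST code or the VAST CLI: it encodes the multi-forest requirements listed above (unique domain names across forests, no duplicate UIDs/GIDs on the POSIX attribute source, a SASL-compatible bind identity, auto-discovery enabled) together with the LDAPS ports named in the auto-discovery section, and runs them over a constructed sample inventory. The domain names, accounts and bind identity are made up for the example.

```python
import re
from collections import Counter

# Forms a SASL bind identity may take: username@domain or DOMAIN\username.
# A distinguished name (CN=...,DC=...) is not accepted for SASL binds.
UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")
NETBIOS_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")

# Ports used for LDAPS auto-discovery; TLS starts immediately on connect
# (no STARTTLS), so the DC and GC must serve TLS directly on these ports.
LDAPS_PORTS = {"domain_controller": 636, "global_catalog": 3269}


def sasl_bind_dn_ok(bind_dn: str) -> bool:
    """True if bind_dn is in username@domain or DOMAIN\\username form."""
    return bool(UPN_RE.match(bind_dn) or NETBIOS_RE.match(bind_dn))


def duplicates(values):
    """Sorted list of values that occur more than once."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


def preflight(cfg, domains, posix_users, posix_groups):
    """Check the multi-forest requirements; returns a list of problems (empty = OK)."""
    problems = []
    if cfg["multi_forest"] and not cfg["auto_discovery"]:
        problems.append("multi-forest authentication requires domain auto-discovery")
    if cfg["multi_forest"] and not sasl_bind_dn_ok(cfg["bind_dn"]):
        problems.append("bind DN must be username@domain or DOMAIN\\username for SASL binds")
    for d in duplicates([d.lower() for d in domains]):       # DNS names are case-insensitive
        problems.append(f"domain name not unique across forests: {d}")
    for uid in duplicates([u["uid"] for u in posix_users]):
        problems.append(f"duplicate UID on POSIX attribute source: {uid}")
    for gid in duplicates([g["gid"] for g in posix_groups]):
        problems.append(f"duplicate GID on POSIX attribute source: {gid}")
    return problems


# Constructed sample inventory (hypothetical names, not from any real deployment).
DOMAINS = ["corp.example.com", "eng.corp.example.com", "partner.example.net"]
USERS = [{"name": "alice", "uid": 10001}, {"name": "bob", "uid": 10002},
         {"name": "carol", "uid": 10002}]                    # carol collides with bob
GROUPS = [{"name": "eng", "gid": 20001}, {"name": "ops", "gid": 20002}]
CFG = {"multi_forest": True, "auto_discovery": True, "bind_dn": "svc-vast@corp.example.com"}

if __name__ == "__main__":
    for problem in preflight(CFG, DOMAINS, USERS, GROUPS):
        print("PROBLEM:", problem)
```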
To enable or disable multi-forest authentication for a new Active Directory configuration:
In VAST Web UI, create a new Active Directory configuration record (User Management -> Active Directory -> click + Create Active Directory) and in the General tab, toggle Enable trusted domains on other forests on or off.
In VAST CLI:
Create a new LDAP configuration with the ldap create command.
Create a new Active Directory configuration that uses the newly created LDAP configuration, with the activedirectory create command.
Run the ldap modify command against the LDAP configuration with the --enable-multi-forest or --disable-multi-forest option specified.
To enable or disable multi-forest authentication for an existing Active Directory configuration:
In VAST Web UI, open an LDAP configuration record that corresponds to your Active Directory configuration (User Management -> LDAP -> open the Actions menu for the record and choose Edit) and in the General tab, toggle Enable trusted domains on other forests on or off.
In VAST CLI, run the ldap modify command against the underlying LDAP configuration with the --enable-multi-forest or --disable-multi-forest option specified.