
Benefits of XenServer 5.5 Active Directory authentication

Find out how Active Directory support in XenServer 5.5 makes a XenServer implementation less complicated and user authentication more secure.

Among the biggest gaps in XenServer versions before 5.5 was the lack of Active Directory support. To administer XenServer in the past, you had to log in as root, locally, on the XenServer machine and use difficult Linux commands. Solutions providers will find that Active Directory authentication and integration are enormous benefits in XenServer 5.5.


One of the first things you can take advantage of after integrating XenServer 5.5 with Active Directory (AD) is that AD users can execute tasks from either the XenServer host or XenCenter. This new capability makes administration more flexible because it allows you to give users access to specific resources (such as virtual machines) in XenCenter. To specify what a user can do in the XenServer 5.5 environment, you need to create subjects in XenCenter. Subjects are entities in Xen that match user or group accounts in Active Directory.

The only condition you have to meet to enable Active Directory authentication for a XenServer host is that both Active Directory and XenServer use the same Domain Name System (DNS) server. This condition must be met because AD relies heavily on DNS. The easiest way to meet it is to use the AD DNS server; it is an AD requirement, so you will already have this DNS server anyway. It's also a good idea to have a Dynamic Host Configuration Protocol (DHCP) server that takes care of distributing host names. Having a DHCP server makes it easier to match the Citrix environment with the Active Directory environment.

Enabling Active Directory authentication

To enable AD authentication, you can work through the XenCenter interface or from the command line. If using the latter option, this would be the command to enter:

xe pool-enable-external-auth auth-type=AD service-name=<fully-qualified-domain-name> config:user=<username> config:pass=<password>

The best approach is to use a user account that is already configured as a domain administrator, because this account will have privileges to add and remove computer objects, or administrator privileges on the local workstation, which is a requirement for setting up the XenServer 5.5 environment.

After enabling Active Directory authentication in this way, you must add a subject in XenCenter. A subject must represent either a user or a group in AD, so you can create a subject for every single user account you want to grant access rights to, and you can also use group objects in AD as subjects in XenCenter. The benefit of using groups is that all users assigned to the group in AD will have credentials in Xen. Connecting XenServer 5.5 to AD in this way doesn't mean that AD will be the only source of authentication. In all cases, the credentials are first checked against the local root account on XenServer, which allows you access to the XenServer 5.5 environment at all times, even if AD is down.

Adding a subject is an easy task that you can accomplish from XenCenter or the command line interface. The following command would add a subject called "xenuser" that is a part of the Windows domain, xendomain. Note that the use of a domain name is optional:

xe subject-add subject-name=xendt\xenuser

After adding subjects to the XenServer 5.5 environment, you may get an overview of all existing subjects using the xe subject-list command.
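
The three commands above combined into one script, as an added example that is not part of the original article: it prompts for the join account's password instead of taking it on the command line, and single-quotes the subject so the shell does not strip the backslash in DOMAIN\user. The domain, account and subject values and the --apply switch are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): enable AD auth, add one subject, list subjects.
# Constructed placeholder values; replace with your own.
AD_DOMAIN='xendomain.example'      # service-name: FQDN of the AD domain
AD_JOIN_USER='joinadmin'           # account allowed to add computer objects
AD_SUBJECT='xendt\xenuser'         # single quotes keep the backslash intact

# Accept only a dotted DNS name, so a typo or stray character never reaches xe.
valid_fqdn() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# $1 = domain FQDN, $2 = AD user, $3 = password
enable_ad_auth() {
  valid_fqdn "$1" || { echo "not a fully qualified domain name: $1" >&2; return 2; }
  # The password is still an argument to xe, so it is visible in the host's
  # process list while the command runs.
  xe pool-enable-external-auth auth-type=AD service-name="$1" \
     config:user="$2" config:pass="$3"
}

# $1 = AD user or group, optionally prefixed with DOMAIN\
grant_subject() {
  xe subject-add subject-name="$1" && xe subject-list
}

main() {
  # Prompt instead of typing the password on the command line, which would
  # store it in shell history.
  printf 'Password for %s: ' "$AD_JOIN_USER" >&2
  stty -echo; IFS= read -r AD_PASS; stty echo; echo >&2
  enable_ad_auth "$AD_DOMAIN" "$AD_JOIN_USER" "$AD_PASS"; rc=$?
  unset AD_PASS
  [ "$rc" -eq 0 ] && grant_subject "$AD_SUBJECT"
}

# Hypothetical switch for this script only: nothing runs unless --apply is given.
[ "${1:-}" != "--apply" ] || main
```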

One of the key benefits of XenServer 5.5 Active Directory integration is that it makes administering XenServer an easier task. Instead of managing XenServer 5.5 credentials through hard-to-use Linux commands that are executed by the Linux root user, solutions providers can now authenticate through AD to administer the pool they are responsible for. This recent development in XenServer 5.5 will definitely help XenServer's presence in new markets, especially in large enterprise environments.

About the expert
Sander van Vugt is an independent trainer and consultant living in the Netherlands. Van Vugt is an expert in Linux high availability, virtualization and performance and has completed several projects that implement all three. He is also the writer of various Linux-related books, such as Beginning the Linux Command Line, Beginning Ubuntu Server Administration and Pro Ubuntu Server Administration.
