Commit 2a43c17

Merge pull request #17024 from cloudmelon/20200915-ad-deployment
add AD security
2 parents 793b560 + 6ddb128 commit 2a43c17

1 file changed

Lines changed: 25 additions & 6 deletions

docs/big-data-cluster/deploy-active-directory.md
@@ -5,7 +5,7 @@ description: Learn how to upgrade SQL Server Big Data Clusters in an Active Dire
55
author: mihaelablendea
66
ms.author: mihaelab
77
ms.reviewer: mikeray
8-
ms.date: 08/04/2020
8+
ms.date: 09/15/2020
99
ms.topic: conceptual
1010
ms.prod: sql
1111
ms.technology: big-data-cluster
@@ -20,12 +20,31 @@ authentication mode. The cluster uses an existing AD domain for authentication.
2020

2121
>[!Note]
2222
>Before SQL Server 2019 CU5 release, there is a restriction in big data clusters so that only one cluster could be deployed against an Active Directory domain. This restriction is removed with the CU5 release, see [Concept: deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode](active-directory-deployment-background.md) for details on the new capabilities. Examples in this article are adjusted to accommodate both deployment use cases.
23+
>
2324
2425
## Background
2526

26-
To enable Active Directory (AD) authentication, the BDC automatically creates the users, groups, machine accounts, and service principal names (SPN) that the various services in the cluster need. To provide some containment of these accounts and allow scoping permissions, choose an organizational unit (OU) during deployment where all BDC-related AD objects will be created. Create this OU before cluster deployment.
27+
To enable Active Directory (AD) authentication, the BDC automatically creates the users, groups, machine accounts, and service principal names (SPN) that the various services in the cluster need. To provide some containment of these accounts and allow scoping permissions, we suggest create an organizational unit (OU) before cluster deployment. All BDC-related AD objects will be created during deployment.
28+
29+
## Pre-requisites
30+
31+
### Organizational Unit (OU)
32+
An organizational unit (OU) is a subdivision within an Active Directory into where place users, groups, and even other organizational units. Big picture Organizational units can be used to mirror an organization's functional or business structure. This article we'll create an OU called `bdc` as an example.
33+
34+
>[!Note]
35+
The organizational unit (OU) represents administrative boundaries and enable customers to control the scope of authority of data administrators.
36+
>
37+
38+
You can follow [OU Design Principles](/windows-server/identity/ad-ds/plan/reviewing-ou-design-concepts.md) to decide on the best structure on working with OUs within your organization.
39+
40+
### AD account for BDC domain service account
41+
42+
To be able to create all the required objects in Active Directory automatically, the BDC needs an AD account which have specific permissions to create users, groups, and machine accounts inside the provided organizational unit (OU). This article will explain how to configure the permission of this AD account. We use an AD Account call `bdcDSA` as an example in this article.
43+
44+
### Auto generated Active Directory objects
45+
BDC deployment automatically generates account and group names. Each of the accounts represents a service in BDC and will be managed by BDC throughout the lifetime where BDC cluster is in use. Those accounts own the Service Principal Names (SPNs) are required by each service. For a full list of AD auto-generated accounts, groups, and service that they managed, see [Auto generated Active Directory objects](active-directory-objects.md).
46+
2747

28-
To automatically create all the required objects in Active Directory, the BDC needs an AD account during deployment. This account needs to have permissions to create users, groups, and machine accounts inside the provided OU.
2948

3049
>[!IMPORTANT]
3150
>Depending on the password expiration policy set in the Domain Controller, passwords for these accounts can expire. The default expiration policy is 42 days. There is no mechanism to rotate credentials for all accounts in BDC, so the cluster will become inoperable once the expiration period is met. To workaround this issue, update the expiration policy for the BDC service accounts to “Password never expires” in the Domain Controller. This action can be done before or after the expiration time. In the latter case, Active Directory will reactivate the expired passwords.
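Review bot: the new `>[!Note]` block in the "Organizational Unit (OU)" section is malformed: the line `>[!Note]` is followed by a body line that lacks the `>` prefix (`The organizational unit (OU) represents administrative boundaries...`), so the note text renders as an ordinary paragraph and the trailing `>` becomes an empty quote. Prefix the body line with `>` as the existing `>[!IMPORTANT]` block in this same hunk does. Several added sentences also need grammar fixes: `we suggest create an organizational unit` should be `we suggest creating an organizational unit`; `into where place users, groups` should be `in which you place users, groups`; `Big picture Organizational units can be used` reads better as `Organizational units can be used`; `an AD account which have specific permissions` should be `which has`; `an AD Account call `bdcDSA`` should be `called`; and `Those accounts own the Service Principal Names (SPNs) are required by each service` should be `Those accounts own the Service Principal Names (SPNs) that are required by each service`. The scoping statement that the account only needs permission to create users, groups, and machine accounts inside the provided OU is the right least-privilege framing and is worth keeping exactly as written.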
@@ -34,16 +53,16 @@ To automatically create all the required objects in Active Directory, the BDC ne
3453
>
3554
>:::image type="content" source="media/deploy-active-directory/image25.png" alt-text="Set password expiration policy":::
3655
37-
For a list of AD accounts and groups, see [Auto generated Active Directory objects](active-directory-objects.md).
3856

3957
The steps below assume you already have an Active Directory domain controller. If you don't have a domain controller, the following [guide](https://social.technet.microsoft.com/wiki/contents/articles/37528.create-and-configure-active-directory-domain-controller-in-azure-windows-server.aspx) includes steps that can be helpful.
4058

59+
4160
## Create AD objects
4261

4362
Do the following things before you deploy a BDC with AD integration:
4463

45-
1. Create an organizational unit (OU) where all BDC AD objects will be stored. Alternatively you can choose an existing OU upon deployment.
46-
1. Create an AD account for BDC, or use an existing account, and provide this BDC AD account the right permissions.
64+
1. Create an organizational unit (OU) where all BDC-related AD objects will be stored. Alternatively you can choose an existing OU upon deployment.
65+
1. Create an AD account for BDC, or use an existing account, and provide this BDC AD account the right permissions inside the provided organizational unit (OU).
4766

4867
### Create a user in AD for BDC domain service account
4968

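Review bot: step 2 of "Create AD objects" still says `provide this BDC AD account the right permissions inside the provided organizational unit (OU)` without saying which permissions; since the new "AD account for BDC domain service account" section in this same change spells them out (create users, groups, and machine accounts inside the OU), either restate them here or link to that section so readers do not grant broader rights than the OU-scoped set the document intends. Removing the line `For a list of AD accounts and groups, see [Auto generated Active Directory objects](active-directory-objects.md).` is fine, because the same link now lives in the new "Auto generated Active Directory objects" section.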