Elyse ACTIVE DIRECTORY DOMAIN SETUP
OVERVIEW
This document describes the Active Directory (AD) configuration required for an Elyse server deployment. It covers:
- Organisational Unit (OU) structure
- Service account creation
- Security group for Elyse users
- DNS records
These instructions are written for a production environment. If you are building a lab or test environment from scratch, refer to Appendix A: Domain in a Box first to create the domain infrastructure, then return to this document to configure AD for Elyse.
After completing this document, proceed to:
PREREQUISITES
- An Active Directory domain at Windows Server 2016 functional level or later
- Domain Administrator credentials (or delegated OU admin rights)
- Access to Active Directory Users and Computers (ADUC). To open ADUC: log on to the Domain Controller, open Server Manager (it opens automatically on login; if not, click Start and type Server Manager), then click Tools (top-right) > Active Directory Users and Computers.
- The following server hostnames identified and DNS-resolvable:
- SQL Server host (e.g., ELYSE-SQL01)
- Backend application host (e.g., ELYSE-BE01)
- Frontend web server host (e.g., ELYSE-FE01)
NOTE ON NAMING CONVENTIONS
This document uses prescribed names for service accounts and groups. These are recommended defaults and may be replaced with names that conform to your organisation's naming standards. If you change them, apply the change consistently across all Elyse deployment documents and configuration files.
| Prescribed Name | Purpose |
|---|---|
svc_sql | SQL Server service account |
svc_elyse_be | Backend application service account |
Elyse_Users | Security group for Elyse users |
STEP 1: CREATE THE ORGANISATIONAL UNIT (OPTIONAL)
Creating a dedicated OU for Elyse service accounts and groups is recommended for organisational clarity and to allow targeted Group Policy application.
- Log on to the Domain Controller and open Active Directory Users and Computers (ADUC). ADUC is found in Server Manager > Tools > Active Directory Users and Computers.
- In the left panel of ADUC, right-click your domain name (e.g.,
yourdomain.com) and select New > Organizational Unit. - In the “New Object – Organizational Unit” dialog, type the name:
Elyse - Click OK.
If your organisation has an existing OU structure for service accounts, you may use that instead. Adjust the instructions below accordingly.
STEP 2: CREATE THE SQL SERVER SERVICE ACCOUNT
This account will be used as the Log On identity for the SQL Server database engine service. It must be a domain account so that Kerberos authentication works correctly.
- Open ADUC if it is not already open (Server Manager > Tools > Active Directory Users and Computers).
- In the left panel of ADUC, expand your domain name (e.g.,
yourdomain.com) by clicking the arrow next to it. - Click on the Elyse OU (or your chosen OU) to select it.
- Right-click the OU and select New > User.
- In the “New Object – User” dialog, enter the following:
Full Name SQL Service Account User logon name svc_sql - Click Next.
- Set a strong password and record it securely (you will need this password later during SQL Server installation).
- Password options:
- ☐ User must change password at next logon — UNCHECK
- ☑ Password never expires — CHECK
- Click Next, review the summary, then click Finish.
STEP 3: CREATE THE BACKEND SERVICE ACCOUNT
This account will be used as the IIS Application Pool identity for the Elyse backend. It is the account that Kerberos Constrained Delegation (KCD) will be configured on, allowing it to impersonate authenticated users when connecting to SQL Server.
- In the ADUC window (still open from Step 2), ensure the Elyse OU (or your chosen OU) is selected in the left panel.
- Right-click the OU and select New > User.
- In the “New Object – User” dialog, enter the following:
Full Name Backend Service Account User logon name svc_elyse_be - Click Next.
- Set a strong password and record it securely (you will need this password later when configuring the IIS Application Pool).
- Password options:
- ☐ User must change password at next logon — UNCHECK
- ☑ Password never expires — CHECK
- Click Next, review the summary, then click Finish.
STEP 4: CREATE THE ELYSE USERS SECURITY GROUP
This Active Directory security group controls which domain users are permitted to connect to the Elyse database. Users are granted access to Elyse by being added to this group.
- In the ADUC window (still open from Step 3), ensure the Elyse OU (or your chosen OU) is selected in the left panel.
- Right-click the OU and select New > Group.
- In the “New Object – Group” dialog, enter the following:
Group name Elyse_UsersGroup scope Global Group type Security - Click OK.
After the group is created, add the domain users who should have access to Elyse:
- In the right panel of ADUC, you should see the newly created
Elyse_Usersgroup. Double-click it to open its properties (or right-click it and select Properties). - In the Properties dialog, click the Members tab.
- Click the Add... button.
- In the “Select Users, Contacts, Computers, Service Accounts, or Groups” dialog, type the username of an Elyse user (e.g.,
jsmith). To add multiple users at once, separate them with semicolons (e.g.,jsmith; jdoe; ablock). - Click Check Names to verify the names resolve correctly (they will become underlined if found).
- Click OK to add the users.
- Click OK again to close the Properties dialog.
svc_sql or svc_elyse_be) to this group. The service accounts must not have direct database access.
STEP 5: DNS RECORDS
DNS (Domain Name System) is what allows computers to find each other by name instead of by IP address. We need to ensure that DNS records exist for each server that will host an Elyse component. In most environments, these records are created automatically when the servers are joined to the domain.
Verify the following records resolve correctly:
| Hostname | Expected IP |
|---|---|
ELYSE-SQL01.yourdomain.com | (IP of SQL Server host) |
ELYSE-BE01.yourdomain.com | (IP of backend host) |
ELYSE-FE01.yourdomain.com | (IP of frontend host) |
To verify, open a Command Prompt on the Domain Controller. To do this: click the Start button, type cmd, and click Command Prompt in the results. Then type each of the following commands (pressing Enter after each one):
nslookup ELYSE-SQL01.yourdomain.com
nslookup ELYSE-BE01.yourdomain.com
nslookup ELYSE-FE01.yourdomain.comEach command should return the correct IP address.
nslookup returns the correct IP address but also displays a message about a “2 second timeout” or “DNS request timed out”, this is normal in isolated or lab environments. It means the DNS server has forwarders configured (e.g. 8.8.8.8) that are unreachable because the network has no internet access. The local DNS lookup still succeeds. You can safely ignore the timeout as long as the correct IP address is returned.
If a record is missing (no IP address returned), create it in DNS Manager:
- Open DNS Manager: in Server Manager, click Tools (top-right) > DNS. A new window opens.
- In the left pane, click the arrow next to your server name to expand it. Then expand Forward Lookup Zones. Click on your domain name (e.g.,
yourdomain.com). - Right-click your domain name > New Host (A or AAAA)...
- In the Name field, enter the hostname only (e.g.,
ELYSE-SQL01— without the domain suffix). In the IP address field, enter the server’s IP address. - Click Add Host. Click OK on the confirmation. Repeat for each missing record.
Replace the hostnames and domain name above with your actual server names and domain.
STEP 6: VERIFY CONFIGURATION
Before proceeding to SQL Server installation, verify the following:
svc_sqlaccount exists in ADsvc_elyse_beaccount exists in ADElyse_Userssecurity group exists in AD- Elyse users are members of
Elyse_Users svc_sqlis NOT a member ofElyse_Userssvc_elyse_beis NOT a member ofElyse_Users- DNS records resolve for all Elyse server hostnames
To verify the accounts and group, open a Command Prompt on the Domain Controller (click Start, type cmd, click Command Prompt) and type each of the following commands, pressing Enter after each:
net user svc_sql /domain
net user svc_elyse_be /domain
net group Elyse_Users /domainNEXT STEPS
- Proceed to SQL Server & Database to install SQL Server and restore the Elyse database.
- After SQL Server is installed, proceed to KCD Configuration to register Service Principal Names (SPNs) and configure Kerberos Constrained Delegation.