DNS synchronization

Decimestrial
Decimestrial
in DNS, DHCP, IPAM (DDI)

Hello,

We have synchronization problems between our Microsoft and Infoblox servers, in both directions nothing happens during any modification.

We have our dedicated user for this service in the DNSAdmins group with special permissions but not full control because it is too permissive for our security service.

Ports 135 and 445 are open on the firewall, no trace of blocked flows inside.

If I rely on the Infoblox documentation, DHCP uses simple RPC requests, while DNS is apparently more complicated than that.

However, I don't see any mention of WMI or DCOM authorization in the documentation.

But, in a company with a huge amount of security recommendations, it is difficult to find the source of the problem without knowing the real Infoblox DNS synchronization process.

Today, i need to know how DNS synchronization works between Infoblox and a Microsoft server specifically.

Does it use WMI? DCOM? If anyone tell me that Infoblox uses it, then the source of the problem may be there.

Thanks

Comments

  • nic w
    nic w Infoblox Technical Expert

    What error are you seeing in NIOS during synchronization failure? MS_RPC_SCMR_DNS_STATUS?

    Which version of Microsoft server?

  • juskarazzi
    juskarazzi

    We have the same problem with DHCP: MS_RPC_SCMR_DHCP_STATUS .

    We use for privilege for Infoblox service account "DHCP Administrators"

    The version is Windows 2019

    Doing packet capture I see: svcctl.werror Windows Error: WERR_ACCESS_DENIED (0x00000005)

    Domain user and password are correct

    What do I have to check on the MS Server ?

    Thanks in advance

    Best Regards

  • juskarazzi
    juskarazzi
    image.png
  • juskarazzi
    juskarazzi

    SMB nEGOTIATE PROTOCOL Request
    SMB nEGOTIATE PROTOCOL ReSponse
    ok

    SMB NTLMSSP request user svc_infoblox
    SMB Setup Response accetpeted cmpleted
    ok

    Tree Connect request IPC
    Tree Connect ReSponse
    ok

    OpenSCManagerW Request
    OpenSCManagerW Response
    Windows Error: WERR_ACCESS_DENIED (0x00000005)
    KO

  • juskarazzi
    juskarazzi

    I have aleady read the two kb https://support.infoblox.com/s/article/3819 and https://support.infoblox.com/s/article/3811

    but I think there is a system firewall on the server

    Thanks in advance

    Best regards

  • juskarazzi
    juskarazzi

    These are the rights for the svc_infoblox user ont the MS test server

    image.png
  • nic w
    nic w Infoblox Technical Expert

    Within the service logs on NIOS you'd be able to get a more detailed message matching the error you described. Something like this:

    Could not query status for Service dhcpserver: 0x5: Access is denied. Could not open Service dhcpserver: the requested operation failed.

    Could not query status for Service dns: 0x5: Access is denied. Could not open Service dns: the requested operation failed.

Categories