
Active Directory Integration


Does anyone have the steps to change from an Active Directory DNS to just infoblox.

I have followed the white papers but the domain controller will not write the AD DNS information to the infoblox system. Any help would be appreciated.

Jose

Re: Active Directory Integration

Adviser

In my experience there is not a simple, definitive answer to your question because "it depends". From what you have written, I am assuming that you are looking to move the zone's primary master from AD DNS to Infoblox. Assuming you have created the zone in Infoblox and moved the records, converted AD DNS to a forwarder or secondary pointing to Infoblox, I can offer the following advice:

  • Have you enabled AD integration for the zone? There's a button on the right hand toolbar that enables AD integration and allows the creation of underscore zones (_tcp, _ldap, _udp, etc.) which AD requires.
  • I'm assuming that your AD DC cannot register itself to the zone in Infoblox, for example when you initiate an "ipconfig /registerdns" command on the domain controller. If so, have you checked if GSS-TSIG is a requirement?
  • If GSS-TSIG is a requirement, you need to follow the steps to generate the TSIG keys and upload them to Infoblox.

Those are the basics that I can think of, off the top of my head for now. Other than that, you really need to gain some visibility into the reason why it is not registering the records. For this, I can suggest that you check logs in your DC, check the syslogs in Infoblox, and perhaps even take a traffic capture from Infoblox (it is built in) so you can view exactly what the error messages are. Once you pinpoint the specific error, it's likely you'll be able to address it successfully and move forward from there.

Re: Active Directory Integration


Yes, I went through the whitepaper.

1. I have a test environment with an infoblox appliance.

2. I have a Windows 2012 R2 server called SERVER-A that I wanted to promote to a domain controller WITHOUT installing DNS.

3. I pointed the DNS configuration for SERVER-A to go to the infoblox appliance under Primary DNS Server in network connections.

4. Before promoting SERVER-A to a domain controller, I created a zone, "alone.com".

5. I added the ACLs for the soon-to-be domain controller SERVER-A into the infoblox appliance under the updates section.

6. Under Active Directory, I checked "allow unsigned updates from these domain controllers", added the domain controller IP, checked "automatically create underscores", and checked "allow GSS-TSIG-signed updates to all underscores".

7. I then promoted the Windows Server 2012 R2 to a Domain Controller.


This didn't add any records to the Infoblox appliance. I thought netlogon would update the infoblox appliance --> No dice.

In the end, I did this:

1. I added the DNS to the domain controller

2. I pointed the network DNS configuration on SERVER-A to use itself as the secondary DNS.

3. I populated the AD DNS information on the domain controller by stopping and starting the netlogon service.

4. I then imported the AD zone alone.com into infoblox from the domain controller server-a.

5. I removed DNS from the domain controller.

6. Everything but one record imported. I had to manually create the _ldap._tcp.dc._msdcs.alone.com record to allow computers to join the domain alone.com.

7. I then added a member Windows Server 2012 R2 server called server-b to the domain.

Don't know if this is the right way to do it but so far so good. It added the Server-b record into DNS and into Active Directory users and computers.

Next step will be to promote this server to a Domain Controller and see if that works.

Thanks for your help,

Jose

My issue is that when stopping and starting the netlogon service, the records were not populating.

 

I checked the boxes to allow domain controllers to do updates and added the IP addresses of the domain controllers to the ACLs --> Still no dice.

Re: Active Directory Integration

Adviser

Glad you are making progress. The reason why the underscore zones don't import is because they are actually files/directories in Microsoft. These get created automatically in Infoblox if you check the box to allow it to do so.


When in the zone in Infoblox, did you click on the "Configure Active Directory" button on the right hand toolbar?

Re: Active Directory Integration


In the end I was able to make it work by doing the following:

  1. Configure DNS and Start the service: Go to Grid (1)-> Grid Manager (2) -> DNS (3) -> Edit Grid Properties (4)

  2. Configure DNS to allow updates from AD Domain Controllers by putting the domain controller addresses into the set of ACEs. Go to Updates -> Advanced and click on the check box to allow secondary servers to forward updates and select "success" for the "Updates to PTR records in bulk" dropdown.

    ****** This is critical as Domain Controllers use the netlogon service to forward Active Directory DNS information to the InfoBlox appliance. Without this, IT WILL NOT WORK!!!! ******

  3. Configure what subnets are allowed to query this DNS server for name resolution under Grid DNS Properties -> Queries (1): Configure your DNS server to accept zone transfers from the Domain Controllers: Click on save and close.
  4. Finally, enable the DNS Server by checking the InfoBlox appliance (1) and starting the DNS DAEMON (2).
  5. Your InfoBlox appliance is now ready to do the following:
    Accept Active Directory DNS updates from domain controllers through netlogon.

    So I then:
    1. Created an authoritative DNS zone that matches what my AD domain would be, with the underscores automatically created.

    2. Spun up a Windows Server 2012 VM and added the AD Services.

    3. In the network connection properties, I pointed the Windows VM to the InfoBlox appliance as the primary DNS server and 127.0.0.1 as secondary.

    4. Created a new AD forest that matched the name of the authoritative zone I created in the infoblox appliance.

    5. After the AD domain was created, netlogon took care of all of the SRV record population into infoblox.
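As an added check that is not part of this thread or of Infoblox's own tooling: the earlier post found that every record except _ldap._tcp.dc._msdcs imported, so a script that parses a BIND-style zone export (a saved zone file or AXFR output) and reports which of the well-known Netlogon SRV names for a domain are missing is a quick way to confirm a DC registration or import actually completed. The zone text, the domain alone.com and the host server-a are constructed sample data.

```python
# Added example (not Infoblox or Microsoft code): check a zone export for the
# SRV records Netlogon registers for a domain controller. Sample zone is constructed.
import re

# Well-known, site-independent SRV owner names a DC registers via Netlogon.
REQUIRED_SRV = (
    "_ldap._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.gc._msdcs.{d}", "_gc._tcp.{d}", "_kerberos._tcp.{d}",
    "_kerberos._tcp.dc._msdcs.{d}", "_kerberos._udp.{d}", "_kpasswd._tcp.{d}",
)

# BIND-style line: owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.IGNORECASE
)

def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} from zone text."""
    records = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # not an SRV record (A, NS, SOA, comments, blanks)
        owner = m.group(1).rstrip(".").lower()
        target = m.group(5).rstrip(".").lower()
        records.setdefault(owner, []).append(
            (int(m.group(2)), int(m.group(3)), int(m.group(4)), target)
        )
    return records

def missing_dc_records(zone_text, domain):
    """Required SRV owner names for `domain` absent from the zone export."""
    present = parse_srv(zone_text)
    expected = [t.format(d=domain.lower().rstrip(".")) for t in REQUIRED_SRV]
    return [name for name in expected if name not in present]

# Constructed sample: everything Netlogon would register for server-a except
# the _ldap._tcp.dc._msdcs record that had to be created by hand in the thread.
SAMPLE_ZONE = "\n".join(
    f"{name}.alone.com. 600 IN SRV 0 100 {port} server-a.alone.com."
    for name, port in (
        ("_ldap._tcp", 389), ("_ldap._tcp.pdc._msdcs", 389),
        ("_ldap._tcp.gc._msdcs", 3268), ("_gc._tcp", 3268),
        ("_kerberos._tcp", 88), ("_kerberos._tcp.dc._msdcs", 88),
        ("_kerberos._udp", 88), ("_kpasswd._tcp", 464),
    )
)

if __name__ == "__main__":
    print(missing_dc_records(SAMPLE_ZONE, "alone.com"))
```

Site-specific names (under _sites) are deliberately left out of REQUIRED_SRV because they depend on the AD site topology; add them if you know the site name.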

Re: Active Directory Integration

Adviser

That is good work jgonzalez35114! The only comment I would make is that in step 3, I typically leave the query ACLs blank (which by default accepts all queries) and control it via DNS views using match client rules. The reason being if you configure your internal subnet ACLs in the Grid DNS settings and you happen to run external/public DNS, it will block public resolution to your external DNS appliances.

In other words, be wary about the inheritance rules when configuring ACLs. Other than that, appreciate you sharing your solution!

Re: Active Directory Integration

Enigma

So to clarify, the infoblox appliance simply receives DNS updates from the AD integrated DNS server?

Re: Active Directory Integration

Adviser

This post was about how to create a primary DNS zone in Infoblox that accepts AD DC DDNS updates, including accepting underscore zones and records during a DC registration. The DC thus points DNS at Infoblox, rather than itself. Conversely, all other Windows clients therefore use Infoblox as the DNS authority.

Re: Active Directory Integration

half12

Hi,


I had to integrate Windows 2012R2 Datacentre edition with a Trinzic 2220 running Nios 7.2.4 so that all DNS was handled by the Trinzic appliance. The steps that I followed were these:


1. Configured the primary authoritative zone on the Trinzic appliance, e.g. corp.local, and the reverse zone.

2. Edited the corp.local and reverse zone under the Active Directory settings to permit unsigned authoritative updates from the Windows 2012R2 server and for the automatic creation of underscore zones.

3. Configured the Windows 2012R2 server so that the IPv4 DNS server address is the Trinzic appliance.


Result: no updates. Checking the Windows 2012R2 Datacentre edition, the Netlogon process reports "unable to update DNS server ::" (an IPv6 address).


4. Configured the Trinzic appliance with an IPv6 address (/64) and configured Windows 2012R2 Datacentre with an IPv6 address in the same subnet (could use link-local addresses), and then configured the IPv6 DNS server on Windows 2012R2 using the Trinzic IPv6 address.


5. Logs immediately show the DDNS update of all underscore zones (_msdcs, _tcp etc.).

6. However, Trinzic reports that the Windows 2012R2 DDNS updates to corp.local are being denied, so I changed the corp.local Updates setting to include the Windows 2012R2 IPv4 address (in addition to the Active Directory settings).

7. All Windows 2012R2 updates performing normally and zone correctly populated.
