11-14-2018 02:59 PM
We have a small company that is 99% a Microsoft environment and the decision was made to move to Infoblox for DDI. We currently use Microsoft Active Directory integrated DNS, and have already moved DHCP and IPAM to the Infoblox appliance. In Microsoft DNS we have always used the feature that only authenticated devices can perform a secure DDNS update. My plan was to allow the Infoblox DHCP to perform DDNS updates as well as set up the two domain controllers to perform GSS-TSIG updates as well. I can't for the life of me get that to work correctly!
How dangerous would it be to just restrict the DDNS to only the domain controllers and Infoblox DHCP server? What about allowing any device to make DDNS updates? (The Infoblox only serves internal domain clients, no guests.)
What is the best practice for DDNS when running a Microsoft company fully from an Infoblox DDI?
11-14-2018 10:30 PM
When using Infoblox DHCP to update External Domains, Microsoft DNS in your case, you would have to set up the “Configure DDNS” with the Forward and Reverse mapping zone details as well as the GSS-TSIG key. Please refer to the “Sending Updates for Zones on an External Name Server” section of the NIOS Administrator Guide.
Since your Microsoft DNS is set to accept Secure updates only, you would also have to configure GSS-TSIG in Infoblox DHCP Server, as the Infoblox DHCP server needs the GSS-TSIG keytab to have the DDNS Updates authenticated by Microsoft DNS server. You can refer to the “About GSS-TSIG” section of the NIOS Administrator Guide.
You can also go through the following community article with regards to DDNS GSS-TSIG Updates, it discusses GSS-TSIG Keytabs.
If you have done the above set up and are still unable to get the DDNS Updates through, perhaps you could share with us the Error message that you are receiving in the Syslog of Infoblox DHCP Server? You could also create a ticket with Infoblox Support to expedite resolution.
Ideally, you only need to allow either the DHCP Server to perform the updates or the Clients, as there might be potential conflicts that could occur while both the Client and the DHCP Server try to update the same record. As you are using Secure updates, it would be more convenient to just let the DHCP Server do the updates.
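As an added example (not from either post, and not Infoblox's own procedure), the Windows-side preparation the reply refers to, run on a domain controller that hosts the zones: keep the AD-integrated zones on secure-only dynamic updates, create a dedicated service account for the appliance, and export the GSS-TSIG keytab with ktpass. The zone name, realm, account name, appliance FQDN, keytab path and the DHCP/... principal form are assumptions; take the principal format from the "About GSS-TSIG" section of the NIOS Administrator Guide.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell as a Domain Admin
# on a DC with the DnsServer and ActiveDirectory modules. All names below are assumed.
$Zone       = 'corp.example.com'
$Realm      = 'CORP.EXAMPLE.COM'
$SvcUser    = 'svc-ibx-ddns'
$MemberFqdn = 'ibx-dhcp1.corp.example.com'   # Infoblox DHCP member (assumed)
$KeytabOut  = 'C:\keys\infoblox-ddns.keytab'

# 1. Audit: every AD-integrated zone must be "Secure" only, matching what the
#    Microsoft DNS side already enforced before the migration. Fix any that drifted.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Write-Warning "Zone $($_.ZoneName) allows '$($_.DynamicUpdate)' updates; setting Secure"
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate 'Secure'
    }

# 2. A dedicated, unprivileged account the appliance authenticates as. Limiting it to
#    AES keeps RC4 out of the keytab.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcUser'")) {
    New-ADUser -Name $SvcUser -SamAccountName $SvcUser -Enabled $true `
        -AccountPassword (Read-Host 'Service account password' -AsSecureString) `
        -PasswordNeverExpires $true -KerberosEncryptionType AES256
}

# 3. Export the GSS-TSIG keytab. ktpass maps the SPN to the account and resets its
#    password to the one you type at the prompt. Principal form is an assumption.
$Principal = "DHCP/$MemberFqdn@$Realm"
& ktpass /princ $Principal /mapuser "$SvcUser@$Realm" /pass * `
         /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $KeytabOut

# 4. Confirm the SPN landed on the service account and the zone setting held
#    before uploading the keytab to the Infoblox member.
(Get-ADUser -Identity $SvcUser -Properties ServicePrincipalName).ServicePrincipalName
(Get-DnsServerZone -Name $Zone).DynamicUpdate
```

Upload the keytab to the DHCP member under the GSS-TSIG settings and protect the file on the DC as you would any credential; the Infoblox syslog will show the Kerberos or update failure if the principal or zone list does not match.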