
IPAM with AD read-only account


Hi,

 

We want to set up an Infoblox appliance as an IPAM node. The AD server acts as the DHCP/DNS server and is managed by another company. We can only get a read-only account to set up IPAM. Are there any best practices for this?

 

Kind regards,

Kris

Re: IPAM with AD read-only account

Adviser

Hi Kris,

 

From what I understand, you are interested in syncing Microsoft (MS) DNS and DHCP data into the Infoblox GUI but would like to do so with the least amount of permissions on the configured user account. I also assume that you would be using IPAM as 'READ-ONLY' for the synced data, i.e. the sync is in read-only mode and no add/delete/modify operations are intended from the Infoblox end.

 

First thing to note is that, regardless of the permissions/privileges you may have on the user account configured for this purpose, if the sync is configured as read-only, the GUI itself prevents ALL add/delete/modify capabilities on ANY/EVERY MS-synced DNS/DHCP data object.

 

If you are still concerned and want to use only an AD user account that holds minimal permissions for syncing DNS AND DHCP data, I would suggest the following.

 

Sync: AD user permissions
DHCP: AD user that is part of the predefined AD group named 'DHCP Users'
DNS: AD user in an AD user group that has 'Read' permission configured in the concerned DNS server's Properties

 

NOTE:
While there is a predefined group named 'DHCP Users' that already has read-only access to DHCP servers in the AD environment, there may or may not be a predefined user group that has read-only access to DNS servers in your AD environment. If there isn't one, then I would suggest simply creating a group, adding the user account configured for MS sync purposes to that group, and then navigating to the AD DNS server Properties --> Security settings and adding this newly created user group with ONLY 'Read' access.

 

Additionally, for guidelines, documentation on best practices, initial configuration and implementation, I would suggest getting in touch with your Infoblox Account Team.

Best Regards,
Bibin Thomas
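The account setup described in the reply above, as an added PowerShell example (not from the thread and not Infoblox's own tooling). It assumes the domain bogus.local and the account name svc.ipam, both taken from the sync log posted later in this thread; the DHCP/DNS host name ms-dhcp01 and the group name Infoblox-DNS-ReadOnly are hypothetical. It also assumes RSAT's ActiveDirectory module on the admin host and, for the member-server branch, WinRM to the DHCP server.

```powershell
# Added example (not from the original thread or from Infoblox): provision the
# least-privilege AD account for the Infoblox MS sync and check it holds nothing more.
# Assumed names: domain bogus.local / account svc.ipam come from the log posted in
# this thread; ms-dhcp01 and Infoblox-DNS-ReadOnly are hypothetical.
Import-Module ActiveDirectory

$svcAccount = 'svc.ipam'
$dhcpServer = 'ms-dhcp01'
$dnsReadGrp = 'Infoblox-DNS-ReadOnly'

# 1. No predefined read-only DNS group exists, so create one. Afterwards grant it
#    'Read' (and nothing else) in DNS Manager: server node -> Properties -> Security.
if (-not (Get-ADGroup -Filter "Name -eq '$dnsReadGrp'")) {
    New-ADGroup -Name $dnsReadGrp -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Read-only access to MS DNS server settings for Infoblox MS sync'
}
Add-ADGroupMember -Identity $dnsReadGrp -Members $svcAccount

# 2. 'DHCP Users' is the read-only DHCP group. When the DHCP role runs on a domain
#    controller (the situation in this thread) it is a domain local group in AD; on a
#    member server it is a local group on that machine, so the member is added there.
$dhcpIsDC = [bool](Get-ADDomainController -Filter "Name -eq '$dhcpServer'")
if ($dhcpIsDC) {
    Add-ADGroupMember -Identity 'DHCP Users' -Members $svcAccount
} else {
    $domainNetbios = (Get-ADDomain).NetBIOSName
    Invoke-Command -ComputerName $dhcpServer -ScriptBlock {
        net localgroup 'DHCP Users' "$using:domainNetbios\$using:svcAccount" /add
    }
}

# 3. Least-privilege check: the account must not be a member, directly or through
#    nesting, of any administrative group. -Recursive expands nested membership;
#    groups that do not exist in this domain (e.g. DHCP Administrators when DHCP is
#    not on a DC) are skipped silently.
$adminGroups = 'Domain Admins', 'Administrators', 'DHCP Administrators', 'DnsAdmins',
               'Account Operators', 'Server Operators'
$userDn = (Get-ADUser -Identity $svcAccount).DistinguishedName
$excess = foreach ($g in $adminGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members.DistinguishedName -contains $userDn) { $g }
}

if ($excess) {
    Write-Warning "$svcAccount is (transitively) a member of: $($excess -join ', ')"
} else {
    $direct = (Get-ADPrincipalGroupMembership -Identity $svcAccount).Name -join ', '
    "$svcAccount holds only: $direct"
}
```

Run it once as a domain admin to provision, then keep step 3 as a recurring check: the value of the read-only account is lost the moment someone adds it to DHCP Administrators "to make the sync work", which is exactly what a later post in this thread tried.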

Re: IPAM with AD read-only account


Hi Bibin,

 

not completely.

We have to set up an IPAM for a customer; the AD is maintained by another third party who is willing to give us a read-only account. They don't want us to touch the AD since it is their responsibility.

The customer has one company responsible for their systems and us for their network/security.

 

Kind regards,

Kris

Re: IPAM with AD read-only account

Adviser

Hi Kris,

 

I am still a bit confused about the requirement because I am not certain how this differs from my understanding in the previous update.

Is the below accurate enough?

- AD with Microsoft DNS/DHCP is completely managed by a 3rd party AD team who wouldn't provide user accounts on a per user basis to logon to their AD servers/environment.
- The customer has an Infoblox appliance which he wishes to use for IPAM and also have a Read-Only AD user account


So are you asking about Microsoft Management using Infoblox and the least privileges you would require to manage MS DNS/DHCP in Read-Write/Read-Only mode via the Infoblox GUI?

 

If YES, my previous update should help.
If I am missing something, I request you to fill in the gaps.

 

Best Regards,

 

Bibin

Re: IPAM with AD read-only account


Hi Bibin,

 

We want to use the Infoblox for IPAM only, but we need the data from the DHCP servers as input.

We can get an AD account that has read-only rights.

 

 

Kind regards,

Kris

Re: IPAM with AD read-only account

Adviser

Hi Kris,

 

Gotcha.

So Infoblox would be syncing DHCP data from MS DHCP servers, which is expected to populate IPAM.


An AD user that is part of the predefined AD group named 'DHCP Users' would suffice for this purpose. Just any AD user would not be enough, as they are only expected to be part of the 'Domain Users' group and would not have sufficient privileges to read DHCP data. So adding that user to the 'DHCP Users' group should be enough.

Additionally, you would need a Microsoft Management license on your Infoblox IPAM node.

 

Thank you,

Bibin Thomas

Re: IPAM with AD read-only account


Hi Kris,

 

Bkoshy is totally right: you first need to install the Microsoft Management license, after which you can add your Microsoft servers from the Grid tab.

In this section, you can specify your servers, the Infoblox appliance that needs to integrate with these servers, credentials with admin privileges (read-only access), and sync intervals (2 min by default).

After finishing, IPAM can see all the networks configured on your Microsoft servers.

 

It is better to add the Microsoft server status widget to your dashboard.

 

Thank you

Racha

Re: IPAM with AD read-only account

 

Hi Racha and Bibin,

 

I tried this with a standard Read-only account but it doesn't work.

I get the following errors:

Could not open Service Control Manager: the requested operation failed

Couldn't open RPC interface <MS-DNSP>: the transport-connection attempt was refused by the remote system

The documentation is confusing about rights:

one document describes that you need admin rights (we don't get them):

https://community.infoblox.com/t5/Support-Central-Blog/Support-Central-KB-296-Getting-the-status-as-...

other documents claim you need read-only rights:

https://www.infoblox.com/wp-content/uploads/infoblox-solution-note-read-only-access-ms-dns.pdf

https://www.infoblox.com/wp-content/uploads/infoblox-solution-note-read-only-access-ms-dhcp.pdf

 

How can we get this to work with a read-only account?

 

Kind regards,

Kris

Re: IPAM with AD read-only account

Adviser

Hi Kris,

 

Based on the errors, it sounds like you are trying to do too many things with a limited user account.

 

1- Could not open Service Control Manager: the requested operation failed

 

The above error means that the user in question does not have privileges on the SCMR, which is expected because by default such a privilege only comes with Domain Admin user accounts in AD. BUT the good news is that these errors usually do not have anything to do with the synchronization of DNS/DHCP data. Permission on the SCMR is only required for purposes such as starting and stopping Microsoft DNS/DHCP services from the Infoblox GUI.

 

Suggestion:
Since I am sure there is no way you can use a domain admin user account, ignore that error message and additionally try disabling your selections for "Monitor and Control DNS Services" and "Monitor and Control DHCP Services".

 

2 - Couldn't open RPC interface <MS-DNSP>

 

This is related to synchronization of DNS data. Since you had earlier mentioned only requiring to sync DHCP data, may I know whether you have enabled synchronization for DNS as well, whilst either pointing to an MS DHCP server not running DNS OR whilst using a user account only privileged to read DHCP data?

 

Additionally, please review your firewall rules (including the Windows firewall) to ensure that the Infoblox member can communicate with the MS server over TCP ports 445 and 135.

 

Best Regards,
Bibin Thomas
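The checks suggested in the reply above, as an added PowerShell example that is not from the thread or from Infoblox; it lets you reproduce the sync's network path and RPC calls from a Windows admin host before opening a case. It assumes the server name ms-dhcp01.bogus.local (hypothetical), the sync account bogus.local\svc.ipam (from the log posted later in this thread), the RSAT DHCP and DNS tools installed locally, and WinRM access to the server for step 2. One caveat I add here from how Windows RPC works, not from the thread: TCP 135 is only the endpoint mapper. The DHCP server interface (MS-DHCPM) that the sync opens afterwards is served on a dynamic port that the mapper hands out (49152-65535 by default on Server 2008 and later), so a firewall that passes 135 and 445 but filters that range produces exactly the pattern of an "initial RPC connection" succeeding and the MS-DHCPM open being refused.

```powershell
# Added example (not from the original thread or from Infoblox): reproduce the
# Infoblox MS sync's network path and RPC calls from a Windows admin host.
# Assumptions: ms-dhcp01.bogus.local is hypothetical; svc.ipam is the account from
# the posted log; RSAT DHCP/DNS tools are installed; WinRM works for step 2.
$server = 'ms-dhcp01.bogus.local'

# 1. The two fixed ports the reply asks for: 135 (RPC endpoint mapper) and
#    445 (SMB, carries the named-pipe RPC interfaces such as MS-SRVS/MS-WKST).
foreach ($port in 135, 445) {
    $r = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
    '{0,4}/tcp : {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 2. MS-DHCPM is reached on a dynamic port handed out by the endpoint mapper.
#    Ask the server which range it uses and whether the DHCP role's own inbound
#    firewall rules (including the RPC one) are enabled, so that range can be
#    compared against any firewall sitting between the Infoblox member and the server.
Invoke-Command -ComputerName $server -ScriptBlock {
    netsh int ipv4 show dynamicport tcp
    Get-NetFirewallRule -DisplayGroup 'DHCP Server' |
        Select-Object DisplayName, Enabled, Direction, Action
}

# 3. Exercise the same RPC interfaces the sync uses, with the same account.
#    netsh dhcp speaks MS-DHCPM and dnscmd speaks MS-DNSP, so run this script in a
#    shell started as the sync account (runas /user:bogus.local\svc.ipam powershell)
#    to see the permission result Infoblox would see. Both calls are read-only.
netsh dhcp server \\$server show scope      # needs 'DHCP Users' membership
dnscmd $server /EnumZones                   # needs 'Read' on the DNS server
```

Reading the results: a BLOCKED on 135 or 445 is a plain firewall problem; both open but `netsh dhcp` failing with an RPC server unavailable error points at the dynamic range in step 2; `netsh dhcp` returning scopes while the Infoblox sync still fails narrows the problem to the appliance's path or a firewall in between, which is the packet capture case the reply mentions. Leave the DNS call out if you only sync DHCP data, since the sync account is not expected to have DNS rights in that setup.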

Re: IPAM with AD read-only account


Hi guys,

 

It is still not working and I'm not sure if it is on the Infoblox part or the Microsoft server.

What I see in the logs:

Established initial RPC connection.
Presented version: <Windows Server 2012 R2 Standard 6.3>
Opened RPC interface <MS-DSSP> as user 'bogus.local\svc.ipam'
Established initial RPC connection.
Established additional RPC connection.
Opened RPC interface <MS-WKST> as user 'bogus.local\svc.ipam'
Established initial RPC connection.
Established additional RPC connection.
Opened RPC interface <MS-SRVS> as user 'bogus.local\svc.ipam'
Server information synchronization end: success
Starting synchronization.
Forcing read-only synchronization due to stale data.
Couldn't open RPC interface <MS-DHCPM-dhcpsrv>: the transport-connection attempt was refused by the remote system
Aborted DHCP server synchronization.
Aborting synchronization.
Summary of operations on NIOS/Microsoft (added, updated, deleted, ignored): scopes (0/0, 0/0, 0/0, 0/0), reservations (0/0, 0/0, 0/0, 0/0), server options (0/0, 0/0, 0/0, 0/0), scope options (0/0, 0/0, 0/0, 0/0), reservation options (0/0, 0/0, 0/0, 0/0), failover relationships (0/0, 0/0, 0/0, 0/0), exclusions (0/0, 0/0, 0/0, 0/0).

 

For a test we gave the user temporary admin rights for DHCP, but that didn't solve it.

It does not look like a firewall/routing issue since the RPC connection gets established.

When I test the server I get:

the transport-connection attempt was refused by the remote system

 

So something seems to be missing.

 

Kind regards,

Kris

 

 

Re: IPAM with AD read-only account


Hi guys,

 

Thank you for all the effort, but it is still not working.

When I look at the logs:

Established initial RPC connection.
Presented version: <Windows Server 2012 R2 Standard 6.3>
Opened RPC interface <MS-DSSP> as user 'bogus.local\svc.ipam'
Established initial RPC connection.
Established additional RPC connection.
Opened RPC interface <MS-WKST> as user 'bogus.local\svc.ipam'
Established initial RPC connection.
Established additional RPC connection.
Opened RPC interface <MS-SRVS> as user 'bogus.local\svc.ipam'
Server information synchronization end: success
Starting synchronization.
Forcing read-only synchronization due to stale data.
Couldn't open RPC interface <MS-DHCPM-dhcpsrv>: the transport-connection attempt was refused by the remote system
Aborted DHCP server synchronization.
Aborting synchronization.
Summary of operations on NIOS/Microsoft (added, updated, deleted, ignored): scopes (0/0, 0/0, 0/0, 0/0), reservations (0/0, 0/0, 0/0, 0/0), server options (0/0, 0/0, 0/0, 0/0), scope options (0/0, 0/0, 0/0, 0/0), reservation options (0/0, 0/0, 0/0, 0/0), failover relationships (0/0, 0/0, 0/0, 0/0), exclusions (0/0, 0/0, 0/0, 0/0).

 

You see that the Microsoft server is refusing the connection; we switched off the Windows Firewall and elevated the user to DHCP admin with the same result.

What am I missing?

 

Kind regards,

Kris

Re: IPAM with AD read-only account

Adviser

Hi Kris,

 

Are you sure that there aren't any other firewalls between the Infoblox and MS server?

Per the logs and as per your troubleshooting, this is not a permissions issue. Have you tried syncing with another DHCP server in the domain?

 

This may require packet capture analysis and a support session to troubleshoot better.

 

I would recommend opening a case with Infoblox Support.

 

Best Regards,
Bibin Thomas
