Active Directory Integration

New Member
Posts: 4

 

Can anyone share some of your experience with Active Directory integration with Infoblox?

 

We are creating a new Forest and use Infoblox as the Authoritative DNS service.

The zone has been created in the Infoblox. All the underscore folders have been created as well.

We made the host record of the domain controller in IPAM and it populates the subzone record.

 

When I run DCDIAG on the domain controller, it gives me an error:

"*._msdcs.mydomain could not be resolved to an IP address, Check the DNS , DHCP , serve name, etc. Got error while checking LDAP and RPC connectivity. Please check your firewall setting., .. failed test connectivity " 

 

The domain controller can be resolved via forward and reverse lookup. So where should I start troubleshooting? Any advice is much appreciated.

 

Thanks

 

Ken 

Re: Active Directory Integration

Adviser
Posts: 11

If you look at _msdcs.mydomain, do you see any records?

 

Make sure your DC Resolver settings are pointing to the IB DNS Primary.

Did you add the DCs IP addresses to 'Allow Update' or 'Active Directory' in the Grid or Zone Settings?

(or do you use GSS-TSIG?).

 

You don't need to add a Host-Record for the DC. The DC will register itself when updates are allowed.

 

Test Updates via 'ipconfig /registerdns' for the A Record of the DC. Review the Logs of the Grid DNS Primary.

Use 'nltest /dsregdns' to force the DC to send the SRV Records to DNS. Also review logs for error or success messages.

 

 

 

 

Re: Active Directory Integration

New Member
Posts: 4

Hi SSieber,

 

We did allow the DC to update and we are not using GSS-TSIG.

I ran "ipconfig /registerdns" and forced the DC to send SRV records to DNS several times.

Is there any log file I can find from Windows (other than the eventlog) for further investigation ?

 

Thanks 

 

Re: Active Directory Integration

Adviser
Posts: 11

If it is not working, MS writes something to the Eventlog (not exactly sure in which). You also should be able to see something in the Infoblox Syslog (Administration / Log / Syslog).

Best if you could post a snippet here. If it does not show any log, then it is not configured correctly.

 

Re: Active Directory Integration

New Member
Posts: 4

Thanks SSieber, 

 

Your advice is very helpful.

We ended up re-creating the Forest due to some other issues.

This time the dcdiag is showing the connection being established.

 

 

Re: Active Directory Integration

New Member
Posts: 1

We also are creating a new Forest and use Infoblox as the Authoritative DNS service.

The zone was created in the Infoblox. All the underscore zones were created as well.

We also 'Allow unsigned updates from these controllers'.

The controllers are able to populate the subzone records, e.g. 

 

[...] adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.[...]

 

However, the DCs cannot add their IP to the host record, e.g.

 

show log syslog 1 | /10.167.32.207/
251654:2018-01-17T15:27:01+00:00 daemon [primary-ns] named[41572]: info client 10.167.32.207#53625: updating zone '[zone-name]/IN': update unsuccessful: [zone-name]: 'name not in use' prerequisite not satisfied (YXDOMAIN)

 

I could manually update the zone record with the DC IP addresses, but the Windows group wants to be able to do this themselves, as with other records.

Re: Active Directory Integration

New Member
Posts: 4

You can probably try to re-register on the DC:

net stop netlogon

net start netlogon

ipconfig /registerdns 

Re: Active Directory Integration

Moderator
Posts: 72

Hi John,

 

The log message you've posted indicates that the prerequisite, which is 'name not in use' is not satisfied. This means that the DC is attempting to update DNS but DNS does not allow it because there is already a record present by that name.

 

Usually this should result in the existing A/PTR record being deleted and new records being added, or in the case of a HOST record it should be split into A and PTR, but not if the existing records are protected.

 

Things to check:
- Look for the record (dc-name) that is failing to update inside the zone in question.

- Edit the A/HOST record and navigate to the "Updates" sidetab and verify whether the record is protected.

- If the record is not protected and if it is a HOST record, edit the record and look for any MAC address associations in the "General" sidetab, which is an indirect way of making a HOST record protected.

 

Additionally:
If the record exists and if it is protected and if its data is correct, I would suggest leaving it the way it is and ignoring the error.

 

Best Regards,
Bibin Thomas
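
The 'name not in use' prerequisite failure John posted and the checks Bibin lists above can be triaged straight from the Grid syslog. The following is an added example, not Infoblox's or Microsoft's own tooling: a Python parser for the named dynamic-update messages that groups results per client and maps each prerequisite code to the check suggested in the thread. The sample input is the quoted YXDOMAIN line plus constructed lines in the same format; the zone, host and IP values in the constructed lines are hypothetical.

```python
"""Triage BIND/Infoblox named dynamic-update log lines (added example).

Parses the syslog lines a Grid DNS primary writes when a domain controller
sends a DNS UPDATE, and groups the outcomes per client so the record names
and prerequisite codes behind a failure stand out.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first (YXDOMAIN) line is the one quoted in the
# thread; the other three are hypothetical lines in the same named(8) format.
SAMPLE_LOG = """\
251654:2018-01-17T15:27:01+00:00 daemon [primary-ns] named[41572]: info client 10.167.32.207#53625: updating zone '[zone-name]/IN': update unsuccessful: [zone-name]: 'name not in use' prerequisite not satisfied (YXDOMAIN)
251655:2018-01-17T15:27:02+00:00 daemon [primary-ns] named[41572]: info client 10.167.32.207#53626: updating zone 'corp.example/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.corp.example' SRV 0 100 3268 dc01.corp.example.
251656:2018-01-17T15:27:03+00:00 daemon [primary-ns] named[41572]: info client 10.167.32.208#61000: update 'corp.example/IN' denied
251657:2018-01-17T15:27:04+00:00 daemon [primary-ns] named[41572]: info client 10.167.32.208#61001: updating zone 'corp.example/IN': update unsuccessful: dc02.corp.example: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
"""

# "client <ip>#<port>: <message>" is common to every update-related line.
CLIENT_RE = re.compile(r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.*)$")
# RFC 2136 prerequisite failure: the name, the prerequisite text and the RCODE.
PREREQ_RE = re.compile(
    r"updating zone '(?P<zone>[^']+)/IN': update unsuccessful: "
    r"(?P<name>.+?): '(?P<prereq>[^']+)' prerequisite not satisfied \((?P<rcode>[A-Z]+)\)$"
)
# Successful addition of a record (the form seen for the SRV records).
ADD_RE = re.compile(r"updating zone '(?P<zone>[^']+)/IN': adding an RR at '(?P<name>[^']+)' (?P<rtype>\S+)")
# Update refused outright by zone policy.
DENIED_RE = re.compile(r"update '(?P<zone>[^']+)/IN' denied$")


@dataclass
class UpdateEvent:
    client: str
    zone: str
    outcome: str                 # "added", "prereq_failed" or "denied"
    name: Optional[str] = None   # record name the update touched
    rcode: Optional[str] = None  # YXDOMAIN, NXRRSET, ... for prereq failures
    prereq: Optional[str] = None


def parse_line(line: str) -> Optional[UpdateEvent]:
    """Return an UpdateEvent for an update log line, or None for other lines."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    client, msg = m.group("client"), m.group("msg")
    p = PREREQ_RE.match(msg)
    if p:
        return UpdateEvent(client, p["zone"], "prereq_failed", p["name"], p["rcode"], p["prereq"])
    a = ADD_RE.match(msg)
    if a:
        return UpdateEvent(client, a["zone"], "added", a["name"])
    d = DENIED_RE.match(msg)
    if d:
        return UpdateEvent(client, d["zone"], "denied")
    return None


def parse_log(text: str) -> List[UpdateEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def likely_cause(event: UpdateEvent) -> str:
    """Map an outcome to the check the thread suggests for it."""
    if event.outcome == "added":
        return "ok"
    if event.outcome == "denied":
        return ("refused by zone policy: client is not in the zone's 'Allow updates' / "
                "'Active Directory' list, or the zone expects GSS-TSIG signed updates")
    if event.rcode == "YXDOMAIN":
        return ("'name not in use' failed: a record with this name already exists; "
                "check whether the A/HOST record is protected (Updates sidetab) or has a MAC "
                "address association")
    return ("prerequisite '%s' failed: the client's view of the existing records differs "
            "from the zone; compare the record data in the zone" % event.prereq)


def summarize(events: List[UpdateEvent]) -> Dict[str, Dict[str, int]]:
    """Count outcomes per client IP, e.g. {'10.167.32.207': {'added': 1, ...}}."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e.client][e.outcome] += 1
    return {client: dict(outcomes) for client, outcomes in counts.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for client, outcomes in summarize(events).items():
        print(client, outcomes)
    for e in events:
        if e.outcome != "added":
            print("%s %s %s -> %s" % (e.client, e.zone, e.name or "", likely_cause(e)))
```

Feed it the output of `show log syslog` filtered on the DC's address, as John did; a client that only ever shows "denied" points at the zone's update permissions, while a client that adds its SRV records but fails with YXDOMAIN on its own host name is the protected-record case Bibin describes.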

Re: Active Directory Integration

New Member
Posts: 1

Hi All,

 

I'm wondering, is it common and recommended to host MS Domain Integrated DNS zone on Infoblox DNS servers as Authoritative zone and the Grid primary is one of the IB servers while MS DCs & DHCP servers are dynamically updating the required DNS records of the zone?

 

The second question is, if the above architecture is preferred, which MS Domain members have to be allowed for Dynamic DNS Updates? Is just allowing DCs and DHCP servers enough, or are MS Domain member clients necessary as well (please consider the usage of static IP addresses on some of the Domain members)?

 

Best regards,

Kazim Bozkurt
