07-12-2020 07:46 PM
Can any expert here help me verify the steps below and provide some advice?
The customer has multiple branches; some locations have Infoblox and some don't. They also have multiple AD DCs and RODCs in different locations.
Migrate all the domains/zones in the AD DCs into Infoblox. After successful migration, all AD DNS zones will be converted into secondary zones.
- create an authoritative zone
- configure ACL to allow updates from AD DNS
- configure AD DNS integration; the underscore (_) zones will be created automatically
- login into AD server
- configure DNS and point to Infoblox
- restart DNS service
- net stop netlogon
- net start netlogon
- ipconfig /registerdns
- Infoblox will sync all the SRV zone records (_ldap, _kerberos)
- Configure allow zone transfer from AD DNS to Infoblox
- Initiate import zone in Infoblox to import static A record and dynamic records
- Delete all dynamic records (because they will be imported as static records into Infoblox)
**Since the project is big, we will leave AD DNS running as normal, but the AD DNS server's DNS client setting will point to Infoblox as the preferred DNS server
Migration for branches that have Infoblox
- Through the DHCP server, dynamic clients' DNS settings will point to Infoblox
- Users will update their dynamic records directly in Infoblox
- However, there are many servers using static settings, which we will migrate slowly.
- In this case, the servers' DNS points to AD DNS, but the AD DNS server points to Infoblox as its preferred DNS. ** Will this cause issues for the servers operating as normal?
Migration for branches that do not have Infoblox
- The AD DNS in the branches will convert to secondary zones
- Infoblox will zone-transfer to AD DNS
- Client DNS will still be pointing to the local AD DNS
- Per our research, DHCP clients will update their dynamic records on the Grid Master directly. Therefore, we need to open UDP & TCP 53 from the branch networks to the Grid Master.
07-15-2020 05:48 AM
I've migrated multiple ADs to Infoblox-DNS just recently.
Mostly I concur with your steps, but I did it this way:
1.) Enabled zone transfer on the Windows DNS
2.) Created an ACL with the DCs that are allowed to update the zone
3.) Created a new authoritative zone on Infoblox (NIOS)
4.) Imported the zone to Infoblox and did the same for all subzones like _msdcs....
5.) Set the DC to use the infoblox as dns
6.) executed "net stop netlogon && net start netlogon" - that triggers the verification / registration of the SRV-Records, etc.
7.) Checked the syslog on the Infoblox-DNS to see possible errors
8.) If everything's good, set the Windows-DNS to forward all queries to the Infoblox
9.) Did the same on all DCs (writeable and readable).
10.) As soon as all the DCs have been migrated I deleted the AD-Integrated DNS-Zones transforming the Windows-DNS to be caching-only servers.
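The two procedures above both end with restarting Netlogon so the DC re-registers its SRV records, then checking that the Infoblox side actually holds them (step 7 of the second list). The following PowerShell script is an added example, not code from either poster or from Infoblox: it resolves the well-known Netlogon SRV names against the Infoblox member and against a DC still running Windows DNS and reports any record that is missing or differs. The domain name and server addresses are placeholders.

```powershell
# Added example (not from the thread): verify that the SRV records Netlogon
# registers after "net stop netlogon && net start netlogon" are answered by the
# Infoblox member, and compare with what a Windows DNS server still holds.
# All names and addresses below are placeholders; replace with your own.
$Domain      = 'corp.example.com'   # AD DNS domain (placeholder)
$InfobloxDns = '10.0.0.53'          # Infoblox DNS member / Grid Master (placeholder)
$WindowsDns  = '10.0.0.10'          # a DC still running Windows DNS (placeholder)

# Well-known SRV names Netlogon registers for a domain and its _msdcs subzone.
$SrvNames = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

function Get-SrvTargets {
    # Returns the sorted, unique "target:port" set an SRV name resolves to on
    # one server, or an empty array on NXDOMAIN / no answer.
    param([string]$Name, [string]$Server)
    try {
        @(Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" } |
            Sort-Object -Unique)
    } catch {
        @()
    }
}

$report = foreach ($name in $SrvNames) {
    $onInfoblox = @(Get-SrvTargets -Name $name -Server $InfobloxDns)
    $onWindows  = @(Get-SrvTargets -Name $name -Server $WindowsDns)
    # Both sets are sorted and unique, so a joined-string comparison is a set comparison.
    $same = (($onWindows -join ',') -eq ($onInfoblox -join ','))
    [pscustomobject]@{
        Record        = $name
        InfobloxCount = $onInfoblox.Count
        WindowsCount  = $onWindows.Count
        Status        = if ($onInfoblox.Count -eq 0) { 'MISSING on Infoblox' }
                        elseif (-not $same)          { 'DIFFERS' }
                        else                         { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

Run it from a DC after the Netlogon restart; any line marked MISSING or DIFFERS is worth cross-checking against the Infoblox syslog mentioned in step 7 before moving on to the next DC. On the Windows side, `dcdiag /test:DNS` gives the built-in view of the same registration.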
07-17-2020 07:30 AM
Thank you so much for your sharing. I have one question regarding your migration:
1. For steps 9 and 10, did you do it in one shot for all DCs or phase by phase? FYI, my customer has 60++ DC servers; we are thinking of doing it phase by phase, but we worry that problems will occur during that period.
03-21-2022 05:19 AM
Hi Philipp / Team,
Here I would like to know how you converted Infoblox from secondary name server to primary?
10-08-2022 11:55 PM
I have done the same steps; when I test AD replication to sync with each other it fails (I have 4 ADs in different DCs).
I checked on the MS side that some _ type records are missing.
On the Infoblox, I believe the sub-zones are created, but inside those zones there is nothing.
My question is: on the AD side the zone is there, and on top of that zone there is the sub-zone _msdcs.test.local. This zone's and sub-zone's records are not coming over.
It will be highly appreciated if someone has experience with this and knows how to fix it.
10-11-2022 08:26 AM - edited 10-11-2022 09:06 AM
We did the MS DNS zones migration into Infoblox, but we are facing a problem with DDNS updates. All servers have static IP addresses from subnets not owned by Infoblox.
When we make any change on any server (hostname, IP address, rebooting, etc.) the server does not send DDNS updates to Infoblox. When we use ipconfig /registerdns it works fine, and also after 24 hours the server sends the DNS update.
Has anyone faced this problem before? How can we get the servers to send the updates automatically? Is there a specific configuration we need to do on Infoblox?
Thanks for your help!
10-12-2022 06:44 AM
If you are using secure AD zones you'll need to configure Infoblox to use GSS-TSIG. You'll need to create a user account in AD for Infoblox to use and add it to the DNSUpdateProxy group. You'll need to run ktpass to generate a keytab file and load it into Infoblox so that it can authenticate with AD. Then you'll need to specify which zones use GSS-TSIG updates. There's quite a few things to do but it does work quite well once all set up. Best place to start is the manuals.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
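The reply above lists the AD-side preparation for GSS-TSIG (service account, DnsUpdateProxy membership, ktpass keytab) without the commands. The following PowerShell is an added example, not from the poster or from Infoblox, showing those three steps in order. The realm, member FQDN, account name and keytab path are placeholders; the SPN form `DNS/<member FQDN>` is the usual convention for DNS GSS-TSIG and is an assumption here, so confirm the exact principal your NIOS version expects in the Infoblox manual, as the reply suggests.

```powershell
# Added example (not from the thread): create the AD service account the
# Infoblox member uses for GSS-TSIG dynamic updates, add it to DnsUpdateProxy,
# and export a keytab with ktpass. All names below are placeholders.
Import-Module ActiveDirectory

$Realm      = 'CORP.EXAMPLE.COM'               # Kerberos realm = AD domain, upper-case (placeholder)
$MemberFqdn = 'ns1.corp.example.com'           # Infoblox DNS member hostname (placeholder)
$SamName    = 'svc-infoblox-ddns'              # service account name (placeholder)
$Keytab     = 'C:\Temp\infoblox-ddns.keytab'   # output keytab path (placeholder)

# Prompt once for the account password; ktpass asks for the same value again.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamName"

# 1. Service account restricted to AES so the keytab and the account agree on the etype.
New-ADUser -Name $SamName -SamAccountName $SamName `
    -UserPrincipalName "$SamName@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES256

# 2. DnsUpdateProxy membership, as the reply recommends, so the account may
#    register records on behalf of other hosts.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $SamName

# 3. ktpass maps the DNS/<member> SPN (assumed principal form, see lead-in) to the
#    account and writes the keytab. /pass * prompts interactively; /crypto must
#    match the encryption type set on the account above.
ktpass /princ "DNS/$MemberFqdn@$Realm" `
       /mapuser "$SamName@$Realm" `
       /pass * `
       /crypto AES256-SHA1 `
       /ptype KRB5_NT_PRINCIPAL `
       /out $Keytab

# Sanity check: the SPN must now be present on the account before the keytab
# is uploaded to the Grid and the zones are switched to GSS-TSIG updates.
Get-ADUser -Identity $SamName -Properties ServicePrincipalName |
    Select-Object -ExpandProperty ServicePrincipalName
```

Keep the keytab file access-restricted and delete the local copy once it has been uploaded to the Grid; it is equivalent to the account's password.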
10-12-2022 08:42 AM - edited 10-12-2022 08:43 AM
- We configured GSS-TSIG on the migrated zones.
- Allowed updates from the subnets via ACL.
- Allowed updates from the DCs.
And Infoblox is receiving DNS updates from the servers and DCs in two cases:
- Issuing ipconfig /registerdns
- Every 24 hours (The default refresh interval)
The problem is that when making changes on the servers (joining the domain, changing the hostname or IP address), they should send updates to Infoblox, as is the normal behavior with AD-integrated DNS zones; however, the servers don't do that.
From a packet capture we saw that the servers send a query request for the SOA and then stop.
Much appreciate your help!
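The capture described above (SOA query, then nothing) is what a Windows client does before a dynamic update: it looks up the zone's SOA and sends the update to the primary master named in it. The following PowerShell is an added diagnostic example, not from the poster or from Infoblox, to run on one of the affected servers: it lists the per-adapter registration flags, reads the registration refresh interval behind the 24-hour behaviour, resolves the SOA primary master and tests TCP reachability to it on port 53, then forces a registration and shows the DNS Client events. The zone name is a placeholder.

```powershell
# Added example (not from the thread): client-side DDNS registration check on a
# Windows server. The zone name is a placeholder.
$Zone = 'corp.example.com'   # the migrated zone (placeholder)

# 1. Per-adapter registration flags. An adapter with
#    RegisterThisConnectionsAddress = False never sends updates on its own.
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                  RegisterThisConnectionsAddress, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# 2. Registration refresh interval in seconds. When the value is absent the
#    client uses its default of 86400 (one day), i.e. the 24 h behaviour seen
#    in the thread.
$dnsCacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$interval = (Get-ItemProperty -Path $dnsCacheKey).DefaultRegistrationRefreshInterval
if ($null -eq $interval) { "DefaultRegistrationRefreshInterval: not set (default 86400 s)" }
else                     { "DefaultRegistrationRefreshInterval: $interval s" }

# 3. The client sends the update to the SOA primary master (MNAME). Check that
#    the name resolves from this server and that port 53 is reachable, since the
#    capture stops right after the SOA answer.
$soa = Resolve-DnsName -Name $Zone -Type SOA -DnsOnly -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
"SOA primary master for $Zone : $($soa.PrimaryServer)"

$master = Resolve-DnsName -Name $soa.PrimaryServer -Type A -DnsOnly -ErrorAction Stop |
          Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
"Primary master resolves to $($master.IPAddress)"
Test-NetConnection -ComputerName $master.IPAddress -Port 53 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Force a registration (same effect as "ipconfig /registerdns") and show the
#    most recent DNS Client events from the System log, where registration
#    failures are reported.
Register-DnsClient
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client' } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the SOA primary master in step 3 resolves to a server that does not accept updates from this subnet, or is unreachable from it, that matches the observed "SOA query, then stop" pattern and points at the zone's SOA MNAME or the update ACL rather than at the client.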