Active Directory

Integration with TCPWave IPAM

Active Directory and DNS

Microsoft's Active Directory is a directory service developed by Microsoft and used to store objects such as users, computers, printers, and network information. It is primarily used for authentication and resource management within an Active Directory domain. The AD infrastructure relies heavily on the DNS infrastructure: it is mandatory to have a one-to-one mapping between an AD forest name and a DNS domain name, and the domain controllers self-register their DNS resource records. It is a common misconception that Microsoft's AD requires Microsoft's DNS. The TCPWave DDI management is engineered to integrate seamlessly with Microsoft Active Directory. It can manage large AD environments, and it adds stability by centralizing the DDI management. The content below describes common challenges in a large AD-integrated DNS environment and lists the advantages of the TCPWave engineered design, which fully supports integration with Active Directory.


TCPWave's DDI solution centralizes the DNS management in the enterprise. In the TCPWave managed DDI design, each domain controller points to a cache-only TCPWave DDI appliance. The cache-only DNS appliances fetch the DNS answers from the TCPWave authoritative DDI appliances. The TCPWave IPAM, running in an HA (High Availability) mode, manages the authoritative and the cache DNS appliances. Each domain controller in each AD forest updates the authoritative DNS zone that is hosted on the TCPWave authoritative DDI remote. The TCPWave IPAM is capable of configuring an IP-based ACL to accept the DNS updates from the domain controllers. Since a UDP-based update controlled only by an IP-based ACL is subject to spoofing or hijacking, TCPWave goes one step further and secures the DNS update using GSS-TSIG. The GSS-API mechanism uses Kerberos to pass security tokens that provide authentication, integrity, and confidentiality. The web interface of the TCPWave IPAM provides a simplified method to manage the Kerberos configurations, Service Principal Names (SPN), secure DNS update policies, TSIG keys, etc. across all the AD-enabled DNS zones. The TCPWave design provides a seamless AD integration with auditing, reporting, disaster recovery, monitoring, role-based access control, and many more features.

The TCPWave DDI administrators can define the Active Directory enabled zones on the TCPWave IPAM. When a new Microsoft Active Directory Domain Controller is provisioned, the AD installation wizard creates a file known as netlogon.dns. The contents of this file are read by the netlogon process, and the domain controller attempts to register those resource records into DNS. The TCPWave DNS infrastructure can be pre-configured to accept the updates from the domain controller. When the TCPWave DNS remote sees an incoming dynamic DNS registration from the domain controller, it accepts it, and the slave DNS remotes are updated automatically. The TCPWave DNS remote management agent then sends the newly learned AD resource records to the TCPWave DDI Management, where they are stored in its replicated database. Since the TCPWave design adopts the use of DNS zone templates, standards can easily be enforced and changes can be performed consistently across the globe with a few mouse clicks. The overall size of the AD replicated database shrinks when DNS is decoupled from the domain controllers. This is another significant advantage of migrating the DDI management to TCPWave, since it resolves AD replication delays.
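The two passages above describe an IP ACL plus a secure update policy deciding which netlogon.dns records a domain controller may register. The following is an added illustration, not TCPWave's code or the IPAM's actual policy engine: it parses a constructed netlogon.dns sample and evaluates each record against a small update policy modelled on BIND's ms-self / ms-subdomain rule types, keyed on the Kerberos principal that GSS-TSIG would authenticate. The zone name, DC subnet, principals and record values are all made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of the records a freshly promoted domain controller lists in
# netlogon.dns and tries to register (names, addresses and the GUID are invented).
NETLOGON_DNS = """\
corp.example.com. 600 IN A 10.20.0.5
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_ldap._tcp.Default-First-Site-Name._sites.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
a1b2c3d4-1111-2222-3333-444455556666._msdcs.corp.example.com. 600 IN CNAME dc1.corp.example.com.
gc._msdcs.corp.example.com. 600 IN A 10.20.0.5
dc1.corp.example.com. 600 IN A 10.20.0.5
"""


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_netlogon_dns(text):
    """Parse 'name ttl IN type rdata' lines into Record objects (names lowercased)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append(Record(name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def is_under(name, apex):
    """True if 'name' is 'apex' itself or lies below it (absolute, lowercase names)."""
    return name == apex or name.endswith("." + apex)


def ms_self_name(principal):
    """Map a machine principal MACHINE$@REALM to machine.realm. (BIND's ms-self mapping)."""
    account, realm = principal.split("@", 1)
    if not account.endswith("$"):
        return None  # user principals never qualify for ms-self
    return f"{account[:-1].lower()}.{realm.lower()}."


@dataclass(frozen=True)
class Rule:
    identity: str            # realm for ms-* rules, an exact principal for 'name'
    kind: str                # 'ms-self' | 'ms-subdomain' | 'name'
    name: str = ""
    types: frozenset = frozenset({"ANY"})

    def permits(self, principal, rec):
        if "ANY" not in self.types and rec.rtype not in self.types:
            return False
        if "@" not in principal:
            return False
        realm = principal.split("@", 1)[1]
        if self.kind == "ms-self":
            return realm == self.identity and rec.name == ms_self_name(principal)
        if self.kind == "ms-subdomain":
            return realm == self.identity and is_under(rec.name, self.name)
        if self.kind == "name":
            return principal == self.identity and rec.name == self.name
        raise ValueError(f"unknown rule kind {self.kind}")


# Hypothetical zone, DC subnet and policy for the example.
ZONE = "corp.example.com."
DC_ACL = [ipaddress.ip_network("10.20.0.0/24")]
POLICY = [
    Rule("CORP.EXAMPLE.COM", "ms-self", types=frozenset({"A", "AAAA"})),
    Rule("CORP.EXAMPLE.COM", "ms-subdomain", "_msdcs.corp.example.com.", frozenset({"A", "SRV", "CNAME"})),
    Rule("CORP.EXAMPLE.COM", "ms-subdomain", "_tcp.corp.example.com.", frozenset({"SRV"})),
    Rule("CORP.EXAMPLE.COM", "ms-subdomain", "_sites.corp.example.com.", frozenset({"SRV"})),
    Rule("DC1$@CORP.EXAMPLE.COM", "name", "corp.example.com.", frozenset({"A"})),
]


def evaluate_update(principal, source_ip, records, zone=ZONE, acl=DC_ACL, policy=POLICY):
    """Return (accepted, rejected); rejected entries are (record, reason) pairs.
    The IP ACL is checked first, then every record must be inside the zone and
    be granted by at least one policy rule for the authenticated principal."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in acl):
        return [], [(r, "source address outside update ACL") for r in records]
    accepted, rejected = [], []
    for rec in records:
        if not is_under(rec.name, zone):
            rejected.append((rec, "name not inside the AD-enabled zone"))
        elif not any(rule.permits(principal, rec) for rule in policy):
            rejected.append((rec, f"no rule grants {principal} this name/type"))
        else:
            accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    recs = parse_netlogon_dns(NETLOGON_DNS)
    ok, bad = evaluate_update("DC1$@CORP.EXAMPLE.COM", "10.20.0.5", recs)
    print(f"DC1 registration: {len(ok)} accepted, {len(bad)} rejected")
    # Same subnet (the IP ACL alone would pass this), but a user principal trying to
    # overwrite the DC's host record: the identity-based policy rejects it.
    ok, bad = evaluate_update("jdoe@CORP.EXAMPLE.COM", "10.20.0.77",
                              [Record("dc1.corp.example.com.", 600, "A", "10.20.0.77")])
    for rec, reason in bad:
        print(f"rejected {rec.name} {rec.rtype}: {reason}")
```

The point the example makes is the one the text makes: the ACL only says which addresses may talk to the server, while the policy ties every record to the Kerberos identity GSS-TSIG authenticated, so an update from an allowed subnet still cannot rewrite another machine's records.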


It is common to see many enterprise-grade deployments utilizing Microsoft's in-built AD integrated DNS. These distributed deployments typically keep growing without following the best practices recommended by TCPWave. The failure to follow a common set of standards across a global infrastructure, by a set of different individuals reporting to separate management chains, is a reason why a large-scale AD deployment is complex to maintain. The configuration of multiple conditional forwarders makes it extremely difficult to maintain, manage, monitor, scale, and troubleshoot. It is also common to see large-scale AD integrated DNS deployments experiencing frequent DNS blackouts because of improper designs. As the number of forests and trusts grows, the environment becomes fragile. Active Directory trusts require DNS resolution to the root forest, child forests, and possibly some standalone forests, depending on how the AD forests are deployed. The resources in one AD domain can be used by the users in another AD domain only as long as the DNS resolution is functioning properly. When data centers move or a new network topology is designed, a single DNS change in one forest for a re-IP of a set of domain controllers can cause a blackout in other forests if multiple decentralized administrators do not conduct the change with proper coordination. Forwarders will stop working and delegations will become lame if all the distributed AD integrated DNS configurations are not updated accordingly.
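The failure mode above (a re-IP of one forest's domain controllers leaving another forest's conditional forwarders pointing at dead addresses) is easy to audit when the forwarder configuration of every forest is held in one place. The following is an added example, not TCPWave's code: it models a constructed multi-forest topology and flags stale forwarders, trusts with no forwarder, and the list of administrators who must be coordinated before the next re-IP. Forest names and addresses are invented.

```python
from dataclasses import dataclass, field


@dataclass
class Forest:
    name: str                                       # forest root DNS name
    dc_addrs: frozenset                             # addresses currently assigned to its DCs
    forwarders: dict = field(default_factory=dict)  # zone -> tuple of forwarder addresses
    trusts: frozenset = frozenset()                 # names of forests this forest trusts


def by_name(forests):
    return {f.name: f for f in forests}


def audit_forwarders(forests):
    """Return (forest, zone, finding) triples for conditional forwarders whose targets
    are no longer DC addresses of the forest that serves the zone, and for trusts
    that have no conditional forwarder at all for the trusted forest's zone."""
    index = by_name(forests)
    findings = []
    for f in forests:
        for zone, addrs in f.forwarders.items():
            target = index.get(zone)
            if target is None:
                findings.append((f.name, zone, "forwarder for a zone no known forest serves"))
                continue
            stale = sorted(a for a in addrs if a not in target.dc_addrs)
            live = [a for a in addrs if a in target.dc_addrs]
            if stale and not live:
                findings.append((f.name, zone, "all forwarder addresses stale: " + ", ".join(stale)))
            elif stale:
                findings.append((f.name, zone, "partially stale forwarder addresses: " + ", ".join(stale)))
        for trusted in sorted(f.trusts):
            if trusted not in f.forwarders:
                findings.append((f.name, trusted, "trust exists but no conditional forwarder for the trusted forest"))
    return findings


def reip_impact(forests, forest_name):
    """List every (forest, zone) whose forwarders currently reference the named forest's
    DC addresses: the configurations that must change, in step, when those DCs are re-IPed."""
    current = by_name(forests)[forest_name].dc_addrs
    return sorted((f.name, zone) for f in forests
                  for zone, addrs in f.forwarders.items()
                  if f.name != forest_name and current.intersection(addrs))


# Constructed topology: the root forest's DCs moved from 10.20.0.0/24 to 10.30.0.0/24.
# The emea forest's administrators updated their forwarder; the lab forest's did not,
# and the root forest trusts emea without any forwarder for it.
FORESTS = [
    Forest("corp.example.com", frozenset({"10.30.0.5", "10.30.0.6"}),
           {"lab.example.net": ("10.50.0.5",)},
           frozenset({"lab.example.net", "emea.example.com"})),
    Forest("emea.example.com", frozenset({"10.40.0.5"}),
           {"corp.example.com": ("10.30.0.5", "10.30.0.6")}),
    Forest("lab.example.net", frozenset({"10.50.0.5"}),
           {"corp.example.com": ("10.20.0.5", "10.20.0.6")},
           frozenset({"corp.example.com"})),
]

if __name__ == "__main__":
    for forest, zone, finding in audit_forwarders(FORESTS):
        print(f"{forest}: forwarder/trust for {zone}: {finding}")
    print("must be coordinated before re-IPing corp.example.com DCs:",
          reip_impact(FORESTS, "corp.example.com"))
```

Run against a real inventory, the stale-forwarder finding is exactly the lab forest's blackout the paragraph describes, and the impact list is the coordination step that prevents it.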

Advantages of TCPWave For Active Directory DNS Services

Although Windows Server ships with the Microsoft DNS service, many network administrators use a non-Microsoft implementation of DNS. TCPWave provides a powerful enterprise-grade management platform to manage the Active Directory DNS records and zones.

Interoperability with Existing DNS Architecture

The TCPWave DNS Appliance is based upon ISC's BIND, which is adopted as a global standard and widely used across the public Internet and in many large enterprises. Existing AD deployments that rely on a BIND-based design can interoperate easily with the TCPWave DNS Appliance.

Quick Migration

Existing BIND-based configurations can be quickly imported and deployed to TCPWave DNS Appliances using a powerful DIY (Do It Yourself) wizard.

Superior Configuration Management

The TCPWave DNS Appliance contains an elegant and user-friendly interface for manipulating DNS configurations and record data. It offers features found in most applications, such as multi-level undo/redo, cut/copy/paste, and data checking, that are not present in the Microsoft DNS application.

Controlled Deployment

Changes are not visible on the DNS server until the user has deployed the configuration. The current implementation of the Microsoft DNS application applies the changes to the DNS server as they are made. This can create issues for applications when simple typos are introduced into a configuration, because records can be cached for a defined duration. This can lead to network application/service outages and stability issues. The issue is compounded by the fact that some applications do not respect DNS Time to Live (TTL) values and hold onto invalid data until restarted. Changes in TCPWave can be staged so that a pre-staged change takes place automatically at a scheduled time.

Improved Security

DNS security is often overlooked for private networks because an internal network is seen as secure and separate from the outside world. The real problem lies with the sheer volume of exploits in the Windows operating system that plague network administrators. Worms can unload payloads that attack internal systems and replicate while bringing a network to its knees. The SQL Slammer worm, which exploited a known vulnerability in the Microsoft Data Engine (MSDE), attacked available root servers by generating bogus queries. These queries resulted in a large number of ICMP packets being sent out, which eventually rendered some of the root servers offline. Many organizations also discovered that their internal DNS servers were being attacked similarly. The TCPWave DNS Appliance contains an integrated firewall, protection against IP packet spoofing, and a hardened Linux operating system that resists these types of attacks. Indeed, it is common knowledge that heterogeneous networks are more resilient to effective attacks, since only some of the servers will be vulnerable to system-specific exploits.

Total Cost of Ownership (TCO)

The total cost of the TCPWave DNS Appliance is considerably lower than that of a Microsoft DNS server solution. Considering the volume of Windows updates, vulnerabilities, and scheduled maintenance, combined with the simplistic management surrounding the Windows solution, the TCPWave solution offers a lower total cost of ownership, even within the first year of deployment. For more detailed information about the TCO, see the TCPWave Inc documentation on the TCPWave DNS Appliance's Return on Investment (ROI).