Active Directory

Authenticate and Update

Most IPAM and DNS solutions allow only one Domain Controller per name server for synchronizing the DNS data. Furthermore, the synchronization itself is mostly insecure when the IPAM providers often avoid the complex and error prone Kerberos authentication. TCPWave IPAM goes one step ahead to allow a seamless and secure integration of multiple Active Directory Domain Controllers per name server. This unique integration of Active Directory Forest with TCPWave IPAM managed DNS appliances helps the organizations to minimize their costs by spending only an optimum number of name servers. How does it work? First, define the enterprise's Active Directory servers in the TCPWave IPAM. Then, upload the Active Directory Kerberos keytab file to the IPAM Web Interface. Finally, map the Active Directory servers to the TCPWave DNS Appliances for synchronization.


GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality. GSS-TSIG uses a mechanism like SPNEGO with Kerberos or NTLM. In Windows, this implementation is called Secure Dynamic Update as mentioned above. GSS-TSIG uses TKEY records for key exchange between the DNS client and appliance in GSS-TSIG mode. For authentication between the DNS client and Active Directory, the AS-REQ, AS-REP, TGS-REQ, TGS-REP exchanges must take place for ticket granting and establishing a security context. The security context has a limited lifetime during which dynamic updates to the DNS appliance can take place.

Business Advantages

TCPWave and Microsoft AD integration provides:

  • Bidirectional management of AD sites, network subnets, and AD site relationships
  • Auto-population of subnets from Microsoft AD Sites and Services into TCPWave
  • Ability to quickly move subnets between AD sites within TCPWave
  • Ability to create new AD sites within TCPWave
  • Ability to assign new network subnets created in TCPWave to a Microsoft AD site
  • Visibility into the domain and AD site relationships
  • Visibility into networks not assigned to an AD site
  • Logging of AD site-specific data