Alcatel-Lucent VitalQIP Technology White Paper

Integration with Microsoft Windows 2003 Networking/Active Directory


Technology White Paper
Integration of VitalQIP® with Microsoft Windows 2003 Networking/Active Directory
Use Alcatel-Lucent VitalQIP® to centrally manage your Windows 2003 deployment.
This white paper addresses:
- Terms and concepts of Microsoft Windows 2003 networking
- How to add Windows 2003 components to an existing VitalQIP
installation
- How to add VitalQIP to an existing Microsoft network
- How to use either Lucent or Microsoft DHCP and DNS in Windows 2003 environments
- Methods of ensuring the security of DNS

Summary of Contents for Alcatel-Lucent VitalQIP

  • Page 2 The purpose of this document is to discuss integration of Active Directory and other Microsoft networking concepts with VitalQIP. It is important to understand that the use of the Windows 2003 OS with VitalQIP is a separate matter from the integration of Active Directory and other Microsoft networking concepts with VitalQIP.
  • Page 3: Table Of Contents

    Alcatel-Lucent components; Solution 3: Modification of Solution 2 using Alcatel-Lucent DNS instead of MS-DNS; Solution 4: Modification of Solution 2 using VitalQIP 6.2 instead of VitalQIP 6.1 SP1. Alcatel-Lucent | Integration of VitalQIP® with Microsoft Windows 2003 Networking/Active Directory...
  • Page 4: Overview

    Windows 2000. SRV records need to get into DNS quickly – not by manual entry to the VitalQIP GUI – and they need to propagate to all other DNS servers quickly. Microsoft networking uses special child domains such as “_ldap._tcp.domain”, and so on.
  • Page 5 VitalQIP database does not know about – the data flow needs to be from the DNS server to VitalQIP as well. If the DNS servers are receiving updates from Domain Controllers and/or Windows 2003 clients, but VitalQIP does not have this data, the DNS Generation will replace the zones that have the current SRV records with new zones that lack the current information.
  • Page 6 The DNS and DHCP design needs to ensure that the data gets into DNS, but that critical resource records don't get deleted or overwritten with incorrect information from unauthorized sources. With a classical VitalQIP design, this is a simple matter of VitalQIP administrator rights, but it is more complicated once dynamic updates are involved. This can be handled by an Access-Control List for allow-update (discussed in detail in Solution 1), or by GSS-TSIG secure updates (discussed in detail in Solution 2).
  • Page 7: Overview Of Solution

    Solution 3 comprises a small modification of Solution 2 that uses Alcatel-Lucent DNS rather than MS-DNS, but still uses MS-DHCP and GSS-TSIG secure updates. Like Solution 2, it is intended for an organization that is new to VitalQIP but is already using Microsoft networking.
  • Page 8: Solution 1: Adding Windows 2003 Support To An Existing Vitalqip

    If Windows 2003 networking is being added to an existing VitalQIP installation, a primary concern is how to get the SRV records into DNS and then into the VitalQIP database. The Windows 2003 clients need to be able to locate network services by performing queries of SRV records in DNS, and resolving those server hostnames to IP addresses.
  • Page 9 External Update mechanism. Certain changes in VitalQIP (for example, changes on the Resource Records tab) would need to be pushed to all DNS primary servers, but those changes in VitalQIP would generally be for the parent domain, and not for the underscore child domains.
  • Page 10 1. Qip-syncexternal: This is a command line interface utility, which is similar to the previous “qipminiddma” utility of VitalQIP 5.x. In brief, it works by requesting a zone transfer from a particular DNS server, then comparing the contents of that zone or zones with the VitalQIP database and updating the database as necessary.
  • Page 11 DHCP server. Importing of A and PTR records, therefore, would not be useful since VitalQIP would already have all the A and PTR records of the DNS server. Only SRV and CNAME records should be enabled in this case, not A and PTR (nor TXT or AAAA records, which normally would not occur in a Windows 2003 network.)
  • Page 12 The default setting is “Suppress”, which tells the DHCP server to ignore the client’s domain name and use the one that is configured in VitalQIP. This suits the needs of most customers, where each subnet is in only one domain, and where the users who configure desktop systems do not necessarily understand the DNS infrastructure.
  • Page 13 All zones should allow updates from the Enterprise server and VitalQIP client GUIs. If you have a long list of VitalQIP client GUIs, you can configure VitalQIP so that GUIs send updates via the DNS Update Service on the Enterprise server...
  • Page 14 Windows 2003, beyond what already exists in your VitalQIP infrastructure. In the VitalQIP GUI, enter the Windows 2003 DCs as static IP addresses. Set the options on the domains and reverse zones as mentioned above: suitable...
  • Page 15: Solution 2: Adding Vitalqip To An Existing Microsoft Network With

    If your organization is already running a Microsoft Windows 2003 network using Micro- soft DHCP (MSDHCP), Microsoft DNS (MS-DNS), and all of Microsoft’s recommenda- tions, you can add VitalQIP to provide a central point of management. VitalQIP has a high interoperability with third-party software such as MS-DNS and MS-DHCP, so it is easy for it to provide centralized management of these systems.
  • Page 16 Updates. The records are replicated to all primary DNS servers. In this case there are no secondary DNS servers. When the data is configured in VitalQIP, the special underscore domains need to be configured with the Windows 2000 Zone Option Allow-Update set to "Yes", and the domains need to be assigned to all the correct DNS servers.
  • Page 17 DNS: A records, PTR records, CNAME records, and SRV records. This data needs to be in the VitalQIP database as well, so they can be managed and so that VitalQIP can perform DNS Generation when needed. For MS-DNS, this process is performed by the qip-syncexternal CLI command.
  • Page 18 The DNS Generation must also involve qip-syncexternal, as explained in “Getting records from DNS into VitalQIP”. A new feature of VitalQIP 6.1 SP1 is very important for this scenario of performing DNS Generation to AD-integrated MS-DNS servers. A full DNS Generation to replace an entire zone in MS-DNS will trigger the LDAP replication of the entire zone with all other DNS servers.
  • Page 19 DNS via qip-syncexternal or External Updates, VitalQIP might need to create new IP Objects. If VitalQIP receives an A record or PTR record for an IP address which is within a known subnet and with a hostname within a known domain, it will create a new IP object whose Object Class is "External".
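    Pages 5, 10, 11 and 19 together describe one data flow: a zone transfer from the DNS server is compared with the database, only the enabled record types (SRV and CNAME when A and PTR already originate from VitalQIP) are imported, a DNS Generation then rewrites the zone from the database, and any A or PTR record learnt this way yields an "External" IP object only when its address and name fall inside a known subnet and domain. The following added example models that flow end to end; it is not the white paper's or VitalQIP's own code, qip-syncexternal's real behaviour is only approximated by sync_external(), and the zone contents, subnet and domain are constructed.

```python
"""
Added example (not the white paper's or VitalQIP's own code): a model of
the data flow from a DNS server back into the VitalQIP database and out
again through DNS Generation. The zone below is constructed and
sync_external() only approximates what qip-syncexternal does.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, rdata (presentation form)."""
    owner: str
    rtype: str
    rdata: str


# Constructed: the zone as a zone transfer from an AD-integrated DNS
# server would return it, including SRV records registered by a DC and
# one A record for an address outside any managed subnet.
DNS_ZONE = {
    RR("dc1.corp.example.", "A", "10.1.1.5"),
    RR("_ldap._tcp.corp.example.", "SRV", "0 100 389 dc1.corp.example."),
    RR("_kerberos._tcp.corp.example.", "SRV", "0 100 88 dc1.corp.example."),
    RR("ldap.corp.example.", "CNAME", "dc1.corp.example."),
    RR("ws42.corp.example.", "A", "10.1.2.42"),
    RR("42.2.1.10.in-addr.arpa.", "PTR", "ws42.corp.example."),
    RR("rogue.corp.example.", "A", "192.0.2.9"),
}

# Constructed: what the database knew before any sync (the DC only).
DB_ZONE = {
    RR("dc1.corp.example.", "A", "10.1.1.5"),
}

MANAGED_SUBNETS = ["10.1.0.0/16"]      # assumed managed subnet
MANAGED_DOMAINS = ["corp.example"]     # assumed managed domain


def dns_generation(db_zone):
    """DNS Generation rewrites the zone from the database alone: any
    record the database never learnt disappears from the server."""
    return set(db_zone)


def sync_external(dns_zone, db_zone, enabled_types):
    """Reconcile the transferred zone into the database for the enabled
    record types only. For those types the DNS server is treated as the
    source of truth; records of other types stay as the database had them."""
    imported = {rr for rr in dns_zone if rr.rtype in enabled_types}
    kept = {rr for rr in db_zone if rr.rtype not in enabled_types}
    return kept | imported


def _address_and_host(rr):
    """Return (address, host) for an A or PTR record, else None."""
    if rr.rtype == "A":
        return ip_address(rr.rdata), rr.owner.rstrip(".")
    if rr.rtype == "PTR":
        labels = rr.owner.rstrip(".").split(".")
        if labels[-2:] != ["in-addr", "arpa"]:
            return None
        return ip_address(".".join(reversed(labels[:-2]))), rr.rdata.rstrip(".")
    return None


def classify_address_record(rr, subnets, domains):
    """Rule from page 19: an A or PTR record learnt from DNS becomes a new
    IP object of class "External" only if the address is in a known subnet
    and the host name is in a known domain. Returns
    (address, host, "External") or None."""
    parsed = _address_and_host(rr)
    if parsed is None:
        return None
    addr, host = parsed
    in_subnet = any(addr in ip_network(s) for s in subnets)
    in_domain = any(host.endswith("." + d) for d in domains)
    if in_subnet and in_domain:
        return (str(addr), host, "External")
    return None


def srv_names(zone):
    """Owner names of the SRV records in a zone, for before/after checks."""
    return sorted(rr.owner for rr in zone if rr.rtype == "SRV")


if __name__ == "__main__":
    print("SRV after generation, no sync:", srv_names(dns_generation(DB_ZONE)))
    synced = sync_external(DNS_ZONE, DB_ZONE, {"SRV", "CNAME"})
    print("SRV after generation, synced: ", srv_names(dns_generation(synced)))
    for rr in sorted(DNS_ZONE, key=lambda r: (r.rtype, r.owner)):
        print(rr.rtype, rr.owner, "->", classify_address_record(rr, MANAGED_SUBNETS, MANAGED_DOMAINS))
```

    Running it shows the failure mode page 5 warns about: a DNS Generation from the unsynced database produces a zone with no SRV records, so Domain Controllers become unlocatable; after sync_external() with SRV and CNAME enabled, the generated zone carries them again while the A and PTR data is left to VitalQIP. The rogue A record for 192.0.2.9 is not turned into an object because its address is outside the managed subnet.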
  • Page 20 DHCP clients into a separate child domain. Any DDNS updates from VitalQIP would be redundant. The qip.pcy file of the system that is running VitalQIP QIP Update Service should have the UpdateDNS policy set to False. This will cause the QIP Update Service to update the database for these entries but not forward the updates to the DNS Update Service.
  • Page 21 Getting DHCP Lease information into VitalQIP – VitalQIP DHCP Monitor Server VitalQIP has a service to monitor MS-DHCP's leases and send them to the VitalQIP Enterprise server. In brief, the VitalQIP MS-DHCP Monitor Service works by monitoring the logs of the MS-DHCP service. It restarts MS-DHCP and turns this logging on automatically, if necessary.
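    Page 21 says only that the Monitor Service reads the MS-DHCP logs. The following added example, which is not VitalQIP's Monitor Service and not code from the white paper, shows what such a reader has to do: skip the header and informational lines, keep the lease-affecting events, and replay them into a per-address lease table. It assumes the comma-separated "ID,Date,Time,Description,IP Address,Host Name,MAC Address" layout of the MS-DHCP audit log and the event IDs that the log's own header lists; the log lines themselves are constructed.

```python
"""
Added example (not VitalQIP's MS-DHCP Monitor Service): replaying the
MS-DHCP audit log into a lease table. Assumes the comma-separated
"ID,Date,Time,Description,IP Address,Host Name,MAC Address" layout and
the event IDs listed in the log's own header; the log lines are constructed.
"""
import csv
from io import StringIO

# Constructed sample of a DhcpSrvLog file, including the header line, an
# informational line (ID 00) with no address, and a DNS update event (31)
# that does not change lease state.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,09/14/04,14:21:55,Started,,,
10,09/14/04,14:22:01,Assign,10.1.2.42,ws42.corp.example,00112233AABB
11,09/14/04,15:30:12,Renew,10.1.2.42,ws42.corp.example,00112233AABB
10,09/14/04,15:31:40,Assign,10.1.2.43,ws43.corp.example,00112233AACC
12,09/14/04,16:05:09,Release,10.1.2.43,ws43.corp.example,00112233AACC
31,09/14/04,16:05:10,DNS Update Failed,10.1.2.43,ws43.corp.example,
"""

# Event IDs that start or refresh a lease, and those that end one
# (assumed from the audit-log header; 20 and 21 are BOOTP leases).
LEASE_STARTS = {10: "leased", 11: "renewed", 20: "leased", 21: "leased"}
LEASE_ENDS = {12: "released", 16: "deleted", 17: "expired"}


def parse_audit_log(text):
    """Yield (event_id, timestamp, ip, host, mac) for each line that names
    an address. Header, free-text and address-less lines are skipped; the
    MAC is normalised to lower-case hex so the same client compares equal."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        ip = row[4].strip()
        if not ip:
            continue
        yield (int(row[0]), f"{row[1].strip()} {row[2].strip()}",
               ip, row[5].strip(), row[6].strip().lower())


def apply_events(events):
    """Replay events in file order into the lease table that would be
    forwarded to the Enterprise server: one entry per address, keeping the
    latest state. End events for addresses never seen leased are ignored,
    as are events that are neither a start nor an end (DNS update IDs)."""
    leases = {}
    for event_id, seen, ip, host, mac in events:
        if event_id in LEASE_STARTS:
            leases[ip] = {"state": LEASE_STARTS[event_id], "host": host,
                          "mac": mac, "seen": seen}
        elif event_id in LEASE_ENDS and ip in leases:
            leases[ip]["state"] = LEASE_ENDS[event_id]
            leases[ip]["seen"] = seen
    return leases


def active_leases(leases):
    """Addresses still held by a client (leased or renewed), sorted."""
    return sorted(ip for ip, info in leases.items()
                  if info["state"] in ("leased", "renewed"))


if __name__ == "__main__":
    table = apply_events(parse_audit_log(SAMPLE_LOG))
    for ip, info in sorted(table.items()):
        print(ip, info)
    print("active:", active_leases(table))
```

    The dependency the page mentions is visible here too: with audit logging switched off the file contains only the header, parse_audit_log() yields nothing and no lease ever reaches the Enterprise server, which is why the Monitor Service enables the logging itself.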
  • Page 22 DNS/DHCP remote servers or Domain Controllers managed by VitalQIP, need to be defined in VitalQIP as static IP objects of type “Server”. Router IP addresses need to be defined in VitalQIP as Static objects of class “Router” for DHCP to work correctly.
  • Page 23 in MS-DNS secure zones via secure updates and this is working fine, it can be left in place for the VitalQIP migration. The domain would be defined in VitalQIP as allow-update="Yes", with settings for GSS-TSIG secure updates on the DNS Server Profile.
  • Page 24 VitalQIP uses this account to create the records for Static IP objects, so that only VitalQIP can update them. The Proxy account is used for creation of External or Partially Managed Objects. This allows the clients themselves or the MS-DHCP server to take over ownership of these records, and be able to update the records as changes occur.
  • Page 25 True on the Primary/Secondary DNS Servers tab of the Domain profile. Please refer to the chapter on Advanced DNS Configurations in the VitalQIP Administrator Reference Manual for more details – this is Chapter 11 for VitalQIP 6.1SP1 and Chapter 7 for VitalQIP 6.2.
  • Page 27 Implementation Steps Review the design decisions discussed above. Install and test VitalQIP in the lab but do not connect it to the production network yet. Decide the role of VitalQIP – which servers, networks, domains, subnets, and reverse zones will be managed by VitalQIP and which, if any, will be unmanaged.
  • Page 28 Update Service, set UpdateDNS to False. Perform VitalQIP Remote Service installation on any DNS or DHCP servers that are to be managed by VitalQIP, and apply any necessary patches so that they are the same build as the Enterprise server.
  • Page 29: Solution 3: Modification Of Solution 2 Using Alcatel-Lucent Dns Instead

    MS-DNS secure zones and wants to make only minimal changes for it to be managed by VitalQIP 6.1 SP1. Performance benefits can be obtained, however, if you are willing to make a further change and use Alcatel-Lucent DNS instead of Microsoft Windows 2003 DNS.
  • Page 30 Getting data from VitalQIP into Alcatel-Lucent DNS VitalQIP 6.1 SP1 cannot perform DDNS updates to Secure Zones on MS-DNS, but it can perform DDNS updates to secure zones on Alcatel-Lucent DNS. These can come from the DNS Update Service, the VitalQIP client GUIs, CLI commands, or the VitalQIP web client.
  • Page 31 Figure 8: MS-DHCP Client Updates for Alcatel-Lucent DNS Using static IP objects and getting them into DNS As in Solution 2, at least some static IP addresses need to be defined in VitalQIP. The difference is that VitalQIP can send these to Alcatel-Lucent DNS secure zones via DDNS updates, whereas for MS-DNS secure zones, DNS Generation with “Changed...
  • Page 32: Solution 4: Modification Of Solution 2 Using Vitalqip 6.2 Instead Of Vitalqip 6.1 Sp1

    Solutions 2 and 3 are quite similar except in how they deal with the inability of VitalQIP 6.1 SP1 to send secure DDNS updates to a Windows 2003 DNS server. To resolve this...
  • Page 33 Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. Alcatel-Lucent assumes no responsibility for the accuracy of the information presented, which is subject to change without notice.
