Alcatel-Lucent VitalQIP Technology White Paper page 23

Integration with Microsoft Windows 2003 Networking/Active Directory

Alcatel-Lucent | Integration of VitalQIP® with Microsoft Windows 2003 Networking/Active Directory
Handling Windows 2003 systems in the parent domain
Other Windows 2003 systems with static IP addresses can be handled in a few different ways, and the domain properties would need to be adjusted accordingly:

As external objects: If the Windows 2003 systems were previously registering in MS-DNS secure zones via secure updates and this is working fine, it can be left in place for the VitalQIP migration. The domain would be defined in VitalQIP as allow-update="Yes", with settings for GSS-TSIG secure updates on the DNS Server Profile. Those IP addresses should not be defined in VitalQIP as static IP addresses. Instead, they would be created as type "External" when qip-syncexternal is run against that zone for the first time. The qip-syncexternal CLI would make any necessary changes in those external objects when run periodically thereafter.

As static objects: The most secure way to handle these IP addresses is to define everything in the parent domain as a static IP address, and set the zone to allow-update="None". DNS Generation, using Changed Records only, would then be the recommended way to make changes. Since the zone is not dynamic, the use of qip-syncexternal is not necessary.

As partially-managed objects: Important IP addresses other than VitalQIP-managed servers can be defined in VitalQIP as "Partially Managed". In this case, the initial DNS Generation would have the necessary records, but the client could later update them as necessary. As with external objects, the domain needs to be defined as allow-update="Yes", and qip-syncexternal needs to be run periodically.

The choice between the three approaches would depend on the security needs, the percentage of the hosts that are capable of registering themselves in DNS, and how dynamic the data is. Having many clients register themselves in DNS would be less work in some cases, and is also closer to the Microsoft reference design. But having all addresses defined as static IP objects is straightforward and simple if the parent domain contains only a few Windows 2003 systems and their IP addresses and hostnames seldom change. A static domain is also the best solution when the parent domain has a large number of devices and systems which are not Windows 2003 and which are not capable of updating DNS directly.
Maintaining security for DNS zones (secure updates in MS-DNS)
Why secure zones are needed
If all clients are allowed to update DNS, security is needed to prevent any client from "taking over" the resource records of critical network resources, such as web servers. You would not want to allow a normal user to post an A record for "www.example.com" when that name is already in use and associated with a static IP address. In Solution 1, that was prevented by setting allow-update so that general users cannot update DNS directly, and by the fact that the QIP Update Service checks for such duplicates and gives preference to the static IP address before sending the dynamic updates on to DNS. In Solution 2, this is prevented by the use of secure zones. The use of secure zones is a stronger solution, which prevents hostile attacks, not just accidents, although it is more complicated to set up and use.
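The following is an added illustration (not VitalQIP code) of the update policy described in the two sections above: a non-dynamic zone refuses all updates, a secure zone requires an authenticated client, and in a dynamic zone the duplicate check gives preference to static objects. The record store, the `Zone` class and the sample names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Object types named in the text; static objects are never overwritten.
STATIC, EXTERNAL, PARTIAL = "Static", "External", "Partially Managed"


@dataclass
class Zone:
    """Hypothetical zone model: allow-update="Yes" (True) or "None" (False),
    whether the zone is a secure MS-DNS zone (GSS-TSIG), and a record
    store mapping fqdn -> (ip, object type)."""
    name: str
    allow_update: bool
    secure: bool
    records: dict = field(default_factory=dict)


def decide_update(zone: Zone, fqdn: str, ip: str, authenticated: bool) -> str:
    """Return the disposition of a dynamic A-record update for fqdn -> ip.

    Solution 1 (non-secure dynamic zone): refuse any update that would take
    over a name or address already bound to a static object.
    Solution 2 (secure zone): additionally refuse unauthenticated clients.
    """
    if not zone.allow_update:
        return "refused: zone is not dynamic (allow-update=None)"
    if zone.secure and not authenticated:
        return "refused: secure zone requires a GSS-TSIG authenticated update"
    existing = zone.records.get(fqdn)
    if existing and existing[1] == STATIC:
        return f"refused: {fqdn} is bound to a static object"
    if any(r_ip == ip and kind == STATIC for r_ip, kind in zone.records.values()):
        return f"refused: {ip} is bound to a static object"
    # Keep the object's type (e.g. Partially Managed); new names become External.
    zone.records[fqdn] = (ip, existing[1] if existing else EXTERNAL)
    return "accepted"


if __name__ == "__main__":
    # Constructed sample: a dynamic, non-secure zone with one static web server.
    z = Zone("example.com", True, False,
             {"www.example.com": ("192.0.2.10", STATIC)})
    print(decide_update(z, "www.example.com", "192.0.2.99", False))  # refused
    print(decide_update(z, "pc1.example.com", "192.0.2.10", False))  # refused
    print(decide_update(z, "pc1.example.com", "192.0.2.50", False))  # accepted
```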