I wanted to go through some of the configuration options for the Microsoft DNS Plugin version 2.1 and later. This version of the plugin supports Zone Filters and supports intermediate servers, using a cached-credential process to overcome the NTLM second-hop restriction.
Directly connecting to DNS Server
In this option the serviceUrl is the target DNS Server and no intermediate server is required.
A WinRm connection is established directly to the serviceUrl. The Morpheus RPC Process will establish an NTLM login with the credentials provided. Domain credentials should be in UserPrincipalName format (user@domain.com for example).
WinRm connectivity to the serviceUrl is required on port 5985. This will be validated on SAVE.
- The Service Account must be a member of Remote Management Users as a minimum WinRm requirement.
- The Service Account must also be a member of the DnsAdmins domain security group for access to DNS.
- The Service Account must have access to the CIMv2, Microsoft and MicrosoftDNS WMI namespaces.
Clicking the SAVE button on the integration runs a check to verify that the credentials provided can access the server over WinRm and that they can access the DNS WMI namespace. The message "Cannot access DNS Services with the Credentials provided" is displayed if the credentials do not meet the requirements.
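The following is an added pre-flight script, not part of the Morpheus plugin, that reproduces the three checks described above from an administrator's workstation before you press SAVE: WinRm reachability on 5985, an interactive logon with the Service Account, and read access to the CIMv2 and MicrosoftDNS WMI namespaces. The server name and account below are placeholders.

```powershell
# Added example (not the plugin's own code): mirror the SAVE validation for the
# direct-connection option. $ServiceUrl and $UserName are placeholders.
param(
    [string]$ServiceUrl = 'dns01.example.com',           # placeholder: target DNS server (serviceUrl)
    [string]$UserName   = 'svc-morpheus-dns@example.com' # placeholder: Service Account in UPN format
)

$cred = Get-Credential -UserName $UserName -Message 'Service Account password'

# 1. Is the WinRm HTTP listener answering on TCP 5985?
try {
    Test-WSMan -ComputerName $ServiceUrl -Port 5985 -ErrorAction Stop | Out-Null
    Write-Host "[OK]   WinRm listener answers on ${ServiceUrl}:5985"
} catch {
    Write-Warning "[FAIL] WinRm not reachable on ${ServiceUrl}:5985 : $($_.Exception.Message)"
    return
}

# 2. Can the account log on over WinRm? (This is where Remote Management Users membership matters.)
try {
    $session = New-PSSession -ComputerName $ServiceUrl -Credential $cred -ErrorAction Stop
    Write-Host "[OK]   WinRm logon succeeded for $UserName"
} catch {
    Write-Warning "[FAIL] WinRm logon refused for ${UserName}: $($_.Exception.Message)"
    return
}

# 3. Can the account read the WMI namespaces the plugin uses?
#    A failure on root\MicrosoftDNS is what the integration reports as
#    "Cannot access DNS Services with the Credentials provided".
$checks = [ordered]@{
    'root\cimv2'        = 'Win32_OperatingSystem'
    'root\MicrosoftDNS' = 'MicrosoftDNS_Zone'
}
foreach ($ns in $checks.Keys) {
    try {
        $count = @(Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            param($Namespace, $Class)
            Get-CimInstance -Namespace $Namespace -ClassName $Class -ErrorAction Stop
        } -ArgumentList $ns, $checks[$ns]).Count
        Write-Host "[OK]   $ns readable ($count $($checks[$ns]) instance(s))"
    } catch {
        Write-Warning "[FAIL] Cannot access $ns with the credentials provided: $($_.Exception.Message)"
    }
}

Remove-PSSession -Session $session
```

Run it as an account that is not itself a DNS or domain administrator so that the result reflects the Service Account's own rights rather than those of the person testing. A pass on root\cimv2 with a failure on root\MicrosoftDNS usually points at DnsAdmins membership or the WMI namespace ACL rather than at WinRm.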
Using an Intermediate Server
In this option Morpheus connects to an Intermediate server and uses it to remotely execute the DNS PowerShell cmdlets. The Intermediate server must be able to establish a PSRemoting (WinRm) session with the final DNS Server. The Intermediate server and the final DNS Server use the same Service Account credentials, so both servers must accept the Service Account.
The Morpheus RPC Process will establish an NTLM login on the Intermediate server (serviceUrl) with the credentials provided. WinRm connectivity to the serviceUrl is required on port 5985. This will be validated on SAVE. On the Intermediate server, Morpheus creates a set of cached credentials for the Service Account in the Service Account user's local profile. The Windows Data Protection API (DPAPI) ensures that these credentials can only be used by the user who created them and only on the computer where they were created.
The cached credentials are then used to invoke the DNS commands on the final DNS Server (servicePath), creating a Kerberos session over PSRemoting.
- The Service Account must be a member of Remote Management Users (on both the Intermediate and the final DNS Server) as a minimum WinRm requirement.
- The Service Account must also be a member of the DnsAdmins domain security group for access to DNS.
- The Service Account must have access to the CIMv2, Microsoft and MicrosoftDNS WMI namespaces on the final DNS Server.
Clicking the SAVE button on the integration runs a check to verify that the credentials provided can access the Intermediate server over WinRm and that the cached credentials can access the DNS WMI namespace on the final DNS Server. The message "Cannot access DNS Services with the cached Credentials provided" is displayed if the credentials do not meet the requirements.
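The script below is an added illustration, not the plugin's own code, of the mechanism the intermediate-server option relies on: a credential persisted in the Service Account's profile under DPAPI (here via Export-Clixml, which is one standard way to get exactly the user-and-machine binding described above; the plugin's actual storage format is not documented on this page), then re-used from the Intermediate server to open a Kerberos PSRemoting session to the final DNS Server so the inbound NTLM token is never forwarded. It is meant to be run on the Intermediate server as the Service Account; the host name and file path are placeholders.

```powershell
# Added example (not the plugin's own code). Run ON the intermediate server, AS the Service Account.
$servicePath = 'dns01.example.com'                                    # placeholder: final DNS server (servicePath)
$store       = Join-Path $env:LOCALAPPDATA 'Morpheus\dns-cred.xml'    # placeholder path inside the user's local profile

if (-not (Test-Path -Path $store)) {
    # First run: prompt once and persist. Export-Clixml protects the SecureString
    # with DPAPI in CurrentUser scope, so the file is only decryptable by this
    # user on this computer, the property the page describes.
    New-Item -ItemType Directory -Path (Split-Path -Path $store) -Force | Out-Null
    Get-Credential -Message 'Service Account (user@domain.com)' | Export-Clixml -Path $store
}

# Later runs: Import-Clixml fails for any other user or on any other machine,
# so a copied file is useless elsewhere.
try {
    $cred = Import-Clixml -Path $store
} catch {
    Write-Warning "Cached credentials could not be decrypted (wrong user or wrong computer): $($_.Exception.Message)"
    return
}

# Supplying explicit credentials lets this server obtain its own Kerberos ticket
# for $servicePath instead of trying to delegate the inbound NTLM logon, which
# is what the NTLM second-hop restriction would otherwise block.
try {
    $zones = Invoke-Command -ComputerName $servicePath -Credential $cred -Authentication Kerberos -ErrorAction Stop -ScriptBlock {
        Get-DnsServerZone | Select-Object -Property ZoneName, ZoneType, IsReverseLookupZone
    }
    $zones | Format-Table -AutoSize
} catch {
    Write-Warning "Cannot access DNS Services with the cached Credentials provided: $($_.Exception.Message)"
}
```

Forcing -Authentication Kerberos is deliberate: if the SPN for the final DNS Server cannot be resolved, the call fails loudly instead of silently falling back to NTLM, which is the case the second hop cannot serve.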
Using Zone Filters
Zone Filters, if set, perform a glob-style match on the discovered zones, importing only those zones that match the pattern. The single wildcard character * matches within one level of the zone name, so a filter and a zone must have the same number of levels to match. Separate multiple filters with a comma. If the Zone Filter is left blank, all zones are imported.
For example, a Zone Filter of:
- *.morpheus.com would match zone test.morpheus.com and dev.morpheus.com but NOT my.test.morpheus.com or morpheus.com
- *.10.in-addr.arpa would match zone 32.10.in-addr.arpa but not 180.32.10.in-addr.arpa or 10.in-addr.arpa
- t*.example.com would match test.example.com and trial.example.com but not dev.example.com or dev.test.example.com (more than 3 levels)
- *.t*.example.com would match dev.test.example.com but NOT test.example.com (not 4 levels)
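To make the matching rule concrete, here is an added PowerShell matcher (not the plugin's code) that applies the semantics described above, level-for-level with * confined to a single level, to a constructed list of zones taken from the examples. It lets you dry-run a comma-separated filter string against your own zone names before saving the integration.

```powershell
# Added example (not the plugin's own code): zone-filter matching as described above.

function Test-ZoneFilter {
    param([string]$Zone, [string]$Filter)
    # Split both sides into levels; the level counts must agree because '*'
    # never spans a dot.
    $filterLevels = $Filter.Trim().Split('.')
    $zoneLevels   = $Zone.Trim().Split('.')
    if ($filterLevels.Count -ne $zoneLevels.Count) { return $false }
    for ($i = 0; $i -lt $filterLevels.Count; $i++) {
        # -like is a case-insensitive glob, so 't*' matches 'test' and 'Trial'
        if ($zoneLevels[$i] -notlike $filterLevels[$i]) { return $false }
    }
    return $true
}

function Select-ZonesByFilter {
    param([string[]]$Zones, [string]$FilterList)
    # Blank filter: everything is imported.
    if ([string]::IsNullOrWhiteSpace($FilterList)) { return $Zones }
    $filters = $FilterList.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $Zones | Where-Object {
        $zone = $_
        [bool]($filters | Where-Object { Test-ZoneFilter -Zone $zone -Filter $_ })
    }
}

# Constructed zone list built from the examples in this article.
$discovered = @(
    'test.morpheus.com', 'dev.morpheus.com', 'my.test.morpheus.com', 'morpheus.com',
    '32.10.in-addr.arpa', '180.32.10.in-addr.arpa', '10.in-addr.arpa',
    'test.example.com', 'trial.example.com', 'dev.example.com', 'dev.test.example.com'
)

foreach ($f in '*.morpheus.com', '*.10.in-addr.arpa', 't*.example.com', '*.t*.example.com') {
    $matched = @(Select-ZonesByFilter -Zones $discovered -FilterList $f)
    Write-Host ("{0,-20} -> {1}" -f $f, ($matched -join ', '))
}

# A comma-separated list is the union of its filters.
Select-ZonesByFilter -Zones $discovered -FilterList '*.morpheus.com, *.10.in-addr.arpa'
```

Each loop line reproduces the corresponding example above: the first filter keeps only test.morpheus.com and dev.morpheus.com, the second only 32.10.in-addr.arpa, the third test.example.com and trial.example.com, and the fourth only dev.test.example.com. Note that -like also honours ? and [] as wildcards; if your zone names could contain those characters, escape them before building the filter.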