Configuring the Microsoft Dns Plugin v2.1

I wanted to go through some of the configuration options for the Microsoft Dns Plugin version 2.1 and later. This version of the plugin now supports Zone Filters and supports intermediate servers using a cached credential process to overcome the NTLM second hop restrictions.

Directly connecting to DNS Server

In this option the serviceUrl is the target DNS Server and no intermediate server is required.

In this option a WinRm connection is established to the serviceUrl. The Morpheus RPC Process will establish an NTLM login with the credentials provided. Domain credentials should be in UserPrincipalName format (user@domain.com for example).

WinRm connectivity to serviceUrl is required on port 5985. This will be validated on SAVE.

  • The Service Account must be a member of Remote Management Users as a minimum Winrm Requirement.
  • The Service Account must also be a member of DNS Admins domain security group for access to DNS.
  • The Service Account must have access to the CIMv2, Microsoft and MicrosoftDNS WMI Namespaces.

Clicking the SAVE button on the integration runs a check to verify the credentials provided can access the server over WinRm and that the credentials are able to access the DNS WMI namespace. A message Cannot access DNS Services with the Credentials provided is displayed if the credentials provided do not meet the requirements.

Using an Intermediate Server

In this option Morpheus connects to an Intermediate server and uses this server to remotely execute the DNS Powershell cmdlets. The Intermediate server must be able to establish a PSRemoting (WinRm) session with the final DNS Server. The intermediate server and final DNS server use the same Service Account credentials and so both servers must be able to accept the Service Account credentials.

The Morpheus RPC Process will establish an NTLM login on the intermediate server (serviceUrl) with the credentials provided. WinRm connectivity to serviceUrl is required on port 5985. This will be validated on SAVE. On the intermediate server, Morpheus will create a set of cached credentials for the Service Account in the Service Account user's local profile. Windows Data Protection API ensures that these credentials can only be used by the user who created them and only on the computer on which they were created.

The cached credentials are then used to Invoke the DNS commands on the final DNS Server (servicePath), creating a Kerberos session over PSRemoting.

  • The Service Account must be a member of Remote Management Users (Intermediate and final DNS Server) as a minimum Winrm Requirement.
  • The Service Account must also be a member of DNS Admins domain security group for access to DNS.
  • The Service Account must have access to the CIMv2, Microsoft and MicrosoftDNS WMI Namespaces on the final DNS Server.

Clicking the SAVE button on the integration runs a check to verify the credentials provided can access the server over WinRm and that the credentials are able to access the DNS WMI namespace. A message Cannot access DNS Services with the cached Credentials provided is displayed if the credentials provided do not meet the requirements.

Using Zone Filters

Zone Filters, if set, perform a glob style match on the discovered Zones, only importing those zones which match the pattern. The single wildcard character * is used in each level of the zone name. Separate filters with a comma. If Zone Filter is left blank all zones are imported.

For example a Zone Filter of:

*.morpheus.com would match zone test.morpheus.com and dev.morpheus.com but NOT my.test.morpheus.com or morpheus.com

*.10.in-addr.arpa would match zone 32.10.in-addr.arpa but not 180.32.10.in-addr.arpa or 10.in-addr.arpa

t*.example.com would match test.example.com and trial.example.com but not dev.example.com or dev.test.example.com (more than 3 levels)

*.t*.example.com would match dev.test.example.com but NOT test.example.com (not 4 levels)

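The zone filter rules above, worked through as an added example (not the plugin's own Groovy code): a label-by-label glob matcher where `*` never crosses a dot, the label count must match exactly, and a blank filter imports everything. Case-insensitive comparison and tolerance of a trailing dot are assumptions, and the discovered zone list is constructed for the example.

```python
import re
from typing import Iterable, List


def _label_regex(label_pattern: str) -> str:
    # Each '*' matches any run of characters inside one label, never a '.'.
    return "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in label_pattern)


def _labels(name: str) -> List[str]:
    # Assumption: zone names compare case-insensitively and a trailing dot is ignored.
    return name.strip().rstrip(".").lower().split(".")


def zone_matches(pattern: str, zone: str) -> bool:
    """True if every label of the zone matches the corresponding pattern label."""
    p_labels, z_labels = _labels(pattern), _labels(zone)
    if len(p_labels) != len(z_labels):
        return False  # '*.morpheus.com' must not match 'my.test.morpheus.com'
    return all(re.fullmatch(_label_regex(p), z) is not None
               for p, z in zip(p_labels, z_labels))


def parse_zone_filter(zone_filter: str) -> List[str]:
    # Filters are comma separated; surrounding whitespace is ignored.
    return [f.strip() for f in zone_filter.split(",") if f.strip()]


def filter_zones(zone_filter: str, zones: Iterable[str]) -> List[str]:
    """Return the zones that would be imported for the given Zone Filter string."""
    patterns = parse_zone_filter(zone_filter or "")
    if not patterns:
        return list(zones)  # blank filter: import all discovered zones
    return [z for z in zones if any(zone_matches(p, z) for p in patterns)]


# Constructed sample of zones as a DNS server might report them.
DISCOVERED_ZONES = [
    "morpheus.com", "test.morpheus.com", "my.test.morpheus.com",
    "trial.example.com", "dev.example.com", "32.10.in-addr.arpa",
]

if __name__ == "__main__":
    print(filter_zones("*.morpheus.com, t*.example.com", DISCOVERED_ZONES))
```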

Update: I am working on version 2.2 of the plugin and testing is in progress.

I wanted to share some improvements prior to the release.

  • AWS Directory Services hosted DNS is now supported as of 2.2.

  • A custom Powershell Module is now generated and managed by the plugin. The module contains Powershell functions responsible for interfacing with the plugin. The module is stored on the Windows host in the integration service account local profile (%LOCALAPPDATA%). The module is dynamically loaded by the Morpheus winRm rpc process making the required functions available to the plugin. The module provides an interface between Morpheus and Microsoft DNS providing a standard json response structure and comprehensive error handling.

  • Improved Credential caching when using an Intermediate server to access DNS Services

  • Improved Validation. The DNS Integration undergoes validation for basic connectivity over winRm and access to the DNS Services using the credentials provided. The integration form will not save unless all validation is passed. The integration is also tested on every sync cycle to ensure the integration is healthy.

I will issue a new post when 2.2 is available.


Hello,

If I interpret correctly the sentence “The cached credentials are used to then Invoke the DNS commands on the final DNS Server (servicePath) using the cached credentials to create a Kerberos session over PSRemoting” and the code at “https://github.com/gomorpheus/morpheus-msdns-plugin/blob/master/src/main/groovy/com/morpheusdata/msdns/MicrosoftDnsProvider.groovy”, a WinRM connection between JumpHost (serviceUrl) and the final DNS server (servicePath) is mandatory for the plugin, as it was decided to execute all DNS commandlets (e.g. Get-DnsServerResourceRecord or Add-DnsServerResourceRecord) remotely via Invoke-Command.
This WinRM connection is not permitted in our company. Wouldn’t it also be possible to call the commandlets with the -Computername parameter and not use a PSSession?

Best regards
Marvin

Hi Marvin

In 2.1 this is not possible however I have added this as an option in 2.2 of the plugin.

In Version 2.2, if using a Jump server, the plugin tries both winRm and RPC (wmi access). I am in final testing for 2.2 and hope to release soon.

Steve Potts