Microsoft DNS Morpheus Plugin
(Updated 7 May 2024)
This post has been updated to coincide with the release of the Morpheus supported Microsoft DNS plugin. This article covers specifically the following versions that target at the corresponding Morpheus versions.
Version 2.1.3 for Morpheus LTS 6.2.7 and above using plugin api 0.15.10
Version 2.3.3 for Morpheus LTS 7.0.1 and above using plugin api 1.1.0
This article covers some of the major changes and enhancements from the prevous release.
Introduction
This is the official Morpheus plugin for interacting with Microsoft DNS. This automates functions as it relates to automatically creating DNS Records and cleaning up DNS records both during workload provisioning and manually. It should be noted that if joining a Windows VM to an Active Directory Domain, this integration is not needed as the Domain joining typically auto creates a DNS record.
New with this release
Plugin Integration Controls
- Configure the Dns Integration via the MICROSOFT DNS INTEGRATION dialog. To Add a new integration use Administration → Integrations and click + NEW INTEGRATION then select Microsoft DNS from the list.
- To make changes to an existing integration use Administration → Integrations then click on the Integration NAME link to access the dialog
MS DNS Integration Dialog Options
- NAME - Enter a name for the Integration
- RPC SERVER - Enter the Name of the server brokering access to the Microsoft DNS Services. This is the Windows server Morpheus will connect to directly. In most cases the RPC SERVER will be a Windows domain joined server with the DNS Server tools installed. Morpheus will use this server to connect and manage DNS NOTE If not using an intermediate server the RPC SERVER will also be the DNS Server.
- RPC PORT - (Visible if USE AGENT FOR RPC is unchecked). The WinRm port number 5985/5986. Default is 5985
- USE AGENT FOR RPC checkbox. NEW Select this option to have the Plugin use a configured Agent to handle the Morpheus to Windows rpc connection. The RPC SERVER should be an instance or managed vm which is part of the same Morpheus environment where the integration is being added. The Morpheus Agent must also be configured to logon as the DNS Service user account. In most cases customers would only use this option when using an intermediate server to access DNS services.
- CREDENTIALS - Provide account credentials for the integration. You may use credentials already stored in Morpheus or create new Username/Password credentials. NOTE When USE AGENT FOR RPC is selected the Morpheus Windows Agent should be set to Logon using these credentials.
- ZONE FILTER - The ZONE FILTER is a comma separated list of glob style filters which can be used to specify the zones that Morpheus will import and sync.
- Glob style filters apply to the zone name ONLY and at a domain level.
- The * character matches any legal Dns character [a-zA-Z0-9_-] 0 or more times.
- Wildcarding stops at the . (period)
- Leave blank to import ALL forward and reverse zones
- DNS SERVER - If the RPC SERVER is not the server hosting DNS Services then add the FQDN name of the DNS server here. Leave blank if the RPC SERVER is also the DNS Server.
- SERVICE TYPE - NEW (Visible if the DNS SERVER is not blank). This option informs the plugin how the RPC SERVER should contact the DNS SERVER. There are 3 supported options
- local : When the RPC SERVER is the DNS Server (ie when DNS SERVER is blank), local is the default and ONLY option.
- wmi : Use wmi when the RPC SERVER contacts the DNS Server over wmi (windows rpc). This is the recommended and default option when using and intermediate RPC SERVER.
- winrm : Use this option when the RPC SERVER connects to DNS SERVER over a winrm session. This is not often used due to WinRm restrictions on Domain Controllers
- INVENTORY EXISTING - Have the integration import and sync all DNS records for the matching Zones. Using this option is not recommended for installations with large namespaces.
- CREATE POINTERS - have DNS create a PTR record when the forward record is created.
Using Zone Filters
In this example a ZONE FILTER string of
*.morpheus.com, *.10.in-addr.arpa, d*.us.morpheus.com
would
IMPORT test.morpheus.com, prod.morpheus.com but NOT mydomain.test.morpheus.com which has a 4th level
IMPORT 32.10.in-addr.arpa, 33.10.in-addr.arpa but NOT 12.11.in-addr.arpa or 10.in-addr.arpa (which has 3 levels)
IMPORT denver.us.morpheus.com and delaware.us.morpheus.com but NOT ohio.us.morpheus.com (wildcard at 4th level)
Improved Integration Validation
This plugin has improved the error handling and validation. RPC connectivity and access to DNS Services is tested at the time the integration dialog is saved. The Dialog will not save unless validation is passed successfully. The integration dialog will hint where problems occur but you should check the Morpheus Health logs to see detailed messages.
Helpful Tip To force the integration to save you can uncheck the ENABLED checkbox. Doing this disables the validation testing allowing you to save the integration dialog contents and perform troubleshooting without having to re-enter the Intergration dialog contents. When the issue is resolved edit the integration and set the integration to ENABLED, validation will be performed on the save.
Custom Powershell Module Script
New to this verion is a custom Powershell Module script (.ps1 file) which is maintained by the plugin and transferred to the RPC SERVER when the integration is added. The Powershell script file contains Functions designed to handle the interface between Morpheus and DNS. The script uses the standard Windows DNS-Server module (Windows feature RSAT-DNS-Server). The script file is MD5 checked each time the integration syncs and the module is refreshed from the plugin if the checksum fails. The custom script is stored in the %LOCALAPPDATA% folder for the integration Service Account user.
The module contains custom functions designed to interface with the MsDns Plugin via json.
- Having the Powershell module installed on the RPC SERVER offers some performance benefits Morpheus now can call on the modules Functions to perform tasks.
- The Powershell Functions test rpc connectivity and DNS service connectivity tests on each sync refresh ensuring the integration is healthy
- The module uses a standard json interface between Windows RPC SERVER and Morpheus
- The module overcomes restrictions imposed on Morpheus winRm connections authenticating with NTLM
IMPORTANT NOTE
- for verions 2.1.3 the script file is named %LOCALAPPDATA%\morpheusDnsPluginHelper_v32.ps1
- for verions 2.3.3 the script file is named %LOCALAPPDATA%\morpheusDnsPluginHelper_v34.ps1
The Morpheus-UI health logs will log the status of the Morpheus Powershell file on each refresh, for example …
INFO c.m.m.MicrosoftDnsPluginHelper - testHelperFileScript - Checking for valid Helper script fileName: morpheusDnsPluginHelper_v32.ps1 - MD5: 698d8e6ad0bf7f64d9e9ccac962e4ab1
Secure credential cache file
The Morpheus Powershell Functions use a technique where script blocks are executed with Invoke-Command passing a credential object. This effectivly creates a new session from RPC SERVER using kerberos overcoming the restrictions imposed by Windows on the original Morpheus NTLM connection. Credentials are cached using Windows Data Protection API meaning ONLY the user account who created the credential can decrypt it and ONLY on the original Windows server.
credential cache is stored in %LOCALAPPDATA%\S-1-5-21-nnnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn-nnnn-dnsPlugin.ss
where S-1-5-21-nnnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn-nnnn-dnsPlugin.ss is the Service Account SID.
NOTE If USE AGENT FOR RPC is checked there is no need to create a new session since the original session is already Kerberos, however the credentials are still cached.
Configuring the SERVICE TYPE
The SERVICE TYPE is how the RPC SERVER connects to the DNS SERVER in order to access DNS Services. There are 3 options and it is crucial to select the correct SERVICE TYPE for your environment
- local : When the RPC SERVER is the DNS Server local is the default and ONLY option
- wmi : Use wmi when the RPC SERVER contacts the DNS Server over wmi (windows rpc). This is the recommended and default option when using and intermediate RPC SERVER.
- winrm : Use this option when the RPC SERVER connects to DNS SERVER over a winrm session. This is not often used due to WinRm restrictions on Domain Controllers
Troubleshooting Connections
Service Account Requirements
The service account used to Access DNS via the plugin must meet the following requirements
- If using an intermediate server as the RPC SERVER the service account should be a member of local administrators group on the RPC SERVER.
- If USE AGENT FOR RPC is checked the Morpheus Windows Agent service must be configured to login as the service account. The service account will require Log on as a Service rights in the RPC SERVER local policy.
- If not using an intermediate server the service Account must be a member of Remote Management Users on the RPC SERVER as a minimum in order to access the RPC SERVER from Morpheus via winRm. Membership of Administrators however is recommended.
- The service account must be a member of the domain global group DNS Admins
- To Access Microsoft DNS Wmi namespaces the service account must be granted access to the DNS WMI classes. Follow this article in the Integration guides for details Microsoft DNS — Morpheus Docs documentation
RPC SERVER requirements
When using an intermediate server as the RPC SERVER the following requirements must be met
- The RPC SERVER must be a Windows Server which is a member of a domain or forest which is trusted to access the DNS namespace.
- The RPC SERVER must have the Microsoft Windows feature RSAT-DNS-Server installed.
- If planning to USE AGENT FOR RPC then the windows server must have a Morpheus Windows Agent installed and this agent must report into the Morpheus environment where the DNS Integration is being added or configured. Ideally Morpheus will have deployed the RPC SERVER as an instance.
- if NOT planning to USE AGENT FOR RPC then the RPC server must have winRm configured and must be reachable over winRm from the Morpheus Appliance
- When using an intermediate server to access DNS Services, the computer account of the RPC SERVER must be configured for delegation Trusted for Delegation to any service (Kerberos only). Use Active Directory Users and Computers, locate the computer account for RPC SERVER. Click properties and select the Delegation tab and choose the option Trust thiscomputer for delegation to any service (Kerberos only)
Using the plugin test Service page
A new feature of this release is the ability to run a connection test via the Morpheus Applicance. Users must have full access to Integrations permission to test a Microsoft DNS plugin connection. To test connectivity to Integration with id 5 browse to the following url in Morpheus
https://my.morpheus.appliance/plugin/msdns/service?integrationId=5
The plugin will run a series of tests using details from the Integration dialog. NOTE Tests can be run even if the integration ENABLED checkbox is unticked allowing troubleshooting with the integration offline.
Results are output in the browser in json.
In the example below inspect the serviceProfile, here the rpcType is “agent” so USE AGENT FOR RPC is checked and the serviceType is “wmi”. The “rpcSession” and “serviceSession” show the connection details, logon types and group membership for the rpc and service sessions. The “dnsServer” section shows the FQDN and version of the DNS server and if populated indicates a successful test (status = 0)
If the test is unsuccessful a status code other than 0 is returned and any error will be listed in the Errors section
Morpheus Microsoft DNS Integration Service Profile
Discovered service profile for Microsoft DNS integration : 5
Rpc Connection Status true
Successful rpc response from spie-mo-w-3011 via agent: Command completed successfully
Errors
{
}
Rpc Output
{
"status": 0,
"cmdOut": {
"serviceProfile": {
"rpcHost": "SPIE-MO-W-3011",
"rpcType": "agent",
"serviceHost": "ip-c61302.myad.net",
"serviceType": "wmi",
"useCachedCredential": false
},
"dnsServer": {
"computerName": "IP-C61302.myad.net",
"version": "10.0.17763"
},
"rpcSession": {
"userId": "myad\\spsvcdns",
"computerName": "SPIE-MO-W-3011",
"authenticationType": "Kerberos",
"impersonation": "None",
"isAdmin": true,
"localProfile": "C:\\Users\\spsvcdns\\AppData\\Local",
"tokenGroups": [
"myad\\Domain Users",
"Everyone",
"BUILTIN\\Users",
"BUILTIN\\Administrators",
"NT AUTHORITY\\SERVICE",
"CONSOLE LOGON",
"NT AUTHORITY\\Authenticated Users",
"NT AUTHORITY\\This Organization",
"LOCAL",
"Authentication authority asserted identity",
"myad\\AWS Delegated Domain Name System Administrators",
"myad\\AWS Delegated Server Administrators",
"myad\\AWS Delegated Add Workstations To Domain Users",
"myad\\DnsAdmins",
"myad\\AWS Delegated Kerberos Delegation Administrators"
],
"isSystem": false,
"isService": true,
"isNetwork": false,
"isBatch": false,
"isInteractive": false,
"isNtlmToken": false
},
"serviceSession": {
"userId": "myad\\spsvcdns",
"computerName": "SPIE-MO-W-3011",
"authenticationType": "Kerberos",
"impersonation": "None",
"isAdmin": true,
"localProfile": "C:\\Users\\spsvcdns\\AppData\\Local",
"tokenGroups": [
"myad\\Domain Users",
"Everyone",
"BUILTIN\\Users",
"BUILTIN\\Administrators",
"NT AUTHORITY\\SERVICE",
"CONSOLE LOGON",
"NT AUTHORITY\\Authenticated Users",
"NT AUTHORITY\\This Organization",
"LOCAL",
"Authentication authority asserted identity",
"myad\\AWS Delegated Domain Name System Administrators",
"myad\\AWS Delegated Server Administrators",
"myad\\AWS Delegated Add Workstations To Domain Users",
"myad\\DnsAdmins",
"myad\\AWS Delegated Kerberos Delegation Administrators"
],
"isSystem": false,
"isService": true,
"isNetwork": false,
"isBatch": false,
"isInteractive": false,
"isNtlmToken": false
},
"domainSOAServers": {
"nameToQuery": "ip-c61302.myad.net",
"fqdn": "ip-c61302.myad.net",
"dcList": [
{
"zone": "myad.net",
"dnsServer": "ip-c61301.myad.net"
},
{
"zone": "myad.net",
"dnsServer": "ip-c61302.myad.net"
}
]
}
},
"errOut": null
}
DNS Record validation and Error Handling
- DNS records are now fully validated before they are created. Only record types A, AAAA, CNAME and PTR are currently supported.
- Adding a DNS Record which already exists (ie fqdn and IPAddress match an existing record in DNS) would normally return an error (code 9711) - this is masked to a success to prevent Morpheus aborting the provision.
- Removing a Morpheus DNS Record that does not exist in DNS (error 9714) is also masked to success to have Morpheus delete its copy
- If a fwd record is created but the PTR record fails (due to missing PTR zone error 9715). This is also masked to success to prevent Morpheus aborting the Provision
- All error are logged to the Morpheus Health logs.
AWS Directory Services Support
Support AWS Active Directory service.
- Access is only possible via a correctly configured intermediate server (RPC SERVER) hosted in AWS and having the DNS Management Tools installed.
- The DNS SERVER must be the fully qualified name of one of the AWS Domain controllers.
- The Service Account should be a member of AWS Delegated Domain Name System Administrators, AWS Delegated Kerberos Delegation Administrators and AWS Delegated Server Administrators (for access to RPC SERVER).
- The RPC SERVER computer object should be trusted for delegation for all Kerberos Services on the AWS Directory Service domain controllers. This can be performed using AD Users and Computers to modify the properties of the RPC SERVER Computer object. Right click the computer object, select properties and open the Delegation tab. Select the Radio button **Trust this computer for delegation to any service (Kerberos Only). Click OK to Save
Note it is possible to finely tune the delegation so that the RPC SERVER computer object can only delegate to specific services if this is required.