...

  1. On the Microsoft server, create a user account for the Grid member. For information, see Setting Microsoft Server Credentials.
  2. On the Grid Master, configure the managing member, as described in Configuring a Managing Member.

...

Setting Microsoft Server Credentials

...

To enable a Grid member to synchronize data with a Microsoft server and control DNS and DHCP services, you must do the following on the Microsoft server:

...

  • To enable the member to synchronize DNS data with the Microsoft server, add its user account to the DnsAdmins Group.
  • To enable the member to synchronize DHCP data with the Microsoft server, add its user account to the Dhcp Administrators Group.
  • To enable the Grid member to monitor, start, and stop the DNS and DHCP services, grant the user account permissions on the Service Control Manager (SCM), as follows:
    1. Grant permissions to the SCM on each managed Microsoft server. For more information, refer to the section DNS Server Service Permissions at http://technet.microsoft.com/en-us/library/gg638675.aspx.
      To find additional information, you can also search for "Least Privilege Setup" on the Microsoft sites.
    2. Grant permissions to the DNS and/or DHCP service on each managed server by doing one of the following:
      • Use the sc command line utility to remotely configure each managed DNS or DHCP server.
        Note that you need to know the SID of the user account and its current permissions. You can retrieve the SID of the user account by using the dsquery and dsget commands.
      • Use the Domain Controller Policy editor to define a global policy that applies to all DNS or DHCP services running in a domain or on domain controllers. For additional information, refer to http://support.microsoft.com/kb/324802.
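The two-step least-privilege setup above, as an added PowerShell example that is not part of the Infoblox documentation: it resolves the Grid member's account to its SID (the same value the dsquery/dsget commands return) and then appends an access-allowed ACE to the Service Control Manager and to the DNS and DHCP Server services with the sc.exe sdshow/sdset commands the text mentions. The account name CORP\gridsvc, the server name dns01.corp.example and the exact right sets granted are assumptions; check the rights against the Microsoft article linked above before applying them to production servers.

```powershell
# Added example, not from the Infoblox documentation. Run with administrative
# rights on (or toward) the managed Microsoft server.
# Placeholders (assumptions): CORP\gridsvc, dns01.corp.example.
param(
    [string]$Account    = 'CORP\gridsvc',
    [string]$Server     = 'dns01.corp.example',
    [string[]]$Services = @('DNS', 'DHCPServer')   # Windows service names for DNS and DHCP Server
)

# 1. Resolve the account to its SID; this is the value dsquery user | dsget user -sid prints.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# SDDL rights on a service object (assumed minimal set for monitor/start/stop):
#   CC query config, LC query status, SW enumerate dependents, RP start, WP stop,
#   DT pause/continue, LO interrogate, CR user-defined control, RC read control.
$serviceAce = "(A;;CCLCSWRPWPDTLOCRRC;;;$sid)"
# SDDL rights on the SCM object: CC connect, LC enumerate services, RP query lock
# status, RC read control. Deliberately no DC (create service) or WP (modify boot config).
$scmAce = "(A;;CCLCRPRC;;;$sid)"

function Add-ServiceAce {
    param([string]$Object, [string]$Ace)
    # sc.exe sdshow prints an empty line followed by the SDDL string.
    $sddl = (& sc.exe "\\$Server" sdshow $Object |
             Where-Object { $_.Trim() -match '^D:' } | Select-Object -First 1).Trim()
    if (-not $sddl) { throw "Could not read the SDDL of $Object on $Server" }
    if ($sddl -like "*;$sid)*") {
        Write-Host "$Object already carries an ACE for $Account; leaving it unchanged"
        return
    }
    # Append the ACE to the DACL (D:...) and keep the SACL (S:...) intact if present.
    if ($sddl -notmatch '^(?<dacl>D:.*?)(?<sacl>S:.*)?$') { throw "Unexpected SDDL: $sddl" }
    $new = $Matches['dacl'] + $Ace + $Matches['sacl']
    Write-Host "sc sdset $Object $new"
    & sc.exe "\\$Server" sdset $Object $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed for $Object (exit code $LASTEXITCODE)" }
}

# 2. Grant the SCM rights first, then the per-service rights.
Add-ServiceAce -Object 'scmanager' -Ace $scmAce
foreach ($svc in $Services) { Add-ServiceAce -Object $svc -Ace $serviceAce }

# 3. Print the resulting descriptors so the change can be reviewed and recorded.
foreach ($obj in @('scmanager') + $Services) {
    Write-Host "--- $obj"
    & sc.exe "\\$Server" sdshow $obj
}
```

The script refuses to add a second ACE for the same SID and never rewrites the existing entries, so it can be re-run safely; the group-policy alternative in the text (KB 324802) is the better choice when many DNS or DHCP servers must receive the same descriptor.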

...

Configuring a Managing Member

When you configure a member to manage Microsoft servers, you must specify the following:

For the steps on configuring the managing member, see Assigning Grid Members to Microsoft Servers.

...

...

Setting the Management Mode

A Grid member can manage a Microsoft server in Read-only mode, which is the default, or in Read/Write mode. In Read-only mode, the Grid member copies the DNS and DHCP data from the Microsoft server to the Grid so that Grid Manager admins can view the synchronized data. They cannot update the data, control the DNS and DHCP services of the Microsoft server, or configure any properties.

When you select Read-only mode for Active Directory sites, you can view the sites and networks that are present on the Microsoft server through Grid Manager. Note that you cannot manage the Active Directory sites and networks directly from the Grid, but you can manage an object within the Grid that is associated with a Read-only Active Directory site or Active Directory network. The synchronization process is Read-only and nothing is written to the Microsoft server in this mode. For more information, see Assigning Grid Members to Microsoft Servers.

In Read/Write mode, Grid Manager admins are allowed to update the data of the Microsoft server. Therefore during each synchronization, the Grid member applies changes from the Grid to the Microsoft server and vice versa. Read/Write mode also allows admins to control DNS and DHCP services of the Microsoft server and configure some of their properties.

When you select Read/Write mode for Active Directory sites, you can view and manage the sites and networks that are present on the Microsoft server through Grid Manager. When you update an object that is associated with an Active Directory site or an Active Directory network, the change is written to the Microsoft server. For more information, see Assigning Grid Members to Microsoft Servers.

Note that the management mode of a Microsoft server is separate from the admin permissions that the appliance requires to access the Microsoft servers and DNS and DHCP resources. An admin must still have the applicable permissions to the Microsoft servers and DNS and DHCP resources they want to access. For information on admin permissions, see Administrative Permissions for Microsoft Servers.

...

Synchronizing to a Network View and DNS View

A Microsoft server can synchronize its data only to a single network view and a DNS view. Grid Manager automatically assigns Microsoft servers to the default view when a Grid contains only the default network view and DNS view. If a Grid has more than one network view, you must select a network view for the Microsoft server to synchronize its data; and if there are multiple DNS views, you must select a DNS view as well.

...

  1. Grid: From the Grid tab -> Microsoft Servers tab -> Servers tab, click the Add icon.
    Standalone appliance: From the System tab -> Microsoft Servers tab -> Servers tab, click the Add icon.
  2. In the Add Microsoft Server(s) wizard, complete the following:
    • Which features do you want to configure?: This section appears only when you have selected the Enable MS AD feature check box for mapping network users. For more information, see Enabling Identity Mapping. You can select multiple options in this section:
      • Network Users: Select this check box to enable the Grid member to synchronize user information with the managed Microsoft servers.
      • DNS and DHCP Services: Select this check box to enable the Grid member to synchronize DNS and DHCP services with the Microsoft servers.
      • Active Directory Sites: Select this check box to enable the Grid member to synchronize Active Directory sites.
    • In the General Settings section, complete the following:
      • Managing Member: Click Select Member and select the Grid member that manages Microsoft servers.
        Select None if you do not want to associate a Microsoft server with a Grid member.
      • Credentials to Connect to the Microsoft Server(s): Enter the login name and password that the appliance uses to connect to the Microsoft servers. These must be the same as those you specified when you created the user account for the Grid member on the Microsoft servers. Note that you must specify the domain name and the user name in the following format: domain_name\user_name.
      • Manage Server(s) in: Select the management mode, either Read-only or Read/Write. You can manage the DNS and DHCP synchronization services in either Read-only or Read/Write mode. For more information, see Setting the Management Mode.
      • Minimum Synchronization Interval (min): The default synchronization interval is two minutes. This is the time between the completion of one synchronization and the start of a new one. Synchronizing large data sets could take longer than the synchronization interval, causing a delay in the start of the next synchronization. For example, if the synchronization interval is two minutes but a synchronization takes five minutes, the time between the start of the first synchronization and the start of the next one is approximately seven minutes.

...

      • Use General credentials (from first page of wizard): Select this check box if you want to use the same credentials that you specified for connecting the Microsoft servers.
      • Credentials for synchronizing Network User service information: Specify a username and password to synchronize user information from Active Directory domain controllers. The user you specify here must be a member of the Domain Users group and the Event Log Readers group in Active Directory. For information, see Prerequisites on the Microsoft Server.
      • Use General synchronization interval (from first page of wizard): Select this check box to use the same synchronization interval that you specified in the Minimum Synchronization Interval for synchronizing the user and device mapping information from the Microsoft Active Directory authentication logs.
      • Minimum synchronization interval: The default synchronization interval is two minutes. This is the time between the completion of one synchronization and the start of a new one. Specify an interval to synchronize user information from the Microsoft Active Directory authentication logs.
    • If you have selected the DNS and DHCP Services check box, complete the following in the Select your across-server settings for DNS and DHCP Services page:
      • Use General credentials (from first page of wizard): Select this check box if you want to use the same credentials that you specified for connecting the Microsoft servers.
      • Credentials to connect to DNS and DHCP Services: Specify a username and password to synchronize DNS and DHCP services. You must use the same username and password that you specify here when the appliance prompts for credentials during DNS or DHCP synchronization.
      • Use General synchronization interval (from first page of wizard): Select this check box to use the same synchronization interval that you specified in the Minimum Synchronization Interval for synchronizing the DNS and DHCP services as well.
      • Minimum Synchronization interval: The default synchronization interval is two minutes. This is the time between the completion of one synchronization and the start of a new one. Specify an interval to synchronize the DNS and DHCP data from the Microsoft server.
      • Manage DNS and DHCP services in: Select a value from the drop-down list. You can manage the DNS and DHCP synchronization services in either Read-only or Read/Write mode. For more information, see Setting the Management Mode.
    • If you have selected the Active Directory Sites check box, complete the following in the Select your across-server settings for Active Directory Sites page:
      • Use General credentials (from first page of wizard): Select this check box if you want to use the same credentials that you specified for connecting the Microsoft servers. Clear the check box to specify a new username and password for managing Active Directory sites.
      • Credentials for synchronizing Active Directory information: Specify a username and password to synchronize Active Directory sites. You must specify the same username and password that you specify here when the appliance prompts for credentials while synchronizing Active Directory sites.
      • Use General synchronization interval (from first page of wizard): Select this check box to use the same synchronization interval that you specified in the Minimum Synchronization Interval for synchronizing Active Directory sites.
      • Minimum Synchronization interval: The default synchronization interval is two minutes. This is the time between the completion of one synchronization and the start of a new one. Specify an interval to synchronize the Active Directory sites.
      • Manage Active Directory sites in: Select a value from the drop-down list. You can manage the Active Directory sites in either Read-only or Read/Write mode. For more information, see Setting the Management Mode.
      • Encryption: You can encrypt the network traffic between the Grid member and the managed Microsoft server using SSL. Select a value, None or SSL, from the drop-down list. Infoblox strongly recommends that you select SSL from the drop-down list to ensure the security of all communications between the NIOS appliance and the Active Directory server. When you select SSL, the appliance automatically updates the TCP port to 636. When you select this option, you must specify the FQDN of the Microsoft server instead of the IP address and you must upload a CA certificate from the Active Directory server. Click CA Certificates to upload the certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.
      • TCP port for LDAP connections: The appliance displays the port number by default based on the encryption type that you select. When you select None, the appliance automatically updates the TCP port to 389.
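Before selecting SSL in the wizard, it is worth confirming from a Windows host that the Active Directory server actually answers LDAPS on TCP 636, that its certificate names the FQDN you are about to enter (a domain controller's LDAPS certificate carries its DNS name rather than its IP address, which is why the wizard asks for the FQDN), and that the certificate chains to the CA certificate you plan to upload. The following PowerShell check is an added example and is not part of the Infoblox documentation; the server name dc01.corp.example and the path C:\certs\corp-root-ca.cer are placeholders.

```powershell
# Added example, not from the Infoblox documentation.
# Placeholders (assumptions): dc01.corp.example is the FQDN you will enter in the
# wizard; C:\certs\corp-root-ca.cer is the CA certificate you intend to upload.
param(
    [string]$DomainController = 'dc01.corp.example',
    [int]$Port = 636,
    [string]$CaCertPath = 'C:\certs\corp-root-ca.cer'
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$ca = New-Object "$X509.X509Certificate2" -ArgumentList $CaCertPath

$client = New-Object System.Net.Sockets.TcpClient -ArgumentList $DomainController, $Port
# Accept whatever the server presents during the handshake; the checks below are
# done explicitly so that a failure is explained rather than hidden in an exception.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($DomainController)
    Write-Host "Negotiated : $($ssl.SslProtocol) / $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"

    $leaf = New-Object "$X509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
    Write-Host "Subject    : $($leaf.Subject)"
    Write-Host "Issuer     : $($leaf.Issuer)"
    Write-Host "Expires    : $($leaf.NotAfter)"

    # Name check: collect the subjectAltName DNS entries plus the subject CN.
    $names = @()
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields "DNS Name=dc01.corp.example, DNS Name=corp.example"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1] }
    }
    $names += $leaf.GetNameInfo('DnsName', $false)
    # -like lets a wildcard name such as *.corp.example match as well.
    $nameOk = [bool]($names | Where-Object { $DomainController -like $_ })

    # Chain check: build the chain with the CA you will upload as an extra anchor and
    # require that CA to appear in the chain, rather than trusting this workstation's store.
    $chain = New-Object "$X509.X509Chain"
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($leaf)
    $chainOk = $built -and [bool]($chain.ChainElements |
                                  Where-Object { $_.Certificate.Thumbprint -eq $ca.Thumbprint })

    Write-Host "Certificate names       : $($names -join ', ')"
    Write-Host "Name matches FQDN       : $nameOk"
    Write-Host "Chains to uploaded CA   : $chainOk"
    if (-not ($nameOk -and $chainOk)) { exit 1 }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

A non-zero exit means either the name you intend to type into the wizard does not match the server certificate or the CA file you are about to upload is not the one that issued it; fix that on the Windows side before enabling SSL in the Grid, since with None selected the same credentials travel over plain LDAP on port 389.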

...