...

An Infoblox DHCP server can send GSS-TSIG authenticated DDNS updates to a DNS server in an AD domain whose domain controller is running Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016. The DHCP server, DNS server, and domain controller are all in the same AD domain. The process by which an Infoblox DHCP server dynamically updates resource records on a DNS server using GSS-TSIG authentication is shown in Figure 21.6. In the illustration, the Kerberos Key Distribution Center (KDC) is running on an AD domain controller, which also provides DNS service.

Figure 21.6 An Infoblox DHCP Server Sends GSS-TSIG Updates to a DNS Server


After you enable the NIOS appliance to send GSS-TSIG authenticated updates to a DNS server, the following process occurs:

...

Before configuring an Infoblox DHCP server to support GSS-TSIG, you must create a user account on the Kerberos server for the appliance. Then you must export the corresponding keytab file from the Kerberos server and import it onto the NIOS appliance. Figure 21.7 illustrates the initial configuration tasks.

Figure 21.7 Adding an Infoblox DHCP Server to an AD Environment with GSS-TSIG Support

The Infoblox DHCP server can send GSS-TSIG-signed DDNS updates to a DNS server for one domain only, though multiple Infoblox DHCP servers can update that domain. If you want more than one Infoblox DHCP server to update a DNS domain, you can either import the same keytab file to the other Infoblox DHCP servers or generate and import a different keytab file. In a Grid, each member can update a different domain.
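The keytab exported from the Kerberos server is the only credential the appliance holds for its account, so it is worth inspecting the file before importing it (or copying it to a second DHCP server). The following added example, which is not Infoblox code, parses a version 0x0502 keytab offline and checks that it contains the expected principal with a non-weak encryption type; the principal name used in the sample data is a constructed placeholder, as the page does not state the SPN format the appliance account uses.

```python
import struct
WEAK_ENCTYPES = {1, 3, 23}  # des-cbc-crc, des-cbc-md5, rc4-hmac

def _str(buf, pos):  # 16-bit length-prefixed string, as used by the keytab format
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [{principal, enctype, kvno}] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # 0 = trailing padding, negative = deleted slot: skip it
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _str(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _str(data, p)
            comps.append(c)
        vno8 = data[p + 8]  # follows the 32-bit name type and 32-bit timestamp
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen  # skip past the key material itself
        pos += size
        kvno = struct.unpack_from(">I", data, p)[0] if p + 4 <= pos else 0  # 32-bit kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno or vno8})  # else 8-bit one
    return entries

def check_keytab(data, expected_principal):
    """Return (ok, problems) for a keytab about to be imported onto the appliance."""
    hits = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    if not hits:
        return False, ["principal %s missing from keytab" % expected_principal]
    if all(e["enctype"] in WEAK_ENCTYPES for e in hits):
        return False, ["principal has only weak encryption types"]
    return True, []

def build_keytab(principal, enctype, kvno, key):
    """Constructed test data only: encode a single v2 keytab entry (placeholder names)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Two single-entry keytabs can be joined for testing by dropping the second file's two-byte header, which is how a keytab carrying both an old and a new key version looks.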

...

Domain and forest trust relationships provide clients authenticated access to resources in other domains. Some trusts are automatically created, such as the two-way, direct trust between parent and child domains in a forest. Other trusts must be created manually. Refer to the Microsoft Active Directory documentation for information on establishing trusts between domains.
Once a direct trust exists between two AD domains, a KDC from one domain can grant a referral to the KDC of the other domain. The Infoblox DHCP server can then use the referral to request access to services in the other domain.
In Figure 21.8, the Infoblox DHCP server in the child.corpxyz.com domain needs to send GSS-TSIG authenticated DDNS updates to the DNS server in its parent domain, corpxyz.com. A two-way trust exists automatically between the two domains because corpxyz.com is the parent of child.corpxyz.com.

Figure 21.8 Sending Secure DDNS Updates to a DNS Server in Another Domain


After you configure the Infoblox DHCP server and AD domain controller, the following occurs:

...


Figure 21.9 Sending Secure DDNS Updates to a DNS Server in Another Forest

The following authentication process occurs:

...