    Where do I start with replacing the whole MS AD stack

    104 Posts 8 Posters 10.2k Views
    • scottalanmiller @DustinB3403

      @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

      Why would you have no internal DNS?

      LANless? Other than being a cache, often no need for internal DNS.

      • JaredBusch

        Once your DHCP is all fixed, then you can move on to DNS.

        Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.

        Here is how I do it at a remote site for a client that has IPsec between their sites.

        This is the config in their ER4

        10.1.1.4 is the Windows AD server.
        So the router looks to that first. The options also tell it that domain and domain.local are at 10.1.1.4.

        [image not included: screenshot of the ER4 DNS forwarding configuration]

        • JaredBusch @scottalanmiller

          @scottalanmiller said in Where do I start with replacing the whole MS AD stack:

          @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

          Why would you have no internal DNS?

          LANless? Other than being a cache, often no need for internal DNS.

          Unrelated to this discussion.

          • black3dynamite

            Like @JaredBusch keeps saying, start with DHCP because that's the easiest. When I was moving away from AD, DHCP was the first thing I started with. Just document any DHCP settings like reservation, network booting and so on.

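One way to do the documenting step above before touching anything, as an added example that is not code from the thread or from any poster: it snapshots the Windows DHCP server's scopes, reservations, options and exclusions to CSV using the DhcpServer module (RSAT), so the same settings can be rebuilt on whatever takes over DHCP. The server name and output directory are placeholders.

```powershell
# Added example: inventory the Windows DHCP configuration that must be
# rebuilt elsewhere. Assumes the DhcpServer module (RSAT-DHCP) is installed
# and the account has read rights on the DHCP server (placeholder name).
param(
    [string]$DhcpServer = 'dhcp01.example.local',   # placeholder
    [string]$OutDir     = "$PSScriptRoot\dhcp-inventory"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Full native backup first (includes leases); the CSVs below are the readable inventory.
Export-DhcpServer -ComputerName $DhcpServer -File "$OutDir\dhcp-full.xml" -Leases

# Server-level options: DNS servers (6), domain name (15), PXE options (66/67), ...
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer |
    Select-Object OptionId, Name, @{ n = 'Value'; e = { $_.Value -join ';' } } |
    Export-Csv -NoTypeInformation -Path "$OutDir\server-options.csv"

$scopes = Get-DhcpServerv4Scope -ComputerName $DhcpServer
$scopes |
    Select-Object ScopeId, Name, SubnetMask, StartRange, EndRange, LeaseDuration, State |
    Export-Csv -NoTypeInformation -Path "$OutDir\scopes.csv"

$bootOptions = @()
foreach ($scope in $scopes) {
    $id = "$($scope.ScopeId)"

    # Reservations become static mappings on the replacement DHCP server.
    Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $scope.ScopeId |
        Select-Object IPAddress, ClientId, Name, Description, Type |
        Export-Csv -NoTypeInformation -Path "$OutDir\reservations-$id.csv"

    # Scope-level options override the server-level ones captured above.
    $opts = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId
    $opts |
        Select-Object OptionId, Name, @{ n = 'Value'; e = { $_.Value -join ';' } } |
        Export-Csv -NoTypeInformation -Path "$OutDir\options-$id.csv"
    $bootOptions += $opts | Where-Object { $_.OptionId -in 66, 67 } |
        ForEach-Object { "scope ${id}: option $($_.OptionId) = $($_.Value -join ';')" }

    # Exclusion ranges are usually where today's hand-assigned static hosts live.
    Get-DhcpServerv4ExclusionRange -ComputerName $DhcpServer -ScopeId $scope.ScopeId |
        Select-Object StartRange, EndRange |
        Export-Csv -NoTypeInformation -Path "$OutDir\exclusions-$id.csv"
}

# Network-boot settings are the ones most often forgotten in a DHCP move.
if ($bootOptions) { Write-Host "PXE/boot options in use:`n$($bootOptions -join "`n")" }
```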
            • JaredBusch @JaredBusch

              Once you set up DNS, you can manually set your DNS on a test workstation to point to the new system and make sure everything works as expected.

              Then you update your DHCP to hand out that IP as the DNS.
              [image not included: screenshot of the DHCP DNS server setting]

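A way to make that "make sure everything works" step systematic, as an added example that is not from the thread or any poster: it queries the AD DNS server and the new resolver for the same records and reports any mismatch, including the SRV records domain-joined workstations use to find a domain controller, which only resolve through the new server if it forwards the AD zone to 10.1.1.4 the way the ER4 config above does. It uses the Windows DnsClient module's Resolve-DnsName; the server addresses, domain name and host list are placeholders.

```powershell
# Added example: compare answers from the AD DNS server and the new resolver
# before DHCP option 6 is changed. Addresses and names are placeholders.
param(
    [string]$AdDns    = '10.1.1.4',      # Windows AD/DNS server, as in the thread
    [string]$NewDns   = '10.1.1.1',      # router/pfSense resolver that should forward $AdDomain to $AdDns
    [string]$AdDomain = 'domain.local',
    [string[]]$Hosts  = @('fileserver.domain.local', 'www.example.com')
)

# Returns a sorted string list of answers, or a single ERROR entry on failure.
function Get-Answers([string]$Name, [string]$Type, [string]$Server) {
    try {
        $rr = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object Type -eq $Type
        $out = switch ($Type) {
            'A'   { $rr | ForEach-Object { $_.IPAddress } }
            'SRV' { $rr | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port } }
        }
        @($out) | Sort-Object
    } catch { @("ERROR: $($_.Exception.Message)") }
}

# Plain host records plus the DC-locator records every domain member needs.
$checks = @(
    foreach ($h in $Hosts) { @{ Name = $h; Type = 'A' } }
    @{ Name = $AdDomain;                        Type = 'A'   }
    @{ Name = "_ldap._tcp.dc._msdcs.$AdDomain"; Type = 'SRV' }
    @{ Name = "_kerberos._tcp.$AdDomain";       Type = 'SRV' }
)

$results = foreach ($c in $checks) {
    $old = Get-Answers $c.Name $c.Type $AdDns
    $new = Get-Answers $c.Name $c.Type $NewDns
    [pscustomobject]@{
        Record = "$($c.Name) ($($c.Type))"
        # Same answer set, and not merely both failing.
        Match  = (($old -join ',') -eq ($new -join ',')) -and ($old[0] -notlike 'ERROR*')
        AdDns  = $old -join ','
        NewDns = $new -join ','
    }
}

$results | Format-Table -AutoSize
if ($results.Match -contains $false) {
    Write-Warning 'Mismatches found: fix forwarding on the new resolver before repointing DHCP.'
}
```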
              • Donahue

                I am in the middle of changing all my DHCP stuff, which is what prompted this whole thing. I want to switch over to reservations for everything, but it got me thinking about CALs, and it all snowballed from there.

                • JaredBusch @Donahue

                  @Donahue said in Where do I start with replacing the whole MS AD stack:

                  I am in the middle of changing all my DHCP stuff, which is what prompted this whole thing. I want to switch over to reservations for everything, but it got me thinking about CALs, and it all snowballed from there.

                  Well first, you don't change anything.

                  Get it cleaned up and in a known good working state.

                  • Dashrender @JaredBusch

                    @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                    You need to have your DNS use your AD server as its forwarder, but everything else can look at your DNS.

                    How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.

                    • Donahue @JaredBusch

                      @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                      Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.

                      I've got just our 50 or so workstations and then our servers as records. I don't need much.

                      • Dashrender @DustinB3403

                        @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                        Why would you have no internal DNS?

                        If you don't have AD and don't have internal servers - why do you need internal DNS?

                        • Donahue @Dashrender

                          @Dashrender said in Where do I start with replacing the whole MS AD stack:

                          @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                          You need to have your DNS use your AD server as its forwarder, but everything else can look at your DNS.

                          How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.

                          I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still pointing to MS DNS.

                          • DustinB3403 @Dashrender

                            @Dashrender said in Where do I start with replacing the whole MS AD stack:

                            @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                            Why would you have no internal DNS?

                            If you don't have AD and don't have internal servers - why do you need internal DNS?

                            Nothing in the original post (until a very recent one) stated there were no on-prem servers. Hence the question.

                            • DustinB3403 @Donahue

                              @Donahue said in Where do I start with replacing the whole MS AD stack:

                              @Dashrender said in Where do I start with replacing the whole MS AD stack:

                              @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                              You need to have your DNS use your AD server as its forwarder, but everything else can look at your DNS.

                              How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.

                              I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still pointing to MS DNS.

                              You'd replace them one at a time and eventually not care about MS Licensing besides for the user workstations.

                              • Donahue @JaredBusch

                                @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                                @Donahue said in Where do I start with replacing the whole MS AD stack:

                                I am in the middle of changing all my DHCP stuff, which is what prompted this whole thing. I want to switch over to reservations for everything, but it got me thinking about CALs, and it all snowballed from there.

                                Well first, you don't change anything.

                                Get it cleaned up and in a known good working state.

                                I just redid our scopes yesterday, but I have not yet started migrating our static IPs over to reservations. I can get everything set up in Windows first, and then migrate it over as @black3dynamite said, but that seems like extra steps to me.

                                • Dashrender @Donahue

                                  @Donahue said in Where do I start with replacing the whole MS AD stack:

                                  @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                                  Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.

                                  I've got just our 50 or so workstations and then our servers as records. I don't need much.

                                  Why are you worried about CALs at all? You have at least 50 device CALs to cover those 50 devices - just don't allow other devices on that specific network. If you are allowing personal phones/laptops on WiFi - create a separate network for them, that gets DNS and DHCP from the router (most likely at least).

                                  • Donahue @DustinB3403

                                    @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                                    @Dashrender said in Where do I start with replacing the whole MS AD stack:

                                    @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                                    Why would you have no internal DNS?

                                    If you don't have AD and don't have internal servers - why do you need internal DNS?

                                    Nothing in the original post (until a very recent one) stated there were no on-prem servers. Hence the question.

                                    Correct, I did not mention that this all occurred as we were introducing on-prem servers for the first time.

                                    • JaredBusch @Dashrender

                                      @Dashrender said in Where do I start with replacing the whole MS AD stack:

                                      @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                                      Why would you have no internal DNS?

                                      If you don't have AD and don't have internal servers - why do you need internal DNS?

                                      He has AD. This is not news. There have been many posts about his network over the last month+.

                                      • scottalanmiller @JaredBusch

                                        @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                                        @scottalanmiller said in Where do I start with replacing the whole MS AD stack:

                                        @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                                        Why would you have no internal DNS?

                                        LANless? Other than being a cache, often no need for internal DNS.

                                        Unrelated to this discussion.

                                        Maybe not to the discussion, but it answers the question that Dustin asked.

                                        • DustinB3403 @scottalanmiller

                                          @scottalanmiller said in Where do I start with replacing the whole MS AD stack:

                                          @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                                          @scottalanmiller said in Where do I start with replacing the whole MS AD stack:

                                          @DustinB3403 said in Where do I start with replacing the whole MS AD stack:

                                          Why would you have no internal DNS?

                                          LANless? Other than being a cache, often no need for internal DNS.

                                          Unrelated to this discussion.

                                          Maybe not to the discussion, but it answers the question that Dustin asked.

                                          It really doesn't, because he clearly has AD, which is a server. Just because there are no services on the network that needed DNS doesn't equate to LANless.

                                          • Donahue @Dashrender

                                            @Dashrender said in Where do I start with replacing the whole MS AD stack:

                                            @Donahue said in Where do I start with replacing the whole MS AD stack:

                                            @JaredBusch said in Where do I start with replacing the whole MS AD stack:

                                            Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.

                                            I've got just our 50 or so workstations and then our servers as records. I don't need much.

                                            Why are you worried about CALs at all? You have at least 50 device CALs to cover those 50 devices - just don't allow other devices on that specific network. If you are allowing personal phones/laptops on WiFi - create a separate network for them, that gets DNS and DHCP from the router (most likely at least).

                                            That wasn't the point. The point was to get off AD/DHCP/DNS because of, and not limited to, stupid licensing.
