Where do I start with replacing the whole MS AD stack
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.
I've got just our 50 or so workstations and then our servers as records. I don't need much.
Why are you worried about CALs at all? You have at least 50 device CALs to cover those 50 devices - just don't allow other devices on that specific network. If you are allowing personal phones/laptops on WiFi - create a separate network for them, that gets DNS and DHCP from the router (most likely at least).
-
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
Nothing in the original post (until a very recent one) stated there were no on-prem servers. Hence the question.
correct, I did not mention that this all occurred as we were introducing on prem servers for the first time.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
LANless? Other than being a cache, often no need for internal DNS.
Unrelated to this discussion.
Maybe not to the discussion, but it answers the question that Dustin asked.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
LANless? Other than being a cache, often no need for internal DNS.
Unrelated to this discussion.
Maybe not to the discussion, but it answers the question that Dustin asked.
It really doesn't because he clearly has AD, which is a Server. Just because there are no services on the network that needed DNS, doesn't equate to lanless.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.
I've got just our 50 or so workstations and then our servers as records. I don't need much.
Why are you worried about CALs at all? You have at least 50 device CALs to cover those 50 devices - just don't allow other devices on that specific network. If you are allowing personal phones/laptops on WiFi - create a separate network for them, that gets DNS and DHCP from the router (most likely at least).
that wasn't the point. The point was to get off AD/DHCP/DNS because of, and not limited to, stupid licensing.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
I am in the middle of changing all my DHCP stuff, which is what prompted this whole thing. I want to switch over to reservations for everything, but it got me thinking about CALs, and it all snowballed from there.
Well first, you don't change anything.
Get it cleaned up and in a known good working state.
I just redid our scopes yesterday, but I have not yet started migrating over our static IP's to be reservations. I can get everything setup in windows first, and then migrate it over as @black3dynamite said, but that seems like extra steps to me.
If you have a stbale point, then sure. do it then.
Again, don't worry about adding reservations. Just setup the DHCP scope and options on the new system witht he appropriate DNS and then shutdown the MS DHCP service.
THen once working AS-IS, you start adding in the reservations.
Do everything once step at a time.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
Unless you have a need for a fully managed DNS system with a fuck ton of records, I recommend just using the system that is doing the DHCP. Router, pfSense, WTF ever.
I've got just our 50 or so workstations and then our servers as records. I don't need much.
Why are you worried about CALs at all? You have at least 50 device CALs to cover those 50 devices - just don't allow other devices on that specific network. If you are allowing personal phones/laptops on WiFi - create a separate network for them, that gets DNS and DHCP from the router (most likely at least).
that wasn't the point. The point was to get off AD/DHCP/DNS because of, and not limited to, stupid licensing.
So to summarize this, you have licensing already. Don't want to purchase more and can't legally add devices without violating MS's terms.
Hence the question of how do I move off of these services. >>>>> Start with Jared's first post here.
-
@DustinB3403 and @JaredBusch agreed on both points.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
You know that he does NOW - I was answering Dustin's post about why he didn't have internal back then... at a time when he didn't have AD.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
You know that he does NOW - I was answering Dustin's post about why he didn't have internal back then... at a time when he didn't have AD.
He has had AD for some time now though. I came into this topic knowing that 1) based on the topic! 2) from previous conversations.
The no internal DNS portion is still "weird" when he had the other pieces.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 and @JaredBusch agreed on both points.
I'm sorry, there's nothing quoted - so I'm not sure what points you're talking about?
-
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
You know that he does NOW - I was answering Dustin's post about why he didn't have internal back then... at a time when he didn't have AD.
He has had AD for some time now though. I came into this topic knowing that 1) based on the topic! 2) from previous conversations.
The no internal DNS portion is still "weird" when he had the other pieces.
that's because he mentioned it about the past - and perhaps you read or though he might have been talking about the present.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 and @JaredBusch agreed on both points.
I'm sorry, there's nothing quoted - so I'm not sure what points you're talking about?
the two posts immediately above that one.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
I agree, if Windows exists and is used as a source, it's clear that you need a CAL for every user or device on the network.
Having a proxy after it has no effect on that. This is clear cut in all of their documentation. Actually talking to the server is never a factor.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
the DNS server does not require a CAL, its the device or user making the request to the DNS service.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
You don't need device CALs if you are covered by user CALs. That's only needed if you don't cover your users.
