    ZeroTier + Active Directory Authentication

    Tags: zerotier, ad, active directory, authentication, work in progress
    111 Posts 10 Posters 47.9k Views
    • dafyre

      @Dashrender said:

      I'll agree with that, currently I know of no solution to provide what you want in a single shrink wrap solution, but as Dafyre mentioned, he did find a solution.

      I'd qualify that as a workaround. And sadly, I also have to agree with @JaredBusch that it is more work and maintenance.

      I realize that he's trying to avoid building a full-on mesh network, but assuming he's got a few spare IPs to rob from his DHCP Server, a ZT Bridge could work (http://www.mangolassi.it/topic/8566/zerotier-bridging-configuration) without quite as much ongoing maintenance afterwards.

      • JaredBusch @dafyre

        @dafyre said:

        I'd qualify that as a workaround. And sadly, I also have to agree with @JaredBusch that it is more work and maintenance.

        I realize that he's trying to avoid building a full-on mesh network, but assuming he's got a few spare IPs to rob from his DHCP Server, a ZT Bridge could work (http://www.mangolassi.it/topic/8566/zerotier-bridging-configuration) without quite as much ongoing maintenance afterwards.

        AD relies on DNS.
        Not getting the wrong answer for a URL lookup also relies on getting an answer from the right DNS server at the right time.

        So now that we know it all works as expected, the question is can I configure DNS to act how I want in windows easily.

        Easiest example: use the IPv4 DNS server always unless something is not found (such as domain.local).
        When something is not found query the IPv6 DNS backup only.

        This has nothing to do with ZeroTier at this point other than ZeroTier is where the IPv6 connectivity is coming from.

        • dafyre @JaredBusch

          @JaredBusch said:

          AD relies on DNS.
          Not getting the wrong answer for a URL lookup also relies on getting an answer from the right DNS server at the right time.

          So now that we know it all works as expected, the question is can I configure DNS to act how I want in windows easily.

          Easiest example: use the IPv4 DNS server always unless something is not found (such as domain.local).
          When something is not found query the IPv6 DNS backup only.

          This has nothing to do with ZeroTier at this point other than ZeroTier is where the IPv6 connectivity is coming from.

          What would happen if you added Google's Public DNS to the IPv4 stuff on the ZT Adapter?

          Oh wait... you only have IPv6 enabled on ZT... Hmm...

          • JaredBusch @dafyre

            @dafyre said:

            What would happen if you added Google's Public DNS to the IPv4 stuff on the ZT Adapter?

            Oh wait... you only have IPv6 enabled on ZT... Hmm...

            The computer is working properly and getting the ownCloud IP from the DC because it knows where the DC is. The question is can I force DNS to behave like I want.

            • adam.ierymenko @JaredBusch

              @JaredBusch Just checking in on this. So the final issue is: you folks want to consult the AD DNS server(s) only for names within AD, but want to consult the host's default regular DNS servers for the Internet. Is that correct?

              • adam.ierymenko @JaredBusch

                @JaredBusch What's wrong with using the AD servers for all DNS? Other than reliability?

                Note that ZT does not depend on DNS, so ZT will work if DNS is not up.

                • adam.ierymenko @JaredBusch

                  @JaredBusch I used teh Google a little and found this open source project:

                  https://github.com/stackia/DNSAgent

                  Never used it but it looks promising. This could be installed on a client machine and then you could configure it to route DNS queries to different servers by regex of the DNS name.

                  Looks source only so you'd need to build. Has a .sln file.

                  • JaredBusch @adam.ierymenko

                    @adam.ierymenko said:

                    @JaredBusch Just checking in on this. So the final issue is: you folks want to consult the AD DNS server(s) only for names within AD, but want to consult the host's default regular DNS servers for the Internet. Is that correct?

                    No, I want DNS only so far as AD authentication. I want all DNS to use the DHCP-assigned DNS that the primary network adapter gets.

                    I am not having any problems with ZeroTier as stated above.

                    ZT works perfectly as designed. I am not trying to limit DNS in windows.

                    • JaredBusch @adam.ierymenko

                      @adam.ierymenko said:

                      @JaredBusch What's wrong with using the AD servers for all DNS? Other than reliability?

                      Note that ZT does not depend on DNS, so ZT will work if DNS is not up.

                      Because DNS from AD through ZT is returning an address I cannot use.

                      oc.domain.com should resolve to the external IP but because I set DNS on the ZT adapter I am getting the internal name.

                      Again, this is not a "problem" with ZT.

                      • adam.ierymenko @JaredBusch

                        @JaredBusch I see. At some point it might be worth looking into that DNSAgent program, since that might do what is needed. Or maybe we could develop/fork something like that to provide the kind of split brain DNS that Pertino apparently does/did.

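The split-brain forwarding the two of them are circling (names inside the AD zone go to the DC's DNS over ZeroTier; everything else, oc.domain.com included, goes to the resolver the primary adapter got from DHCP) as a small Python forwarder in the style of what DNSAgent is described as doing. This is an added example, not code from the thread or from DNSAgent; the two upstream addresses and the domain.local zone name are assumed placeholders.

```python
import re
import socket
import struct

# Split-brain routing for the situation in the thread: only names inside the AD
# zone go to the DC's DNS over ZeroTier, everything else to the DHCP-assigned
# resolver. Addresses and zone name are constructed placeholders (assumptions).
AD_DNS = ("fd00:1234::53", 53)    # assumed: DC reachable over ZeroTier (IPv6)
DEFAULT_DNS = ("192.0.2.53", 53)  # assumed: resolver handed out by DHCP
AD_ZONE_RULES = [re.compile(r"(^|\.)domain\.local$", re.I)]

def parse_qname(packet: bytes) -> str:
    """Return the lower-cased question name from a DNS query in wire format."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected label pointer in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def choose_upstream(qname: str):
    """First-match routing: AD-zone names to the DC, everything else to DHCP DNS."""
    if any(rule.search(qname) for rule in AD_ZONE_RULES):
        return AD_DNS
    return DEFAULT_DNS  # e.g. oc.domain.com still resolves to its public address

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query; used here only to produce sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def forward(packet: bytes, timeout: float = 2.0) -> bytes:
    """Send the query to the upstream chosen by its name and return the reply."""
    upstream = choose_upstream(parse_qname(packet))
    family = socket.AF_INET6 if ":" in upstream[0] else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, upstream)
        return sock.recv(4096)
```

A real forwarder would bind on 127.0.0.1:53, loop over incoming packets and call forward() for each; the routing decision is the part the thread is about.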
                        • JaredBusch @adam.ierymenko

                          @adam.ierymenko said:

                          @JaredBusch I see. At some point it might be worth looking into that DNSAgent program, since that might do what is needed. Or maybe we could develop/fork something like that to provide the kind of split brain DNS that Pertino apparently does/did.

                          Pertino has the same issues as ZeroTier. Well unless you have a subscription level large enough to use their AD add on.

                          • adam.ierymenko @JaredBusch (last edited by adam.ierymenko)

                            @JaredBusch Hmm... so they charge a ton for what that GitHub project does? If the need for split-brain DNS is all it is, I really don't see how this is a hard problem.

                            • Alex Sage @adam.ierymenko

                              @adam.ierymenko Yes.

                              • scottalanmiller @adam.ierymenko

                                @adam.ierymenko said:

                                @JaredBusch Hmm... so they charge a ton for what that GitHub project does? If the need for split-brain DNS is all it is, I really don't see how this is a hard problem.

                                They also charge a lot for what ZeroTier does.

                                • krisleslie @JaredBusch

                                  @JaredBusch how did you set up your NIC for the workstation that had to remote into the AD via ZeroTier? I'm still trying to figure out exactly what was statically assigned, as your post wasn't too clear for me (this is new to me).
