Microsoft DNS

Overview

Morpheus integrates directly with Microsoft DNS to automatically create DNS entries for Instances provisioned to a configured Cloud or Group. Morpheus also syncs in Microsoft DNS Domains for easy selection while provisioning, or setting as the default Domain on a Cloud or Network.

Prepare DNS Server(s)

Note

This section assumes the DNS server is in an Active Directory environment and joined to the domain. The process may be different for other configurations.

The easiest method to prepare DNS server(s) is to use a service account that is added to the DnsAdmins and Remote Management Users groups, either in Active Directory (if DNS is on domain controllers) or the local groups of a member server. The DnsAdmins group will provide permissions for the service account to make DNS changes, such as creating/deleting A and PTR records. The Remote Management Users group will allow Morpheus to connect to the server(s) via WinRM.

Additionally, ensure firewall rules have been updated if needed to allow WinRM through. In some cases, the default WinRM rules allow Private and Domain networks but not Public. Enable Public if the network Morpheus connects from is considered Public, or disable the firewall if permitted. If a jump box is required (discussed below), then ensure the firewall is configured to allow the jump box to connect to the DNS server instead.

Finally, winrm quickconfig may need to be run to enable WinRM, if the server is an older operating system.

Minimum Permissions

Some organizations may require that users cannot be added to the DnsAdmins group mentioned previously. If this is a requirement, the following process and permissions are required to ensure Morpheus can connect successfully. This process may be required on each DNS server, depending on the environment. Note that if Morpheus adds functionality at a later time, these permissions may need to be updated to support those features.

  • Run dnsmgmt.msc

  • Right-click the DNS server object and choose Properties

  • Add the service account to the user list and ensure the following permissions are applied:

    • Read

    • Create all child objects

    • Delete all child objects

  • Run wmimgmt.msc

  • Right-click WMI Control (Local) and choose Properties

  • Click the Security tab

  • Set the following permissions for each of the below nodes:

    • CIMV2

    • MicrosoftDNS

    • Microsoft => Windows => DNS (only the DNS node)

  • Highlight the node and click the Security button

  • Click the Advanced button

  • Click the Add button to add the service account to the list

  • Ensure the Applies to field is set to This namespace and subnamespaces

  • Set the following permissions:

    • Enable Account

    • Remote Enable

    • Execute Methods

  • Finally, restart Windows Management Instrumentation Service or the server. This is required for the change in permissions to take place.

Additional support reference: https://support.morpheusdata.com/s/article/How-to-give-C?language=en_US
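
A way to verify the namespace permissions above from another Windows host, as an added example that is not part of the Morpheus documentation. The host name dns01.example.local and the account EXAMPLE\svc-morpheus are hypothetical, and the check assumes the account can already connect over WinRM (Remote Management Users).

```powershell
# Added example: confirm the service account can open each WMI namespace over WinRM.
# Hypothetical values: dns01.example.local, EXAMPLE\svc-morpheus.
$DnsServer = 'dns01.example.local'
$Port      = 5985      # set to 5986 and $UseSsl = $true if only the HTTPS listener is enabled
$UseSsl    = $false
$Cred      = Get-Credential -UserName 'EXAMPLE\svc-morpheus' -Message 'Morpheus DNS service account'

# The three nodes granted permissions in wmimgmt.msc
$Namespaces = 'root\CIMV2', 'root\MicrosoftDNS', 'root\Microsoft\Windows\DNS'

$sessionArgs = @{
    ComputerName = $DnsServer
    Port         = $Port
    Credential   = $Cred
    ErrorAction  = 'Stop'
}
if ($UseSsl) { $sessionArgs.SessionOption = New-CimSessionOption -UseSsl }

try {
    # Fails here if WinRM is unreachable or the account is not allowed to connect
    $session = New-CimSession @sessionArgs
} catch {
    Write-Error "WinRM connection to $DnsServer failed: $($_.Exception.Message)"
    return
}

$results = foreach ($ns in $Namespaces) {
    try {
        # Listing classes needs Enable Account and Remote Enable on the namespace
        $count = @(Get-CimClass -CimSession $session -Namespace $ns -ErrorAction Stop).Count
        [pscustomobject]@{ Namespace = $ns; Access = 'OK'; Classes = $count; Detail = '' }
    } catch {
        [pscustomobject]@{ Namespace = $ns; Access = 'FAILED'; Classes = 0; Detail = $_.Exception.Message }
    }
}

Remove-CimSession -CimSession $session
$results | Format-Table -AutoSize
```

This only exercises read access to each namespace; it does not test Execute Methods or the DNS server object permissions set in dnsmgmt.msc.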

(Optional) Prepare Jump Box

In some environments, Morpheus may not be allowed to access the DNS servers directly, as they may be on segregated networks. In this case, Morpheus can utilize a member server as a “jump box” that can access the DNS servers directly; the jump box will be used to interact with the DNS server instead. If this is a requirement, follow the below process to prepare the jump box.

  • Add the service account to the Remote Management Users group of the jump box, which will allow access over WinRM

  • Verify the firewall allows WinRM from Morpheus

  • Create or edit the following registry key by running regedit:

    • Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

    • Create or edit ProtectionPolicy DWORD (32-bit) Value

    • Set ProtectionPolicy value to 1

  • Finally, winrm quickconfig may need to be run to enable WinRM, if the server is an older operating system.
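
The jump box steps above as a script, an added example that is not part of the Morpheus documentation. It is meant for an elevated PowerShell session on the jump box; the account EXAMPLE\svc-morpheus is hypothetical, and the firewall rule name pattern WINRM-HTTP-In-TCP* is assumed to match the built-in WinRM HTTP rules.

```powershell
# Added example: prepare and audit a jump box. Hypothetical account name below.
$ServiceAccount = 'EXAMPLE\svc-morpheus'
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'

# 1. Remote Management Users: add the service account only if it is missing
$members = @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction Stop)
if ($members.Name -notcontains $ServiceAccount) {
    Add-LocalGroupMember -Group 'Remote Management Users' -Member $ServiceAccount
}

# 2. Firewall: show which profiles and remote addresses the WinRM HTTP rules allow,
#    so the rule that covers the Morpheus network can be confirmed (nothing is changed here)
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.Name
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            Action        = $_.Action
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize

# 3. Registry: ProtectionPolicy is a machine-wide setting, so record the prior value
#    for change tracking before writing 1
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
$before = (Get-ItemProperty -Path $KeyPath -Name 'ProtectionPolicy' -ErrorAction SilentlyContinue).ProtectionPolicy
New-ItemProperty -Path $KeyPath -Name 'ProtectionPolicy' -PropertyType DWord -Value 1 -Force | Out-Null
$after = (Get-ItemProperty -Path $KeyPath -Name 'ProtectionPolicy').ProtectionPolicy
"ProtectionPolicy: previous='$before' current='$after'"

# 4. WinRM: list configured listeners (HTTP on 5985 and/or HTTPS on 5986);
#    an empty result means 'winrm quickconfig' has not been run yet
Get-ChildItem WSMan:\localhost\Listener
```

The firewall and listener checks in steps 2 and 4 apply equally on the DNS server itself when Morpheus connects to it directly.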

Add Microsoft DNS Integration

Important

The Morpheus Microsoft DNS integration works over http/5985 by default. If you have turned off the http listener on 5985 and only enabled https/5986, be sure to configure the correct WINRM PORT.

Note

Depending on the version of Morpheus, some settings may only be available by installing the Microsoft DNS plugin from Morpheus Marketplace. Newer versions of Morpheus should contain this plugin by default.

Microsoft DNS can be added in the Administration or Infrastructure sections:

  1. In Administration > Integrations, select + New Integration

  2. In Infrastructure > Networks > Integrations, select + Add

  3. Provide the following:

    TYPE

    Microsoft DNS

    NAME

    Name for the Integration in Morpheus

    WINRM PORT

    Port WinRM should use. By default, HTTP (port 5985) is used, which is the default on Windows Server. If HTTPS has been configured by the organization, then specifying port 5986 may be appropriate.

    DNS SERVER

    IP or resolvable hostname of the DNS server Morpheus will connect to. If using a jump box, specify the IP or resolvable hostname of the jump box here, and the main DNS Server in the COMPUTER NAME field below.

    USERNAME

    DNS provider username

    PASSWORD

    DNS provider user password

    ZONE FILTER

    Comma-separated filter for specific zones to be imported. Example entries: example.morpheus.com, *.morpheus.com, *.10.in-addr.arpa, d*.us.morpheus.com. Additional explanations can be found in the plugin source code README.

    COMPUTER NAME

    If the DNS SERVER specified is not the main DNS server but rather a jump box, enter the Computer Name of the main DNS Server here. If the DNS SERVER specified above is the main DNS server and not a jump box, leave COMPUTER NAME blank.

    CREATE POINTERS

    Enable to create PTR (Pointer/Reverse Lookup) records during provisioning

  4. Once saved, the Integration will be added and visible in both Administration > Integrations and Infrastructure > Networks > Services

Note

All fields can be edited after saving.

Domains

Once the integration is added, Microsoft DNS Domains will sync and be listed under Infrastructure > Networks > Domains.

Note

Default Domains can be set on Networks and Clouds, and can be selected when provisioning. Additional configuration options are available by editing a domain in Networks > Domains

Configuring Microsoft DNS with Clouds and Groups

DNS Integrations are available in the DNS Integration dropdown in Cloud and Group settings. Morpheus will register Instances with the DNS provider when provisioned into a Cloud or Group with a DNS Integration added.

Add DNS Integration to a Cloud

  1. In Infrastructure > Clouds edit the target Cloud.

  2. Expand the Advanced Options section.

  3. In the DNS Integration dropdown, select an available DNS Integration.

  4. Save Changes

Add DNS Integration to a Group

  1. In Infrastructure > Groups select the target Group.

  2. Select the Edit button for the Group

  3. Expand the Advanced Options section.

  4. In the DNS Integration dropdown, select an available DNS Integration.

  5. Save Changes

Note

Instances provisioned into a Cloud or Group with a DNS Integration added will be registered as instancename.domain with the DNS Provider during provisioning, and de-registered at teardown.