Microsoft DNS
Overview
Morpheus integrates directly with Microsoft DNS to automatically create DNS entries for Instances provisioned to a configured Cloud or Group. Morpheus also syncs in Microsoft DNS Domains for easy selection while provisioning, or setting as the default Domain on a Cloud or Network.
Prepare DNS Server(s)
Note
This section assumes the DNS server is in an Active Directory environment and joined to the domain. The process may be different for other configurations.
The easiest method to prepare DNS server(s) is to use a service account that is added to the DnsAdmins and Remote Management Users groups, either in Active Directory (if DNS is on domain controllers) or the local groups of a member server. The DnsAdmins group will provide permissions for the service account to make DNS changes, such as creating/deleting A and PTR records. The Remote Management Users group will allow Morpheus to connect to the server(s) via WinRM.
Additionally, ensure firewall rules have been updated if needed to allow WinRM through. In some cases, the default WinRM rules allow Private and Domain networks but not Public. Enable Public if the network Morpheus is connected to is considered Public, or disable the firewall if permitted. If a jump box is required (discussed below), then ensure the firewall is configured to allow the jump box to connect to the DNS server instead.
Finally, winrm quickconfig may need to be run to enable WinRM, if the server is an older operating system.
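A read-only check of the prerequisites above, as an added example that is not part of the Morpheus documentation. The account name CORP\svc-morpheus is a placeholder, and the firewall display group name assumes an English-language Windows Server.

```powershell
# Added example: read-only audit of the WinRM prerequisites on a DNS server.
# Run in an elevated Windows PowerShell session on the server itself.
$Account = 'CORP\svc-morpheus'   # placeholder service account (assumption)

# 1. Group membership. Local groups apply to a member server; on a domain
#    controller check the Active Directory groups of the same names instead.
$groups = foreach ($name in 'DnsAdmins', 'Remote Management Users') {
    $members = Get-LocalGroupMember -Group $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Group    = $name
        IsMember = [bool]($members | Where-Object Name -eq $Account)
    }
}

# 2. Enabled inbound WinRM firewall rules and the profiles each one covers.
#    Profile is a flags value (Any, or a mix of Domain, Private, Public).
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile
$coversPublic = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

# 3. WinRM service and listeners. No listener means "winrm quickconfig"
#    (or an equivalent policy) has not been applied yet.
$service   = Get-Service -Name WinRM
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate `
        -ErrorAction SilentlyContinue |
    Select-Object Transport, Port, Address, Enabled

$groups    | Format-Table -AutoSize
$rules     | Format-Table -AutoSize
$listeners | Format-Table -AutoSize

# Summary: open the Public profile only if Morpheus really connects from a
# network that Windows classifies as Public.
[pscustomobject]@{
    AccountInBothGroups = -not ($groups | Where-Object { -not $_.IsMember })
    WinRMServiceRunning = $service.Status -eq 'Running'
    ListenerCount       = @($listeners).Count
    PublicProfileOpen   = $coversPublic
}
```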
Minimum Permissions
Some organizations may require that users cannot be added to the DnsAdmins group, mentioned previously. If this is a requirement, the following process/permissions would be required to ensure Morpheus can connect successfully.
This process may be required on each DNS server, depending on the environment. Note that if Morpheus adds additional functionality at a later time, these permissions may need to be updated to support those features.
- Run dnsmgmt.msc
- Right-click the DNS server object and choose Properties
- Add the service account to the user list and ensure the following permissions are applied:
  - Read
  - Create all child objects
  - Delete all child objects
- Run wmimgmt.msc
- Right-click WMI Control (Local) and choose Properties
- Click the Security tab
- Set the following permissions for each of the below nodes:
  - CIMV2
  - MicrosoftDNS
  - Microsoft => Windows => DNS (only the DNS node)
- Highlight the node and click the Security button
- Click the Advanced button
- Click the Add button to add the service account to the list
- Ensure the Applies to field is set to This namespace and subnamespaces
- Set the following permissions:
  - Enable Account
  - Remote Enable
  - Execute Methods
Finally, restart the Windows Management Instrumentation service or the server. This is required for the change in permissions to take effect.
Additional support reference: https://support.morpheusdata.com/s/article/How-to-give-C?language=en_US
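To confirm the WMI steps above were applied as intended, and that nothing broader was granted, the namespace ACLs can be read back. This is an added example, not part of the Morpheus documentation; the account name is a placeholder and the namespace paths assume the three nodes listed above sit under root.

```powershell
# Added example (Windows PowerShell 5.1, elevated, run on the DNS server).
$Account    = 'svc-morpheus'   # placeholder sAMAccountName (assumption)
$Namespaces = 'root\CIMV2', 'root\MicrosoftDNS', 'root\Microsoft\Windows\DNS'

# WMI namespace access-mask bits for the three rights the page lists.
$Required = [ordered]@{
    'Enable Account'  = 0x01   # WBEM_ENABLE
    'Execute Methods' = 0x02   # WBEM_METHOD_EXECUTE
    'Remote Enable'   = 0x20   # WBEM_REMOTE_ACCESS
}
$RequiredMask     = [int64]0x23
$ContainerInherit = 0x02       # ACE flag set by "This namespace and subnamespaces"

foreach ($ns in $Namespaces) {
    # Read the namespace security descriptor through __SystemSecurity.
    $sd = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' `
            -Name GetSecurityDescriptor -ErrorAction SilentlyContinue
    if (-not $sd -or $sd.ReturnValue -ne 0) {
        Write-Warning "Could not read security descriptor for $ns"
        continue
    }

    # Combine every allow ACE (AceType 0) held directly by the service account.
    $mask = [int64]0
    $inherits = $false
    foreach ($ace in $sd.Descriptor.DACL) {
        if ($ace.Trustee.Name -eq $Account -and $ace.AceType -eq 0) {
            $mask = $mask -bor [int64]$ace.AccessMask
            if ($ace.AceFlags -band $ContainerInherit) { $inherits = $true }
        }
    }

    $missing = @($Required.Keys | Where-Object { -not ($mask -band $Required[$_]) })
    $extra   = $mask -band (-bnot $RequiredMask)

    [pscustomobject]@{
        Namespace              = $ns
        MissingRights          = $missing -join ', '
        ExtraRightsMask        = '0x{0:X}' -f $extra   # non-zero: more than the minimum
        AppliesToSubnamespaces = $inherits
    }
}
```

An empty MissingRights, an ExtraRightsMask of 0x0 and AppliesToSubnamespaces set to True on all three namespaces match the minimum set described above; rights granted only through group membership do not appear, because the check matches ACEs on the account itself.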
(Optional) Prepare Jump Box
In some environments, Morpheus may not be allowed to access the DNS servers directly, as they may be on segregated networks. In this case, Morpheus can utilize a member server as a "jump box" that can access the DNS servers directly. The jump box will be used to interact with the DNS server instead. If this is a requirement, follow the below process to prepare the jump box.
- Add the service account to the Remote Management Users group of the jump box, which will allow WinRM to access
- Verify the firewall allows WinRM from Morpheus
- Create or edit the following registry key by running regedit:
  - Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
  - Create or edit ProtectionPolicy DWORD (32-bit) Value
  - Set ProtectionPolicy value to 1
Finally, winrm quickconfig may need to be run to enable WinRM, if the server is an older operating system.
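The group and registry steps of the jump box procedure as an idempotent script, which also records the previous ProtectionPolicy value so the change can be audited or reverted. This is an added example, not part of the Morpheus documentation; the account name is a placeholder, and the firewall step is left as a manual check.

```powershell
# Added example: run in an elevated Windows PowerShell session on the jump box.
$Account = 'CORP\svc-morpheus'   # placeholder service account (assumption)
$Group   = 'Remote Management Users'
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\' +
           'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'

# Step 1: grant WinRM access only if the account is not already a member.
$isMember = [bool](Get-LocalGroupMember -Group $Group |
    Where-Object Name -eq $Account)
if (-not $isMember) {
    Add-LocalGroupMember -Group $Group -Member $Account
}

# Step 3: create the key if it is missing, capture the old value, set 1.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
$previous = (Get-ItemProperty -Path $KeyPath -Name ProtectionPolicy `
                -ErrorAction SilentlyContinue).ProtectionPolicy
New-ItemProperty -Path $KeyPath -Name ProtectionPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null
$current = (Get-ItemProperty -Path $KeyPath -Name ProtectionPolicy).ProtectionPolicy

# Emit a record for the change log; PreviousValue is empty if the value was new.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Account        = $Account
    AddedToGroup   = -not $isMember
    PreviousValue  = $previous
    CurrentValue   = $current
    ChangedAt      = (Get-Date).ToString('s')
}
```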
Add Microsoft DNS Integration
Important
The Morpheus Microsoft DNS integration works over http/5985 by default. If you have turned off the http listener on 5985 and only enabled https/5986, be sure to configure the correct WINRM PORT.
Note
Depending on the version of Morpheus, some settings may only be available by installing the Microsoft DNS plugin from Morpheus Marketplace. Newer versions of Morpheus should contain this plugin by default.
Microsoft DNS can be added in the Administration or Infrastructure sections:
- In Administration > Integrations, select + New Integration
- In Infrastructure > Networks > Integrations, select + Add
Provide the following:
- TYPE
Microsoft DNS
- NAME
Name for the Integration in Morpheus
- WINRM PORT
Port WinRM should use. By default, HTTP (port 5985) is used, which is the default on Windows Server. If HTTPS has been configured by the organization, then specifying port 5986 may be appropriate.
- DNS SERVER
IP or resolvable hostname of the DNS server Morpheus will connect to. If using a jump box, specify the IP or resolvable hostname of the jump box here, and the main DNS Server in the COMPUTER NAME field below.
- USERNAME
DNS provider username
- PASSWORD
DNS provider user password
- ZONE FILTER
Comma separated filter for specific zones to be imported. Example entries: example.morpheus.com, *.morpheus.com, *.10.in-addr.arpa, d*.us.morpheus.com. Additional explanations can be found at the plugin source code readme.
- COMPUTER NAME
If the DNS SERVER specified is not the main DNS server but rather a jump box, enter the Computer Name of the main DNS Server here. If the DNS SERVER specified above is the main DNS server and not a jump box, leave COMPUTER NAME blank.
- CREATE POINTERS
Enable to create PTR (Pointer/Reverse Lookup) records during provisioning
Once saved, the Integration will be added and visible in both Administration > Integrations and Infrastructure > Networks > Services.
Note
All fields can be edited after saving.
Domains
Once the integration is added, Microsoft DNS Domains will sync and be listed under Infrastructure > Networks > Domains.
Note
Default Domains can be set on Networks and Clouds, and can be selected when provisioning. Additional configuration options are available by editing a domain in Networks > Domains.
Configuring Microsoft DNS with Clouds and Groups
DNS Integrations are available in the DNS Integration dropdown in Cloud and Group settings. Morpheus will register Instances with the DNS provider when provisioned into a Cloud or Group with a DNS Integration added.
Add DNS Integration to a Cloud
- In Infrastructure > Clouds, edit the target Cloud.
- Expand the Advanced Options section.
- In the DNS Integration dropdown, select an available DNS Integration.
- Save Changes
Add DNS Integration to a Group
- In Infrastructure > Groups, select the target Group.
- Select the Edit button for the Group.
- Expand the Advanced Options section.
- In the DNS Integration dropdown, select an available DNS Integration.
- Save Changes
Note
Instances provisioned into a Cloud or Group with a DNS Integration added will be registered as instancename.domain with the DNS Provider during provisioning, and de-registered at teardown.