VitalQIP Product Description
Copyright © 2011 Alcatel-Lucent Technologies
USE PURSUANT TO COMPANY INSTRUCTIONS
Page 28 of 50
VitalQIP software continues its market-leading support of Microsoft Windows DNS/DHCP servers with
support of sites and subnets in Active Directory. VitalQIP software currently manages information
about subnets and subnet organizations, which are used to model Windows sites.
To avoid the tedious and error-prone task of re-entering this information into the Windows
management console, VitalQIP software provides an export mechanism through which the subnet and subnet
organization information can be retrieved and imported into the Windows 2000 Active Directory as
subnets and sites.
Microsoft Secure Zones
A zone may be marked as secure only if it is Active Directory integrated. Non-directory integrated
zones cannot be secured. When a secure dynamic update is made to a secure zone, the security
verification generally occurs in two stages. First, the GSS-TSIG protocol is used to verify the identity of
the updater. Second, the DNS server takes the update and uses the updater's security context to
update Active Directory with the new information. At this stage Active Directory's access security
mechanism is invoked for this "secure zone".
Active Directory keeps access control information with each entry. This access
control information specifies who owns the entry and who is allowed to access it. If the access
control information does not forbid the updater from making changes to the Active Directory entry it
is trying to modify, then the update succeeds. At this stage, if the entry had no security or did not
previously exist, the access control information for the entry is updated such that only the updater
(and administrators) is allowed to make changes to the entry. There is one exception to this rule:
when the updater is a member of a special security group called DNSUpdateProxy. Objects
created by members of the DNSUpdateProxy group have no security; therefore, any authenticated
user can take ownership of the objects.
While VitalQIP will not store the Active Directory access control information, it will require the user
to create two new Windows 2000 users for QIP. One will be a normal user, referred to as a Strong
user. The other will be a member of the DNSUpdateProxy security group, referred to as a Proxy user.
When static objects and RRs are modified in a secure zone, VitalQIP will use the Strong user context
to do the update. This will cause VitalQIP to be the only user that is allowed to modify those entries,
thus locking out random clients from stealing DNS entries that were entered by VitalQIP. When EDUP
objects and RRs are updated, the Proxy user context will be used, thus allowing external users to
make modifications to (and take ownership of) those entries.
When dynamic objects are updated, the user may want to allow the DHCP client to take
ownership of the name and make subsequent updates to DNS itself. In this case, QIP will use the Proxy
user context. On the other hand, users may feel more comfortable with VitalQIP managing the DNS
updates for the dynamic clients and not allowing the dynamic clients to update the zone at all. In this
case QIP will use the Strong user context to do the updates, thus locking all other users out of
modifying the information. The screen shot below gives an example of the configuration of these
user types for secure zones.
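The two-stage secure-update check and the Strong/Proxy context rule described above, modelled as an added Python illustration (not VitalQIP or Microsoft code). The `Principal`, `SecureZone` and `choose_context` names and the group name "Domain Admins" are assumptions; the model shows why a record created under the Proxy context can be claimed by any authenticated principal while a Strong-context record stays locked to VitalQIP and administrators.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ADMIN_GROUP = "Domain Admins"        # assumed name of the administrators group
DNS_UPDATE_PROXY = "DNSUpdateProxy"  # the special group named on the page

@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()
    def is_admin(self) -> bool:
        return ADMIN_GROUP in self.groups
    def is_proxy(self) -> bool:
        return DNS_UPDATE_PROXY in self.groups

@dataclass
class Entry:
    owner: Optional[str]  # None models "no security" (object created by a DNSUpdateProxy member)
    data: str

class SecureZone:
    """AD-integrated zone: stage 1 is GSS-TSIG identity, stage 2 is the AD access check."""
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}
    def update(self, updater: Principal, name: str, data: str, gss_verified: bool = True) -> bool:
        if not gss_verified:  # stage 1 failed: identity of the updater not established
            return False
        entry = self.entries.get(name)
        if entry is not None and entry.owner is not None:
            if entry.owner != updater.name and not updater.is_admin():
                return False  # stage 2: the entry's ACL forbids this updater
        if entry is None or entry.owner is None:
            # New or unsecured entry: lock it to the updater (plus admins), unless the updater
            # is a DNSUpdateProxy member, whose objects stay ownerless and claimable by anyone.
            owner = None if updater.is_proxy() else updater.name
        else:
            owner = entry.owner
        self.entries[name] = Entry(owner, data)
        return True

def choose_context(kind: str, strong: Principal, proxy: Principal,
                   clients_may_own: bool = False) -> Principal:
    """Context rule as described: static -> Strong, EDUP -> Proxy, dynamic -> Proxy only if clients may own."""
    if kind == "static":
        return strong
    if kind == "edup":
        return proxy
    if kind == "dynamic":
        return proxy if clients_may_own else strong
    raise ValueError(f"unknown record kind: {kind}")
```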
Changed Records Push