
ADMINISTRATION GUIDE

Adonis Administration Guide Version 5.5

Legal Notices
Read this page to ascertain important legal information and warnings.

Copyright
Copyright 2000-2008, BlueCat Networks (USA) Inc. All rights reserved. Company names and/or data used in screens and sample output are fictitious, unless otherwise stated.

Trademarks
BlueCat Networks, the BlueCat Networks logo, Adonis, the Adonis logo, Meridius, the Meridius logo, Proteus, and the Proteus logo are trademarks of BlueCat Networks (USA) Inc. Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. Linux is a registered trademark of Linus Torvalds. Windows is a registered trademark of Microsoft Corporation. Intel and Pentium are registered trademarks of Intel Corporation. RPD is a trademark of Commtouch Software Ltd. All other product and company names are registered trademarks or trademarks of their respective holders.

Export Warning
This is a Class A product. In a domestic environment, this product may cause radio interference, in which case you may be required to take appropriate measures.

Canadian Regulatory Compliance


This is a Class A digital device that complies with Canadian ICES-003.

FCC Compliance
This equipment generates, uses, and may emit radio frequency energy. This equipment has been type tested and found to comply with the limits for a Class A digital device pursuant to part 15 of FCC rules that are designed to provide reasonable protection against such radio frequency interference. Operation of this equipment in a residential area may cause interference that may require you to take reasonable measures to correct at your expense. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Disclaimer
a) Read this guide before installing or using the product. For more information, see other relevant documents in the distribution.
b) Failure to follow the prescribed instructions will void the product warranty.
c) BlueCat Networks (USA) Inc. (BlueCat) has granted you the right to use this manual. BlueCat believes the information it furnishes to be accurate and reliable, but BlueCat assumes no responsibility for, or arising out of, your use of the manual except to the extent expressly set out in the end-user agreement (EUA) associated with the product. No license is granted by implication or otherwise under any patent, copyright or other intellectual property right of BlueCat Networks (USA) Inc. except as specifically described in the above noted EUA. BlueCat Networks (USA) Inc. reserves the right to change specifications at any time without notice.

Contents

Preface ... 9

Chapter 1: Introduction
  DNS and DHCP ... 11
  Adonis Overview ... 11
  How is Adonis Organized? ... 11
  Two Consoles: Two Tasks ... 12
  Project Files ... 12
  Deployment ... 12
  Security ... 12
  IPv6 Support ... 12
  Advanced Implementations ... 13
  Adonis and Proteus IPAM ... 13

Chapter 2: Administration Console
  Using the Adonis Administration Console ... 15
  Administration Console Modes ... 16
  Main Mode ... 16
  Main Mode Help ... 16
  Configuration Mode ... 16
  Configuration Mode Help ... 17
  Saving or Discarding Changes ... 18
  Viewing the Command History ... 18

Chapter 3: Management Console
  Getting Started ... 19
  Navigating the Adonis Management Console ... 20
  User Management and Access Control ... 23
  Managing Users ... 24
  Access Control ... 27
  Configuring External Authenticators ... 29
  Kerberos Authenticators ... 30
  RADIUS Authenticators ... 31
  LDAP Authenticators ... 32

Chapter 4: Appliance Management
  Setting Default Appliance Options ... 35
  General Options ... 35
  Product Updates ... 36
  Specifying Proxy Settings ... 37
  Appliance Authentication Management ... 38
  Passwords ... 41
  Resetting from Proteus Control ... 41
  Administration Console Server Controls ... 42
  Rebooting and Shutting Down ... 42
  LCD ... 42
  Inspecting the Network Configuration ... 42
  Configuring Network Settings ... 43
  Configuring the Hostname ... 44
  Viewing and Setting the Time ... 44
  Setting the Time Zone ... 45
  Network Time Protocol (NTP) ... 46
  Configuring the Routing Table ... 48
  Configuring Anycast ... 50
  Administration Console Service Control ... 51
  Command Server ... 51
  XHA ... 51
  Firewalls ... 51
  SSH ... 53
  Startup Services ... 53
  Network Services ... 53
  Management Console Server Controls ... 54
  Deploying a Project ... 56
  Viewing System Logs ... 56
  Configuring System Log Output ... 57
  Viewing Logs ... 58
  Simple Network Management Protocol ... 59
  Enabling SNMP ... 59
  Configuring SNMP ... 59
  Updating Adonis ... 64
  Online Updates ... 64
  Manual Updates ... 69

Chapter 5: Project Files
  Creating a New Project File ... 71
  Selecting an Appliance Type ... 72
  Setting up an Initial DNS Service ... 73
  Selecting a DNS Network Architecture ... 73
  Opening and Saving Files ... 84
  Checking Files Into and Out Of an Adonis Server ... 85
  Modifying File Location Settings ... 88
  Editing a Project File ... 88
  Adding Servers ... 89
  Checking and Correcting a File ... 90
  Checking the Data ... 91
  Modifying Data Check Issue Settings ... 91
  Deploying the Project File ... 92
  Importing a Project ... 96
  Importing from a Previous Version ... 96

Chapter 6: Adonis DNS
  Adonis DNS Implementation ... 97
  DNS Services ... 98
  BIND/DNS Service Control ... 98
  Specifying Server Version Information ... 99
  Adjusting DNS Service Options ... 100
  Resource Records ... 101
  Custom Resource Records ... 102
  Resource Record Fields ... 103
  Managing Servers and Zones ... 104
  Authoritative DNS and Delegation ... 104
  Adding Zones ... 104
  Recursive DNS ... 108
  Working with Zones ... 111
  Setting Zone Options ... 112
  Defining the Start of Authority for a Zone ... 113
  Zone Templates ... 115
  Managing Resource Records ... 117
  Adding Resource Records ... 118
  Auto-Generating Resource Records ... 118
  Generating Records Incrementally ... 119
  Editing and Deleting Resource Records ... 121
  Disabling Resource Records ... 121

Chapter 7: Advanced DNS
  Reverse DNS ... 123
  ENUM and VoIP ... 123
  Delegating Subnets ... 126
  Dynamic DNS ... 128
  Configuring DDNS ... 130
  Integrating Active Directory ... 130
  Enabling Active Directory Support ... 130
  Windows Active Directory Synchronization ... 131
  Checking the Data ... 132
  Data Check ... 132
  Using the DNS Fixup Wizard ... 132
  Live Data Check ... 135
  The Whois Lookup Tool ... 136
  DNS Configuration Statistics ... 139
  Transaction Signatures ... 140
  DNS Queries ... 144
  Using BIND Views ... 144
  Managing Access Control Lists ... 146
  Query Logging ... 148
  DNS and IPv6 ... 151
  AAAA Records ... 151
  Reverse Lookup ... 152
  NS Records ... 153
  Mixed Environments ... 153

Chapter 8: Adonis DHCP
  Background ... 155
  Adonis DHCP Implementation ... 156
  Adonis DHCP Files ... 156
  Adonis DHCP Services ... 156
  Adding a DHCP Relay Service ... 157
  DHCP Declarations and Scope ... 158
  Common Object Types ... 159
  DHCP Groups ... 159
  Declaring Groups ... 159
  Subnets ... 159
  Declaring Subnets ... 160
  Shared Networks ... 160
  Pools ... 161
  Hosts ... 162
  DHCP Client Options ... 165
  Subnet Mask ... 165
  IP Layer Parameters Per Host ... 165
  Interface-Specific Options ... 167
  Link Layer Interface-Specific Options ... 168
  TCP Interface-Specific Options ... 168
  Application and Service Options ... 168
  DHCP Advanced Options ... 171
  Setting Up DHCP Services ... 172

Chapter 9: Adonis Advanced DHCP
  Custom Client Configurations ... 175
  Classes ... 175
  Subclasses ... 177
  Vendor Profiles ... 178
  DHCP Custom Options ... 181
  TFTP Service ... 182
  DDNS and Zones ... 183
  Network Access Control ... 184
  MAC Address Filtering ... 184
  Adding MAC Authentication to a DHCP Service ... 190
  MAC Authentication Menu ... 195
  DHCP/TFTP Service Control ... 195
  DHCP Service Control ... 195
  TFTP Service Control ... 196
  OMAPI ... 196
  DHCP Lease Viewer ... 196
  DHCP Failover ... 197
  DHCPv6 ... 197
  Overview of DHCPv6 ... 197
  IPv6 Prefixes ... 197
  Neighbor Discovery for Address Assignment ... 198
  Creating a DHCPv6 Service ... 198
  Configuring a DHCPv6 Service ... 199

Chapter 10: High Availability
  Crossover High Availability (XHA) ... 201
  Prerequisites ... 202
  Creating a High Availability Cluster ... 202
  Diagnosing a High Availability Cluster ... 204
  Repairing a High Availability Cluster ... 205
  Breaking a High Availability Cluster ... 208
  Manual Failover ... 208
  Updating an XHA Cluster ... 209
  BIND Views in XHA ... 210
  Adonis DHCP Failover ... 210
  One Client per Address ... 210
  A Companion to XHA ... 210
  Terms vs Times ... 210
  Three Rules ... 211
  Address Binding States ... 211
  Server States ... 212
  Failover Monitor ... 214
  Typical State Transition ... 214
  Recommended Topologies ... 215
  Setting Up DHCP Failover ... 218
  Configuring DHCP Failover on a Pool ... 219
  Modifying Settings for a Failover Pool ... 220

Chapter 11: Migration Tools
  Importing External Configurations ... 223
  Using a Live Zone Transfer ... 225
  Importing an Existing DNS Configuration ... 227
  Named.conf ... 228
  ACLs ... 228
  Importing an Existing DHCP Configuration ... 229
  ISC DHCP 3.x Config File ... 229
  Windows 2000 DHCP Dump File ... 230

Chapter 12: Active Directory Integration
  Active Directory and DNS ... 231
  Dynamic Domain Controller Registration ... 232
  Integrating Adonis into Active Directory ... 233
  DNS Replication ... 234
  Active Directory DNS Records ... 235
  SRV Records ... 236
  A Records ... 237
  CNAME Records ... 237

Appendix A: Integrating with Mirage Post-Admission NAC Appliance ... 239
  About the AMA ... 239
  Setting up the AMA ... 240
  Enabling SSH Between Adonis and Mirage ... 240
  Configuring the AMA ... 240
  Configuring Mirage ... 242
  Creating an External Authority ... 242
  Creating a Profile Group and Profiles ... 242
  Configuring Zones ... 243
  Controlling the AMA ... 243

Index ... 245


Preface

Welcome to the Adonis Administration Guide. This guide explains how to add an Adonis appliance to your network and how to administer it on an ongoing basis.

Who should read this guide?


This guide is intended for Adonis administrators. Readers should be familiar with DNS and DHCP administration.

References
Working with a DNS/DHCP system requires in-depth knowledge of many subject areas, including DNS, DHCP, and general networking. The following references are provided for readers who require more background knowledge before working with Adonis:
- The DHCP Handbook by Ralph Droms and Ted Lemon, SAMS Publishing, ISBN 0-67232-327-3
- Pro DNS and BIND by Ron Aitchison, Apress, ISBN 1-59059-494-0
- DNS and BIND by Paul Albitz and Cricket Liu, O'Reilly Media, ISBN 0-596-00158-4
- The Internet Systems Consortium website (www.isc.org). This site also hosts the BIND FAQ at www.isc.org/sw/bind.

Typographic Conventions
This guide uses the following conventions:
Bold: Command line options and user input to be typed.
Bold blue: Button names, fields, tabs, and icons in the user interface.
Bold blue italic: Cross references and hypertext links within the document.
Blue underline: Hypertext links to external URL entries.
Monospace: Source code examples and terminal output.
Monospace Italic: Variables in code examples.
Normal Italic: New terms being defined. Emphasis within a concept description. Dialog box, window, and screen names.
Caution icon: This icon appears alongside a Caution. Cautions usually appear where performing an action may be dangerous to the user or to the equipment, or where data may be corrupted or incomplete if the caution is not observed.
Note icon: This icon appears alongside a Note. Notes give additional detail about the material presented in concepts and procedures.
Tip icon: This icon appears alongside a Tip. Tips are similar to Notes and suggest alternative ways to accomplish a task or provide ideas for using the product in the most effective way.

How do I contact BlueCat Networks Client Care?


For additional information, please contact clientcare@bluecatnetworks.com or call 416-646-8433 or 1-866-491-2228. Office hours are Monday to Friday, 7 am to 8 pm Eastern Time.


Chapter 1

Introduction

The Internet has grown to the point where it is indispensable. During this period of growth another phenomenon has occurred: Internet Protocol (IP)-based networks supplanted almost all other ISO layer 3 networking technologies. However, increased complexity and security issues can threaten the viability of these technologies and their use within critical corporate infrastructures. These networks were often constructed on an ad hoc basis, and further management and planning are required to manage and secure them properly. The Internet and other IP-based networks depend on the idea of a unique IP address to route data between network clients. These addresses are organized into smaller blocks or subnets as a means of delegating maintenance to different organizations.

DNS and DHCP


DNS is a scalable distributed service that can tolerate partial outages without disrupting the entire Internet. Because DNS and DHCP are critical network services, their availability and security are principal concerns. The cost of a service outage, even one as short as an hour, far exceeds the cost of implementing properly configured, highly available DNS and DHCP infrastructures. Unsecured DNS makes a network vulnerable to attacks, a risk that goes far beyond just unplanned downtime. The ubiquity of older versions of BIND software continues to make DNS a target for spoofing, ID hacking, cache poisoning attacks, and even direct threats to DNS security (such as server attacks). A modern and robust solution to DNS and DHCP service issues must consider security at every level of its design: the hardware, operating system, services, and software applications.

Adonis Overview
Adonis is an appliance server. It is designed to be intuitive, even for users who have very little background knowledge, but it also contains the advanced tools and settings required by DNS and DHCP experts. Adonis is the logical next generation of DNS/DHCP service provision. It is designed on a secure hardware platform, with a firewall-grade operating system. Updates to the software and operating system are completely automated and encrypted thanks to the known hardware and software combinations implicit with appliances.

How is Adonis Organized?


Adonis is both the appliance that runs in production and the client-side toolkit for configuring one or more Adonis units. The Adonis appliance includes server-side tools in the Administration Console and a command line interface to the server. Most models have front panel controls for setting the IP address and gateway.

Adonis appliances operate with very few open ports; they include an encrypted control port for connecting to the Management Console on the administrator's PC. Ports are opened only if they are required for the project being deployed on the appliance. Operating behind this dynamically configured packet-filtering firewall, the Adonis appliance is well suited to network conditions anywhere, including hostile environments such as DMZs or the Internet. BlueCat Networks' Linux-based operating system is stripped down to its essential code, so the kernel does not load new modules during runtime. The DNS daemon (service) also runs in a chroot jailed environment to prevent the server from being compromised in the highly unlikely event that the service is breached.

Two Consoles: Two Tasks


The Adonis Administration Console is a command-line interface that allows you to configure the appliance for use within your existing network. From the Administration Console, you can set the appliance's IP address and other network settings, handle security settings, configure query logging, and more. The Administration Console provides the power and control of a root user command prompt within a controlled environment with a fixed command set that minimizes risk to the system.

The Adonis Management Console is a Java application that runs on any J2SE-compliant platform, including Microsoft Windows and Linux/UNIX. The look and feel of the Management Console is familiar to Windows users, simplifying the learning curve. The interface also checks the data, both user-entered and imported, and performs automated record creation for maintenance items such as glue records. The Management Console makes DNS and DHCP more manageable, even with minimal training.

Project Files
Adonis stores configurations in project files (file extension .dns) that contain all the settings the appliance needs. The Management Console uses project files to reload the server and service settings saved from a previous session.

Deployment
Adonis separates the design phase of DNS and DHCP rollouts from the actual production environment. You can design and test several different network models before going live. Because deployment is available on an ad hoc basis, configuration changes have minimum impact on service availability.

Security
The Adonis appliance is extremely safe and is designed to operate in the most exposed network environments. For information about specific Adonis appliance safety measures, see Appliance Management on page 35.

IPv6 Support
Adonis includes support for IPv6 addresses. IPv6 is designed to replace IPv4 by conserving its proven and established mechanisms, discarding its known limitations, and extending its scalability and flexibility. IPv6 is designed to handle the growth rate of the Internet while providing reliable service. In most cases, Adonis accepts IPv6 input in the same places as it accepts IPv4 input. Where the two types of address work slightly differently, these differences are noted in the documentation.

Advanced Implementations
Adonis is easily configured through the Management and Administration Consoles, but some advanced configurations require expert advice. BlueCat Networks support and professional services personnel are trained to analyze these situations and provide resources for customers. For more information about these services, ask your BlueCat Networks account manager.

BlueCat Networks provides online and on-site training resources. Pre-defined courses can be arranged in certain major cities, or at your location. Professional Services provide advanced network analysis, design, and configuration both remotely and on-site. These resources and services should be considered in addition to the information provided in this guide.

White papers and other materials are available to registered users through the Resource Center on our public web site (http://www.bluecatnetworks.com). Registration is free, and access is immediate. These white papers discuss topics that are beyond the scope of this document, such as high availability and VoIP.

Adonis and Proteus IPAM


Adonis operates quickly and efficiently because it is a purpose-built appliance that has capacity for DNS and DHCP services. There are no other applications complicating the setup or making demands upon the server. Security is maximized and every part of the server (hardware, operating system, and services) is simplified and secured. The Management Console used to configure the appliance eliminates configuration errors and provides a high level of security during configuration.

Adonis is based on a client-server architecture model. The Adonis appliance operates as a server that offers DNS, DHCP, and TFTP services within the network. Project files are created in the Adonis Management Console and then deployed onto the appliance. All essential communications between the Management Console and the appliances are heavily encrypted and proprietary. Adonis can provide services in extremely hostile network environments. The configuration interface is not present on the appliance: it resides on the operator's workstation and in the encrypted project file.

Adonis on its own is not always a perfect fit with very large installations. When an organization has many DNS and DHCP/DHCPv6 servers scattered across a WAN environment, management becomes a much bigger issue. Managing IP address inventories and policy implementations across multiple servers, as well as the other requirements of a large and complex environment, requires further configuration and modelling assistance. Problems can arise with as few as half-a-dozen DNS and DHCP servers; however, management of tens or hundreds of servers presents much bigger issues. When they reach this point, organizations should look at adding the power of the BlueCat Networks Proteus IPAM appliance to augment their Adonis servers. Proteus is the world's first IPAM appliance. Instead of following traditional client-server architecture it is an n-tier application that has full Adonis compatibility.
Proteus has capabilities such as database-enabled storage, as well as modelling and deployment resources that are not a good fit for the Adonis server-centric model. Proteus is designed to integrate into almost any network environment and it is compatible with most network management tools. For more information about Proteus contact BlueCat Networks, or visit our website at: www.bluecatnetworks.com.


Chapter 2

Administration Console

The Adonis Administration Console controls the functionality of your appliance. This chapter includes the following topics:
- Using the Adonis Administration Console on page 15 introduces the Administration Console.
- Main Mode on page 16 describes Main mode commands.
- Configuration Mode on page 16 describes Configuration mode commands.

Using the Adonis Administration Console


The Adonis Administration Console reduces the amount of administrative effort needed to configure console settings.

To access the Administration Console use one of the following methods:


- Attaching a monitor and keyboard to the Adonis appliance using the VGA and PS/2 connectors provided on the back of the unit.
- Connecting to the appliance's physical IP address through the version 2 Secure Shell (ssh) protocol (ssh must be enabled first).
- Attaching a 9-pin serial cable to the Adonis appliance and using a terminal (tty) application such as HyperTerminal on Windows to open an Administration Console session.
If you purchased a secured model of Adonis, you can only access the Administration Console using the serial cable option. All other access methods have been disabled.

To log in to the Administration Console:


1 Log in at the IP address of eth0 on the Adonis appliance using the login ID admin and the password provided on the Information Sheet that was included in the shipping box. Passwords are generated for each unique unit and should be retained securely.
2 To close the Administration Console and return to the login screen, type exit.
If you cannot locate the secure password for your Adonis appliance, contact BlueCat Networks Client Care. For more information, see How do I contact BlueCat Networks Client Care? on page 10.


Administration Console Modes


The Administration Console has two operational modes:
- Main mode: In main mode you can view many settings but you cannot edit most of them. You should use this mode if you need to inspect your Adonis configuration, but do not plan to make any changes. This mode is useful because it allows you to access appliance settings without the risk of changing them accidentally.
- Configuration mode: In configuration mode you can view and change many appliance settings. You can also review your changes before saving them, and discard them if they are unsatisfactory.

Main Mode
When you log in to the Administration Console, you are in main mode by default. Main mode does not allow you to change many settings, so you are confined to viewing existing settings. Where you can change settings the changes take effect immediately; you can undo them only by changing the setting again.

Main Mode Help


You can access help at any time in the Administration Console. There are general help pages with lists of possible commands and specific help pages for each command. To get general help, type help, and then press Enter. To get help on configuration mode, type help configure, and then press Enter. To get help on a specific command, type help command (where command is the command you want information about), and then press Enter. For example, to see help for the set command:
:adonis>help set
set admin password
set time
set host-name <hostname>
set name-server <nameserver>
set anycast

The following list shows the full set of help possibilities:
help
help configure
help configure object
help sample
help command

Configuration Mode
Configuration mode allows you to change Adonis settings. Adonis does not apply your changes immediately, but it keeps track of them, so you can save them or discard them later. This provides a level of safety because it prevents you from making inappropriate changes accidentally. Saving a setting modifies the operational state of the appliance to reflect the changes.

Configuration mode includes several separate functions:
- Network configuration
- Query logging configuration
- Routing table configuration
- Time zone configuration
- NTP configuration
- SNMP configuration
- Syslog configuration
- Anycast configuration
Each configuration function allows you to make changes only to a specific area.

Configuration Mode Help


Configuration mode includes the same help functions as main mode (for more information, see Main Mode Help on page 16). In addition, there are help pages for specific configuration functions.
To get general help on configuration, type help configure, and then press Enter. To get help about a specific configuration function, type help configure object, and then press Enter.

To change from main mode to a configuration mode:


Type configure object, and then press Enter, where object is one of the following parameters:
- network
- network interface
- network gateway
- querylogging
- routetable
- timezone
- ntp
- snmp
- syslog
- anycast ospf
- anycast rip
The Administration Console prompt changes after you type configure object:
:adonis>configure network interface eth0
:configure:network:interface>set address 192.168.32.1
:configure:network:interface>exit
Do you want to save all changes (Yes or No)? y
:adonis>


Saving or Discarding Changes


Configuration changes do not take effect immediately; you must save them first. Before you do this, you should review your unsaved changes. If you are not satisfied with them or if you discover an error in the data, you can discard them and start again.

Reviewing Unsaved Changes


Adonis lets you review your changes before you commit them. To review unsaved changes type show unsaved, and then press Enter. To review specific unsaved changes type show unsaved object, and then press Enter.

Saving or Discarding Changes and Returning to Main mode


To save your changes and return to main mode, type save, and then press Enter. Alternatively, you can type exit, and then press Enter. When prompted to save your changes, type Y, and then press Enter. To discard your changes and return to main mode, type cancel, and then press Enter. Alternatively, you can type exit, and then press Enter. When prompted to save your changes, type N, and then press Enter.

Viewing the Command History


The Administration Console records the commands you typed during your sessions in either operational mode. To view the command history, type h or history, and then press Enter. For example:
:adonis>history
show version
help
help set
enable lcd
set network eth0 ip 192.168.127.2

You can use the up and down arrow keys to scroll through the commands you typed previously. This feature is useful when you need to repeat previous commands.

Chapter 3

Management Console

The Adonis Management Console is a client-side Java GUI application that serves as a front-end for the appliance. There is some crossover with the Administration Console because it includes some configuration functions and the Management Console contains some real-time controls for the appliance. This places the controls that you may need for any given task in the appropriate interface when you need them. This chapter includes the following topics:
- Getting Started on page 19 gives an overview of the Management Console.
- User Management and Access Control on page 23 discusses users and user access control.
- Configuring External Authenticators on page 29 discusses external authenticators.

Getting Started
You use the Management Console to create and deploy DNS and DHCP configurations.

To start the Adonis Management Console in Windows:


From the Start menu select BlueCat Networks > Adonis > Adonis Management Console.

To start the Adonis Management Console in Linux, Solaris, or Mac OS:


Use the following executable to launch the application:
/root/BlueCat_Networks/Adonis, or ./BlueCat_Networks/Adonis

You can find this executable in the home directory of the user who installed the Management Console. You can create a symbolic link or application launcher for the executable in the location of your choice.


Navigating the Adonis Management Console


The Management Console GUI comprises three areas:
- the toolbar
- the tree-view pane
- the detail pane

The Toolbar
The toolbar gives you quick access to commonly used functions. The tools are organized into functional groups from left to right:
- New File, Open, Save: These tools allow you to work with the Management Console files stored on your local machine.
- Undo, Redo: These tools undo or redo your recent changes. Adonis maintains undo information for the actions you performed since you opened or saved the current file.
- Search, Replace: These tools access the search and replacement features. Use these to navigate within a configuration or to quickly propagate a modification throughout it.
- Cut, Copy, Paste: These tools cut, copy, and paste certain types of items in the tree-view and detail panes.

- Rename, Delete: These tools allow you to rename and delete certain types of objects in the tree-view and detail panes.
- Move Up, Move Down: These tools move certain types of objects in the tree-view pane up or down relative to their siblings in the hierarchy.
- Check Data, Live Data Check: These tools access the DNS error-checking functions.
- Deploy, Server Control: These allow the Management Console to connect to the Adonis appliance to distribute project file changes, gather server data, and perform server commands.

The Tree-view Pane


The tree-view pane shows a hierarchical representation of all the information in your project file, including servers, DNS, DHCP, and TFTP services. You can expand or collapse items in the tree-view as necessary. To display the details of an item in the detail pane, select it in the tree-view pane.

The Detail Pane


The detail pane shows information about the item you selected in the tree-view pane. For example, if you select a master DNS zone in the tree-view pane, the detail pane displays the resource records it contains. Most detail pane displays have multiple tabs that display different categories of details about the selected item. For example, the master DNS zone has four tabs:
- Resource Records
- Start of Authority
- Template
- Options

Some tabs have specific toolbars or other custom buttons. These buttons perform tasks related specifically to objects displayed in the current tab. For example, the Resource Records tab for a master DNS zone has a toolbar with a button for each type of record you can add. For more information about Resource Records, see Resource Records on page 101.


Search and Replace


The Management Console includes two tools to help you locate and replace objects in the tree-view pane. These are useful for large configurations that include many servers, views, and zones.

To go to an object:
1 On the toolbar click Search. The Data Navigator dialog box opens.
2 Select the Go To tab, and then type the name of the object you want to locate in the Go To field.
3 Click Go. Go To locates the object, and then the Data Navigator dialog box closes.

To search for objects:


1 On the toolbar click Search. The Data Navigator dialog box opens.

2 In the Search field, type the name of the object you want to find, and then click Search.
You can search for whole words, abbreviations, file name extensions, or numbers. The search tool is not case-sensitive and returns all types of objects that meet the search criteria.

3 To search only the DNS or DHCP service, click the Target down arrow, and then select the service you want to search from the drop-down list.
4 To restrict your search to specific object types, click (...). The Select Target Objects dialog box appears.

The Select Target Objects dialog contains checkboxes for DNS or DHCP objects, depending on the service you chose in step 3.
5 Select the checkboxes for the objects you want to search, and then click OK.
6 In the Data Navigator dialog box click Search. Objects that match the search criteria appear in the results table.
7 Double-click one of the objects in the table: the object is selected in the tree-view pane.
8 Click Close.

To find and replace objects:


1 On the toolbar click Replace. The Replace dialog box opens.

2 Type the name of the object you want to find in the Find What field, and then click Find.
You can use whole words, abbreviations, or numbers, but not file extensions or wildcards. To make the find tool case-sensitive select the Case Sensitive checkbox.

3 To find an object by IP address, click the Type down arrow, and then select IP from the drop-down list.
4 To replace an object name or IP address, type the new information in the Replace With field, and then click Replace.
If you do not want to replace every object you found, clear the appropriate checkboxes in the Replace column.

5 Click Close.

User Management and Access Control


The User Management feature allows you to set and enforce access to the Management Console with password authentication or without access security applied to the project file. Without access security, the administration and deployment passwords are still required to make changes to the appliance, but changes can be made to the project file (.dns) without a password. Some network policies require that users be authenticated centrally by a single system. Adonis project file users can be authenticated either by Adonis or by an external authentication server on the network. For more information, see Configuring External Authenticators on page 29.

Managing Users
You can set and enforce user and group level access control over the project file at the server, view, and zone levels, as well as individual DNS and DHCP service levels.

To establish user level access control:


1 From the Management Console File menu, select User Management. The Set Administrator Password dialog box appears.

2 Type the new administrator password in the Password and Re-enter Password fields. 3 Click OK. The User Management dialog box appears.

4 To enable user level access control for the project file, select the Enable user level access checkbox.

If you do not enable this feature, authentication and user management are not performed when this file is accessed.
After you enable user level access control, you are prompted to enter a user name (Administrator) and password when you close the User Management dialog box.

Users and Groups


Users and groups are distinguished by different icons. You can edit users and groups by selecting them from the User Management dialog box, and then clicking Edit. You can remove the users or groups you created by selecting them from the User Management dialog box, and then clicking Remove.
If you want to add a new user to an existing group, click the Member of tab, select the group to which you want to add the new user, and then click Add. If you want to add the user to a new group you need to create the new group first.

To add a new user:


1 On the Users and Groups tab of the User Management dialog box, click Add User. The New User dialog box appears.

2 Type values in the User Name, Full Name, and Adonis Password fields. Confirm the password, and then select the applicable user options.
A user who can deploy configurations can change server settings directly, as opposed to adding changes to a project file.

- User cannot change password: only an Administrator can change the user's login password.
- Password must be changed next login: the current Adonis password is valid only for this login; the user must change the password.
- User disabled: the user cannot log in to Adonis.

- User can deploy configuration: the user has permission to deploy project files to Adonis.
- Full Access: creates an Administrator user who can access the Administration menu and change any detail in the project file.
The name of the new user appears in the list on the Users and Groups tab.
3 Click OK.

Group Accounts
Group accounts make administration easier. By collecting individual users into groups you can assign the same access rights to all members in the group.

To add a new group:


1 On the Users and Groups tab of the User Management dialog box, click Add Group. The New Group dialog box appears.

2 Type a name for the new group. To add members to the group click Add, and then select the new group members from the Users List dialog box.

3 Click OK.


To log in as a user and change the password:


1 In the Authenticate dialog box, click Change Password (not available if the Administrator selected the User cannot change password option in the New User dialog box).

2 The Change Password dialog box opens. Type the old password, the new password, and then type the new password again to confirm.

3 Click OK.

Access Control
Access rights control access to the project file. A newly created user or group has no access rights to any object within a project file. Before users can perform any actions you must assign access rights to the appropriate user or group account. You can modify the user permissions for system objects that reside within servers, views, and zones. This is a two-stage process:
- adding a list of users or groups for each type of object
- modifying the user permissions for each type of object


To set access control for an object:


1 Right-click the server, view, or zone object in the tree-view pane of the Management Console. Select Access Control from the menu. The Access Control dialog box opens.

The Access Inherited From field does not appear for server objects. Views and zones always reside within server objects.

2 To add users or groups, click Add. The Add User or Group dialog box opens.

3 Select a user (or group), and then click OK. The Access Control dialog box displays the added user and the user's access rights.

4 To see the access rights available for any sub-level of the current object, click the down arrow to the right of the Filter drop-down list. The drop-down list changes depending on which object you chose in the tree-view pane. For example, the Server object shows the complete list:
- All
- DHCP Group
- DHCP Service
- DHCP Shared Network
- DHCP Subnet
- DHCPv6 Service
- DNS Service
- Master Zone
- Name Server
- View
5 In the Enable column of the Access Rights area, modify the rights granted to this user (or group) by selecting the appropriate checkboxes for the access rights you want to modify.
6 In the Permission column, click in one of the rows, and then select the level of access control for each kind of object from the drop-down list: Hide, Read-Only, Change, or Full.
7 Click OK.
You can replicate the attributes of parent objects to child objects by right-clicking the appropriate object in the Access Right column, and then selecting Replicate To Child Attributes.

Configuring External Authenticators


In large network environments, requirements may dictate that password management and account validity are centralized on a single system. In addition to authenticating users natively, Adonis can authenticate them through an organization's existing LDAP, RADIUS, or Kerberos/Active Directory servers. Although users do not normally require a user account to log in to Adonis, when the user management sub-system is enabled they are prompted for a user name and password when opening project files. When you are creating or editing a user, you can switch authentication methods between the internal Adonis system and external systems by selecting an external authenticator.

To access an external authentication server, the details of the connection to this server are consolidated in an Adonis authenticator object. You can add authenticators as part of the user management subsystem (File > User Management). When you enable user management the Authenticators tab appears in the User Management dialog box.

Enabling user management requires a login for all future sessions using this configuration in the Management Console.
If the authenticator information that is displayed does not appear to be current, you can update it by restarting the Management Console.

To add an authenticator:
1 Right-click in the empty region of the Authenticators tab, and then select New. The Add Authenticator dialog box opens.
2 Use the Add Authenticator dialog box to add authenticator objects for servers running LDAP, Radius, or Kerberos/Active Directory authentication.
The fields that appear in the Add Authenticator dialog box differ for each of the available external authentication servers.

Kerberos Authenticators
A Kerberos server issues a temporary permission ticket to an authenticated user. This ticket is authenticated and distributed using a Key Distribution Center (KDC). Kerberos authentication is also used for authentication in Microsoft Active Directory environments. For more information on integrating Adonis into Microsoft Active Directory environments, see Active Directory Integration on page 231.


To add a Kerberos authenticator:


1 In the Add Authenticator dialog box, specify the following values:

- Name: The name of this Kerberos authenticator object within Adonis.
- Host: The host name or IP address of the Kerberos server that you are contacting to authenticate Adonis users.
- Realm: The realm represents the administrative domain for the Kerberos server. This must be typed in ALL CAPS.
- KDC: The host name or IP address of the Kerberos Key Distribution Center.
2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
3 To create this Kerberos authenticator object, click OK.

RADIUS Authenticators
RADIUS authentication is used in many embedded systems, including routers. It is often found running on servers as the default authentication system for networks. RADIUS authentication on Adonis is supported through the creation of a RADIUS authenticator object.


To add a Radius authenticator:


1 In the Add Authenticator dialog box, specify the following values.

- Name: The name of this Radius authenticator object within Adonis.
- Host: The host name or IP address of the Radius server.
- Shared Secret: The shared secret between the client and the server, passed as a text string. This value needs to be obtained from your Radius server configuration.
- Auth Port: The port used when authenticating users, usually 1812. This port should not be changed unless your implementation requires another port to be supported. The port must be set properly here in order for the Adonis firewall to be reconfigured.
- Acct Port: The port used for Radius accounting, usually 1813. This port should not be changed unless your implementation requires another port to be supported. The port must be set properly here in order for the Adonis firewall to be reconfigured.
- Method: Select either the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP), depending on which authentication method this server is accepting.
2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
3 To create this Radius authenticator object, click OK.

LDAP Authenticators
Lightweight Directory Access Protocol (LDAP) directories are server services used to store user information centrally, thereby providing a single logon for a network.


To add an LDAP authenticator:


1 In the Add Authenticator dialog box, specify the following values.

- Name: The name of this LDAP authenticator object within Adonis.
- Host: The host name or IP address of the LDAP server.
- Port: The TCP port used for communication between Adonis and the LDAP server.
- Search Base: The location within the LDAP directory structure where the search for authenticating users begins.
2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
3 To create this LDAP authenticator object, click OK.
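The three authenticator dialogs above share one pattern: a small set of fields and a Test Authenticator check that only confirms a socket connection. The following Python script, an added example that is not BlueCat code, re-creates those field constraints (Kerberos realm in ALL CAPS, RADIUS ports normally 1812/1813 and method PAP or CHAP, LDAP host and port) and the same kind of reachability probe; the Kerberos (88) and LDAP (389) TCP port numbers and the field names used as dictionary keys are assumptions, not values from the guide.

```python
"""Pre-flight checks for Adonis external authenticator settings.

Added example, not BlueCat code and not what the Management Console runs.
It applies the field constraints the guide states for the Kerberos, RADIUS
and LDAP authenticator dialogs and performs the kind of check that Test
Authenticator performs: can a socket connection to the server be formed.
The Kerberos (88) and LDAP (389) TCP ports are conventional defaults assumed
here; the guide itself gives only the RADIUS ports.
"""
import socket
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

RADIUS_USUAL_PORTS = {"Auth Port": 1812, "Acct Port": 1813}  # from the guide
RADIUS_METHODS = ("PAP", "CHAP")                              # from the guide
ASSUMED_TCP_PORTS = {"kerberos": 88, "ldap": 389}             # assumption


@dataclass
class CheckResult:
    """Errors block creating the authenticator; warnings deserve a second look."""
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.errors


def _require(fields: Dict[str, str], names: Iterable[str], result: CheckResult) -> None:
    """Every dialog field the guide lists must be filled in."""
    for name in names:
        if not str(fields.get(name, "")).strip():
            result.errors.append(f"{name} is empty")


def _port(fields: Dict[str, str], label: str, result: CheckResult) -> Optional[int]:
    """Parse a port field; the appliance firewall is reconfigured to this value."""
    try:
        port = int(fields[label])
    except (KeyError, ValueError):
        result.errors.append(f"{label} must be a number")
        return None
    if not 1 <= port <= 65535:
        result.errors.append(f"{label} {port} is outside 1-65535")
        return None
    return port


def validate_kerberos(fields: Dict[str, str]) -> CheckResult:
    """Fields: Name, Host, Realm, KDC. The realm must be typed in ALL CAPS."""
    result = CheckResult()
    _require(fields, ("Name", "Host", "Realm", "KDC"), result)
    realm = fields.get("Realm", "")
    if realm and realm != realm.upper():
        result.errors.append(f"Realm '{realm}' must be typed in ALL CAPS")
    return result


def validate_radius(fields: Dict[str, str]) -> CheckResult:
    """Fields: Name, Host, Shared Secret, Auth Port, Acct Port, Method."""
    result = CheckResult()
    _require(fields, ("Name", "Host", "Shared Secret"), result)
    for label, usual in RADIUS_USUAL_PORTS.items():
        port = _port(fields, label, result)
        if port is not None and port != usual:
            # Allowed, but the guide says to change it only when the
            # implementation requires it, so flag it for review.
            result.warnings.append(f"{label} {port} differs from the usual {usual}")
    if fields.get("Method") not in RADIUS_METHODS:
        result.errors.append("Method must be PAP or CHAP")
    return result


def validate_ldap(fields: Dict[str, str]) -> CheckResult:
    """Fields: Name, Host, Port, Search Base."""
    result = CheckResult()
    _require(fields, ("Name", "Host", "Search Base"), result)
    _port(fields, "Port", result)
    return result


def socket_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """What Test Authenticator establishes: a TCP connection can be formed.

    Success proves only that something answers on the port; it does not prove
    that the server will accept Adonis users' credentials.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(kind: str, fields: Dict[str, str], timeout: float = 3.0) -> Optional[bool]:
    """Reachability probe for a validated authenticator of the given kind.

    RADIUS runs over UDP, where connect() performs no handshake, so nothing
    can be inferred from a socket connection; None is returned for it.
    """
    if kind == "kerberos":
        return socket_reachable(fields["KDC"], ASSUMED_TCP_PORTS["kerberos"], timeout)
    if kind == "ldap":
        return socket_reachable(fields["Host"], int(fields["Port"]), timeout)
    return None
```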


Chapter 4

Appliance Management

Adonis delivers reliable and secure DNS and DHCP. It can reside within any part of a network, including DMZ zones close to the Internet where security threats are greatest. A packet-filtering/stateful-inspection firewall protects the appliance from inbound threats from the network. Adonis is designed on a secure hardware platform with a hardened Linux-based operating system that does not load kernel modules while it is running, and runs BIND in a jailed environment. All of these precautions mean that Adonis operates wherever it is needed, rather than needing to be hidden in a secure portion of the network.

This chapter includes the following topics:
Setting Default Appliance Options on page 35 explains how to set appliance options.
Appliance Authentication Management on page 38 describes Adonis security measures.
Management Console Server Controls on page 54 describes functions you can perform through the Management Console.
Deploying a Project on page 56 describes the process of deploying a project file.

Setting Default Appliance Options


The Adonis Management Console contains default options. You can set various appliance options and customize some of the Adonis operating environment variables globally. The following sections describe the default settings that you can modify using the Options dialog box.

General Options
These settings control the global behaviors of the Management Console.


To customize the General options:


1 On the Tools menu, click Options. The Options dialog box appears.

2 To display the splash screen each time you launch the Management Console, select the Show splash screen on startup checkbox.

3 To check through the project files for errors and logical inconsistencies before they are deployed, select the Set auto data check before deployment checkbox.

4 To create an extra copy of the project file each time it is saved, select the Backup files before saving (.bak extension) checkbox.
Backup files let you revert to an earlier version of the file. Backups have the same name as the project file, but use the extension .bak. To keep several iterations, manually archive the files using different names.

5 To autosave a project file when it is being checked in or out of the appliance, select the Auto save local copy for check in/out checkbox.

6 To maintain reverse pointers globally, select the Maintain reverse lookup record checkbox. You can override this option for individual host records.

7 To add a trailing dot to these records to fully qualify them within the domain, select the Auto add trailing dot for MX, CNAME, and NS records checkbox.

8 To select the number of project files that appear in the Welcome dialog box, use the arrows next to the Number of Recent Files list. This value also affects the number of files listed in the Recent Files section of the File menu.
The value is 5 by default, but you can use any number between 1 and 20.

9 Click OK.

Product Updates
These settings control the update behavior for the Adonis appliance.


To customize options for keeping your appliance up-to-date:


1 Click the Product Updates tab.

2 Update Server is set to the Use Default option. If you want to specify a different server, select Specify Address, and then type the URL of the server. If you want to select a specific file, select Specify File, and then click Browse. Navigate to the file you want to use, and then click Open.
This is generally not necessary, because updates are downloaded directly from the BlueCat Networks website.

3 Click OK.

Specifying Proxy Settings


Proxy settings determine how to communicate with the update server. The Adonis update process supports the use of HTTP and SOCKS proxy settings.
If your organization uses a proxy server to access the Internet, you need to configure it here.


To specify proxy settings:


1 Click the Proxy Settings tab.

2 If you want Adonis to use a proxy during the update process, select the Use proxy for web connections checkbox, and then provide the following information:
Proxy Type: HTTP or SOCKS
Proxy Server: the Fully Qualified Domain Name or FQDN
Proxy Port: the port number for the proxy server within your network

3 If the proxy requires authentication, select the Proxy requires authentication checkbox, and then type the user name and password for the proxy in the corresponding fields.

4 Click OK.

Appliance Authentication Management


Adonis security measures include digital certificates and passwords. Adonis uses 1024-bit certificates on both the server and client side of the 128-bit SSL encrypted connection between the appliance and the Management Console. If the certificates on the appliance and the copies stored in the Management Console do not match, you cannot deploy your configurations.

Viewing, Adding, Changing and Deleting Certificates


Certificates are managed from the Management Console. You can view a list of the installed certificates, attach additional certificates, and change or remove certificates that are no longer required. Certificates are generated automatically based on symmetrical key pairs and saved in a keystore on both the server and the client. For the installed certificates shown in the following topic, these files are saved to the client workstation:
172.20.210.1.ks
172.20.210.2.ks
For example, the default location for Windows is C:\Program Files\BlueCat Networks\Adonis\keystores, but you can specify another location in the Management Console.


To add, change, or delete server certificates:


1 On the Server menu, click Certificates Management. The Certificate Browser dialog box opens. If you have installed any server certificates they are listed here.

2 To add a certificate to the list, click Add. The Connect To Server dialog box opens.

3 Choose a server from the drop-down list, type the password, and then click OK.
If you select the Remember password checkbox, you do not need to type a password every time you connect to the server.

4 To delete a certificate, select it and then click Remove. The certificate is removed from the list in the Certificate Browser dialog box.

5 To change a certificate, click Change. The Connect To Server dialog box opens and connects to retrieve the modified certificate for this server. Changing a certificate is similar to adding one.

6 When you are finished, click Close.

To define an alternate keystore location for the client workstation:


1 On the Tools menu, select Options. The Options dialog box opens.


2 Click the File Locations tab.

3 Click the path beside Certificates. The Select Directory dialog box opens. Use it to select another location or define a new folder.

4 Click OK.

If secure communication between the client and the appliance is not possible, you may need to repopulate the keystore on the appliance and subsequently re-install server certificates on client workstations. For example, communication may be affected if problems occurred during deployment. It might be necessary to delete any installed keystore files on the client machine as well as the certificate keystore (cert.ks) on the appliance. To repopulate the keystore on the appliance, restart the command server. For more information, contact BlueCat Technical Support at: clientcare@bluecatnetworks.com.


Resetting the Certificate


You can reset certificates using the Administration Console. In certain situations, for example with Crossover High Availability (see Crossover High Availability (XHA) on page 201), the Management Console may create a new certificate and replace the factory-set certificate on both the server and client. Adonis always has a single current certificate and the ability to revert to the factory installed certificate. If these certificates continue to match, you can deploy new configurations. However, if the certificates become mismatched, you may have to reset the appliance certificate to its factory-set value (the certificate that shipped with your appliance). To reset the server certificate, type reset certificate, and then press Enter.

Passwords
Passwords are managed from the Management Console and from the Administration Console. You can set the administration password to any value, as well as reset the deployment password to its factory-set value, using the Administration Console.

Setting the Administration Password


This is the password you use to log into the Administration Console. You set the administration password in main mode.

To set the administration password:


1 Type set admin password, and then press Enter.

2 Type a new password, and then press Enter.

3 Type the new password again, and then press Enter.
If you entered this command by mistake, press Enter six times, until you return to the command prompt.

Resetting the Deployment Password


The deployment password is the password you use to deploy configurations and perform other actions from the Management Console. You set the deployment password in main mode. To reset the deployment password to its factory-set value, type reset deployment password, and then press Enter. You can set the deployment password to a new value in the Management Console. For more information, see Management Console Server Controls on page 54.

Resetting from Proteus Control


You cannot create DNS and DHCP configurations through the Adonis Management Console while Adonis is under the control of a Proteus IPAM appliance. You must remove the Adonis appliance from Proteus control before you can use Adonis on its own again. To remove Proteus control, use the main mode of the Adonis Administration Console. Type reset from proteuscontrol, and then press Enter.


Administration Console Server Controls


The following sections describe some of the server control operations that are available from the Administration Console. These settings have a direct effect on the operational state of the appliance itself rather than on any services it may be running.

Rebooting and Shutting Down


Adonis is extremely stable, but you may occasionally need to reboot or shut down the appliance (for example, to reset the startup services). To reboot Adonis from the Administration Console main mode, type reboot, and then press Enter. To shut down Adonis from this mode, type shutdown, and then press Enter. Adonis prompts you to confirm each operation before it executes the command. You can also perform these functions in the Management Console. For more information, see Management Console Server Controls on page 54.

LCD
The Liquid Crystal Display (LCD) on the front panel of the Adonis appliance gives you quick access to important settings (for example, the appliance's IP address) without setting up an SSH connection. You can enable and disable the LCD in main mode. To enable the LCD, type enable lcd, and then press Enter. To disable the LCD, type disable lcd, and then press Enter.

Inspecting the Network Configuration


You can view any network setting from main mode, but to change most of the settings, you must work in one of the configuration modes.


Viewing Network Interface Settings


You can use a unified set of commands to view general and specific network interface settings, including IP address, gateway, subnet mask, speed, and duplex. To view the network interface settings for the entire appliance, open main mode, type show network, and then press Enter. For example:
:adonis>show network
Eth0:
address:192.168.127.2
gateway:192.168.127.1
netmask:255.255.255.0
speed:
duplex :
auto-negotiation :
inet6 : fe80::20c:29ff:fed6:385f/64
:adonis>_

To view the network settings for a specific interface, open network configuration mode, type show network interface interface (where interface is the name of the interface), and then press Enter.

Configuring Network Settings


The Adonis network configuration commands allow you to change important settings; for example, IP address, subnet mask, gateway, speed, and duplex.
You may omit the word network from all commands if you are working in network configuration mode.

To delete a network interface completely, type del interface, where interface is the name of the interface such as eth1. To access network configuration mode, type configure network, and then press Enter.

Changing IP Address Settings


In configuration mode, you can change the network interface settings as well as view them.

To set the IP address, subnet mask, and gateway simultaneously:


1 Type set network interface, where interface is either eth0 or eth1, and then press Enter.

2 Type the IP address of the interface, and then press Enter.

3 Type the subnet mask, and then press Enter.

4 Type the gateway, and then press Enter.


To set the IP address, subnet mask, or gateway individually, type set network interface setting address, where setting is ip, netmask, or gateway, and address is the appropriate address or mask, and then press Enter. For example:
:configure:network>set eth0 ip 192.168.127.2
:configure:network>set eth0 netmask 255.255.255.0
:configure:network>set eth0 gateway 192.168.127.1

Changing Speed and Duplex Settings


You can set the network speed and duplex settings of a specified network interface. This is useful where network environments use switches that need specific speed and duplex settings rather than automatically negotiated settings.
You must set the speed and duplex manually if you are using Crossover High Availability (XHA). To ensure trouble-free HA operation, set the speed to 100 and set Full duplex on Adonis and on the switch you are using. Do not try to configure half-duplex communication. If you try to configure half-duplex, Adonis prevents you from saving the setting and an error message appears. For more information about duplex settings, contact BlueCat Networks at: http://www.bluecatnetworks.com/clientsupport/self-service/.

To set the speed and duplex manually:


1 To switch off auto-negotiation from main mode, type set autoneg off, and then press Enter.

2 To set the speed of a network interface from main mode, type configure network interface interface, where interface is either eth0 or eth1. Type set speed speed, and then press Enter, where speed is 10, 100, or 1000.

3 To set the duplex of a network interface from main mode, type configure network interface interface, where interface is either eth0 or eth1. Type set duplex duplex, and then press Enter, where duplex is either half or full.

Configuring the Hostname


You can display and modify the hostname for the Adonis appliance from main mode. To display the hostname, type show hostname. To set the hostname, type set hostname hostname, where hostname is the new name.

Viewing and Setting the Time


Many applications, including VoIP, and many Adonis services, such as failover, authentication logging, and high availability, require time synchronization to function properly. For this reason, it is important to set the time correctly. You can set the time manually in main mode or use NTP to set it automatically.


Viewing the Time


To view the current time, type show time, and then press Enter. To view the time zone that Adonis believes it is in, type show timezone, and then press Enter.

Setting the Time Manually


If you do not have access to an NTP server, or if you do not want to create network traffic by querying one, you can set the Adonis internal clock manually.

To set the clock manually:


1 Type set time, and then press Enter.

2 Type the current time in the format MMDDHHMMYYYY.SS (month, day, hour, minutes, year, seconds, using the 24-hour clock). For example, if the current time is 10:11:16 on December 27, 2008, type 122710112008.16, and then press Enter.

Setting the Time Zone


Setting the time zone ensures that Adonis behaves correctly with regard to daylight savings time. This is important for ensuring uninterrupted service.
You may omit the word timezone from the time zone commands if you are working in time zone configuration mode.

To access time zone configuration mode, type configure timezone, and then press Enter.

Displaying the Time Zone


To display the current time zone, type show timezone, and then press Enter. For example:
:configure:timezone>show
Area=Canada
City=Eastern

Setting the Time Zone


To set the time zone:
1 Type set timezone, and then press Enter.


2 Select an area from the numbered list, and then press Enter:
1 Africa
2 America
3 US time zones
4 Canada time zones
5 Asia
6 Atlantic Ocean
7 Australia
8 Europe
9 Indian Ocean
10 Pacific Ocean
11 Use System V style time zones
12 None of the above

3 If you chose an option from 1 to 10, select a city or zone from the numbered list, and then press Enter. The options change depending on the area you chose in the previous step.

4 If you chose option 11, select one of the 13 System V time zones.

5 If you chose option 12, select one of the 35 possible time zones, based on Greenwich Mean Time (GMT).

Network Time Protocol (NTP)


Network Time Protocol (NTP) synchronizes the time settings between servers. The protocol consists of a client and a service. The Adonis NTP client runs automatically to synchronize the server. Some services like XHA and DHCP Failover require NTP synchronization to function correctly. Adonis can provide NTP service to a network and it can also set its own time as an NTP client.

Setting the Time on Adonis with the NTP Client


An NTP server provides the correct time and is useful for synchronizing multiple Adonis appliances to within a second. Adonis always checks a pre-defined list of NTP servers and updates its time each day at 6:25 a.m. This service always runs and does not need to be enabled.

NTP Configuration Mode


Adonis has a configuration mode for setting up the NTP service. To enter this mode type configure ntp.
Unless you have considerable experience with ntp, it is probably best to accept the default values.


To add an NTP server from the pre-defined list of servers:


1 Type add server address, where address is the IP address of the NTP server. For example:
:adonis>configure ntp
:configure:ntp:>add server <ip-address>
Use autokey ([yes|no] or leave blank to set to default)?
Please input version (1,2,3,4, leave blank to set to default):
Set burst ([yes|no] or leave blank to set to default)?
Set prefer ([yes|no] or leave blank to set to default)?
Please input minpoll (leave blank to set to default):
Please input maxpoll (leave blank to set to default):
:configure:ntp:>save
Configurations have been saved.

2 At the :adonis> prompt, type configure ntp, and then press Enter.

3 At the :configure:ntp:> prompt, type add server, and then press Enter.

4 Type appropriate answers to the questions that appear on the screen, and then type save.
autokey: Type Y for NTP authentication using the Autokey protocol.
version: The version to use for outgoing NTP packets (4 is the default).
burst: Send a burst of 8 packets instead of one packet.
prefer: Mark the reference clock as preferred, so this host is chosen for synchronization.
minpoll: The minimum polling interval for the reference clock.
maxpoll: The maximum polling interval for the reference clock.

This server is added to the top of the list and is queried first. Adonis contacts the servers starting at the top of the list and continues until it receives a response. As long as the NTP server allows the Adonis server to be an NTP client, time is synchronized each time the Adonis server boots. To delete an NTP server from the pre-defined list of servers, type del server address, where address is the IP address of the NTP server. To display the list of NTP servers, open configure ntp mode, and then type show server. When Adonis is managed by Proteus, the Proteus IP address is automatically added to the top of the list. For these Adonis appliances, time is synchronized upon deployment and upon every reboot.

Providing the Time with the NTP Service


The NTP service is essential to some of the more complex Adonis functions. A specific external time reference is also essential to some organizations for reports and compliance tracking. The NTP service on Adonis acts as both a source of NTP synchronization for clients and as clients themselves to another NTP service that synchronizes the clock reference they provide. The Adonis NTP service commands described here should be sufficient for most NTP service requirements. To enable the Adonis NTP service on startup, type enable startup ntp, and then press Enter. To disable the Adonis NTP service on startup, type disable startup ntp, and then press Enter.


NTP Servers
The Adonis NTP service sets its own time through NTP. The Adonis server acts as a client for another NTP server. NTP Servers can be added to the list that is queried. Typing the command show ntp in main mode displays the list of NTP servers.
:adonis>show ntp-server
server 127.0.0.1 autokey burst version 3 prefer
server 0.north-america.pool.ntp.org
server 0.europe.pool.ntp.org
server 127.127.1.0

NTP Logs
You can specify a custom location for logging the NTP service. In configuration mode, type the command set logconfig and specify an absolute path for the log including the log file name. To display the log location type the command show logconfig.

Configuring the Routing Table


The Adonis routing table indicates where the system should send packets intended for certain IP addresses. Packets to be sent to hosts on the same subnet as the Adonis appliance can be routed directly to that subnet, but packets for hosts on other subnets must be sent through a gateway (a router). The same procedures can be used to manage either IPv4 or IPv6 routes.
You may omit the word routetable from the routing table commands if you are working in routing table configuration mode.

To access routing table configuration mode, type configure routetable, and then press Enter.

Viewing the Routing Table


To view the routing table, type show routetable, and then press Enter. For example:
:adonis>show routetable
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The first line states that all requests for hosts in the 192.168.1.0/24 network should be routed directly to the host, and therefore do not require a gateway. This is possible because these hosts are on the same subnet as the Adonis appliance. The second line states that all other requests should be directed to the router at 192.168.1.1. The columns contain the following information:
Destination: The destination subnet or host of a packet.


Gateway: The gateway through which to route a packet.
Genmask: The bits of the packet's intended destination that must match the value in the Destination column.
Flags: The flag value indicates the type of route.
R: This is a reinstate route for dynamic routing.
M: This is a modified route, probably modified using the mod option.
C: This is a route from the kernel routing cache.
U: This route is up.
G: This is a gateway route.
I: Internal route using the loopback interface for other than loopback purposes.
!: Datagrams to this route are rejected.
Metric: This is the distance to the target destination, usually measured in hops.
Ref: This is the number of references to this route by other systems.
Use: This is the count of lookups for the route, or the number of times it has been looked up by IP.
Iface: The network interface that routes the packets.
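The following is an added Python example, not BlueCat code, that reads show routetable output as described above, decodes the flag letters, performs the same longest-prefix lookup the kernel does, and checks that every gateway lies on a directly connected subnet (the condition the add-route procedure below relies on). The sample output is constructed to match the guide's two-route example.

```python
import ipaddress

# Flag letters and their meanings, as listed in the column description above.
FLAG_MEANINGS = {
    "R": "reinstate route for dynamic routing",
    "M": "modified route",
    "C": "route from the kernel routing cache",
    "U": "route is up",
    "G": "gateway route",
    "I": "internal route using the loopback interface",
    "!": "datagrams to this route are rejected",
}

# Constructed sample: the same two routes the guide's show routetable example prints.
SAMPLE_ROUTETABLE = """\
:adonis>show routetable
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_routetable(text):
    """Return one dict per route line; the prompt, title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, ref, use, iface = parts
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw),
            "flags": flags,
            "metric": int(metric),
            "ref": int(ref),
            "use": int(use),
            "iface": iface,
        })
    return routes


def describe_flags(flags):
    """Expand a Flags column value such as 'UG' into the documented meanings."""
    return [FLAG_MEANINGS.get(f, "unknown flag " + f) for f in flags]


def lookup(routes, dest_ip):
    """Longest-prefix match over usable routes; a lower metric breaks ties."""
    addr = ipaddress.IPv4Address(dest_ip)
    usable = [r for r in routes
              if "U" in r["flags"] and "!" not in r["flags"] and addr in r["network"]]
    if not usable:
        return None
    return max(usable, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(routes, dest_ip):
    """('direct', None, iface), ('via', gateway, iface) or ('unreachable', None, None)."""
    r = lookup(routes, dest_ip)
    if r is None:
        return ("unreachable", None, None)
    if r["gateway"] is None:
        return ("direct", None, r["iface"])
    return ("via", str(r["gateway"]), r["iface"])


def check_routes(routes):
    """Sanity checks for a freshly added route: the G flag must agree with the
    Gateway column, and each gateway must be reachable through a gateway-less
    (directly connected) route, otherwise the kernel cannot deliver to it."""
    problems = []
    direct_nets = [r["network"] for r in routes if r["gateway"] is None]
    for r in routes:
        if ("G" in r["flags"]) != (r["gateway"] is not None):
            problems.append(f"{r['network']}: G flag does not match the Gateway column")
        if r["gateway"] is not None and not any(r["gateway"] in n for n in direct_nets):
            problems.append(f"{r['network']}: gateway {r['gateway']} is not on a directly connected subnet")
    return problems


if __name__ == "__main__":
    table = parse_routetable(SAMPLE_ROUTETABLE)
    for r in table:
        print(r["network"], r["gateway"], describe_flags(r["flags"]))
    print(next_hop(table, "192.168.1.50"), next_hop(table, "10.0.0.1"))
    print(check_routes(table))
```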

Adding Routes
Although Adonis maintains the routing table, you may want to add a permanent route to the table to improve the routing efficiency.

To add a route to the routing table:


1 Type add routetable, and then press Enter.

2 Type the destination address for the route, and then press Enter.

3 Type the netmask for the route (i.e., the netmask determining the subnet that a packet must match), and then press Enter.

4 Type the IP address of the gateway for the route, and then press Enter.
If the route does not require a gateway, type 0.0.0.0 as the IP address.

Deleting Routes
If you no longer require a route, you can delete it by specifying its address, netmask, and gateway.

To delete a route:
1 Type del routetable, and then press Enter.

2 Type the destination address for the route, and then press Enter.

3 Type the netmask for the route (i.e., the netmask determining the subnet that a packet must match), and then press Enter.

4 Type the IP address of the gateway for the route, and then press Enter.
For XHA, the routing table must be set identically on both Adonis nodes through their respective Administration Consoles.


Configuring Anycast
Anycast is a technique for assigning a common IP address to multiple servers that provide the same service; it allows load balancing and redundancy. A client asking for that IP address is directed to the geographically closest server using Open Shortest Path First (OSPF). The Anycast technique is useful for large DNS applications that handle a high volume of requests. For example, the DNS root servers use Anycast to distribute their service throughout the world. Although most root servers are nominally located in the United States, most of the physical machines are located elsewhere and share a U.S. IP address. Adonis uses the Zebra daemon to broadcast Anycast addresses to the appropriate routers.

Controlling the Anycast Service


To enable Anycast, type enable anycast, and then press Enter. To disable Anycast, type disable anycast, and then press Enter. To check whether Anycast is currently running, type isrunning anycast, and then press Enter.

Managing Anycast Addresses


To display existing Anycast addresses:
To show the Anycast settings for this Adonis appliance in main mode, type show anycast, and then press Enter.

To create a virtual address for load balancing using Anycast:


1 Type set anycast, and then press Enter.

2 Type lo, lo:0, or lo:1 as the loopback interface that spoofs the address, and then press Enter.

3 Type the IP address, and then press Enter.

4 Type the subnet mask, and then press Enter.

To delete an Anycast address:


Type del anycast, and then press Enter. You are prompted to type the name of the loopback interface you want to delete.

Configuring the Anycast Service


You can configure the Zebra Anycast service in Linux for OSPF using the Zebra command set. The Linux Zebra documentation describes these commands. For more information, refer to www.zebra.org.

To configure Anycast for OSPF:


1 Type the command configure anycast ospf.

2 When prompted for the password, type ospf.


Administration Console Service Control


Many Adonis services can be controlled from the Management Console and the Administration Console, but the command server can only be configured from the Administration Console. The service controls for DNS, DHCP, and TFTP are described here and in their respective chapters. This section describes some of the service controls that are found in the Administration Console. Service control is always performed in main mode.

Command Server
The command server allows the Management Console to communicate with the appliance. It is an agent program that provides communication and reporting between the appliance and the Management Console, and implements the server control and deployment commands issued by the Management Console. When you make major changes to the appliance, for example, changes in the Administration Console, you may need to restart the command server. To start the command server, type start commandserver, and then press Enter. To stop the command server, type stop commandserver, and then press Enter. To restart the command server, type restart commandserver, and then press Enter. To check whether the command server is running, type isrunning commandserver, and then press Enter.

XHA
To check whether this unit is a member of a high-availability cluster, use the command isrunning xha. The answer shows you whether or not the XHA heartbeat is present; if it is, this appliance is a member of an XHA pair. For more information, see Crossover High Availability (XHA) on page 201.

Firewalls
Adonis includes a powerful firewall to protect your DNS and DHCP services against malicious network traffic. The firewall is usually running, but you can disable it for diagnostic purposes. You can also view the current status and settings of the firewall.
Adonis rejects ICMP packets including pings while the firewall is in place.


Firewall Requirements
Adonis uses the ports shown in the following table:

Port #            Protocol   Notes                    Purpose                                                  In/Out          Optional
22                TCP        SSH2 (secure shell)      SSH/SCP connectivity to appliances                       Bidirectional   Optional
53                TCP/UDP    DNS                      DNS server                                               Bidirectional   Optional
67                UDP        DHCP                     DHCP server                                              In              Optional
68                UDP        DHCP                     DHCP server                                              Out             Optional
69                UDP        TFTP                     TFTP service for file transfer                           Bidirectional   Optional
80                TCP        MAC Authentication       MAC Authentication portal                                Bidirectional   Optional
88                TCP/UDP    Kerberos                 Kerberos/Active Directory authentication                 Bidirectional   Optional
123               UDP        NTP                      Network Time (client) (in from user ports)               In              Optional
123, 1023-65535   UDP        NTP                      Network Time (client)                                    Out             Optional
161               UDP        SNMP Polling             SNMP management                                          Bidirectional   Optional
162               UDP        SNMP Traps               SNMP management                                          Out             Optional
389               TCP/UDP    LDAP                     LDAP authentication                                      Bidirectional   Optional
443               TCP        MAC Authentication       MAC Authentication portal                                Bidirectional   Optional
647/847           TCP        DHCP Failover            DHCP Failover communication ports                        Bidirectional   Optional
694               UDP        XHA                      XHA State information (heartbeat)                        Bidirectional   Optional
1812              TCP/UDP    Radius                   Radius authentication                                    Bidirectional   Optional
10042             TCP        Adonis Management Port   Secure management / connectivity to Proteus appliances   Bidirectional   Required
10044             UDP        XHA                      File and state synchronization                           Bidirectional   Optional
10045             TCP/UDP    Notification Port        Adonis to Proteus notification (DDNS, IP leases, etc.)   Bidirectional   Required
10046             UDP        XHA                      XHA File Sync port                                       Bidirectional   Optional
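The port table is what a defender compares an appliance's actual exposure against. The following added Python example, not BlueCat code, transcribes the table into data and audits a listener inventory against it: ports open that the table does not document, required ports that are not listening, and optional services that are exposed and should be confirmed as intentional. The listener list is constructed; on a real appliance it would come from show firewall or a scan from an authorized host.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "port proto service direction required")

# Transcribed from the guide's firewall port table, one entry per port and protocol.
# The outbound-only NTP client source range (123, 1023-65535) is omitted: it never listens.
DOCUMENTED = [
    Rule(22, "tcp", "SSH/SCP", "bidirectional", False),
    Rule(53, "tcp", "DNS", "bidirectional", False),
    Rule(53, "udp", "DNS", "bidirectional", False),
    Rule(67, "udp", "DHCP server", "in", False),
    Rule(68, "udp", "DHCP server", "out", False),
    Rule(69, "udp", "TFTP", "bidirectional", False),
    Rule(80, "tcp", "MAC Authentication portal", "bidirectional", False),
    Rule(88, "tcp", "Kerberos", "bidirectional", False),
    Rule(88, "udp", "Kerberos", "bidirectional", False),
    Rule(123, "udp", "NTP", "in", False),
    Rule(161, "udp", "SNMP polling", "bidirectional", False),
    Rule(162, "udp", "SNMP traps", "out", False),
    Rule(389, "tcp", "LDAP", "bidirectional", False),
    Rule(389, "udp", "LDAP", "bidirectional", False),
    Rule(443, "tcp", "MAC Authentication portal", "bidirectional", False),
    Rule(647, "tcp", "DHCP Failover", "bidirectional", False),
    Rule(847, "tcp", "DHCP Failover", "bidirectional", False),
    Rule(694, "udp", "XHA heartbeat", "bidirectional", False),
    Rule(1812, "tcp", "Radius", "bidirectional", False),
    Rule(1812, "udp", "Radius", "bidirectional", False),
    Rule(10042, "tcp", "Adonis Management Port", "bidirectional", True),
    Rule(10044, "udp", "XHA file and state sync", "bidirectional", False),
    Rule(10045, "tcp", "Notification Port (Adonis to Proteus)", "bidirectional", True),
    Rule(10045, "udp", "Notification Port (Adonis to Proteus)", "bidirectional", True),
    Rule(10046, "udp", "XHA File Sync", "bidirectional", False),
]

# Only ports the table marks In or Bidirectional are expected to accept connections;
# Out-only entries (DHCP client, SNMP traps) are flagged if something listens on them.
EXPECTED = {f"{r.proto}/{r.port}": r for r in DOCUMENTED if r.direction != "out"}

# Constructed sample inventory: one appliance running DNS and DHCP under Proteus
# control, plus an undocumented TCP listener on 8080.
SAMPLE_LISTENERS = [
    "tcp/22", "tcp/53", "udp/53", "udp/67",
    "tcp/10042", "tcp/10045", "udp/10045", "tcp/8080",
]


def audit(listeners):
    """Classify observed 'proto/port' listeners against the documented table."""
    open_ports = set(listeners)
    return {
        "unexpected": sorted(p for p in open_ports if p not in EXPECTED),
        "missing_required": sorted(f"{k} ({r.service})" for k, r in EXPECTED.items()
                                   if r.required and k not in open_ports),
        "optional_open": sorted(f"{k} ({r.service})" for k, r in EXPECTED.items()
                                if not r.required and k in open_ports),
    }


if __name__ == "__main__":
    for category, items in audit(SAMPLE_LISTENERS).items():
        print(f"{category}: {items}")
```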

To enable the firewall, type enable firewall, and then press Enter. To disable the firewall, type disable firewall, and then press Enter. To see the current port protection settings used by the firewall, type show firewall, and then press Enter. To scroll down, press Enter.


To exit the firewall viewer, press Q. To enable or disable the firewall on startup, use the command enable startup firewall or disable startup firewall.
The firewall can also be enabled or disabled using the checkbox on the Security and Admin Settings tab for the server in the Management Console.

SSH
Version 2 Secure Socket Shell (ssh) allows a client to communicate with the appliance and access the Administration Console remotely. You can enable or disable ssh access to Adonis. By default, Adonis ships with ssh disabled for security purposes. To enable ssh, type enable ssh, and then press Enter. To disable ssh, type disable ssh, and then press Enter.

Startup Services
Certain services can be set to start up or not start up the next time the appliance is rebooted. To enable a startup service, type enable startup service, and then press Enter, where service is firewall, ntp, ntp-server, or snmp.
SNMP requires you to enter the IP address of an SNMP controller.

To disable a startup service, type disable startup service, and then press Enter, where service is firewall, ntp, snmp or anycast. To check the status of a startup service, type isenabled startup service, and then press Enter, where service is firewall, ntp, snmp or anycast.

Network Services
These network services are controlled, and to some extent configured from the Administration Console in Adonis.

BIND/DNS
Adonis uses the Berkeley Internet Name Domain (BIND) software to provide its DNS service. The executable file for BIND is called named, the name daemon. This service can be managed from the main mode of the Administration Console. To start BIND, type start bind, and then press Enter. To stop BIND, type stop bind, and then press Enter. To restart BIND, type restart bind, and then press Enter. To view some statistics on the DNS service, type show status bind, and then press Enter. To check whether BIND is running, type isrunning bind, and then press Enter.


DHCP/DHCPv6
Adonis uses the ISC DHCP server to provide its DHCP service. The executable file for ISC DHCP is called the DHCP daemon or dhcpd. To manage the IPv6 DHCP service on Adonis, use dhcpv6 instead of dhcp as a token. To start DHCP, type start dhcp, and then press Enter. To stop DHCP, type stop dhcp, and then press Enter. To restart DHCP, type restart dhcp, and then press Enter. To check whether DHCP is running, type isrunning dhcp, and then press Enter.

TFTP
Adonis provides a TFTP service to store extra files for configuration and firmware management for certain client devices. The TFTP service is set up using the Management Console, but the TFTP service itself can be managed from the Administration Console. To start the TFTP service, type start tftp, and then press Enter. To stop the TFTP service, type stop tftp, and then press Enter. To restart the TFTP service, type restart tftp, and then press Enter. To check whether the TFTP service is running, type isrunning tftp, and then press Enter.

Management Console Server Controls


The Management Console interfaces with the physical appliance to execute specific commands and to deploy projects and configuration changes. The most common use of this interface is deploying project files to appliances. Other commands include querying the appliance version, starting and stopping specific services, and controlling the firewall. Generally, real-time control of the Adonis appliance is available through the Administration Console, while the Management Console is used to create and edit projects before deploying them to the appliances. Some operations, however, need to be performed in real time from the Management Console. The Management Console includes a number of server control functions.

To access the Server Control functions:


1 From the Management Console Server menu, click Server Control. The Server Control dialog box opens.


2 Select the server, type the password, and then select the appropriate actions.

3 To perform the selected action, click Execute.
4 To see the full range of options, scroll through the Action list:
Server Version Query: retrieves the server version number.
High Availability Status Query: retrieves the status of the XHA system on this Adonis.
Set HA Failure Detection Time: the time interval before a failover occurs.
Perform HA Failover: forces an HA failover on the selected Adonis appliance.
Detect Server's Appliance Type: checks to see which type of Adonis appliance is installed.
Restart Server: reboots the operating system and services on the selected appliance.
Shutdown Server: physically powers off the appliance.
Change Deployment Password: allows an administrator to change the password.
Restart Named: restarts the named daemon (DNS service).
Stop Named: stops the named daemon.
Start Named: starts the named daemon.
Restart DHCP: restarts the dhcp daemon.
Stop DHCP: stops the dhcp daemon.
Start DHCP: starts the dhcp daemon.
Enable Firewall: re-enables the firewall after debugging or connectivity testing.
Disable Firewall: disables the firewall for debugging purposes or connectivity testing. The firewall is automatically re-enabled when you restart the server.
Enable Query Logging: enables the server's DNS query logging feature.
Enable SSH: enables Secure Shell (SSH) version 2.
Disable SSH: disables Secure Shell (SSH) version 2.
Disable Query Logging: disables the server's DNS query logging feature.


Query DHCP Failover State: if an Adonis is a DHCP failover peer, this command can determine whether it is in the normal, communication-interrupted, or partner-down state.
Start DHCP Failover Monitor: starts the server's DHCP failover monitor (fomon) service.
Stop DHCP Failover Monitor: stops the server's DHCP failover monitor service.
Set DHCP Failover State: forces an Adonis that is a DHCP failover peer into the normal, communication-interrupted, or partner-down state.
Start Adonis Mirage Adapter: starts the Mirage Adapter service.
Stop Adonis Mirage Adapter: stops the Mirage Adapter service.
Start DHCPv6: enables support for IPv6 within the DHCP service.
Restart DHCPv6: restarts support for IPv6 within the DHCP service.
Stop DHCPv6: disables support for IPv6 within the DHCP service.

Deploying a Project
When you are satisfied with a project file, you can deploy it to the appropriate appliances and activate your DNS and DHCP services. For more information about file checking, see Checking and Correcting a File on page 90. For more information about deployment, see Deploying the Project File on page 92.

Viewing System Logs


You can view Adonis system logs for the purposes of troubleshooting or gathering information.
You can also view log files from the Server menu by clicking Server > View Logfiles.

To view a log file:


1 In the tree-view pane of the Management Console, right-click the name of the server whose logs you want to view, and then select View Log Files. The View Log Files dialog box opens.

2 Select the server from the drop-down list, and then type its administration password. 3 From the Log Type drop-down list, specify the log you want to view:


Command Server
DNS
System
Update
DHCP
4 Specify how much of the log you want to see by selecting a value from the Nr. of lines drop-down list.
5 Click View Log. The View Log dialog box opens showing the specified text from the log file.

6 Use the icons to save or explore the data:
Copy to Clipboard: copies the file so you can paste it into another application.
Save to File: saves the log file so you can open it in another program, for example, a spreadsheet or word processor.
Reload Log File: reloads the current log file.
Select Log File: calls the View Log Files dialog box so you can select another log file.
Search: calls a dialog box that prompts you to search the log file for specific text.
Go To: calls a dialog box that prompts you to type a line number in the log file.
7 Click Close.

Configuring System Log Output


You can configure the appliance to send its system log to an external server, which is useful for reviewing logging information in a central location or with a particular viewer.

Administration Console System Log Redirection


You can set up specific system log redirections from the Administration Console. All of the commands in this section use configuration mode. To enter the configuration mode for system log redirection, type configure syslog.


Adonis automatically enables system log redirection if you have created any configuration statements. In configuration mode, you can configure the system log services daemon to have multiple redirection destinations and redirection selectors.

System Log Custom Action Statements


When setting up system log redirection on Adonis, you can specify selector fields and assign action fields to them. A custom action statement is an alternative to a redirection statement: a redirect configuration needs only one redirection or custom action statement to exist, but many can be present in the configuration. Selector fields describe types of messages within the syslog, for example BIND syslog entries. Action fields describe what to do with the entries that match these selectors. Sending matching entries to a specified IP address is the default behavior for redirection statements on Adonis. Custom action statements can perform other actions, such as writing the selected entries to a named pipe or a separate file. The syntax for custom action statements on Adonis is add selector_field action_field to add and del selector_field action_field to delete. Selectors can be displayed on Adonis with the command show selectors.

Syslog Redirection Statements


You can configure Adonis with syslog redirections using the command add redirection ip_address selectors. They can be deleted with the command del ip_address selectors. Redirections can be viewed with the command show redirections. Syslog entries matching the selectors given in the statement are sent to the IP address specified.
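A selector matches on the facility and severity that every syslog message carries in its leading PRI field, so the receiving host can reapply the same filtering to what the appliance forwards. The following Python script is an added illustration, not Adonis code: it decodes the PRI value of BSD-format (RFC 3164) syslog lines and applies syslog.conf-style selectors such as daemon.* or *.err. The sample lines are constructed for the example and are not real appliance output; the hostname adonis1 and the message texts are invented.

```python
import re

# Facility and severity code tables from the BSD syslog protocol (RFC 3164):
# PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mon DD hh:mm:ss host tag[pid]: message" (the [pid] part is optional)
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Constructed sample lines in the form a central syslog server would receive
# from an appliance; they are not real Adonis output.
SAMPLE_LINES = [
    "<30>Jan 12 10:00:01 adonis1 named[1234]: client 10.0.0.5#4321: query: example.com IN A +",
    "<27>Jan 12 10:00:02 adonis1 dhcpd[2222]: peer holds all free leases",
    "<86>Jan 12 10:00:03 adonis1 sshd[4444]: Accepted publickey for admin from 10.0.0.9 port 5000 ssh2",
    "<13>Jan 12 10:00:04 adonis1 test: hello",
]


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line: str) -> dict:
    """Parse one BSD-syslog line into its fields."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "host": m["host"],
            "tag": m["tag"], "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Apply a syslog.conf-style selector "facility[,facility].level".

    "*" matches any facility or level, "none" matches nothing, "=level" matches
    exactly that level, and a bare level matches that level and anything more severe.
    """
    fac_part, lvl_part = selector.rsplit(".", 1)
    facilities = fac_part.split(",")
    if "*" not in facilities and facility not in facilities:
        return False
    if lvl_part == "none":
        return False
    if lvl_part == "*":
        return True
    if lvl_part.startswith("="):
        return severity == lvl_part[1:]
    # A lower index in SEVERITIES means a more severe message.
    return SEVERITIES.index(severity) <= SEVERITIES.index(lvl_part)


def select(lines, selector: str):
    """Return the parsed entries that a redirection with this selector would forward."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if selector_matches(selector, entry["facility"], entry["severity"]):
            out.append(entry)
    return out


if __name__ == "__main__":
    for sel in ("daemon.*", "*.err", "authpriv.info", "daemon.none"):
        tags = [e["tag"] for e in select(SAMPLE_LINES, sel)]
        print(f"{sel:15s} -> {tags}")
```

Note that a bare level such as daemon.info also matches the more severe daemon.err entry: a selector names a floor, not a single level, which is why the example treats the ordering of SEVERITIES as significant.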

Viewing Logs
Adonis keeps several logs that you can view for debugging purposes:
commandserver is the command server log. It contains information on commands that have been sent from the Management Console.
bind contains information related to the DNS service.
syslog is the general system log file.
update contains information about server updates.

Using the Log Viewer


The log viewer in the Administration Console has two modes: less and tail. In less mode the viewer shows the entire file. This is useful for administrators who want to examine the entire file to review Adonis operations or diagnose problems. To scroll down, press Enter. To quit, press Q. In tail mode the viewer shows only the last ten lines of the file. The display updates as various processes append new lines to the file. This is useful for administrators who want to monitor the log as it updates in real time. To quit, press Control+C. To set the log viewer mode, type set log viewer=less or set log viewer=tail, and then press Enter. To view a log from the Administration Console, type show log log, and then press Enter, where log is syslog, commandserver, update, or bind. Other logs are available for functions such as XHA. You can find these logs in the directory /var/log.


Simple Network Management Protocol


The Simple Network Management Protocol (SNMP) allows a manager workstation (polling) or trap server to obtain data about devices on the network. This may include the near real-time status of services and server functionality and the security and service settings on the device. Adonis appliances can behave as managed devices on an SNMP-enabled network. Adonis includes support for SNMP versions 1, 2c, and 3. Versions 1 and 2c do not include any authentication or remote administration capabilities: the community string is the only access control they offer, and it is sent in clear text, so anyone who can capture SNMP traffic to the appliance can read and reuse it. For these versions you only need to enable SNMP and set the appropriate SNMP username (or community string) for it to function correctly. You can also set the polling period to control how often SNMP values are refreshed on the appliance. SNMPv3 adds authentication, access control, and optional encryption of the SNMP payload. To set up SNMPv3, you must also set the SNMP password and the trap server username, password, and address. Adonis can also report changes in its status to a trap server as SNMP traps; see Adonis Trap Servers below.

Enabling SNMP
You enable SNMP from the main mode of the Administration Console. To enable the SNMP service, type enable snmp, and then press Enter. Type the address of an SNMP manager that is responsible for monitoring Adonis. After you change SNMP settings on Adonis you may need to restart the service by disabling it, and then enabling it again. To disable the SNMP service, type disable snmp, and then press Enter. To see the configuration for the SNMP service on Adonis, type show snmp, and then press Enter.

Configuring SNMP
You configure SNMP from the configuration mode of the Administration Console. To enter this mode, type the command configure snmp. In SNMP configuration mode you can use all of the commands listed below. Changes you make in configuration mode do not become active until you have saved or updated them.

Core SNMP Service Settings


The following settings are essential to the functionality of the SNMP service on Adonis.
Community String: all versions of SNMP use a community string to validate the SNMP controller asking for updates or registering to receive traps. Adonis uses the SNMPv3 username as the community string for all three versions of the SNMP protocol. Because SNMPv1 and v2c carry that string in clear text, a manager that polls with those versions reveals the SNMPv3 username to anyone who can observe the traffic; use SNMPv3 wherever the manager supports it.
Username/Password: SNMPv3 needs a username and password to protect managed devices. In order for the SNMP manager to access an Adonis appliance with the SNMPv3 protocol, it must use a specific username and password.
The username must be at least four characters long and the password must be at least eight characters.

To set the SNMP username and password:


1 Type set username username, and then press Enter.


2 Type set password password, and then press Enter.
3 To display the username, type show username, and then press Enter.
4 To display the password, type show password, and then press Enter.

Polling
Adonis SNMP service periodically polls inside the appliance for new values for each of its SNMP objects based on a polling period setting. When the polling period interval elapses, SNMP gathers information about the state of the appliance, and then updates the SNMP objects whose values have changed. For SNMPv3 traps, if an objects new value triggers a trap threshold, then a trap for that object is sent to the SNMP trap server.

To change the SNMP polling period:


1 Type set pollingperiod value, and then press Enter, where value is the length of the polling period in seconds. 2 To display the polling period for this appliance, type show pollingperiod, and then press Enter.

Polling and Traps


When Adonis communicates across the network with the SNMP protocol, it uses, where possible, the built-in support for authentication in the SNMP protocol itself. However, Adonis is designed to be installed in high-threat topologies, such as the DMZ or on the Internet. Consequently, any management workstation or trap server that communicates with Adonis must first be registered with the SNMP service so that the firewall rules can be modified to permit this communication. Adonis has a setup wizard to configure the SNMP service settings and firewall rules required for management workstations and trap servers. These setup wizards are accessed from within the SNMP configuration mode.

Adonis Trap Servers


The trap server is the server to which Adonis communicates specified changes in its status by sending SNMPv3 traps. This may be a different address from the SNMP polling server or manager address that is set up when enabling the service. In SNMPv3, trap messages must be authenticated with a trap server username and password. You can view and modify the trap settings in SNMP configuration mode: To view the current settings for the SNMP trap server, type show trap. If you changed the trap server settings within the current session and the changes have not been saved, you can view the modified settings by typing show unsaved trap. To set up a trap server, type set trap. This starts a wizard that guides you through the setup process.
The username must be at least four characters long and the password must be at least eight characters.

To set up a trap server:


1 Type set trap. 2 Type the trap server address. This is the IP address for the trap server to which Adonis sends traps. 3 Type the SNMP version. This is the version of the SNMP protocol for use with the trap server. The options are 1, 2 (2c), and 3. If you choose version 1 or 2, you must type a community string, and then close the wizard.


4 Type the level of security for the version 3 protocol. Choices are 1 for noAuthNoPriv, 2 for authNoPriv, and 3 for authPriv. Only authPriv protects the contents of a trap from an eavesdropper; the other two levels send the trap payload in clear text.
5 Type the name for the trap server user.
6 Type either 1 (for MD5) or 2 (for SHA) as the authentication type to use.
7 Type an authentication passphrase. This is your SNMPv3 password.
8 Type a privacy passphrase. In SNMPv3 this passphrase is used to encrypt the trap payload; it is only used when the security level is authPriv.
9 Type a context, if one has been provided. This enables a limited view of the available trap objects.
10 To display the settings you have configured for the trap server, type the command show trap.
11 If you are satisfied with the trap settings, type save, and then press Enter.

Additional SNMP Service Settings


The system contact is the person who is the default contact for this SNMP service. This field is often used with system location. The system contact is an email address, while the system location is a descriptive text string.

System Contact and Location


To set the system contact type the command set syscontact email_addr. You can see the system contact with similar syntax, using the command show syscontact. To set the system location type the command set syslocation system_location where system_location is the text describing the system location. You can see the system location with similar syntax, using the command show syslocation.

System Name
You can obtain the SNMP system name variable from the SNMP service. This is set to the DNS name of the appliance and the SNMP service, using an FQDN. To set the system name on Adonis, type the command set sysname sysname, where sysname is the FQDN for the appliance. To see the system name, type the command show sysname.

SNMP Manager Setup


After you have completed the local Adonis settings and activated the service, you may need to set up the SNMP monitor or trap server. Adonis provides support for the MIB-II SNMP standard objects, and the MIB files can be found in the directory /usr/share/snmp/mibs. There are also two Adonis-specific MIB files that you need to copy from Adonis onto the SNMP manager. These files are located in the same directory and are called ADONIS-DNS-MIB.txt and BLUECATNETWORKS-MIB.txt. When these files are loaded into the SNMP manager they provide object IDs and descriptions for all of the Adonis SNMP objects. You may also need to configure the type of authentication in order to log into and poll Adonis from an SNMP manager. Adonis uses MD5 (or SHA, if selected in the trap wizard) for SNMPv3 authentication and DES for SNMPv3 privacy (encryption); configure the manager to match. Both algorithms are weak by current standards, so treat SNMPv3 on Adonis as protection against casual eavesdropping rather than a strong cryptographic boundary, and restrict which hosts may reach the SNMP port with the firewall rules described in Polling and Traps.


Adonis Polled Objects


The following table lists the Adonis-specific SNMP polled objects in the file ADONIS-DNS-MIB.txt:

SNMP Object                        Description

DNS Objects
dnsDaemonRunning                   Current running state of the DNS daemon.
dnsDaemonNumberOfZones             Number of zones loaded.
dnsDaemonDebugLevel                Current debug level.
dnsDaemonZoneTransfersInProgress   Number of zone transfers currently in progress.
dnsDaemonZoneTransfersDeferred     Number of zone transfers currently deferred.
dnsDaemonSOAQueriesInProgress      Number of SOA queries in progress.
dnsDaemonQueryLoggingState         Current running state of query logging. 0 - Not logging, 1 - Logging.
dnsStatsSuccess                    Number of successful queries made to the server since the DNS daemon was started.
dnsStatsReferral                   Number of queries that resulted in referral responses since the DNS daemon was started.
dnsStatsNXRRSet                    Number of queries that resulted in a non-existent record set since the DNS daemon was started.
dnsStatsNXDomain                   Number of queries that resulted in non-existent domain responses since the DNS daemon was started.
dnsStatsRecursion                  Number of queries that required the server to perform recursive lookups since the DNS daemon was started.
dnsStatsFailure                    Number of failed queries that did not result in a non-existent domain or record set since the DNS daemon was started.

DHCP Objects
dhcpDaemonRunning                  Current running state of the DHCP daemon. 0 - Not Running, 1 - Running.
dhcpDaemonSubnetAlert              The IP address the DHCP Alerts SNMP trap is sent to.
dhcpLeaseTable                     Current lease table.
dhcpLeaseEntry                     Information about a particular DHCP lease.
dhcpIP                             IP address of the lease.
dhcpLeaseStartTime                 Start time of the lease.
dhcpLeaseEndTime                   End time of the lease.
dhcpLeaseTimeStamp                 Timestamp of the lease.
dhcpLeaseBindState                 The state of this lease.
dhcpLeaseHardwareAddress           The hardware address (MAC address) of this lease.
dhcpLeaseHostname                  The client hostname of this lease.
dhcpSubnetTable                    Current subnet table.
dhcpSubnetEntry                    Information about a particular DHCP subnet.
dhcpSubnetIP                       IP address of the subnet.
dhcpSubnetMask                     IP mask of the subnet.
dhcpSubnetSize                     Size of the subnet.
dhcpSubnetUsed                     The number of used IPs in the subnet.
dhcpSubnetAlert                    Alert level in the subnet.
dhcpPoolTable                      Current pool table.
dhcpPoolEntry                      Information about a particular DHCP pool.
dhcpPoolSubnetIP                   Subnet IP address of the pool.
dhcpPoolStartIP                    Start IP address of the pool.
dhcpPoolEndIP                      End IP address of the pool.
dhcpPoolSize                       The size of the pool.
dhcpPoolUsed                       The number of used IPs in the pool.
dhcpPoolAlert                      The alert level of the pool.
dhcpDefaultLeaseTime               Default lease time in configuration.
dhcpMinLeaseTime                   Minimum lease time in configuration.
dhcpFixedIPTable                   Current DHCP subnet tables in configuration.
dhcpFixedIPEntry                   Information about a particular DHCP subnet.
DhcpFixedIPEntry                   One of the current fixed IP addresses in the DHCP configuration.

Adonis Appliance Objects
haServiceRunning                   Current running state of high availability. 0 - Not running, 1 - Running.
haServiceNodeType                  Type of high availability node. 0 - HA not running, 1 - Active Node, 2 - Passive Node.
commandServerDaemonRunning         Current running state of the command server daemon. 0 - Not running, 1 - Running.
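The dnsStats* objects are cumulative counts since named started, which matters when a poller uses them for detection rather than display. The following Python script is an added illustration, not Adonis code or part of the MIB: it takes successive polls of the objects named in the table, turns the counters into per-interval increments, recognises a daemon restart when a counter goes backwards, and flags an interval in which most answers were NXDOMAIN (a common sign of misbehaving clients, a flood, or malware generating names). The poll values and the thresholds are constructed for the example; the only names taken from the page are the object names.

```python
# Cumulative counters from the dnsStats* polled objects documented above,
# plus the daemon state object. Recursion is tracked separately because a
# recursive query is also counted under one of the outcome counters.
OUTCOME_COUNTERS = ["dnsStatsSuccess", "dnsStatsReferral", "dnsStatsNXRRSet",
                    "dnsStatsNXDomain", "dnsStatsFailure"]
ALL_COUNTERS = OUTCOME_COUNTERS + ["dnsStatsRecursion"]

# Constructed poll results (not real appliance data): one dict per polling
# period. The third poll shows a burst of NXDOMAIN answers; the fourth follows
# a restart of named, so every counter is lower than before.
SAMPLE_POLLS = [
    {"dnsDaemonRunning": 1, "dnsStatsSuccess": 1000, "dnsStatsReferral": 10, "dnsStatsNXRRSet": 5,
     "dnsStatsNXDomain": 50, "dnsStatsRecursion": 400, "dnsStatsFailure": 2},
    {"dnsDaemonRunning": 1, "dnsStatsSuccess": 1200, "dnsStatsReferral": 12, "dnsStatsNXRRSet": 6,
     "dnsStatsNXDomain": 60, "dnsStatsRecursion": 480, "dnsStatsFailure": 2},
    {"dnsDaemonRunning": 1, "dnsStatsSuccess": 1250, "dnsStatsReferral": 12, "dnsStatsNXRRSet": 6,
     "dnsStatsNXDomain": 860, "dnsStatsRecursion": 500, "dnsStatsFailure": 3},
    {"dnsDaemonRunning": 1, "dnsStatsSuccess": 20, "dnsStatsReferral": 0, "dnsStatsNXRRSet": 0,
     "dnsStatsNXDomain": 1, "dnsStatsRecursion": 5, "dnsStatsFailure": 0},
]


def counter_deltas(prev: dict, cur: dict):
    """Return (increments since the previous poll, reset_flag).

    The counters count since the DNS daemon was started, so a value that went
    down means named restarted between polls. In that case the only safe
    estimate of activity in the interval is the current value itself.
    """
    reset = any(cur[c] < prev[c] for c in ALL_COUNTERS)
    if reset:
        deltas = {c: cur[c] for c in ALL_COUNTERS}
    else:
        deltas = {c: cur[c] - prev[c] for c in ALL_COUNTERS}
    return deltas, reset


def nxdomain_ratio(deltas: dict) -> float:
    """Share of the interval's answered queries that were NXDOMAIN."""
    total = sum(deltas[c] for c in OUTCOME_COUNTERS)
    return deltas["dnsStatsNXDomain"] / total if total else 0.0


def analyse(polls, nx_ratio_threshold=0.5, min_queries=100):
    """Walk consecutive polls and return one finding per interval.

    The thresholds are illustrative; judge the NXDOMAIN ratio against the
    baseline of your own server, and require a minimum query volume so that
    a quiet interval with a handful of typos does not raise an alert.
    """
    findings = []
    for prev, cur in zip(polls, polls[1:]):
        deltas, reset = counter_deltas(prev, cur)
        total = sum(deltas[c] for c in OUTCOME_COUNTERS)
        ratio = nxdomain_ratio(deltas)
        flags = []
        if cur.get("dnsDaemonRunning") == 0:
            flags.append("daemon-down")
        if reset:
            flags.append("counter-reset")
        if total >= min_queries and ratio >= nx_ratio_threshold:
            flags.append("nxdomain-spike")
        findings.append({"queries": total, "recursive": deltas["dnsStatsRecursion"],
                         "nxdomain_ratio": round(ratio, 3), "flags": flags})
    return findings


if __name__ == "__main__":
    for i, finding in enumerate(analyse(SAMPLE_POLLS), start=1):
        print(f"interval {i}: {finding}")
```

The same reset handling applies to any of the cumulative objects in the table; the dnsDaemonRunning object lets the poller distinguish a restart (counters reset, daemon running) from an outage (daemon not running), which a trap-only setup would report as two separate dnsDaemonRunning traps.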


Adonis Traps
The ADONIS-DNS-MIB.txt file also contains trap objects. The Adonis-specific traps fall into four groups: DNS, DHCP, XHA, and command server. Each of these groups can trap various parameters on the Adonis appliance.
The DNS trap group includes both a daemon trap with attributes and a statistics trap with attributes. The daemon trap is called dnsDaemonRunning and has the following attributes: dnsDaemonZoneTransfersInProgress, dnsDaemonZoneTransfersDeferred, dnsDaemonSOAQueriesInProgress, dnsDaemonQueryLoggingState, dnsDaemonNumberOfZones, and dnsDaemonDebugLevel. The DNS statistics trap is called dnsStatsSuccess and has the following attributes: dnsStatsReferral, dnsStatsNXRRSet, dnsStatsNXDomain, dnsStatsRecursion, and dnsStatsFailure.
The DHCP trap group includes information about the DHCP daemon and the lease table. The trap dhcpDaemonRunning indicates whether the DHCP daemon is running on Adonis. The trap dhcpLeaseTable passes DHCP statistics, including lease information.
XHA monitoring uses two traps. The haServiceRunning trap is sent if the XHA service stops running. It has an attribute of haServiceNodeType to describe the node sending the trap. There is also a trapHAServiceFailOver trap that indicates when an XHA failover has occurred.
The Adonis command server includes a trap called commandServerDaemonRunning that shows whether the command server is running. It also includes a trap for command server notifications called trapCommandServerDaemon.

Updating Adonis
You can update Adonis in one of two ways: online from the BlueCat Networks website, or manually.

Online Updates
The Management Console and appliance are updated regularly to add new features, resolve known issues, and generally enhance product quality. These updates are hosted online at the BlueCat Networks website.
If your organization uses a proxy server for connections to the Web, it should be configured on Adonis before proceeding with updating the software. For more information, see Specifying Proxy Settings on page 37.


You can find the current Management Console version by clicking Help > About. The version of each server can be found using a server version query as described in Management Console Server Controls on page 54. To check for updates (including operating system and application upgrades), follow the procedure described below. If updates are available, the Update Wizard guides you through the installation process.

To launch the Update Wizard:


1 On the Tools menu, click Check For Updates. The Update Wizard opens to guide you through the rest of the update process. Click Next. 2 The Update Wizard checks for client updates. Click Next.


3 The Server Connection page appears. For each server that you want to update, select the Connect checkbox, type the server password, and then click Next.

The Update Wizard returns a list of servers that you can update. 4 To update a server, select the appropriate Update checkbox (selected by default) and then click Next.

Servers are rebooted one at a time after the update finishes. Ensure that any servers that received updates of any kind remain selected.


5 Select the action you want to perform on any server selected on the previous screen, and then click Next.

6 The required update files are downloaded. Click Next.


7 The downloaded updates are sent to the servers that require them. Click Next.

8 To apply the server updates, each server must be rebooted sequentially. Click Start Reboot Sequence. Each server in the list reboots and starts its services before the next one reboots.

9 After the update is installed, click Next. 10 To execute the client update (if any) or to finish, click Finish.
If you need to update a client, save your files and accept the installation.

The Management Console Install Wizard guides you through the same installation process used when the program was originally installed. During this process you are asked to determine the local storage path and the menu location for the Management Console. The wizard suggests default settings, but these may differ from your current settings.

Manual Updates
To update Adonis manually you must first obtain a copy of the update.jar file from BlueCat Networks, and then place this file in the root of the c: drive on the workstation running the Management Console. Adonis uses this file to update the Management Console and the server.

To update Adonis manually :


1 In the Management Console select Tools > Options. 2 On the Product Updates tab select the Specify Address option. 3 Type jar:file:///update.jar!/adonis-update.xml in the field provided. 4 Click OK.


Chapter 5

Project Files

Adonis works within a client-server architecture that allows you to configure multiple servers from a single client interface and store this configuration in a project file. Project files define most of the functionality for the DNS, DHCP, and TFTP services that Adonis supplies. The project file does not contain the controls for the appliance itself: these are found in the Administration Console and the Management Console. Additionally, project files also define the server architecture for high availability configurations such as XHA and DHCP Failover. This chapter includes the following topics:
Creating a New Project File on page 71 describes how to use the New Project Wizard. DNS and DHCP services are created initially in a new project file and TFTP services are added later.
Opening and Saving Files on page 84 describes how to open and save local files, as well as check files in and out of an appliance. Both project and certificate files can also be stored in a custom location.
Editing a Project File on page 88 describes how to edit a project file to modify the DNS and DHCP service configurations before they are redeployed.
Checking and Correcting a File on page 90 describes the tools you use to verify the structure and syntax of a project file. Projects can be checked locally in the Management Console before deployment, and can also be verified live on the network and/or the Internet. The settings for the data check can also be modified in the Management Console.
Deploying the Project File on page 92 describes how to deploy your project during testing or production. Deploying a project configures and restarts network services on the appliance.
Importing a Project on page 96 describes how to import project files created with a previous version of Adonis.

Creating a New Project File


Adonis guides you through the initial steps of creating a new project file with the New Project Wizard. You can add as many servers and services as required to the newly-created project file. Alternatively, you can use the New Project Wizard to create a very simple project that can be modified and expanded later. You can also create a project file by importing an external DNS or DHCP configuration (for example, a BIND configuration). For more information, see Importing a Project on page 96.
Whenever you create a new project file, Adonis automatically closes any project already open in the Management Console.

Many of the procedures described in this section apply when adding servers to an existing project and when adding services to an existing server. The process is the same in all of these situations.

For more information about editing project files to update and modify DNS, DHCP, and TFTP services, see Adding Servers on page 89, Adonis DNS on page 97 and Adonis DHCP on page 155.

Selecting an Appliance Type


The first steps in creating a new project are to choose the type of appliance you are using, and then select the services you want to set up. The New Project Wizard changes dynamically depending on the appliance and services you choose. As the diagram shows, all appliances require master server information. All models (except the Adonis 250) require additional information depending on the services you are setting up.

To select an appliance:
1 On the File menu select New. The New Project Wizard opens.

2 Click Next. The Configuration Setup page appears.

3 Select an appliance type from the Appliance Type drop-down list. Your selection must match the type of appliance you purchased.
Adonis 1750, 1000, 750, XMB: these appliances each support one DNS service and one DHCP service.
Adonis 500: this model supports only the DHCP service.
Adonis 250: this model runs a restricted DNS server that can have only stub zones, forwarding zones, and a caching zone.
4 If you selected Adonis 1750, 1000, 750, or XMB, select the checkboxes to configure the services you want to run on the server.
5 Click Next.

Setting up an Initial DNS Service


The following procedures describe the steps necessary to set up the initial DNS service.

To set up the initial DNS service:


1 Select the DNS architecture. 2 Define the DNS and/or master DHCP server. 3 Add slave servers (if necessary). 4 Identify Active Directory domain controllers (if you are working with Microsoft Active Directory). 5 Set up DHCP (if needed).

Selecting a DNS Network Architecture


If you are configuring an Adonis 1750, 1000, 750 or XMB DNS service, the Select Architecture page appears. The various network architectures include different numbers of appliances playing different roles on the network. This step does not appear for the Adonis 500, the Adonis 250, or for a server being set up to provide only DHCP.

1 Select a DNS network architecture. To scroll through the options, click the right and left arrows in the upper-right corner of the Select Architecture page.

2 Select an appropriate architecture, and then click Next.

The following topics describe the types of architecture available.

Single Name Server: Also known as a master-only architecture, this is useful if your company has a limited budget or already has a company intranet. It is a simple architecture: an in-house DNS solution that is affordable for a small network. However, it is not recommended for the enterprise or for the Internet, because every client connects directly to the single master server and there is no redundancy.

Advantages:
- Simple configuration for an in-house DNS solution.
- Affordable for small networks.

Disadvantages:
- All clients connect to the master server, creating security concerns.
- No redundancy: if your server is down you do not have DNS service.


Front-End Master with Slave(s): A typical master/slave setup assumes that a company has one master server and one or more slaves in a flat arrangement. These components are structured horizontally across the network rather than vertically, so queries can be load-balanced across multiple servers.

Advantages:
- Redundant DNS configuration.
- The slave servers are kept consistent with the master server.
- The load can be distributed among the master and its slaves.

Disadvantages:
- The master is not protected from the outside world.
- Not recommended for external DNS, because the master appears in the zone's public NS records and its address can be found by anyone.

In this scenario, if the master or a slave fails, one of the remaining servers accepts its load and carries on. If the master server fails, you can promote a slave to become the master until you can bring the master back online. This is a redundant DNS architecture because the slave servers are kept consistent with the master and the load is distributed among the master and its slaves. However, the master is not protected from the outside world, so this architecture is not recommended for Internet DNS.

Front-End Slaves with Hidden Master: This architecture allows you to place the master server behind a firewall and hide it. In addition to increased security, the load can be distributed among the slaves. It requires at least three servers (two slaves and one master) and may require networking expertise, especially if the slaves are on different networks.

Advantages:
- No outside access to the master, so it is less vulnerable to outside attacks.
- If a failure causes the master to go down, there is little loss of service to external clients because they do not query it directly.
- Performance on the master server improves, especially when performing zone transfers for a large number of zones.

Disadvantages:
- Needs at least three servers (two slaves and a master) to provide the necessary redundancy.
- May need networking expertise if the slaves are on a different network.

The increased security of this architecture makes it the best solution for Internet DNS. This architecture features an option in the Add Slave Servers page to designate a slave (secondary) server as the primary server for SOA records. Naming a slave rather than the master in the SOA record's primary (MNAME) field avoids exposing the hidden master's name and IP address, because other name servers query the designated SOA Primary Server instead of the hidden master. The hidden master must still be reachable by its slaves for zone transfers and NOTIFY messages, so the firewall should permit that traffic from the slaves' addresses only.

DNS Caching Server: Caching servers decrease the time needed for name lookups by retrieving and caching DNS information from other servers. This type of server performs the lookup, and then keeps the answer in memory for the time allowed by the record's time to live (TTL). When the TTL expires, the cached answer is discarded and the next query for that name is resolved again from the authoritative servers.

Advantages:
- A caching server can reduce the time needed for name lookups.
- Can stand alone, or can forward unresolved queries to another name server.

Windows Active Directory: This architecture enables the appliance to host DNS services for a Windows Active Directory environment. Select this configuration if your appliances are participating in an Active Directory infrastructure.

Advantages:
- Configures the server to operate within the Windows Active Directory environment.

Custom Configuration: This architecture allows you to define name server parameters and the form of your network. It is useful for networks that do not fit any of the more traditional network architectures, or those that involve a more complex architecture with many servers.

Advantages: You can add your own name servers.


Defining the Master/DHCP Server


All DNS architecture models in a new file require a master DNS server. The master server must be defined at this point. DHCP servers also require the same information. These changes are implemented in the new project file upon completion of the wizard.

To define a master server:


1 Type a Fully Qualified Domain Name (FQDN) in the Server Name field; do not use a relative name for this server. This FQDN creates a forward zone in a default DNS view, based on the name that you specify, containing a name server record and a glue record for this server. The server name is also used to populate the Start of Authority (SOA) record for the zone. If you use an FQDN for a DHCP-only server name, it is automatically added to any DNS service added later.
2 Type an IPv4 or IPv6 address in the IP Address field. This creates a corresponding reverse DNS zone that contains a name server record for this server.
3 Type an e-mail address with no periods (.) before the at sign (@) in the Contact e-mail field. The address is stored in the SOA record with the @ replaced by a period, so a period in the part before the @ would be ambiguous.
4 Type a phone number in the Phone Number field using hyphen separators. (optional)
5 Type a mobile phone number in the Mobile Number field. (optional)
6 Type a department or division in the Dept./Division field. (optional)
7 Click Next.


Adding Slave Servers to a New Master


If you chose either the Front-End Master with Slave(s) or the Front-End Slaves with Hidden Master architecture on the Select Architecture page, you must add slave servers to the configuration.

Add each slave using the following information:
- Name: a meaningful name (FQDN) for each slave server (for example, ns2.example.com).
- IP address: the IP address for each slave server (for example, 192.168.127.3).


If you are using the Front-End Slaves with Hidden Master architecture, you can select a slave server to act as the start of authority (SOA). This server plays that role on behalf of the hidden master, so that none of the slaves carries a direct reference to the master in the data it serves.
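The following is an added example, not Adonis code, that shows what the two wizard pages above (Defining the Master/DHCP Server and Adding Slave Servers) produce when you generate the zone yourself: the forward zone's SOA, NS and glue records, the SOA contact field derived from the e-mail address, and the reverse zone name derived from the server address. With hidden=True the designated SOA primary slave is used as the SOA MNAME and the master is left out of the published data entirely, which is the point of the hidden-master architecture. The host names, addresses, serial scheme and function names are assumptions for illustration only.

```python
"""Added example (not Adonis code): build the forward zone the wizard describes,
with the SOA MNAME pointing at a designated front-end slave so that the hidden
master's name and address never appear in published zone data.
All names, addresses and helper names are assumptions for illustration."""
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True for a fully qualified name such as ns1.example.com (trailing dot optional)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def rname_from_email(email: str) -> str:
    """Encode a contact address as an SOA RNAME (RFC 1035): the '@' becomes a '.',
    and any dot in the local part must be escaped. This is why the wizard asks
    for no periods before the '@'."""
    local, domain = email.split("@", 1)
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def reverse_zone(address: str) -> str:
    """Reverse zone name the wizard creates for the server's address (IPv4 or IPv6)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def next_serial(current: int, today: str) -> int:
    """A common date-based serial scheme (assumed here; not necessarily the Adonis
    'auto' algorithm): YYYYMMDDnn, always strictly greater than the current value
    so that slaves notice the change. today is 'YYYY-MM-DD'."""
    candidate = int(today.replace("-", "")) * 100
    return candidate if candidate > current else current + 1


def build_zone(zone, master, slaves, contact, serial, soa_primary=None, hidden=False):
    """Return zone-file text. master and each slave are (fqdn, ip) tuples.
    With hidden=True the master is omitted from NS and glue records and
    soa_primary (one of the slave fqdns) is written as the SOA MNAME."""
    for fqdn, _ in [master, *slaves]:
        if not is_fqdn(fqdn):
            raise ValueError(f"relative name not allowed: {fqdn}")
    if hidden and soa_primary not in {s for s, _ in slaves}:
        raise ValueError("a hidden master needs a slave designated as SOA primary")
    mname = soa_primary if hidden else master[0]
    public = list(slaves) if hidden else [master, *slaves]
    rname = rname_from_email(contact)
    lines = [f"$ORIGIN {zone}.",
             f"@ IN SOA {mname}. {rname} {serial} 3600 900 1209600 300"]
    for fqdn, _ in public:
        lines.append(f"@ IN NS {fqdn}.")
    for fqdn, ip in public:
        if fqdn.endswith("." + zone):      # in-zone name server: needs glue
            rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
            lines.append(f"{fqdn}. IN {rtype} {ip}")
    return "\n".join(lines) + "\n"


def exposes(zone_text: str, server) -> bool:
    """True if the server's name or address appears anywhere in the zone data."""
    fqdn, ip = server
    return fqdn in zone_text or ip in zone_text
```

Run exposes() against the generated text for the hidden master before deploying: a hidden master that shows up in its own zone data is hidden in name only.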

Identifying Active Directory Domain Controllers


If you chose a Windows Active Directory configuration, you are prompted to identify the IP address for each Active Directory Domain Controller.


Click Add, and then enter the IP address for one of your domain controllers.

Repeat the above procedure for all required domain controllers, click Next, and then click Finish.

Configuring DHCP
If you are using a multi-server architecture, you must choose one server to host the initial DHCP service for this project.

Setting up a New DHCP Server or Service


After you decide which appliance will host the initial DHCP service, configuring DHCP is straightforward. You can create a new DHCP service in several ways:
- by creating a new project file
- by creating a new server in an existing project file
- by adding the DHCP service to an existing server

In each case, the procedure for configuring DHCP is the same. The New DHCP Service Wizard needs the following information:
- Group declaration
- Subnet declaration
- Subnet or pool range

You can add additional declarations as needed after the wizard has finished.
If you want to create a DNS service as well as configure DHCP, you must configure the DNS service first.

To create a new DHCP service:


1 If you are creating an Adonis 1750, 1000, 750, or XMB DHCP service in the New Project Wizard, make sure you select the DHCP Service checkbox.
2 If you are adding a DHCP service to an existing project, right-click a server and then follow the instructions in the New DHCP Service Wizard.


3 Type the information for the new DHCP server, and then click Next. The Get DHCP Group Information page appears.

4 Type a group name for the DHCP service, and then click Next. The Get DHCP Subnet Information page appears.

5 Select either the Network or Subnet option. If you select Network, type the network identifier in Classless Inter-Domain Routing (CIDR) notation, for example 192.25.200.0/24. If you select Subnet, type the network identifier (for example 192.25.200.0) in the Subnet field and the subnet mask (for example 255.255.255.0) in the Mask field. Either form must describe the network address itself, not a host address within the network.


Optionally, you can select the Add the DHCP subnet to a new shared network checkbox. Type the name of a shared network in the Shared Network field that appears beneath the checkbox.
You can create a subnet range or a pool range: you cannot create both. Because pools offer additional functionality, we recommend pools and pool ranges instead of subnet ranges.

6 Click Next. The Add DHCP Subnet/Pool Ranges page appears.

7 To add a subnet range or a DHCP pool, click Add. The Add Address Range dialog box appears.

8 Type the IP address at the start and at the end of the range. To add an exclusion range within the range you are creating, right-click the Exclude Ranges area of the Add Address Range dialog box, and then select New Exclude Range from the context menu. Type the IP addresses at the beginning and end of the exclusion range, and then click OK.
9 In the Add Address Range dialog box, click OK to add the range.


10 Click Next, and then click Finish.

To create a pool:
1 In the Add DHCP Subnet/Pool Ranges dialog box select the Create a new pool for the DHCP subnet checkbox. The pool ranges area appears in the dialog box.

2 Click Add, and then type the beginning and end addresses.
3 Click Next, and then click Finish. The DHCP service appears in the directory tree under the selected server, at the same level as the DNS service for the server.
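The following is an added example, not Adonis code, covering the input the New DHCP Service Wizard collects in the procedure above: the subnet in either CIDR or address-plus-mask form (step 5), the pool or subnet range, and any exclusion ranges (step 8). It applies the checks a practitioner wants before deploying: the subnet must be a true network address, no range may include the network or broadcast address, exclusions must lie inside the pool, and the exclusions are carved out so you can see exactly which addresses will be leased. The addresses are constructed sample input and the function names are assumptions.

```python
"""Added example (not Adonis code): validate the subnet, pool range and exclusion
ranges the New DHCP Service Wizard asks for, and carve the exclusions out of the
pool. Sample addresses are constructed for illustration."""
import ipaddress
from ipaddress import IPv4Address, IPv4Network


def parse_subnet(network=None, subnet=None, mask=None) -> IPv4Network:
    """Accept either CIDR (the wizard's Network option) or address plus dotted mask
    (the Subnet option). strict=True rejects a host address such as 192.25.200.7/24."""
    if network:
        return ipaddress.ip_network(network, strict=True)
    return ipaddress.ip_network((subnet, mask), strict=True)


def _range(net: IPv4Network, start: str, end: str):
    a, b = IPv4Address(start), IPv4Address(end)
    if a > b:
        raise ValueError(f"range start {a} is after end {b}")
    # the network and broadcast addresses must never be handed out as leases
    if a <= net.network_address or b >= net.broadcast_address:
        raise ValueError(f"{a}-{b} is not strictly inside {net}")
    return a, b


def pool_ranges(net: IPv4Network, start: str, end: str, exclusions=()):
    """Return the lease ranges as (start, end) string tuples after removing each
    exclusion. An exclusion outside the pool is an error rather than silently ignored."""
    lo, hi = _range(net, start, end)
    ranges = [(lo, hi)]
    for ex_start, ex_end in exclusions:
        elo, ehi = _range(net, ex_start, ex_end)
        if elo < lo or ehi > hi:
            raise ValueError(f"exclusion {elo}-{ehi} lies outside the pool {lo}-{hi}")
        carved = []
        for rlo, rhi in ranges:
            if ehi < rlo or elo > rhi:          # no overlap: keep as is
                carved.append((rlo, rhi))
                continue
            if rlo < elo:                       # keep the part before the exclusion
                carved.append((rlo, elo - 1))
            if ehi < rhi:                       # keep the part after the exclusion
                carved.append((ehi + 1, rhi))
        ranges = carved
    return [(str(a), str(b)) for a, b in ranges]


def lease_count(ranges) -> int:
    """Number of addresses the server can actually lease from the given ranges."""
    return sum(int(IPv4Address(b)) - int(IPv4Address(a)) + 1 for a, b in ranges)
```

Compare lease_count() with the number of hosts you expect on the segment before deploying; a pool that is too small shows up as exhausted leases, which looks like a network outage to users.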
Like the DNS service, the DHCP configuration can be checked for errors before deployment. In some cases, the errors may simply be informational.

The Management Console creates a new project file using the settings you have specified. No changes are made to the appliances at this point. The appliance configurations and services are updated and restarted when you deploy the project.

Opening and Saving Files


Adonis has two methods for storing project files: you can store the file on your workstation or you can store it on the appliance. Storing the project file on the appliance has some advantages:
- Several administrators can have access to the file without needing to maintain separate copies.
- Access to the file on the server is restricted while any administrator has it checked out.


Networked storage is useful for ensuring that the file is always backed up to a central location. In many environments, this can be achieved by storing the file on a network drive that is backed up centrally.

To open a file, from the File menu select Open. Select the .dns project file as you would any other type of file. To save a file, from the File menu select Save or Save As. Save the project file as you would any other type of file.

Checking Files Into and Out Of an Adonis Server


The Check In/Check Out features enable you to store the project file centrally on the Adonis server. You check out a file, modify it, deploy the changes, and then check the project back into the server. This allows several administrators to work on the same project, one at a time, without overwriting each other's changes. Checking out creates a local copy of the project file in which the changes are made; checking in uploads that local copy to the appliance and releases the lock on the appliance's copy so that another administrator can check it out. The lock prevents other administrators from checking out a project file that is already checked out.
Check In is not the same as deployment. Check In is a process for storing the latest project file on the appliance. Deployment is a process designed to install and activate the latest project changes on the appliance(s).

Before checking the project file in or out, you can view the log of all check-in/check-out server activity by clicking View Log. This log indicates who has checked the project file in or out of the appliance.

Checking In a Project File


When you are satisfied with the changes you made to the project file, you should check in the file so another administrator can work on it.
Checking a project into Adonis does not activate any changes that were made to the configuration data. To activate changes, first deploy the project, and then check the project file into Adonis.

To check in a project file:


1 Click Tools, and then click Options.
2 On the General tab select the Auto save local copy for check in/out checkbox. This ensures that Adonis saves a backup copy of the project file to the requested path.
3 Click OK.


4 After you deploy the project, select Check-In from the File menu. The Check-In dialog box appears.

5 Type a comment describing the changes you have made to the file, and then click Check-In. Adonis performs an SSL handshake to verify that you have the correct credentials to check in the project. The current project is checked in and overwrites any existing file on the appliance.

After you check in a project, it disappears from the Management Console. This is very important: you cannot deploy a project file after you check it in until you check it out again. You can force a check-in if necessary. If another administrator has the configuration file checked out and you need to check in a different version, select the Force check-in (break existing lock) checkbox. Be particularly careful when forcing a check-in: it breaks the other administrator's lock, so whichever copy is checked in last overwrites the other. Are you absolutely sure your changes are more important than somebody else's?

Checking Out a Project File


If you need to make changes to a project, check out the latest version from the server. To update the project for subsequent check outs, remember to check the project file back into the appliance after you have completed and deployed your changes.


To check out a project file:


1 From the File menu, click Check-Out. The Check-Out dialog box opens.

2 Type the server IP address in the Server field (if necessary).
3 Type your deployment password in the Password field (if necessary).
4 Click Check-Out. Adonis performs an SSL handshake, then locks the project on the server, downloads a copy, and displays it in the Management Console.
The name of the file that you have checked out is always the name listed after the IP address of the server itself. If you need to check out a file but it is locked, select Force check-out (break existing lock). Before you do this, make sure another administrator is not currently using the file.

5 Deploy the configuration in the checked-out file.

Typical Management Session


The following scenario describes a typical Adonis management session using the check in/check out features. The steps assume that a project already exists (the file has been checked in) on the appliance and has been deployed.

To use Check-In and Check-Out:


1 Launch the Management Console. From the Welcome dialog box select Check out Project from server, and then click OK. The Check-Out dialog box opens.
2 Specify the IP address and password for the server that contains the project.
You can view the Check-In/Check-Out log to see all previous activity on the server. The last log entry must be a check in (in order to check the project out from the server).

3 Click Check-Out to get a local copy of the project and lock it.


4 Make the necessary configuration changes, and then deploy the project to activate your changes immediately.
If you do not want to activate the changes, you can check the project back in, and deploy it later.

5 When deployment is complete, select Check-In from the File menu to place the project file back on the appliance. 6 When the project has been checked back in to the server, the session is complete and you can close the Management Console.
End the session by checking the project file back in to the server to make it available for future management sessions.

Modifying File Location Settings


You can change the default locations for project files and server certificates.

To change the default locations:


1 From the Tools menu select Options. Click the File Locations tab.

2 Click in the Project Files or Certificates box to display the Select Directory dialog box and browse to the new location. Alternatively, you can type the directory name manually.
3 Click Select, and then click OK.

Editing a Project File


Editing a project file may involve wizards and other tools that Adonis uses to help you create a well-formed and efficient project.


Adding Servers
Adding a server or service to an existing project file is similar to defining the server for a new project file.
If you want to create a DHCP service, follow the steps in Configuring DHCP on page 81 now or after you have configured the DNS server.

To add a server to an existing configuration file:


1 Right-click Servers (the root of the project file tree).
2 Click New Server from the context menu. The New Server Wizard appears.
3 Click Next.
4 Select an appliance type from the drop-down list. Your selection must match the type of appliance you purchased.
- Adonis 1750, 1000, 750, XMB: These appliances each support one DNS service and one DHCP service.
- Adonis 500: This model supports only the DHCP service.
- Adonis 250: This model runs a restricted DNS server that can have only stub zones, forwarding zones, and a caching zone.
5 If you selected Adonis 1750, 1000, 750, or XMB, select the checkboxes for the services you want to run on the server.

6 Click Next.


7 Type the appropriate server information. This screen shows different fields, depending on the options you selected in the previous screen.

8 Because you are creating a new server in an existing project, select Master, Master Hidden, Slave, or Caching as the type of server.
9 If you are creating a slave server, select its corresponding master from the Master Server list.
10 Type an FQDN in the Server Name field; do not use a relative name for this server. This FQDN creates a forward zone in a default DNS view, based on the name you specify, containing a name server record and a glue record for this server. The server name is also used to populate the Start of Authority (SOA) record for the zone. If you use an FQDN for a DHCP-only server name, it is automatically added to any DNS service you add later.
11 Type an IPv4 or IPv6 address in the IP Address field. This creates a corresponding reverse DNS zone that contains a name server record for this server.
12 In the Contact e-mail field, type an e-mail address with no periods before the @ sign.
13 In the Phone Number field, type a phone number (use hyphens as separators). This field is optional.
14 In the Mobile Number field, type a mobile phone number. This field is optional.
15 In the Dept./Division field, type a department or division. This field is optional.
16 Click Next.
17 Click Finish.

Checking and Correcting a File


Adonis provides several kinds of data checking to help ensure the accuracy of files and their ability to deploy successfully. Despite the controls built into the Adonis Management Console, a project file can still contain errors. This section outlines some of the data checking that can occur within a project file.


Checking the Data


Before transferring the project file to the appliance, you should perform a data check on the information that the file contains. This procedure normally takes a few minutes, but it can save you time in the long run because it allows you to resolve issues before you deploy the project. If you have imported external data or a project file from an older version, this step is strongly recommended. Further tools for checking DNS integrity can be found in Checking the Data on page 132.
You can right-click on the Check data table, and then use the Collapse Related Issues and Expand Related Issues commands.

To check your project data:


1 From the Tools menu, select Check Data or click Check Data on the toolbar. The Check Data pane appears at the bottom of the Management Console.

2 Use this list to review issues that exist in your project file. The Type column identifies three types of issues:
- Errors: serious problems that interfere with the correct operation of the server
- Warnings: less serious problems that still require your attention
- Information: items of interest that do not affect deployment
3 Double-click an issue. The left and right panes display the location of the issue within the project file and the setting that needs to be modified (you can also select the issue, and then click Go to...).
4 To see an explanation of the issue, click Explain.
5 Make the modifications necessary to resolve the issue.
6 Repeat the previous steps to continue checking your data until the Management Console reports that there are no problems with your project file.
Click Re-check to run the data check again. Click Explain to see an explanation for the issue you selected.

Modifying Data Check Issue Settings


You can customize the severity level that is reported for every test the data checker runs.


To modify data check issue settings:


1 From the Tools menu click Options, and then select the Data Check Issue Settings tab.

2 To change a setting, select the issue, and then select the desired severity level to be reported from the corresponding drop-down list.
3 Click OK.

Deploying the Project File


Deployment is the process that converts a project file in the Adonis Management Console into a running set of services. Service configuration files are generated and transferred to the servers that provide the services. The services are then restarted, and the new project becomes live on the servers. Upon deployment, the project file creates the appropriate DNS, DHCP, and TFTP service configurations and starts the services.

If you selected the Set auto data check before deployment checkbox in the Tools > Options > General tab, a data check runs automatically when you start a deployment. A results screen appears and gives you the option to continue the deployment or abort it, based on the results of the data check. If there are no errors in your project file, or you elect to proceed anyway, the Deployment Wizard opens. Aborting the deployment returns you to the Management Console.

To deploy your configuration:


1 On the Management Console, click Deploy on the toolbar, or select Deploy from the Server menu. The Deployment Wizard opens.


2 Click Next. The Server Connection dialog box opens.

3 Select the checkbox for each server you want to deploy, and then type the password.
4 Click Next.
5 After the connection is made, a connection status screen appears.


6 When the connection is established, click Next. The Select Action dialog box appears.

7 Select one of the following actions:
- Do Nothing: No processing is required.
- Update Client: Transfer data from the server to the client. This uses the configuration data on the server to rebuild the configuration file on the client.
- Refresh Client: Transfer dynamic updates from the server to the client, so that the client has a snapshot of the running services and information about the current state of dynamic objects such as DHCP leases, DDNS entries, and MAC Authentication status.
- Update Server: Transfer data from the client to the server. Once you have finished making changes to a configuration file, use this option to transfer it to an Adonis appliance and start the services.
- Update Server (Force): Normally, updating a server involves making iterative changes to the configuration files. If an appliance has been upgraded or is in an indeterminate state, use this option instead. The force option completely rewrites all of the configuration files on the appliance.


8 To continue the deployment and display a status screen, click Next.

9 To display the summary screen, click Next.

10 To complete the deployment, click Finish.


When deploying a disabled service, the current service stops if it is running.


Importing a Project
There are several ways to import existing data into the Management Console. You can import data from a previous version of the Management Console, import an external DNS or DHCP configuration (for example, a BIND 9 configuration), or perform a live zone transfer. This section covers importing a project file created with an earlier version of the Management Console. Imports from external sources are discussed in Migration Tools on page 223.

Importing from a Previous Version


Opening a project file created using a previous version of the Management Console prompts you to select the servers that need their appliance type queried. This lets the Management Console adjust the available settings to match the appliance. Because all Adonis appliances are now manageable from a single software console, this step should only be required when upgrading from Adonis 3 or earlier.

To detect the appliance type:


1 From the pop-up screen that automatically appears when you load a project file from a previous version, select the checkboxes corresponding to the servers for which you want to detect the appliance type.

2 Type the password for each server, and then click Detect Type. Closing the detection screen without detecting the appliance type sets the type to Adonis 1000 by default. If the appliance type is set to Adonis 1000 but the appliance itself is a different type, the configuration cannot be deployed. If the appliance type has not been detected, a warning message appears when you start deploying the project. All appliances must be detected before the project can be deployed.
If the appliance type is not being successfully detected, try using the Detect Appliance Type function from the Server Control menu.


Chapter 6

Adonis DNS

DNS is a wide-ranging topic and a detailed explanation is beyond the scope of this administration guide. Server configuration and administration is intuitive with Adonis, and the critical topics are covered. This chapter includes the following topics:
- Adonis DNS Implementation on page 97 describes the Adonis-specific implementation of DNS services.
- DNS Services on page 98 explains how DNS services are controlled through the Administration Console.
- Managing Servers and Zones on page 104 describes how DNS zones and sub-zones form the hierarchical structure of the DNS system.
- Resource Records on page 101 describes how resource records define the characteristics of the individual hosts that are referred to in a DNS zone.
- Managing Resource Records on page 117 describes how resource records can change dramatically and how to manage those changes using the tools provided with Adonis.

Adonis DNS Implementation


The following features highlight the strengths of the Adonis DNS implementation.

BIND Views: BIND views allow you to configure a single name server so that it responds differently depending on who sent the query. With views, a single Adonis appliance can return an intranet address to a query that originates inside the corporate network and an external address to the same query when it arrives from outside. For example, you can serve your company's internal and external DNS data from the same server instead of configuring separate name servers. Before BIND 9, presenting one view of a zone to one community of hosts and a different view to others required a very complex configuration, multiple name servers, or multiple name server processes on a single host.

Recursive Queries: Recursion allows a DNS server to answer queries for zones for which it is not authoritative. The server resolves the name on the client's behalf, either by querying the authoritative servers itself or by forwarding the query to another recursive server. Adonis allows recursion to be enabled at the service or view level through the Allow Recursion option. Recursion is actually provided by Cache Zones and Forwarding Zones, so both the option and the zone must be configured for recursion to work properly.

Enable/Disable Zones: Adonis can disable and enable zones intelligently. Network administrators can create live configurations that serve DNS data only for zones that are fully prepared, with online web, email, and database servers ready for production. When a zone is disabled, Adonis selectively disables dependent records outside the zone without manual intervention by the administrator.

Delegation-Only Zones/Root Delegation Only: Delegation-only zones are useful for filtering out wildcard or synthesized data from Network Address Translation (NAT) devices, or from authoritative name servers containing undelegated zone data of no interest. Root delegation only is a server option enabled directly from the Management Console. It enforces delegation-only behaviour for top-level domains (TLDs) and the root zone, with the option to exclude specific domains or to load the default exclusion list.

Enable/Disable Resource Records: Individual resource records can be disabled and enabled. This is similar to the enable/disable zone feature, but on a per-record basis.

Auto Generate: Auto generate can be used where a BIND $GENERATE statement would otherwise be employed. It creates a series of resource records that differ only by an iterator, for example the record sets required to support sub-/24 reverse delegations as described in RFC 2317 (Classless IN-ADDR.ARPA delegation). The process creates a single entry in the project file; when synchronized, Adonis creates the actual records on the server.

Configuration Migration: Existing DNS configurations can be migrated with the Management Console, eliminating the tedious re-creation and re-entry of zone data. Migration imports DNS files created with current and earlier releases of the BIND software (including versions 4.x, 8.x, and 9.x). Microsoft Windows DNS configurations can be extracted with the Adonis Extraction Tool. After importing the configuration into the Management Console, check for errors and validate the data using Data Checker and the Live Data Check and Validation tools.

Automatic Serial Number Generation: The Start of Authority (SOA) resource record for a zone identifies the primary master name server that is authoritative for the zone, that is, the best source of information for it. SOA records contain important settings for refreshing the data in the zone. One of these settings is the serial number, a version number that applies to all data in the zone; slave servers compare it with the serial of their own copy to decide whether a zone transfer is needed, so it must increase with every change. This option is set by default to auto, enabling a special algorithm to determine the correct value.

Configuration Statistics: Generate a statistical summary of your DNS configuration using the Management Console. Statistics on the number of servers, zones, and addresses provide useful data on the size of your network infrastructure.

Supported DNS RFCs: Adonis is fully compliant with the following DNS RFCs: 1034, 1035, 1995, 1996, 2136, 2317, 2782.

Version 5.5

Adonis Administration Guide

97
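As an added example (not Adonis code), the following Python produces the record set that a BIND $GENERATE statement expands to for an RFC 2317 sub-/24 reverse delegation: the NS records for the child zone placed in the parent /24 zone, one CNAME per address pointing into the child zone, and the PTR that the delegated party publishes there. The network 192.0.2.64/26 and the customer.example names are constructed for the illustration; the separator argument mirrors the Separator field of the Class C (subnet) reverse zone dialog described later in this chapter.

```python
import ipaddress

# Added example (not Adonis code): the records a BIND $GENERATE statement expands to
# for an RFC 2317 classless in-addr.arpa delegation.  Networks, names and
# nameservers used here are illustrative.

def parent_reverse_zone(net):
    """The /24 reverse zone that contains an IPv4 network longer than /24."""
    o = net.network_address.packed
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."

def classless_delegation(cidr, nameservers, separator="/"):
    """Return (child_zone, records) for delegating the reverse mapping of cidr.

    records is a list of (owner, type, rdata) to add to the parent /24 zone: NS
    records naming the child zone's servers, then one CNAME per address pointing
    into the child zone.  separator sits between the start offset and the prefix
    length in the child zone name ("/" as in RFC 2317; "-" is a common alternative
    for tools that reject "/" in names).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("classless delegation applies to IPv4 prefixes longer than /24")
    parent = parent_reverse_zone(net)
    start = net.network_address.packed[3]
    end = start + net.num_addresses - 1
    child = f"{start}{separator}{net.prefixlen}.{parent}"
    records = [(child, "NS", ns if ns.endswith(".") else ns + ".") for ns in nameservers]
    for i in range(start, end + 1):                     # what $GENERATE start-end does
        records.append((f"{i}.{parent}", "CNAME", f"{i}.{child}"))
    return child, records

def generate_statement(cidr, separator="/"):
    """The single $GENERATE line equivalent to the CNAME part of classless_delegation."""
    net = ipaddress.ip_network(cidr, strict=True)
    start = net.network_address.packed[3]
    end = start + net.num_addresses - 1
    return f"$GENERATE {start}-{end} $ CNAME $.{start}{separator}{net.prefixlen}"

def child_ptr(cidr, address, hostname, separator="/"):
    """The PTR record the delegated party publishes in the child zone for one address."""
    net = ipaddress.ip_network(cidr, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        raise ValueError(f"{address} is not inside {cidr}")
    child, _ = classless_delegation(cidr, [], separator)
    fqdn = hostname if hostname.endswith(".") else hostname + "."
    return (f"{ip.packed[3]}.{child}", "PTR", fqdn)

def zone_fragment(records):
    """Render (owner, type, rdata) tuples as zone-file lines."""
    return "\n".join(f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records)

if __name__ == "__main__":
    child, recs = classless_delegation("192.0.2.64/26",
                                       ["ns1.customer.example", "ns2.customer.example"])
    print(f"; delegating {child}")
    print(zone_fragment(recs))
    print(generate_statement("192.0.2.64/26"))
    print(zone_fragment([child_ptr("192.0.2.64/26", "192.0.2.70", "www.customer.example")]))
```

Running the block prints the fragment to paste into the parent zone followed by the one-line $GENERATE equivalent; the CNAME targets show why the delegated party's zone must be named exactly 64/26.2.0.192.in-addr.arpa. (or the same with the chosen separator) for reverse lookups to resolve.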

DNS Services
Adonis uses ISC BIND to provide its DNS service. Normally, BIND is configured by editing its text configuration and zone files. Adonis provides graphical configuration of this network service. You can create a DNS service in three different ways:
Creating a new project file is described in Creating a New Project File on page 71.
Creating a DNS service on an existing server is described in Editing a Project File on page 88.
Creating a new server in an existing project file is described in Adding Servers on page 89.

BIND/DNS Service Control


The executable file for BIND is called named, the name daemon. This service can be managed from the normal mode of the Administration Console.
To start BIND, type start bind, and then press Enter.
To stop BIND, type stop bind, and then press Enter.
To restart BIND, type restart bind, and then press Enter.
To view some statistics on the DNS service, type show status bind, and then press Enter.
To check whether BIND is running, type isrunning bind, and then press Enter.

Specifying Server Version Information


Attackers profiling a target collect any information they can find about its servers and the services running on them, including version numbers, so that their attempts to breach security can be aimed at the known weaknesses of that exact release. By default, the DNS service answers a server version query (a TXT query for the name version.bind in the CHAOS class) with the version of BIND it is running. You can instead provide a custom text string to be returned when the server is queried. Hiding the version denies attackers an easy fingerprint, but it does not remove any vulnerability the running version may have, so it complements, rather than replaces, keeping the appliance up to date. You can choose from the following options to specify the response given to a server version query:
[Disabled]: Send no response.
Adonis Server: Send the version of the appliance.
[BIND Version]: Send the version of BIND that is running on the appliance.
Custom Text: Send a customized text response.

Setting the Server Version Information


To set the version query response:
1 In the tree-view pane of the Management Console, click the DNS service for which you are setting the query response.
2 In the detail pane, click the General tab.
3 Using the Display drop-down list in the Version Information section, select the version information to display when a version query is issued to the server.
4 Choose from the following options to specify the response given to a server version query:
[Disabled]: Send no response.
Adonis Server: Send the version of the appliance.
[BIND Version]: Send the version of BIND that is running on the appliance.
Custom Text: Send a customized text response.
5 If you select Custom Text, click Browse, and then type the version text in the Edit Version Text dialog box.
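As an added example (not Adonis or BlueCat code), the following Python builds the version query that the Display setting controls, a TXT query for version.bind in the CHAOS class, and parses the reply, so that the setting can be verified from a host outside the appliance. sample_response() constructs a reply for offline use; query_version() sends the real query to whatever server address you pass it (no real address is assumed here). The version_disclosed() check is a heuristic belonging to this example, not something the appliance reports.

```python
import re
import socket
import struct

# Added example (not Adonis code): a BIND "server version query" on the wire and a
# parser for the answer.  sample_response() is a constructed reply, not captured
# traffic; query_version() talks to a server address supplied by the caller.

VERSION_BIND = "version.bind"
QTYPE_TXT, QCLASS_CHAOS = 16, 3

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_version_query(txid):
    # Header: id, flags 0 (QR=0, RD=0: a version query is non-recursive), QDCOUNT=1.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(VERSION_BIND) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + question

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                            # resume after the pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_version_response(msg, txid):
    """Return (rcode, [TXT strings]) from a reply to build_version_query(txid)."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):                             # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            pos = 0
            while pos < len(rdata):                      # TXT rdata: <length><chars>...
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return flags & 0xF, texts

def version_disclosed(texts):
    """Heuristic of this example: digits.digits at the start looks like a real BIND version."""
    return any(re.match(r"\d+\.\d+", t) for t in texts)

def sample_response(txid, text, rcode=0):
    """Constructed reply: an authoritative answer carrying one CHAOS TXT record, or an
    empty answer section with the given rcode when text is None."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0 if text is None else 1, 0, 0)
    question = encode_name(VERSION_BIND) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    if text is None:
        return header + question
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return header + question + answer

def query_version(server, timeout=2.0, txid=0x1234):
    """Send the query over UDP to a live server (address supplied by the caller)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_version_response(data, txid)
```

After changing the Display setting, run query_version() against the appliance from a host outside your network: with Custom Text you should get the configured string back, with [Disabled] no TXT record (BIND usually signals this with a non-zero rcode), and with [BIND Version] the real version, which version_disclosed() flags.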


Adjusting DNS Service Options


Every time you define a new name server, create a project file, or add a new name server to an existing project, the Management Console automatically enters the default BIND sub-statements in your project file. You can modify any of these options as your needs change.

Setting DNS Service Options


To adjust server options for a name server:
1 In the tree-view pane of the Management Console, double-click the DNS service whose options you want to set. A list of the server's zones and views appears.
2 In the detail pane, select the Options tab. A list of options appears.
3 To change a server option, double-click it. A dialog box appears to allow you to make changes to that particular option. For some options, clear the Use default checkbox to enable the other controls in the dialog box.
4 Make the necessary changes, using Add, Edit, Remove, Move Up and Move Down on the dialog boxes to open additional dialog boxes, whenever applicable.
For numeric options, you can type a number in the available field. For yes/no options, you can select yes, no, or default. For the transfer-format option, select one-answer, many-answers or default. For some options, the Add and Edit dialog boxes include an Exclude option which, when selected, indicates that the address should be ignored. This lets you add an entire subnet and exclude individual IP addresses from it. Because BIND evaluates an address list in order and stops at the first entry that matches, an excluded address must appear before the subnet that contains it; use Move Up and Move Down to order the entries.
5 Click OK.

Available DNS Options


When configuring DNS you can set options at different levels. For example, you can configure a DNS server to allow zone transfers at the following levels:
DNS service level
Views level
Zones level
Options configured at the DNS service level are global and are inherited by all views and zones. However, options that are set at lower levels take precedence. Options configured at the Views level are inherited by all zones within that view and take precedence over the options configured at the DNS service level. Options configured at the zones level affect only the zone itself and take precedence over the options configured at both the DNS service level and the views level. When auditing access controls such as allow-transfer or allow-recursion, therefore, check the zone and view levels as well as the service level: a permissive setting on a single zone overrides a restrictive global one.

Resource Records
You create Resource Records on the Resource Records tab in the detail pane. The Resource Records toolbar appears when you select a zone and includes tools that allow you to create the following types of record:

New Host Record (A): A host record resolves a Fully Qualified Domain Name (FQDN) to an IPv4 address for a device. A host record requires a name and an IP address (multiple addresses may exist for the same device). You can set the TTL for this record to override the value assigned in the SOA record.

New Quad-A Record (AAAA): A Quad-A record is the IPv6 counterpart of a host record; it contains an IPv6 address rather than an IPv4 address. As with A records, several names can refer to a single address, which can be done with multiple host records rather than a CNAME or Alias record, and a single name can refer to several different addresses. When multiple host records share a name in this way, they should be listed together, as BIND rotates them in round-robin fashion when answering queries. IPv4 and IPv6 addresses can be mixed within the same zone.

New Alias Record (CNAME): This is a Canonical Name record, used to specify an alias for a host name. The Alias record type requires only a name and the canonical host it points to. You can set the TTL for this record to an override value.

New Name Server Record (NS): An NS record names a DNS server that hosts this zone. The NS records in a zone list every authoritative server for it; with DNS delegation, a subzone can be hosted on any server, so these records are essential in answering DNS queries. When the named server lies within the zone itself, the NS record must be accompanied by a host (A or AAAA) record for that server, known as a glue record, so that resolvers can find the server's IP address. Along with the SOA record for the zone, these records define the servers that have been delegated the hosting of the zone.

New Mail Exchanger Record (MX): A Mail Exchanger record designates the host name and preference value for a mail server, or exchanger, for this zone, as defined in RFC 974. An MX record requires a name and a priority value (an integer). Exchangers with lower values are tried first when delivery is attempted. You can set the TTL for this record to an override value.

New Service Record (SRV): Service records define services that are available within the zone, such as LDAP, and are specified in RFC 2782. A Service record requires a name by which the service is known within Adonis, and the options in the following table. You can set the TTL for this record to an override value.

Option: Description
Priority: The lowest value has the greatest precedence; clients try all targets of the lowest priority before moving to the next. This is an integer.
Port: The port on which the service is available.
Weight: Shares load among targets that have the same priority. A client picks one of the equal-priority targets at random, with probability proportional to its weight, so a target with a higher weight is selected more often; the selection is made by the client, not by the name server. This is an integer.


New Pointer Record (PTR): Pointer records are used to resolve IP addresses to FQDNs. They can be thought of as the opposite of a host record. Within an in-addr.arpa zone, PTR records associate an IP address with a DNS name. For more information, see Reverse DNS on page 123.

New Text Record (TXT): Text records can be used to associate arbitrary text with a host name. They include Name and Text fields and carry data such as the Sender Policy Framework (SPF) policies used for email validation. You can set the TTL for this record to an override value.

New Naming Authority Record (NAPTR): NAPTR records are used to specify settings for applications such as VoIP. They are used in Adonis to populate ENUM zones. For more information, see ENUM and VoIP on page 123.

New Custom Resource Record: Creates custom resource records of the types listed in the following section.

Custom Resource Records


To use the following DNS record types, you must create a new custom Resource Record. To do this, select the relevant DNS zone in the tree-view pane, and then click New Custom Resource Record.

DNAME: Creates an alias for an entire subtree of the DNS name space. This type of record differs from a CNAME record, which maps only a single node of the name space.

HINFO: Specifies the type of CPU and operating system of the host. Application protocols such as FTP can use this information for special procedures when communicating with computers of a known CPU and operating system type. Because anyone who can query the zone can read it, this is the same kind of profiling information that hiding the server version is meant to withhold; avoid publishing HINFO records in externally visible zones.

ISDN: Maps a domain name to an ISDN (Integrated Services Digital Network) telephone number. The ISDN phone number or DDI (Direct Dial In) should follow the pattern shown in this example: 12125551234, where 1 = United States (country code), 212 = New York City area code, and 5551234 = phone number. The ISDN sub-address is an optional decimal number.

RP: Specifies the mailbox of the person responsible for individual domain names contained within the zone. To specify the mailbox, replace the @ symbol in the email address with a period.

RT: Indicates an intermediate host that provides routing to the domain name (host) of the record. This information can be used by computers not directly connected to the Internet or to any Wide Area Network. If you are using multiple intermediate routing hosts, a preference value sets the priority: lower values have a higher priority and are tried first. For each intermediate host, a corresponding host (A) address resource record is required in the current zone.


Resource Record Fields


Each type of Resource Record presents a different New dialog box (for example, the New Host dialog box looks different from the New Mail Exchanger dialog box), but they share many common fields. These fields appear in all New Record dialog boxes:

Name: Type the name you want to use for the record you are creating.
Provide Name: If you want the record name to be the same as the zone, click the down arrow, and then select Same as Zone from the drop-down list.
Time to Live (TTL): This is automatically set to default. To change the TTL, double-click inside the field, and then type a different value.
Comment: Type additional information about the record in this field.

These fields appear in some of the New Record dialog boxes, depending on the type of record you are creating:

Address: Type the IP address of the host, or click the down arrow, and then click the (...) button. Use the Select Host or View dialog box to select the appropriate server. This field appears in the New Host and New Quad-A dialog boxes.
Data: In Custom records, this field holds any other information required by the type of resource record that you are creating. For instance, if you chose to add a Mail Group (MG) record, use this field to record the email addresses of the persons in the group.
Flags: Flags control the rewriting and interpretation of records and are usually single alphanumeric characters (A-Z and 0-9). This field appears in the New NAPTR dialog box.
Host: This field appears in the Alias, Mail, Name Server, Pointer, and Service dialog boxes. Type the name of the host, or click the down arrow, and then click the (...) button. From the drop-down list select Link to Another, and then select a host from the Select Host or View dialog box.
Maintain Reverse Lookup Record: This checkbox appears in the New Host and New Quad-A dialog boxes. It controls whether or not reverse pointers are maintained on this server for the record you are creating. In most cases, you can leave this option selected.
Order: Specifies the order in which records must be processed to represent the ordered list of rules. Ordering runs from the lowest value to the highest. This field appears in the New NAPTR dialog box.
Port: Type the number of the port on which the service runs. This field appears in the New Service dialog box.
Preference: Specifies the order in which records that have equal Order values should be processed. Ordering runs from the lowest value to the highest. This field appears in the New NAPTR dialog box.
Priority: Type a value that corresponds to the target that you specified in the Host field. Lower numbers have a higher priority when client machines search for a host offering a given service. This field appears in the Service and Mail Exchanger dialog boxes.
Provide Address: If you select this, you can type the host's IP address in the Address field, or click the down arrow, and then select Link to Another.
Regular Expression: A substitution expression used to construct the next domain name to look up. This field appears in the New NAPTR dialog box.
Replacement: The next domain name to look up, depending on the value of the Flags field. This field appears in the New NAPTR dialog box.
Services: A character string that specifies the service parameters that apply to a particular delegation path. This field appears in the New NAPTR dialog box.
Type: This field appears in the New Other dialog box. For more information, see Custom Resource Records on page 102.
Text: Shows descriptive text. This field appears in the New Text dialog box.
Weight: This value controls how load is shared among the targets of a service that runs on multiple servers with the same priority. It accepts values between 0 and 65535. Clients select targets at random in proportion to their weights, so higher values are used more often than lower values. A weight of 0 means the target is selected only rarely when other targets at the same priority have non-zero weights; if all targets have weight 0, clients choose among them arbitrarily. This field appears in the New Service dialog box.
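As an added example (not Adonis or BIND code), the following Python shows how a client consumes the Priority and Weight fields described in the SRV table above and under Weight in the field list, following the target selection procedure in RFC 2782: lowest priority first, and within equal priority a weighted random choice in which weight-0 targets are picked only when the random number comes out as 0. The SRV lines and host names are constructed for the illustration.

```python
import random
from collections import defaultdict

# Added example (not Adonis code): client-side SRV target ordering per RFC 2782.
# The record values below are illustrative.

def parse_srv_rrset(text):
    """Parse zone-file lines such as
    '_ldap._tcp.example.com. 3600 IN SRV 10 60 389 ldap1.example.com.'
    into (priority, weight, port, target) tuples; other lines are ignored."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        prio, weight, port, target = fields[i + 1:i + 5]
        records.append((int(prio), int(weight), int(port), target))
    return records

def order_srv_targets(records, rng=None):
    """Return the records in the order a client should try them: ascending
    priority, and within one priority the weighted random order of RFC 2782."""
    rng = rng or random.Random()
    ordered = []
    groups = defaultdict(list)
    for rec in records:
        groups[rec[0]].append(rec)
    for priority in sorted(groups):
        remaining = list(groups[priority])
        while remaining:
            # RFC 2782: put weight-0 records first, the rest in any order, then pick
            # the first record whose running weight sum reaches a random number in
            # [0, total].  A weight-0 record is therefore chosen only when that
            # number is 0 (or when every remaining record has weight 0).
            zeros = [r for r in remaining if r[1] == 0]
            others = [r for r in remaining if r[1] != 0]
            rng.shuffle(others)
            candidates = zeros + others
            total = sum(r[1] for r in candidates)
            pick = rng.randint(0, total)
            running = 0
            for rec in candidates:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec)
            remaining.remove(rec)
    return ordered

def first_choice_counts(records, trials, seed=1):
    """How often each target is tried first over many selections (seeded, so the
    result is reproducible)."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        counts[order_srv_targets(records, rng)[0][3]] += 1
    return dict(counts)
```

first_choice_counts() is the quickest way to see the effect of the Weight field on a record set you are about to publish: targets with priority 20 never appear as first choice while a priority-10 target is listed, and two priority-10 targets with weights 75 and 25 are chosen first in roughly a 3:1 ratio.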

Managing Servers and Zones


DNS is hierarchical: a domain or namespace may contain sub-domains, and a domain may contain several zones. A zone contains all the hosts that fall into a single namespace. You can set up zones for the servers in your project file. You can work on only one project file at a time within the Management Console. However, one project file may contain multiple servers, each with domains and zones. Internal DNS provides name resolution of internal resources (for example, file servers) to internal clients. It also lets internal clients reach external resources on the Internet, either by accepting recursive queries from them and performing name resolution on the Internet on their behalf, or by forwarding those queries to caching-only servers. External DNS provides authoritative responses to external queries about public resources (for example, web sites). External DNS is set up on servers that are usually configured in a master-slave architecture. For security reasons, these servers should be configured to answer only queries for zones for which they are authoritative, with recursion turned off: an Internet-facing server that also recurses for arbitrary clients is an open resolver, which exposes its cache to poisoning attempts and can be abused to amplify traffic against third parties.

Authoritative DNS and Delegation


Every DNS zone has one or more servers listed as being authoritative for that zone. This means that the final word on the DNS information for that zone resides on the master server where the zone is maintained. This authority is defined in two important ways. The SOA record for a zone lists the master server for the zone using its DNS name rather than its IP address, so that network changes do not break DNS services. SOA records are discussed in Defining the Start of Authority for a Zone on page 113. The NS, or name server, records in the zone list all of the authoritative servers for the zone, whether master or slave. These also refer to the DNS name of the server; the name must be that of a host with an address record, not a CNAME alias. When the named server lies inside the zone, the NS record is accompanied by a special host record called a glue record that supplies the IP address of the name server. Adonis manages these NS and glue records during most operations within the Management Console. However, some editing may require that these records be re-established in order to maintain DNS functionality on the servers involved.

Adding Zones
You can add the following zone types:
Master Zones (see Adding a Master Zone on page 105)
Slave Zones (see Adding a Slave Zone on page 106)
Cache Zones (see Adding a Cache Zone on page 108)
Forwarding Zones (see Adding a Forwarding Zone on page 109)
Stub Zones (see Adding a Stub Zone on page 110)
Delegation Only Zones (see Adding a Delegation Only Zone on page 110)


Adding a Master Zone


A master zone is a zone for which this server holds the authoritative zone file. DNS information for a master zone is edited on, and read from, the server's local file system. Whenever the zone file changes, the master notifies its slave servers and answers their requests to transfer the zone. In this context the term master refers to the fact that this server is the authoritative source of information about the zone. There are two types of master zone mapping, forward and reverse. A forward master zone defines the zone characteristics and the IP addresses used by the hosts and services within the zone; it matches queries containing domain names to the IP addresses that they represent. A reverse master zone matches IP addresses to the host names that represent them.

To add a forward master zone:


1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Master Zone. The New Master Zone dialog box appears.

2 In the Name field type the name of the zone, and then click OK.
To apply a template to the new zone, select the Apply Template checkbox. This checkbox and the associated drop-down list are inactive until you create at least one zone template.

To add a reverse master zone:


1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Master Zone. The New Master Zone dialog box appears.

2 From the Zone Type drop-down list, select Reverse Zone.

To apply a template to the new zone, select the Apply Template checkbox. This checkbox and the associated drop-down list are inactive until you create at least one zone template.

3 Specify the zone parameters using one of these options:
By Address Type
in-addr.arpa notation
4 If you choose By Address Type, select one of the following classes from the Size Type drop-down list:
Class A
Class B
Class C
Class C (subnet)
If you select Class C (subnet), you must also indicate the Zone Format, Start Offset, Size, and Separator. These describe a classless (sub-/24) reverse zone of the kind defined in RFC 2317.
5 Complete the Partial Address field, and then click OK.
6 If you choose in-addr.arpa notation, type the zone address, and then click OK.

Adding a Slave Zone


A slave zone obtains its data from a master zone through DNS zone transfers, and it answers authoritatively for that zone just as the master does. Zone data on a slave server expires if the slave cannot refresh it from the master within the expiry interval set in the SOA record, so the slave remains authoritative only while its copy of the zone has not expired.


To add a slave zone:


1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Slave Zone. The New Slave Zone dialog box appears.
2 Specify the zone name using one of these options:
Choose Master: Use this option if the master zone that this slave mirrors resides within the same Adonis configuration (which it should). Click the field for this option to display the Select Master Zone dialog box and select a zone to associate with the slave zone.
Provide Master: Use this option if the master zone does not reside within the same Adonis configuration and a remote server is being referenced. Enter a zone name in the Name field and the IP address of the server containing the master zone in the IP Address field.
3 Modify the allow transfer and notify options on the master to include this slave. Limit allow transfer to the addresses of your slaves rather than permitting transfers from any host; a zone transfer hands the complete contents of the zone to whoever requests it.

Master Zone Dependencies


Slave zones are dependencies of the master zone. In a large network that includes many slave servers you can view all the dependencies simultaneously from the tree-view pane.

To view zone dependencies:


1 In the tree-view pane, right-click the master zone, and then select Show Dependencies from the context menu. The Zone Dependencies dialog box appears.
2 Scroll through the list until you find the dependency you want to examine, and then double-click it. In the tree-view pane, the server object that contains this dependency expands to show you the location of the slave zone.
3 To see the master zone, right-click the dependency, and then select Go To Master Zone from the context menu.

Authoritative DNS Options


These options are used on authoritative DNS servers that host master or slave zones. Options for DNS objects are set on their Deployment Options tabs. For more information, see Zone Transfer Options on page 116.

additional-from-auth/additional-from-cache: These options control whether the server fills in the additional section of a reply, and follows out-of-zone CNAME and DNAME references, using data from its other authoritative zones (additional-from-auth) or from its cache (additional-from-cache). When both are set to yes (the default) and a query is answered from authoritative data, the additional data section of the reply is completed using data from other authoritative zones and from the cache. Setting them to no limits the server to the zone it is answering from, which is desirable on an authoritative-only server where the correctness of cached data cannot be relied on, for instance where slave zones may be added or modified by third parties. They are intended for use in authoritative-only servers or authoritative-only views: an attempt to set either to no without also setting recursion to no causes the server to ignore the option and log a warning message. Note that additional-from-cache no also disables the cache for looking up the answer itself, so the server can no longer give upward referrals for names outside its zones and responds to such queries with REFUSED. These options are used at the service and views levels.

auth-nxdomain: If this option is set to yes, the server sets the authoritative answer bit on every nxdomain (domain does not exist) response, even when it is not authoritative for the name. If it is set to no, the bit is set on nxdomain responses only when the server is actually authoritative.

Recursive DNS
Recursive DNS is necessary for answering queries for names outside the zones for which the DNS server is authoritative. A query can be passed automatically to another name server through a forwarder or stub zone, but the term recursive DNS usually refers to a non-authoritative DNS server taking responsibility for resolving a query on the client's behalf. Such a caching DNS server issues iterative queries to the required DNS servers in turn, starting at the root zone, then a top-level domain server, and so on, until it has a final answer for the client or resolver. This section describes the zone types and DNS options related to recursive DNS.

Adding a Cache Zone


A cache zone (it corresponds to the root hints in a BIND configuration) tells the server where to start recursive resolution and holds the temporary DNS entries that are derived from recursive queries. For this reason, the Allow Recursion option must be set to Yes for the view in which the cache zone appears. Custom root servers can be specified for a cache zone so that recursive queries never leave an organization's network, for example on an isolated network that runs its own internal root. This option is often used to maintain organizational security.

To use this option, select the Use Custom Root Servers checkbox.
When you provide new zone information, the new zone appears beneath the name of the view or zone in the tree-view pane of the Management Console.

Caching DNS Options


These are DNS options that apply to DNS caching servers. They are generally set at the service level.

Allow Recursion: This option can be set to yes, no, or default. It configures whether the server performs recursive queries. This option is used at the service and views levels. In order for the server to actually respond to recursive queries, you must also create a cache zone or a forwarding zone.

Configure Recursion: This option defines a match list of IP addresses allowed to issue recursive queries to the server (allow-recursion in BIND terms). If the answer to the query already exists in the cache, it is returned. If not specified, all hosts are allowed to make recursive queries, which turns an Internet-reachable server into an open resolver; restrict the list to your own address ranges. This option may only be specified at the service level.

Match Recursive Only: This option is set either to yes or no. If set to yes, the view matches only recursive queries. This option is used at the views level.

max-cache-size: This option defines the maximum amount of memory, in bytes, that the server uses for its cache. This option is used at the service and views levels.

max-cache-ttl: This option defines the upper limit, in seconds, of the Time to Live (TTL) for cached records. The default setting is 604800 seconds (one week). This option is used at the service and views levels.

max-ncache-ttl: This option limits the TTL, in seconds, for cached negative records. The default setting is 10800 seconds (three hours). This option is used at the service and views levels.

root-delegation-only: This option enables the enforcement of delegation-only in TLD and root zones, with an optional exclude list. This option is used at the service level.

Sort List: This creates a list of IP addresses that the server uses to sort the results of a name lookup. If a query returns multiple addresses, the server orders them according to the sort list, so that addresses close to the querying client are listed first. This option is used at the service and views levels.

cleaning-interval: This is the interval, in minutes, at which the server checks for, and removes, expired resource records from the cache (default is 60 minutes). This option is used at the service and views levels.

lame-ttl: This option specifies the time, in seconds, for which the server avoids requesting data from a remote server that is listed as authoritative but does not answer authoritatively. The default value for this option is 600 seconds. This option is used at the service level.
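As an added example (not Adonis code), the following Python evaluates a BIND address match list the way named does for allow-recursion, allow-transfer and a view's match-clients: elements are tested in order, the first one that matches decides, a negated element denies, and no match at all also denies. It serves the Configure Recursion option above, the Exclude option in the DNS options dialogs, and the split-horizon view selection described under BIND Views at the start of this chapter. The addresses and the ACL name corp are constructed, and the mapping of the Exclude checkbox to a negated (leading !) element in named.conf is an assumption about how the Management Console emits its configuration.

```python
import ipaddress

# Added example (not Adonis code): first-match evaluation of a BIND address match
# list, as named applies it to allow-recursion, allow-transfer, allow-query and a
# view's match-clients.  Assumption: the Exclude checkbox in the Management Console
# corresponds to a negated ("!") element in named.conf.  All addresses and the ACL
# name "corp" are illustrative.

class AddressMatchList:
    """elements: strings such as "10.0.0.0/8", "!10.0.5.5", "any", "none", or the
    name of an ACL from the acls dict (optionally negated, e.g. "!corp")."""

    def __init__(self, elements, acls=None):
        acls = acls or {}
        self.elements = []
        for element in elements:
            text = element.strip()
            negated = text.startswith("!")
            if negated:
                text = text[1:].strip()
            if text in ("any", "none"):
                target = text
            elif text in acls:
                target = acls[text]                      # nested named ACL
            else:
                target = ipaddress.ip_network(text, strict=False)
            self.elements.append((negated, target))

    def match(self, address):
        """True: a positive element matched (allow).  False: a negated element
        matched (deny).  None: nothing matched, which BIND also treats as deny."""
        ip = ipaddress.ip_address(address)
        for negated, target in self.elements:
            if isinstance(target, str):
                if target == "none":
                    continue                             # "none" matches nothing
                hit = True                               # "any"
            elif isinstance(target, AddressMatchList):
                inner = target.match(address)
                if inner is None:
                    continue                             # nested list did not match
                return inner != negated                  # its verdict, flipped if negated
            else:
                hit = ip.version == target.version and ip in target
            if hit:
                return not negated
        return None

    def allows(self, address):
        return self.match(address) is True


def select_view(views, client):
    """views: ordered (name, match-clients) pairs.  named uses the first view whose
    match-clients list matches the client; None means no view matched."""
    for name, clients in views:
        if clients.allows(client):
            return name
    return None
```

The shadowed list in the test below shows the ordering pitfall: when the subnet is listed before the excluded address, the exclusion never takes effect, because the subnet entry already matched. After using Move Up and Move Down in the Add and Edit dialog boxes, check that every excluded address precedes the network that contains it.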

Adding a Forwarding Zone


A forwarding zone is used as a shortcut to zones for which the name servers are not authoritative, but that clients may access frequently. Forwarders are useful security tools: internal DNS servers can use forwarding zones to send requests for external resources to a designated server that performs recursive queries, so only that server needs to be allowed to send DNS traffic to the Internet.

To add a forwarding zone:


1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Forwarding Zone. The New Forwarding Zone dialog box appears.
2 Specify the zone name using one of these options:
Choose Master: Use this option if the master zone resides on an Adonis appliance. Click the field to the right of this option to open the Select Master Zone dialog box and select a zone.
Provide Master: Use this option if the master zone does not reside on an Adonis appliance, or if you are referencing a remote server. Type the Name and IP Address of the master zone in the available fields.

Forwarding zones require recursion to be enabled. You must set the Allow Recursion option for the view or DNS service to Yes. Two DNS options apply directly to forwarders.

Forwarding: This is a list of the IP addresses of servers that are designated as forwarders. Off-site queries requiring recursive resolution are sent to these forwarders, which helps to manage traffic on your network efficiently. The addresses are listed in order of preference. This option is used at all levels.

Forwarding Mode: This option indicates whether requests are sent only to the forwarders (forward only: if the forwarders do not answer, the query fails), or are sent to the forwarders first and, if not answered, resolved by this server itself (forward first). This option is used at the DNS service level.

Adding a Stub Zone


A stub zone is useful for managing the delegation of sub-domains, as it keeps a dynamic link between the parent and the delegated child domains: the server periodically fetches the child zone's NS records (and glue) from the master, so it always knows which servers currently host the child zone. Stub zones are often used to reference Windows Primary Domain Controllers in an Active Directory-based network. Adonis uses the name servers learned this way as if their records already existed in its cache. If that fails to resolve the query, it is answered using a standard recursive query.

To add a stub zone:


1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Stub Zone. The New Stub Zone dialog box appears.
2 Specify the zone name using one of these options:
Choose Master: Use this option if the master zone resides on an Adonis appliance. Click the field to the right of this option to open the Select Master Zone dialog box and select a zone.
Provide Master: Use this option if the master zone does not reside on an Adonis appliance, or if you are referencing a remote server. Type the Name and IP Address of the master zone in the available fields.

Adding a Delegation Only Zone


Queries to a delegation only zone return only a referral, or delegation, to the servers of a child zone. Any answer that would come from the zone's own data without such a delegation (for example, a wildcard that resolves every unregistered name) is treated as if the name did not exist. Apply this only to infrastructure zones such as top-level domains, never to zones that contain real host data.


To add a delegation only zone:


1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Delegation Only Zone. The New Delegation Only Zone dialog box appears.

2 Type the zone name in the Name field, and then click OK.

Working with Zones


Adonis has several different kinds of operations for working with zones:
rename
refresh
delete
disable

Renaming Zones
To rename a zone:
1 In the tree-view pane, right-click the zone that you want to rename, and then select Rename from the context menu. The Rename Zone dialog box opens.
2 Type the new name in the Zone Name field.
3 To allow Adonis to update all the resource records within this zone to reflect the change, select the Rename all sub-zones checkbox.
4 Click OK. The dialog box closes and the new name displays in the tree-view pane.

Refreshing Zones
If you are using DDNS to update master DNS zones automatically (for example, to keep up to date with your DHCP service), the changes take place on the Adonis server but are not reflected in the Management Console until you refresh the zone from the server.


To refresh a zone from the server:


1 Click Refresh from Server. The Refresh Master Zone dialog box appears.
2 Type the server password.
3 Click OK. This updates the entries in the Management Console.
After you have refreshed a zone, the connection to the server stays open. If you need to refresh the same zone again, or another zone, click Refresh from Server.

Deleting Zones
To delete a zone:
1 In the tree-view pane, right-click the zone that you want to delete, and then select Delete from the context menu.
If you accidentally delete a zone, from the Edit menu, select Undo. This function can be used to step back through multiple changes in the console.

Disabling Zones
You can create live configurations and serve DNS data only for zones that are fully prepared (for example, all web, email, and database servers are online and ready for production). When you disable a zone, Adonis automatically disables all resource records associated with that zone. For more information, see Editing and Deleting Resource Records on page 121.

To disable a zone:
1 In the tree-view pane of the Management Console, right-click the zone you want to disable.
2 Select Disable Zone from the context menu. The zone is now disabled.
To enable a disabled zone, right-click the zone and then select Enable Zone.

Setting Zone Options


When you set up zones, the Management Console automatically enters a series of substatements and settings into your project file. These configuration settings represent the default settings for BIND, but you can change them to suit your needs.


To set the options for a zone:


1 In the tree-view pane of the Management Console, double-click the server that you want to work with. A list of the server's views and zones appears.
2 Click the zone you want to edit, and then click the Options tab in the detail pane of the Management Console. A list of options and settings appears.

3 To change a setting, double-click the option. An option-specific dialog box opens. For some options, you must clear the Use default checkbox before the other controls in the dialog box become active.
4 Make the necessary changes using Add, Edit, Remove, Move Up, and Move Down. Additional dialog boxes may open, depending on the option you select.
For most options, the Add and Edit dialog boxes have an Exclude checkbox, which marks the address or subnet as one that must not match. You can therefore add an entire subnet and exclude individual IP addresses from it. For options that BIND treats as address match lists (Allow Transfer and Allow Update among them), entries are evaluated in order and the first matching entry decides, so an excluded address must be listed above the subnet that contains it; use Move Up and Move Down to order the list.

5 Click OK.

Defining the Start of Authority for a Zone


The SOA resource record for a zone identifies the primary master name server that is authoritative for the zone. Together with the name server and glue records for the zone, this is used to control where a zone is hosted. The SOA records contain important settings for refreshing the data in the zone. They also provide general information, including contact information for the zone.


To set the start of authority for a master zone:


1 In the tree-view pane, right-click a view. From the context menu select Set Master Zones SOA. The Set Master Zones SOA dialog box appears.

2 Clear the Default Settings checkbox, and then type new values in the fields you want to change:
Primary Server: the name of the primary master name server for the zone.
Contact e-mail: the zone administrator's e-mail address.
Serial #: a number that identifies the version of the zone data. Slaves transfer the zone only when the master's serial number is higher than the one they hold.
The serial number is set to auto because Adonis uses its own algorithm to determine the correct value; you cannot change it.

Refresh Interval: how often, in seconds, slaves for the zone check the master to make sure their copy of the zone data is up to date. The default is 10800 seconds (three hours).
Retry Interval: how long, in seconds, slaves wait before trying the master again when a refresh attempt has failed. The default is 3600 seconds (one hour).
Expiry Time: the time, in seconds, after which slaves that have been unable to reach the master stop answering for the zone, because their copy of the resource records is considered too old to be useful. The default is 604800 seconds (one week). Choose this value together with Refresh and Retry: it must be longer than Refresh plus Retry, or a single failed refresh cycle can take the zone off line on the slaves.
Minimum TTL: originally the minimum TTL for records in the zone; BIND 8.2 and later (RFC 2308) use it as the negative-caching TTL, the time in seconds that resolvers remember that a name does not exist. The default is 86400 seconds (one day).
Default TTL: the TTL, in seconds, applied to records in the zone that do not carry their own TTL. It governs how long caching resolvers keep those records before querying again, so lower it ahead of a planned address change. The default is 3600 seconds (one hour).
3 Select the time values you want to use from the drop-down lists, and then click OK.
4 To see your edited values, click a master zone, and then select its Start of Authority tab.
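The relationships between these timers matter more than any single value, and the dialog does not check them. The following Python is added here as an example and is not part of Adonis: it encodes the RFC 1912 consistency rules for the SOA timers and reports the propagation delays each value implies, so an operator can test a proposed set before saving it. The dialog defaults above are used as the sample input; the class and function names are the example's own.

```python
from dataclasses import dataclass

UINT32_MAX = 2**32 - 1


@dataclass(frozen=True)
class SoaTimers:
    """The timer fields of an SOA record, in seconds (RFC 1035 section 3.3.13)."""
    refresh: int       # how often a slave checks the master's serial
    retry: int         # how long a slave waits to retry after a failed refresh
    expire: int        # how long a slave keeps serving the zone without reaching the master
    minimum: int       # negative-caching TTL (RFC 2308); "Minimum TTL" in the dialog
    default_ttl: int   # $TTL applied to records that carry no explicit TTL


# The dialog's documented defaults, used here as constructed sample input.
ADONIS_DEFAULTS = SoaTimers(refresh=10800, retry=3600, expire=604800,
                            minimum=86400, default_ttl=3600)


def check_soa(t: SoaTimers) -> list:
    """Return human-readable findings; an empty list means the timers are consistent.

    The rules follow RFC 1912 section 2.2 and the way BIND slaves use the fields.
    """
    findings = []
    for name, value in vars(t).items():
        if not 0 <= value <= UINT32_MAX:
            findings.append(f"{name} must be an unsigned 32-bit value")
    if t.retry >= t.refresh:
        findings.append("retry should be shorter than refresh; a failed check is "
                        "otherwise retried no sooner than a normal one")
    if t.expire <= t.refresh + t.retry:
        findings.append("expire must exceed refresh + retry, or one failed refresh "
                        "cycle can make slaves drop the zone")
    if t.expire < 7 * 86400:
        findings.append("expire under one week gives little time to repair a master "
                        "before slaves stop answering (RFC 1912 suggests 2 to 4 weeks)")
    if t.minimum > t.expire:
        findings.append("minimum (negative-caching TTL) exceeds expire")
    return findings


def propagation_bounds(t: SoaTimers) -> dict:
    """Worst-case delays an operator should know before changing the timers."""
    return {
        # With NOTIFY disabled, a slave only learns of a change at its next refresh.
        "change_reaches_slaves_without_notify": t.refresh,
        # A slave whose refresh failed tries again after this long.
        "first_retry_after_failed_refresh": t.refresh + t.retry,
        # Resolvers may keep old answers this long after the slaves update.
        "cached_answers_after_update": t.default_ttl,
        # Slaves keep serving the zone this long after the master disappears.
        "served_after_master_unreachable": t.expire,
    }
```

Running check_soa on the defaults returns no findings; swapping Refresh and Retry, or setting Expiry Time below Refresh plus Retry, produces the corresponding warning.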


To modify the SOA records for a zone:


1 Click the zone that contains the SOA you want to modify, and then click the Start of Authority tab in the details pane.

2 To modify a setting, click the field you want to edit. A dialog box opens for you to make the changes.
3 Type a new value, and then select a time value from the drop-down list.
4 To return a setting to its default value, select the Use Default Setting checkbox.
5 Click OK.

Zone Templates
Adonis supports the use of zone templates for creating zones. A template is a generic zone whose records and configuration settings can be applied to a new or existing zone. Records in the template are added to each linked zone, as are the configuration settings. Records added to the template are propagated to each linked zone whenever they change in the template. Configuration settings, in contrast, are copied when the zone is first updated from the template; later changes to the template's settings are not propagated. Manually editing a record or setting in a zone linked to a template breaks the link for that record or setting only: it keeps its edited value and no longer follows the template, while the rest of the zone still does.

To create a zone template:


1 Right-click the Zone Template icon of any view in the tree-view pane of the Management Console, and then select New Master Zone Template.
2 Set up the options for the zone template the same way that you would for a regular zone.

To apply a zone template:


1 Select the Apply Template checkbox in the New Master Zone dialog box when you are creating a new master zone.
or
2 In the tree-view pane of the Management Console, highlight an existing zone.
3 In the detail pane, click the Template tab.
4 Click the Link To: field. The Select Zone Template dialog box opens.
5 Select a template from the list, and then click OK.

To unlink a zone template:
1 In the tree-view pane of the Management Console, highlight the zone you want to unlink.
2 In the detail pane, click the Template tab.
3 Click the Link To: field. The Select Zone Template dialog box opens.
4 Select the Unlink zone from template option, and then click OK.

Zone Transfer Options


These options control the way in which the DNS service manages zone transfers, and the transfers themselves.

Access Controls
These options control whether transfers take place, and which servers are notified of changes to master zones.
Allow Transfer: prevents zone transfers from Adonis to any IP addresses except those specified in the option. As a zone option, it restricts transfers of one particular zone. As a server option, it restricts all zone transfers and is set by default to allow only your slave servers to transfer zones (you can expand this list). The list for a particular zone overrides the list for the corresponding server. Keep the list as short as possible: a full zone transfer hands whoever obtains it an inventory of every host in the zone. This option is used at all levels.
notify: controls whether the primary master sends DNS NOTIFY messages to the slaves immediately after the zone changes, prompting them to check the serial number and transfer the zone without waiting for the refresh interval. The default setting is yes, which avoids lengthy propagation times. This option is used at all levels.
Notify List: a list of IP addresses that receive NOTIFY messages from the primary master immediately after the zone is updated, in addition to the servers named in the zone's NS records. For servers, the default list includes the IP addresses of all name servers that you have set up within the Management Console. This option is used at all levels.


Transfer Controls
These options control the time limits, format, number of connections, and dial-up behaviour associated with zone transfers.
max-transfer-idle-in: applies to a server receiving zones as a slave. It is the maximum time in minutes that an inbound zone transfer may make no progress before it is terminated. The default for both servers and zones is 60 minutes. This option is used at all levels.
max-transfer-idle-out: applies to a server serving zones as a master. It is the maximum time in minutes that an outbound zone transfer may make no progress before it is terminated. The default for both servers and zones is 60 minutes. This option is used at all levels.
max-transfer-time-in: the maximum time in minutes allowed for a single inbound zone transfer from a master, after which the transfer is terminated. The default for both servers and zones is 120 minutes. This option is used at all levels.
max-transfer-time-out: the maximum time in minutes allowed for a single outbound zone transfer to a slave server. The default for both servers and zones is 120 minutes. This option is used at all levels.
transfer-format: controls whether zone transfers from the master to the slaves use one-answer, which carries only one resource record in each DNS message, or many-answers, which packs as many resource records as possible into each DNS message. The default setting is many-answers; use one-answer only for old slave implementations that cannot parse the many-answers format. This option is used at the service and view levels.
transfers-in: limits the total number of inbound zone transfers from all remote servers that the local name server runs at any one time. The default is 10 transfers. Increasing this setting may speed up the convergence of slave zones, but it also increases the load on the local system. This option is used at the service level.
transfers-out: limits the total number of concurrent outbound zone transfers to all remote servers. The default is 10. This option is used at the service level.
transfers-per-ns: used by slave servers, this option limits the number of inbound zone transfers that this server requests from any single remote name server at one time. The default is 10 transfers. This option is used at the service level.
dialup: marks whether zone transfers are treated as crossing a dial-on-demand link, in which case the server concentrates zone maintenance (refresh queries and NOTIFY messages) into the heartbeat interval. For servers, this option applies to all of the server's zones; the setting for a particular zone overrides the setting for the corresponding server. The default for both servers and zones is no. This option is used at all levels.
heartbeat-interval: the interval in minutes at which the name server brings up its dial-on-demand connection for all zones marked as dialup. The default is 60 minutes. This is a service-level option.

Managing Resource Records


You can use the Resource Records toolbar to add resource records to the zones in your project file. The following tools are useful for adding new records.
In addition to using the Resource Records toolbar, you can right-click a blank area on the Resource Records tab, select New on the context menu, and then select the type of resource record you want to create.


Adding Resource Records


Adonis supports two ways of creating resource records in bulk:
New Auto Generate Resource Record: creates the records as a single line in the Management Console.
Generate Records Incrementally: creates all of the host and pointer records individually in the Management Console.
You can use either tool to create Host, Alias, Pointer, or Name Server records. Each method performs a similar function, but there are distinct differences:
New Auto Generate Resource Record uses the BIND $GENERATE control statement to create a single line in the zone file. This line expands, on the server, into a series of records that differ by a numerical iterator: for example, workstation1, workstation2.
Generate Records Incrementally creates every record in the zone individually, so that each one is visible in the Management Console and on the appliance.

Auto-Generating Resource Records


Automatic generation of resource records creates a single host entry in the project file. When synchronized, Adonis creates the actual records on the server.
This tool does not create Host PTR records in the corresponding reverse zone.

To create auto-generated resource records:


1 In the tree-view pane of the Management Console, click the zone for which you want to create auto-generated resource records.
2 Click New Auto Generate Resource Record on the Resource Records toolbar. The New Auto Generate Record dialog box opens.

3 In the Start and End fields, type the values to start and stop numbering your records.
4 In the Step field, type the increment that you want to use between iterations.
5 In the Name field, type the name for your auto-generated records. Type the dollar symbol ($) as a place-holder for the generated number. For example, if the Start value is 5, the End value is 25, the Step value is 5, and the Name value is mytest$, Adonis auto-generates the following records:
mytest5
mytest10
mytest15
mytest20
mytest25
6 From the Type list, select a type of record (Alias, Host, Name Server, or Pointer).
7 In the Host field, type the IP address for the first auto-generated record, using $ as the place-holder for the auto-generated integer (for this example, 172.16.0.$). This produces the following addresses:
172.16.0.5
172.16.0.10
172.16.0.15
172.16.0.20
172.16.0.25
8 Click OK. The auto-generated record appears in the detail pane of the Management Console. The individual records are created on the appliance when you deploy the project file and it synchronizes with the server.

Generating Records Incrementally


This tool creates the resource records in the zone so that they are visible in the Management Console and on the appliance.
This tool creates Host PTR records by default in the appropriate reverse zone files. You can choose not to create the PTR records if you prefer. The tool does not re-create records that already exist.

To generate records incrementally:


1 In the tree-view pane of the Management Console, click the zone for which you want to generate incremental records.
2 On the Resource Records toolbar, click Generate Records Incrementally. The Generate Records Incrementally dialog box opens.

3 In the Start and End fields, type a value for the start and end numbers of your records.
4 In the Step field, type the increment that you want to use between iterations. For example, type 1 to step up one at a time.
5 In the Name field, type a name for your incremental records. Type the dollar symbol ($) as a place-holder for the generated number. For example, if the Start value is 5, the End value is 25, the Step is 5, and the Name is mytest$, Adonis generates the following incremental records:
mytest5
mytest10
mytest15
mytest20
mytest25
6 From the Type list, select a type of record (Alias, Host, Name Server, or Pointer).
7 In the Host field, type the name or IP address of the host with which the records are to be associated: for Alias, Name Server, and Pointer records type the host name; for Host records type the host IP address.
To create and maintain reverse address pointers for host records, select the Add reverse entries checkbox. This checkbox is not active until you select Host as the record type.

8 To prevent a record from being created if one already exists, select the Prevent duplicate records checkbox.
9 Click OK. The list of incremental records appears in the detail pane.
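Both tools above expand the same kind of range. The Python below is an added example, not Adonis code: it expands a Start/End/Step range with $ placeholders into the records the tools would create, writes the equivalent BIND $GENERATE line that the auto-generate tool stores, and builds the matching PTR records for the Add reverse entries case while checking that every generated address is valid and lies inside the reverse zone's network. Neither the dialog nor $GENERATE performs that check: a pattern such as 172.16.0.$ with an End of 300 is accepted as text but does not produce addresses. The zone name example.com and the 172.16.0.0/24 reverse zone are assumptions made for the sample.

```python
import ipaddress

# Constructed sample matching the guide's walk-through (Start 5, End 25, Step 5,
# Name mytest$, Host 172.16.0.$). The zone and network below are assumed values.
ZONE = "example.com."
REVERSE_NETWORK = ipaddress.ip_network("172.16.0.0/24")


def expand_range(start, end, step, name_pattern, host_pattern):
    """Expand an Adonis-style range with BIND $GENERATE semantics into
    (owner, host) pairs. '$' in either pattern is replaced by the iterator
    value; end is inclusive."""
    if step <= 0 or start > end:
        raise ValueError("start must not exceed end and step must be positive")
    if "$" not in name_pattern:
        raise ValueError("the name needs a '$' placeholder, or every record shares one owner")
    return [(name_pattern.replace("$", str(i)), host_pattern.replace("$", str(i)))
            for i in range(start, end + 1, step)]


def build_records(pairs, zone=ZONE, network=REVERSE_NETWORK, add_reverse=True, ttl=3600):
    """Turn (owner, address) pairs into A records plus the matching PTR records.

    Every generated address is validated: it must parse as an IPv4 address and
    fall inside the reverse zone's network, otherwise the PTR would belong to a
    zone this server does not hold. Returns (forward_records, reverse_records).
    """
    forward, reverse = [], []
    for owner, host in pairs:
        try:
            addr = ipaddress.IPv4Address(host)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"{owner}: generated address {host!r} is not valid") from exc
        if addr not in network:
            raise ValueError(f"{owner}: {addr} is outside {network}; no reverse zone for it")
        fqdn = f"{owner}.{zone}"
        forward.append(f"{fqdn} {ttl} IN A {addr}")
        if add_reverse:
            # reverse_pointer gives "5.0.16.172.in-addr.arpa" for 172.16.0.5
            reverse.append(f"{addr.reverse_pointer}. {ttl} IN PTR {fqdn}")
    return forward, reverse


def generate_statement(start, end, step, name_pattern, host_pattern, rtype="A"):
    """The single $GENERATE line the auto-generate tool writes instead of
    individual records (BIND syntax; '$' is the iterator in both fields)."""
    return f"$GENERATE {start}-{end}/{step} {name_pattern} {rtype} {host_pattern}"


if __name__ == "__main__":
    pairs = expand_range(5, 25, 5, "mytest$", "172.16.0.$")
    fwd, rev = build_records(pairs)
    print(generate_statement(5, 25, 5, "mytest$", "172.16.0.$"))
    print("\n".join(fwd + rev))
```

The reverse records are what Generate Records Incrementally adds when Add reverse entries is selected; the $GENERATE line is what the auto-generate tool stores, which is why that tool cannot populate the reverse zone on its own.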


Editing and Deleting Resource Records


To edit or delete resource records:
1 In the tree-view pane of the Management Console, click the zone containing the resource record that you want to edit or delete. The detail pane lists all of the resource records for the selected zone.
2 To edit a resource record, double-click it, and then make changes in the dialog box that appears.
3 To delete a resource record, do one of the following:
right-click the record, and then select Delete from the context menu
select the record, open the Edit menu, and then select Delete
select the record, and then press the Delete key on your keyboard
If you delete a resource record accidentally, click Undo. Alternatively, on the Edit menu, select Undo.

Disabling Resource Records


You can disable resource records to hide them or make them unavailable to queries.

To disable a resource record:


1 In the tree-view pane of the Management Console, click the name of the zone containing the resource record that you want to disable.
2 In the detail pane, right-click the name of the resource record, and then select Disable Resource Record(s) from the context menu.
You can also disable several resource records at the same time. Hold down the Control key while selecting the resource records you want to disable, right-click them, and then select Disable Resource Record(s).
To enable a disabled resource record, click the zone containing it, right-click the resource record, and then select Enable Resource Record(s).


Chapter 7

Advanced DNS

Adonis has advanced DNS capabilities that can support complicated network topologies. This chapter includes the following topics:
Reverse DNS on page 123 discusses reverse DNS as an integral part of modern dynamic networks.
Dynamic DNS on page 128 explains how Dynamic DNS can update reverse DNS zones with information about dynamic network clients.
Integrating Active Directory on page 130 contains information about integrating Microsoft Active Directory (AD) with Adonis.
Checking the Data on page 132 discusses the tools available to check the integrity and efficiency of the DNS data in a project file.
Transaction Signatures on page 140 introduces Transaction Signatures (TSIG), which authenticate DNS messages with a shared secret and an HMAC rather than with certificates. TSIG enables trusted transfers and modifications of DNS information, including DDNS updates from DHCP servers. Adonis appliances use TSIG to protect all transfers between them.
DNS Queries on page 144 describes how Adonis can control access for DNS queries and deliver a customized response using DNS Views. Query logging capabilities also provide in-depth DNS tracking and auditing.
DNS and IPv6 on page 151 describes how to use DNS in an IPv6 environment with Adonis.

Reverse DNS
Reverse DNS translates IP addresses into DNS names. It is a critical component of dynamic networks: mail servers, logging, and host-name based access checks all depend on mapping an address back to a name. The zones used to store this information contain special records (for example, PTR and NAPTR records) that provide reverse DNS information for a given address. Microsoft Active Directory relies on reverse DNS, and ENUM reverse zones provide the DNS functionality needed for VoIP packet-based telephony. Reverse DNS is often populated using DDNS in conjunction with a DHCP server. For more information, see Dynamic DNS on page 128. Some ISPs delegate the responsibility for maintaining reverse DNS to their clients. For more information, see Delegating Subnets on page 126.

ENUM and VoIP


VoIP technology provides the framework to evolve the telephone from a simple two-way voice communication device to a network-attached node with many capabilities. VoIP devices are addressed in more than one way. A URI string provides custom forward locator references for these devices, as defined in the Dynamic Delegation Discovery System (RFC 3401). Reverse DNS is used to discover the relevant information for a device based on its phone number alone, and NAPTR records are used to represent this information.
ENUM zones (e164.arpa zones, RFC 3761) provide this VoIP functionality within a DNS server. ENUM zones contain special sub-zones called prefixes that represent telephone exchanges and can contain the records for the actual devices. Within a prefix, only the last four digits of the phone number, the part after the exchange, are entered for the record; the structure of the zones and prefixes supplies the exchange and area code for the number.
Provisioning a VoIP service requires many systems, including DNS to manage the phone numbers associated with client end points. Adonis uses a reverse DNS zone to create the ENUM structure for each desired area code. This reverse zone is populated with sub-zones that represent all of the required telephone exchanges. Finally, NAPTR records are added to represent the individual VoIP devices.
The naming convention for the ENUM and prefix zones reverses the digits and places a dot between each one. Thus, for the phone number 1-416-555-1212, the ENUM zone is 6.1.4.1 and the prefix zone is 5.5.5. This could also be represented with a 1 zone for the country code and a 6.1.4 ENUM zone beneath it, depending on your requirements. When you add the ENUM zone, a reverse master zone is added with the button highlighted for the in-addr.arpa notation option. The following figure shows an ENUM zone within the Management Console.


To add a NAPTR record:


1 On the Resource Records tab, click New NAPTR Record. The New NAPTR dialog box appears.

2 Type information in the following fields:
Name: the name for the record.
Order: the order in which NAPTR records are processed. The record with the lowest order is tried first; records with a higher order are considered only if no lower-order record applies.
Preference: the order in which NAPTR records with the same order are processed. It functions like the preference field in an MX record.
Flags: single characters 0-9 and a-z that control how the record's fields are rewritten and interpreted; for ENUM, the flag u marks a record whose regular expression yields the final URI. Because different replacements and interpretations can be required when using NAPTR records, these flags dictate behaviours for the VoIP application.
Service: the service that this NAPTR record offers, for example E2U+sip. The available service types are listed in the IANA ENUM service registry. A client matches the services it supports against this field.
Regular Expression: a substitution expression of the form !pattern!replacement!, applied to the telephone number to produce a URI, as described in the Dynamic Delegation Discovery System (RFC 3401 and RFC 3403).
Replacement: a domain name to look up next, used instead of a regular expression. A record must carry either a regular expression or a replacement, never both; returning both is an error.
TTL: the standard Time To Live value for this record.
Comment: any comments that should be associated with this record.
3 Click OK.
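As an added example that is not part of Adonis, the Python below does what an ENUM-aware client does with the zone described above: it converts an E.164 number to its e164.arpa owner name, splits it into the ENUM zone, prefix zone and record label the way the guide's 1-416-555-1212 walk-through does, and then selects and applies the NAPTR record a client would use, honouring Order and Preference and rejecting a record that carries both a Regular Expression and a Replacement. The NAPTR records, the pbx.example.net and example.net names are constructed sample data; the function names are the example's own.

```python
import re

ENUM_SUFFIX = "e164.arpa"  # the public ENUM tree (RFC 3761); a private tree can be substituted


def _digits(e164_number):
    digits = re.sub(r"\D", "", e164_number)
    if not digits:
        raise ValueError(f"no digits in {e164_number!r}")
    return digits


def enum_owner_name(e164_number, suffix=ENUM_SUFFIX):
    """Map an E.164 number to its ENUM owner name: digits reversed, dot-separated."""
    return ".".join(reversed(_digits(e164_number))) + "." + suffix


def split_enum_zones(e164_number, area_digits=4, exchange_digits=3):
    """Split a number the way the guide lays out ENUM zones: country code plus
    area code form the ENUM zone, the exchange forms the prefix sub-zone, and the
    remaining digits form the record label inside the prefix."""
    d = _digits(e164_number)
    rev = lambda s: ".".join(reversed(s))
    cut = area_digits + exchange_digits
    return rev(d[:area_digits]), rev(d[area_digits:cut]), rev(d[cut:])


def apply_naptr_regexp(regexp_field, key):
    """Apply a NAPTR Regular Expression field (RFC 3402: delimiter, pattern,
    delimiter, replacement, delimiter, flags) to the key. Returns None when the
    pattern does not match. Escaped delimiters inside the pattern are not handled."""
    if not regexp_field:
        return None
    delim = regexp_field[0]
    parts = regexp_field[1:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"malformed NAPTR regexp {regexp_field!r}")
    pattern, replacement, flags = parts
    match = re.search(pattern, key, re.IGNORECASE if "i" in flags else 0)
    return match.expand(replacement) if match else None


def select_naptr(records, e164_number, service):
    """Return the URI an ENUM client derives for `service` (for example E2U+sip):
    candidates are tried by ascending Order, then ascending Preference."""
    candidates = [r for r in records if r["service"].lower() == service.lower()]
    for rec in sorted(candidates, key=lambda r: (r["order"], r["preference"])):
        if rec["regexp"] and rec["replacement"] not in ("", "."):
            raise ValueError("NAPTR record carries both a regexp and a replacement")
        uri = apply_naptr_regexp(rec["regexp"], e164_number)
        if uri is not None:
            return uri
    return None


# Constructed sample records for 2.1.2.1.5.5.5.6.1.4.1.e164.arpa; the pbx.example.net
# and example.net names are invented for this example.
SAMPLE_NAPTRS = [
    {"order": 100, "preference": 10, "flags": "u", "service": "E2U+sip",
     "regexp": r"!^\+1416555(\d{4})$!sip:\1@pbx.example.net!", "replacement": "."},
    {"order": 100, "preference": 20, "flags": "u", "service": "E2U+sip",
     "regexp": r"!^.*$!sip:operator@pbx.example.net!", "replacement": "."},
    {"order": 200, "preference": 10, "flags": "u", "service": "E2U+mailto",
     "regexp": r"!^.*$!mailto:voicemail@example.net!", "replacement": "."},
]
```

For +1 416 555 1212 the first SIP record wins on preference and rewrites the number into sip:1212@pbx.example.net; a client asking for a service no record offers gets nothing back, which is the behaviour to expect when the Service field is mistyped in the dialog.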


Delegating Subnets
The Subnet Delegation Wizard enables the management of a block of addresses for delegation to another reverse DNS server. This is useful, for example, where an ISP wants to delegate management of an organization's reverse DNS resolution to that organization. The ISP delegates a block of addresses and the organization maintains all of the PTR records for the subnet. When DNS changes occur, they can be managed by the organization instead of the ISP. This feature also enables organizations to manage their own DNS architecture and security. For more information, see Adding a Master Zone on page 105.

To create a reverse zone that can have addresses delegated to it:


1 In the tree-view pane, right-click the object under which you want to create the zone.
2 Select New Master Zone, specify a reverse zone in the drop-down box, and then click OK.
3 Right-click the new zone and choose Subnet Delegation Wizard. Click Next. The Delegated Address Space dialog box appears.

4 Specify the offset from the beginning of the zone for the subnet that is delegated, choose the CIDR notation to indicate the proper size for the subnet, select a separator, and then click Next.

5 Click Add, and then type the name server address in the New Delegate dialog box.

6 Click Next, and then click Finish. On the Resource Records tab, Adonis adds an auto-generated Alias record and Name Server records.

The subnet is now delegated.
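The Alias and Name Server records the wizard adds follow the classless in-addr.arpa delegation scheme of RFC 2317, which is the standard way to delegate less than a /24 of reverse space (that the wizard's output matches RFC 2317 exactly is an assumption made here). The Python below is an added example, not Adonis code: given the parent /24, the offset, the CIDR size and the separator chosen in step 4, it emits the child zone name, the NS records for the delegate's servers, the per-address CNAME records, and the single $GENERATE line that produces those CNAMEs. The 172.16.0.0/24 network and the customer.example name servers are constructed sample values.

```python
import ipaddress


def classless_delegation(parent_network, offset, prefix_len, nameservers,
                         separator="/", ttl=3600):
    """Build the RFC 2317 records that delegate part of a /24 reverse zone.

    parent_network: the /24 the reverse zone covers, e.g. "172.16.0.0/24".
    offset:         first address of the delegated block, counted from the start
                    of the /24 (the wizard's offset from the beginning of the zone).
    prefix_len:     CIDR length of the delegated block, 25..31.
    nameservers:    the delegate's name servers, as absolute names with a trailing dot.
    separator:      character between offset and prefix length in the child zone
                    label, "/" or "-" (the wizard's separator choice).
    Returns a dict with the child zone name and the parent-side records.
    """
    parent = ipaddress.ip_network(parent_network)
    if parent.version != 4 or parent.prefixlen != 24:
        raise ValueError("classless delegation is defined for an IPv4 /24 reverse zone")
    if not 25 <= prefix_len <= 31:
        raise ValueError("delegated block must be smaller than the /24 (prefix 25..31)")
    size = 1 << (32 - prefix_len)
    if offset % size or offset + size > 256:
        raise ValueError(f"offset {offset} is not aligned to a /{prefix_len} block inside the /24")
    if not nameservers:
        raise ValueError("at least one delegate name server is required")

    octets = str(parent.network_address).split(".")
    parent_zone = ".".join(reversed(octets[:3])) + ".in-addr.arpa"   # e.g. 0.16.172.in-addr.arpa
    label = f"{offset}{separator}{prefix_len}"                       # e.g. 64/26
    child_zone = f"{label}.{parent_zone}"

    # NS records hand the child zone to the delegate's servers.
    ns_records = [f"{child_zone}. {ttl} IN NS {ns}" for ns in nameservers]
    # One CNAME per address points the natural PTR name into the delegate's zone,
    # where the delegate publishes the actual PTR records.
    cnames = [f"{i}.{parent_zone}. {ttl} IN CNAME {i}.{child_zone}."
              for i in range(offset, offset + size)]
    # The same CNAMEs as the single $GENERATE line a zone file carries (the wizard's
    # auto-generated Alias record); names are relative to the parent zone's origin.
    generate = f"$GENERATE {offset}-{offset + size - 1} $ CNAME $.{label}"
    return {"child_zone": child_zone, "ns": ns_records, "cnames": cnames, "generate": generate}


if __name__ == "__main__":
    d = classless_delegation("172.16.0.0/24", 64, 26,
                             ["ns1.customer.example.", "ns2.customer.example."])
    print("\n".join(d["ns"] + [d["generate"]]))
```

The alignment check matters: an offset that is not a multiple of the block size (70 for a /26, say) would generate CNAMEs for addresses the delegate was never assigned, and the wizard's separator choice only changes the child zone's label, not which addresses are delegated.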


To edit a delegation:
1 On the Resource Records tab, double-click the Name Server record for the delegated server. The Name Server dialog box appears.

2 Edit the Name and Host information, and then type a TTL and an optional comment.
3 Click OK.

To delete a delegation:
1 On the Resource Records tab, right-click the record for the delegated server. 2 From the context menu select Delete.

Dynamic DNS
Dynamic DNS (DDNS) is the system by which updates to DHCP address assignments are reflected in the DNS records for these hosts. DDNS is an essential part of reverse DNS. It also plays a critical role in Microsoft's Active Directory technology, which locates dynamically configured hosts through DNS, including reverse DNS.
DDNS enables a DNS server to accept updates regarding the IP addresses of dynamic IP or DHCP clients. Every time a dynamic client changes its IP address the DNS server receives an update, and the DNS server associates this IP address with a DNS name for the client. Dynamic data for an address is maintained if the DDNS Updates option is deployed in the DHCP range that contains that address. Any records that are generated dynamically are clearly marked as such in the records for the zone. Dynamic updates are always deployed immediately to the Adonis server where they were generated.
DNS on the internal side often allows dynamic updates to the DNS server. DDNS allows hosts to update zone data dynamically. This makes administration easier, especially with internal DNS, where a large number of internal hosts is commonly represented as records in the DNS database. Dynamic DNS eliminates the need to enter large numbers of records manually: with dynamic updates, authorized users, or the DHCP servers themselves, can add, delete and change records on the fly.
However, DDNS does have the potential to open your network to certain vulnerabilities. In the wrong hands, dynamic updates can allow a user to replace records on an organization's DNS server with bogus information, redirecting traffic for the affected names. As such, dynamic updates should be restricted as much as possible. Best practice dictates that the DHCP servers are the only source of dynamic updates to records on the DNS server, and that those updates are authenticated with TSIG keys on the DHCP server rather than by source address alone. The Allow Dynamic Updates DNS option should be employed to create an access control list (ACL) for each dynamically updated zone. Only addresses (or keys) matched on this list are allowed to send updates to the server for that zone.

Required DNS Options


Before DDNS can function you must configure the following DNS options:
Allow-Update: takes an IP address or block, ACL, key, or Adonis item as data for its match list argument. Only servers or clients matched on the list are allowed to send updates for that zone to the master DNS server hosting it. Prefer key entries over addresses where you can: a source address can be forged, whereas a TSIG key cannot.
This DDNS option can be valuable for integrating Active Directory, but it presents challenges to DNS security.

Allow Update Forwarding: specifies which hosts are allowed to submit DDNS updates to slave zones for forwarding to the master. The default is none, which means that no update forwarding occurs. Specifying values other than none is counterproductive unless Active Directory requires it, because the responsibility for update access control must rest with the master, not the slaves.
Enabling update forwarding on a slave can expose the master to forged updates and thereby to poisoned zone data: the master sees a forwarded update as coming from the slave, which it trusts, so the only check on the original client is the slave's IP address-based access control. This option is used at the service and view levels.
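Allow Transfer, Allow Update and the other list-valued options edited on the Options tab are BIND address match lists, and BIND evaluates a match list in order: the first element that matches decides, a negated element (the Exclude checkbox, which BIND writes as a leading !) denies only if it is reached before a broader entry that allows, and no match denies. The Python below is added here as an example and is not part of Adonis or BIND: it implements those semantics so an operator can test a list against a source address or TSIG key name, and audits a list for the two mistakes the Options tab makes easy, an exclusion placed after the subnet it should carve out and any on a transfer or update list. That the Exclude checkbox maps to BIND's ! negation is an assumption; the sample lists are constructed.

```python
import ipaddress


def parse_match_list(entries):
    """Parse a BIND-style address match list written as strings.

    Accepted forms: "192.0.2.0/24", "192.0.2.13", "2001:db8::/32", "any", "none",
    'key dhcp-update' (matches only messages signed with that TSIG key), and any
    of these prefixed with "!" (the Exclude checkbox: a negated, denying element).
    """
    parsed = []
    for raw in entries:
        item = raw.strip()
        negate = item.startswith("!")
        if negate:
            item = item[1:].strip()
        if item in ("any", "none"):
            parsed.append((negate, item))
        elif item.startswith("key "):
            parsed.append((negate, ("key", item[4:].strip().strip('"'))))
        else:
            parsed.append((negate, ipaddress.ip_network(item, strict=False)))
    return parsed


def matches(match_list, address, key=None):
    """Evaluate like BIND: walk the list in order, the first element that matches
    decides, a matching negated element denies, and no match at all denies."""
    addr = ipaddress.ip_address(address)
    for negate, element in match_list:
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif isinstance(element, tuple):                    # ("key", name)
            hit = key is not None and key == element[1]
        else:                                               # an ip_network
            hit = addr.version == element.version and addr in element
        if hit:
            return not negate
    return False


def audit_match_list(match_list):
    """Flag 'any' grants and exclusions that can never fire because an earlier,
    non-negated entry already allows every address they name."""
    findings = []
    for i, (negate, element) in enumerate(match_list):
        if not negate and element == "any":
            findings.append(f"entry {i}: 'any' allows every source on the network")
        if negate and hasattr(element, "network_address"):
            for earlier_negate, earlier in match_list[:i]:
                if earlier_negate:
                    continue
                shadowed = earlier == "any" or (
                    hasattr(earlier, "network_address")
                    and earlier.version == element.version
                    and element.subnet_of(earlier))
                if shadowed:
                    findings.append(f"entry {i}: exclusion of {element} is unreachable; "
                                    f"move it above the entry that allows {earlier}")
                    break
    return findings


# Constructed sample lists, as an operator might enter them on the Options tab.
WRONG_ORDER = parse_match_list(["192.0.2.0/24", "!192.0.2.13"])   # exclusion never fires
RIGHT_ORDER = parse_match_list(["!192.0.2.13", "192.0.2.0/24"])   # exclusion honoured
KEY_ONLY = parse_match_list(["key dhcp-update"])                  # DDNS: signed updates only
```

With WRONG_ORDER the excluded host is still allowed, because the /24 entry matches first; with KEY_ONLY an unsigned update from any address is refused while an update signed with the dhcp-update key is accepted regardless of its source, which is the Allow-Update posture recommended above.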

Required DHCP Service Options


Before DDNS can function you must configure the following DHCP options in the Advanced Options tab. For more information, see DHCP Client Options on page 165.
Client Updates: indicates whether client updates should be used to maintain DDNS records for this client. If this checkbox is selected when the option is added, the client updates its own DNS record on the server. If the option is added without the checkbox selected, the DHCP server performs the update. This option is required for DDNS.
DDNS Domain Name: the domain name that is appended to this client's hostname to form the FQDN. This is also the name of the zone that is updated with this client's record.
DDNS Updates: indicates whether the server should attempt a DDNS update when the lease is confirmed.

Optional DHCP Service Options


The following DHCP Service options enhance the functionality of DDNS in Adonis:
DDNS Hostname: the hostname that should be used for DDNS updates for this client. If no value is specified, the zone creates a name for the records.
DDNS Reverse Domain Name: the reverse domain name that is appended to this client's hostname to form a reverse record. By default this value is in-addr.arpa, but it can be overridden here.
DDNS TTL: the number of seconds (between 0 and 4,294,967,295) used as the default TTL for DDNS records.


Configuring DDNS
DDNS works by notifying a name server of any changes to a host's IP address. This is useful when you are using DHCP to lease IP addresses dynamically. To set the IP address of the name server to which you want to send updates, type the following command and press Enter, replacing address with the appropriate address:
set name-server address
To view the current address of the DDNS name server, type the following and press Enter:
show name-server
On an XHA cluster, both Adonis nodes should be set to the same name server through their respective consoles.

In network configuration mode you can manage other DDNS settings and the name server. To set the DDNS name server, domain, or search suffix, use the following commands:
set ddns name-server data
set ddns domain data
set ddns search data

where data is the value to populate the name-server, domain, or search setting. To delete these settings, use del instead of set in the command. To display all of the DDNS settings, use show ddns in network configuration mode.

Integrating Active Directory


Microsoft Active Directory is the backbone of the Windows Server architecture, and is centered on the LDAP service. Adonis fully supports Active Directory DNS integration. The Management Console has an Active Directory Wizard to guide you through the process of enabling Active Directory integration on Adonis. For more information, see Active Directory Integration on page 231.
Both the forward and reverse zones for a namespace should be Active Directory-enabled. Active Directory depends upon Host (A), Service (SRV), and Pointer (PTR) records to locate domain controllers and the services they offer.

Enabling Active Directory Support


To enable Active Directory Support you must complete a process in the Management Console for both the forward and reverse zones involved.

To enable Active Directory support:


1 Right-click the zone in which you want to enable Active Directory.
2 From the File menu, select Enable Active Directory. The Active Directory Wizard opens.
3 Click Next. The Add Domain Controllers page appears.

4 To add the IP addresses of each of your Active Directory domain controllers, click Add. The Add Active Domain Controller dialog box opens.

5 Type the IP address of the Active Directory domain controller, and then click OK.
6 Repeat steps 4 and 5 until you have added all the Active Directory domain controllers.
7 Click Next, and then click Finish. Your zone icon changes to red, showing that you have enabled Active Directory.
An ACL is automatically created for your Active Directory domain controller(s). It is also added to the Allow Transfer and Allow Update options, which you can view by clicking the Options tab of the zone. Review those two options after running the wizard, since together they decide which hosts may copy and modify the zone.

Windows Active Directory Synchronization


You must deploy the project file before seeing any integration results.

The Active Directory synchronization procedure may take hours, depending on the replication schedule of your Active Directory domain controllers. To shorten the synchronization time, type the following command at the command prompt on your Active Directory domain controller:
C:\>IPCONFIG /registerdns

After synchronization takes place, _SRV (service records) are displayed in the Active Directory zone in the Management Console. Service records have the following format:



_ldap._tcp.default-first-site-name._sites.dc._msdcs

An alternate synchronization method is to restart the Active Directory service on the Windows servers using the Net stop netlogon and Net start netlogon commands.

Checking the Data


The following topics explain how to check your project file before you deploy it to the appliance, and how to verify the data after the project has been deployed.

Data Check
Before transferring the project file to the appliance, you should perform a data check on the information. This procedure takes a few minutes, but it saves you time in the long run because it allows you to resolve issues in advance. If you have imported a project, this step is strongly recommended. For more information, see Checking the Data on page 91. You can customize data check rules for an Adonis project. For more information, see Modifying File Location Settings on page 88.

Using the DNS Fixup Wizard


The DNS Fixup Wizard can check your project file for errors. You should check the data every time you make a major change to the project. If you are using an imported project, run the DNS Fixup Wizard before you deploy the file.

To check your project files:


1 From the Tools menu, select DNS Fixup. The DNS Fixup Wizard opens.


2 Click Next. The Choose Action page appears.

3 Select one of these options:
Auto Match Resource Records: in an imported project file, synchronizes all records in the zone with any correlated records and creates the required glue records.
Auto Create PTR Records: creates the PTR records required for matching host records in a zone.
Add Delegation Records To Parent Zones: ensures that all required NS records for a given zone exist in the Adonis project.
Delete Orphan PTR Records: deletes PTR records that do not have a matching forward DNS entry.


4 Click Next. The Select Name Server, View, and Zone page appears.

5 Select the server from the Name Server drop-down list.
6 If this server has BIND views implemented, select a view from the View drop-down list.
7 To select the master zone, select the Select Zone checkbox. If this checkbox is clear, all zones for the view in question are selected.
8 Click Select master zone... and then select a zone in the Select Zone dialog box.
9 Click Next. The Inspecting Resource Records For Fixup page appears.

10 After viewing the results, click Next, and then click Finish.
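To make the Fixup checks concrete, here is an added Python example that is not Adonis code: the zone data, host names and addresses are constructed. It performs the same four checks the wizard options describe over a small forward zone and its reverse zone: which PTRs Auto Create PTR Records would add, which PTRs are orphans, which child-zone NS records the parent zone does not delegate to, and which in-bailiwick name servers still need a glue A record.

```python
import ipaddress

# Constructed sample zone data for illustration; not the Adonis project file format.
# Forward zone example.com: owner name -> list of A record addresses.
FORWARD = {
    "www.example.com.": ["192.0.2.10"],
    "mail.example.com.": ["192.0.2.25"],
    "ns1.example.com.": ["192.0.2.53"],
}
# Reverse zone 2.0.192.in-addr.arpa: PTR owner name -> target host name.
REVERSE = {
    "10.2.0.192.in-addr.arpa.": "www.example.com.",
    "99.2.0.192.in-addr.arpa.": "old-host.example.com.",  # no forward record: orphan
}
# NS records as seen in the parent zone (the delegation) and in the child zone itself.
PARENT_NS = {"sub.example.com.": ["ns1.example.com."]}
CHILD_NS = {"sub.example.com.": ["ns1.example.com.", "ns1.sub.example.com."]}


def ptr_owner(ip):
    """Reverse-map owner name for an address, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def missing_ptrs(forward, reverse):
    """PTRs that 'Auto Create PTR Records' would add: one per A record with no PTR."""
    return sorted(
        (ptr_owner(ip), name)
        for name, ips in forward.items()
        for ip in ips
        if ptr_owner(ip) not in reverse
    )


def orphan_ptrs(forward, reverse):
    """PTRs whose target has no A record pointing back at that address
    (what 'Delete Orphan PTR Records' removes)."""
    return sorted(
        owner
        for owner, target in reverse.items()
        if not any(ptr_owner(ip) == owner for ip in forward.get(target, []))
    )


def missing_delegations(parent_ns, child_ns):
    """Child-zone NS records that the parent zone does not delegate to
    ('Add Delegation Records To Parent Zones')."""
    return {
        zone: sorted(set(servers) - set(parent_ns.get(zone, [])))
        for zone, servers in child_ns.items()
        if set(servers) - set(parent_ns.get(zone, []))
    }


def glue_needed(child_ns, forward):
    """Name servers whose names lie inside the delegated zone need a glue A record
    in the parent; report those for which no address record is available."""
    return sorted(
        ns
        for zone, servers in child_ns.items()
        for ns in servers
        if ns.endswith("." + zone) and ns not in forward
    )


if __name__ == "__main__":
    print("PTRs to create:", missing_ptrs(FORWARD, REVERSE))
    print("Orphan PTRs:", orphan_ptrs(FORWARD, REVERSE))
    print("Missing delegation NS:", missing_delegations(PARENT_NS, CHILD_NS))
    print("Glue needed for:", glue_needed(CHILD_NS, FORWARD))
```

Run against a real export, the orphan list is the one to review by hand before deleting anything: a PTR whose forward record lives in a zone you have not loaded looks like an orphan to this check, and to the wizard, alike.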


Live Data Check


After deploying the project file to the appliance, you can use the Live Data Check feature to validate the data in the deployed project file. This also lets you ensure that no one else with access to the project files has inadvertently changed the setup. All of the records are verified live on the network(s) and the Internet.

To perform a Live Data check:


1 From the Tools menu, select Live Data Check. The Live Data Check dialog box opens.

2 From the Name Server drop-down list, select the server that you want to check.
3 From the View drop-down list, select the view that you want to check.
4 Click an option to specify the location from which you want to resolve issues:
Name Server: the name server itself that you previously specified.
Another Server: a different name server with another IP address or host name that you must specify in the available field.
5 If you want recursion, select the Allow recursion checkbox.
6 To perform recursive queries when recursion is not enabled on the server, select the Perform recursive queries when recursion is not available checkbox. The client performs recursive queries when checking data.
7 Select the communication method from the Communication Method list. The options are UDP (Datagram) or TCP (Socket).
8 Click Check.


The data check begins and displays a progress bar to show you the status as it processes the queries. When the data check is complete, the Live Data Check Results dialog box appears.

9 Correct any outstanding errors.
10 When you are finished reviewing the results, click Close.

The Whois Lookup Tool


The Management Console includes a Whois lookup tool that you can use to determine the registration information for any domain name belonging to a public TLD. The Whois lookup tool can also verify whether a domain is available (unregistered).


Using the Whois Tool


To determine domain registration information:
1 In the tree-view pane of the Management Console right-click a domain, and then select Whois Lookup. The Whois Lookup dialog box opens.

2 In the Domain field, type the name of the domain you want to examine, and then click Look Up. A list of results appears in the Whois Lookup dialog box.


3 To select a Whois Server to perform the lookup, click [...]. The Whois Servers List dialog box appears.

4 To add a server to a domain, select the domain, and then click Add. The New Server dialog box opens.

5 Type the FQDN of the server you want to add, select the appropriate server port from the drop-down list, and then click OK.
6 To edit a server, select it, and then click Edit. The Edit Server dialog box opens.

7 Edit the server name or change the server port, and then click OK.
8 To restore default values, click Restore Defaults. The Restore Defaults dialog box opens.


9 Select the appropriate option, and then click OK.

DNS Configuration Statistics


Adonis provides useful statistics to help you manage your network infrastructure. You can generate a statistical summary of your DNS configuration using the Management Console. The following statistics are available as a summary or on a per-server basis:
Total number of name servers hosted on the selected appliance or all appliances
Number of master name servers on the selected appliance or all appliances
Number of slave name servers on the selected appliance or all appliances
Number of hidden name servers on the selected appliance or all appliances
Number of views for name server X
Number of zones for the default view of name server X
Number of master zones for the default view of name server X
Number of slave zones for the default view of name server X
Number of forwarding zones for the default view of name server X
Number of hint zones for the default view of name server X
Number of resource records for zone X in the default view on name server X
Number of ACLs for name server X

To view DNS statistics:


1 Select Tools > DNS Statistics. The DNS Statistics dialog box appears.

2 In the left pane you can select from the following choices:
Summary: view a summary of all servers in the project file.
Server name: view a summary of the statistics for a particular server.
3 In the right pane, scroll through the list to see the details.
4 Click Close.


Transaction Signatures
By default, Adonis uses Transaction Signatures (TSIGs) to authenticate systems such as DHCP servers initiating DDNS updates and other DNS servers participating in zone transfers. When more than one Adonis appliance is deployed on a network, a shared secret TSIG key is configured on both appliances to secure all transfers of DNS information between them. A custom TSIG key can also be configured between the Adonis appliance and another kind of DNS or DHCP (DDNS) server. The DNS service on Adonis computes a hash value to determine if the TSIG key that the other machine is passing with the DNS information is authentic.
TSIG uses a shared secret and a one-way hash function to certify the data source and integrity for every zone transfer or dynamic update. This is much more secure than an ACL, because the data source is more difficult to spoof and the data integrity is also assured. This system works by including a special type of resource record with every transfer. The TSIG resource record contains a special hashed signature and it is never cached by either server. This signature is created through a one-way hash function, ensuring that it accurately represents the original data without revealing the original data. This hash function has two inputs:
the data being transferred
the shared secret key (TSIG)
Thus, the receiving server can ensure that the correct shared secret is present and that the data has not been modified in transit. If either of these conditions fails, the transfer or update is rejected.
Because TSIG is based on a shared secret rather than public key cryptography, there is an issue about transporting the key to all of the servers that need it. Any time that the key is exposed during transfer is an opportunity for it to be compromised. Traditionally, these keys are transported using secure email, SSH, or by courier.
The Management Console handles all of these details on behalf of users, ensuring that keys are securely deployed to the required appliances during project file deployment. When configuring keys to additional servers, alternative methods must be employed. The additional key is securely deployed to Adonis, but must be manually configured on the other server.
The default TSIG configuration set up when the Adonis appliance is deployed should ensure the appropriate level of security for most situations. However, the following situations exist where additional TSIGs besides the defaults may be required:
Adonis acting as a master DNS server for a remote DNS slave server
Adonis acting as a slave to a remote DNS master server
Restricting DDNS updates between two Adonis appliances or Adonis and a remote server
With all three of these types of TSIG implementation situations, the DNS allow transfer option is implemented and the TSIG keys are used to validate the transfer. Because allow transfer accepts a TSIG key as a valid condition to check against, a server presenting the correct TSIG is allowed to perform a transfer of DNS information, whether it be a zone transfer or a DDNS update.
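As an added illustration of what the receiving server checks, the following Python example (not the Adonis or BIND implementation; the key name, secret bytes and message are constructed, and the hashed input is a simplified stand-in for the RFC 8945 wire encoding of the TSIG variables) computes an HMAC over the message with the shared secret, a signing time and a fudge window, and shows that a modified message, an unknown key name, or a stale timestamp is rejected with the corresponding TSIG error code:

```python
import hashlib
import hmac
import struct

# Constructed shared secrets, keyed by TSIG key name. On Adonis the transfer key
# is generated in the Management Console; these bytes are illustrative only.
KEYS = {"adonis-xfer-key.": b"constructed-secret-not-a-real-key"}
ALGORITHM = "hmac-sha256."
FUDGE = 300  # seconds of clock difference tolerated between the two servers


def _mac_input(message, key_name, time_signed, fudge):
    """Bytes that get hashed: the DNS message plus the TSIG variables.
    Simplified: RFC 8945 encodes these variables in DNS wire format; here the
    same ingredients are concatenated without DNS name encoding."""
    return (message + key_name.lower().encode() + ALGORITHM.encode()
            + struct.pack("!QH", time_signed, fudge))


def sign(message, key_name, now):
    """Sender side: the TSIG data attached to a transfer or update message."""
    digest = hmac.new(KEYS[key_name], _mac_input(message, key_name, now, FUDGE),
                      hashlib.sha256).digest()
    return {"key_name": key_name, "time_signed": now, "fudge": FUDGE, "mac": digest}


def verify(message, tsig, now):
    """Receiver side: returns (accepted, rcode) using the TSIG error names."""
    secret = KEYS.get(tsig["key_name"])
    if secret is None:
        return False, "BADKEY"       # unknown key name: no shared secret for it
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"      # outside the fudge window: possible replay
    expected = hmac.new(secret, _mac_input(message, tsig["key_name"],
                                           tsig["time_signed"], tsig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"       # wrong secret, or data modified in transit
    return True, "NOERROR"


# Constructed stand-in for a DNS update message body.
MESSAGE = b"UPDATE example.com. ADD host42.example.com. 300 IN A 192.0.2.42"
NOW = 1_700_000_000


def demo():
    """Exercise the checks the text describes: intact, tampered, wrong key, stale."""
    tsig = sign(MESSAGE, "adonis-xfer-key.", NOW)
    return {
        "intact": verify(MESSAGE, tsig, NOW + 10)[1],
        "tampered": verify(MESSAGE.replace(b"192.0.2.42", b"192.0.2.66"), tsig, NOW + 10)[1],
        "unknown_key": verify(MESSAGE, dict(tsig, key_name="other-key."), NOW + 10)[1],
        "stale": verify(MESSAGE, tsig, NOW + FUDGE + 1)[1],
    }


if __name__ == "__main__":
    for case, rcode in demo().items():
        print(f"{case:12s} {rcode}")
```

Two details carry over to a real deployment: the comparison uses a constant-time check so a forger learns nothing from timing, and the fudge window is why the clocks of the Adonis appliance and the remote server must agree to within a few minutes, otherwise every transfer fails with BADTIME.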

TSIG for Remote Slave DNS


Several steps need to be performed before Adonis can interact using TSIGs with a remote server that is acting as a DNS slave:
The remote server and TSIG keys need to be created in the Management Console.
Server deployment roles need to be created.
The allow transfer and notify options on Adonis and the remote server need to be set up.


To configure TSIGs when using Adonis with a non-Adonis DNS slave server:
1 In the tree-view pane select your master DNS service, and then click the Security tab.

2 Right-click in the Keys section. On the context menu, select New. The New Key dialog box appears.

3 To generate a transfer key, type a name for the new key, click Generate, and then click OK.
If a key is currently in use on the DNS slave, you can type it into this field. Alternatively, you can use the drop-down list to select Link to Another.

4 If you select the Link to Another option from the drop-down list, browse and select the transfer key from the Select key dialog box. The available keys are any TSIGs explicitly configured on another server within the same project file. Click OK.


5 To add a remote (slave) server, right-click the Remote Servers area, and then select New. The New Remote Server dialog box opens.

6 Type the IP address of the remote server, or select Item from the drop-down list.
7 If you selected Item, click [...]. The Select Remote Server dialog box opens.

8 Locate the remote server, select it, and then click OK.
9 In the New Remote Server dialog box, select the key you want to use, and then click OK.
After you have set up TSIG, you must configure the Adonis master server or zone to use the key to authenticate all zone transfers and updates.

To use the key for transfers and updates:


1 In the tree-view pane of the Management Console, select a DNS service node.


2 Select the Options tab, and then double-click the Allow Transfer option. The Allow Transfer dialog box appears.

3 Clear the Use default checkbox, and then click Add. The Add dialog box appears.

4 From the drop-down list, select the key, or the IP address of the slave server that contains the key. Click OK.
5 Double-click the Notify List option, and then add the IP address of the remote slave server.
6 Double-click the notify option, and then select Yes (default).
7 Set up the Allow Transfer option on the remote slave server to permit transfers from the Adonis master.

TSIG for Remote Master DNS


This procedure is similar to the one described for a remote slave DNS. With the TSIG key here, you are probably copying or typing the text string for the key from the remote master server. Adonis needs to have the Allow Transfer option set on the zones that are slaved to the remote master. You need to set the Allow Transfer, notify, and Notify List options on the remote master.

TSIG for Remote DDNS


For DDNS with TSIG to work, a TSIG key must be generated for the Adonis master DNS server. This TSIG key is then configured on the remote DHCP service. It should be noted that if Adonis appliances from the same project are hosting both the DNS and DHCP sides of this transaction, DDNS is protected with TSIG keys by default. For more information, see TSIG for Remote Slave DNS on page 140 for details on using the New key dialog box.


The options described in Dynamic DNS on page 128 should be implemented on both the Adonis DNS master and on the remote DHCP server. If all of the required options are configured and the key is configured, then DDNS updates from the remote DHCP server are protected by TSIG.

Overriding the default TSIG Configuration


To force all zone transfers to use the TSIG key:
1 In the tree-view pane of the Management Console, select the DNS service node.
2 Select the Options tab, and then double-click the Allow Transfer option. The Allow Transfer dialog box appears.
3 Clear the Use default option, and then click Add. The Add dialog box appears.
4 From the left drop-down box, select Key, and then select the key you want to use from the right drop-down box. Click OK.
5 Save the project and deploy it to your server(s).
To force all zone updates for the master server to use the TSIG key, repeat the process above using the Options tab for each required zone.

DNS Queries
This section describes the tools available in Adonis DNS to restrict queries, deliver selective responses, and log all of this on the appliance for later reference.

Using BIND Views


BIND views allow you to configure a single name server to present a different configuration to different user communities. For example, you can run your internal and external DNS on the same server instead of setting up separate sets of name servers. Views can be essential for creating a secure DNS configuration. For example, you can configure a single DNS server in a company to respond differently to different departments' workstations, or you might use a view to serve PCs that have not yet registered their MAC address with the Adonis MAC-based filtering system. This lets you provide secure access to the network for authenticated clients and an authentication portal for non-authenticated clients. Because of the level of security implemented in Adonis, DNS views allow many permutations.

Matching Order
The most important consideration when setting up views is the matching order for the views. Views are matched against an ACL of client addresses. If the client's address matches an ACL entry, then that client is granted access to a view. This process actually grants a client access to the first view that is a match for the client address. Thus, if the first view listed matches any address, all other views are ignored. This could present challenges to the desired view design. Also, if many clients are being matched against a large number of views, processing considerations come into play. When designing the matching order for views, you should ensure that the desired logic is achieved in the client matching, and then adjust the order such that each client is tested against the fewest possible number of view ACLs. Refining the matching order in this way ensures that the system operates as efficiently as possible. Views can be reordered using the up and down buttons in the Management Console. For more information, see Queries and the DNS Service on page 148.


Creating a New View


Use the New View Wizard to add a new view to your project file.

To create a New View:


1 In the tree-view pane of the Management Console, right-click the DNS service to which you want to add a view, and then click New View. The New View Wizard opens.
2 Click Next. The General Information page appears.

3 Type a name for the view and specify a Published Address. This is the address that a client uses to resolve authority records for master and slave zones for this view.


4 Click OK. The Match Clients page appears. Use this screen to add, edit or remove addresses served by this view.

5 On the Match Clients page, click Add. The Add dialog box appears.

6 From the drop-down list, select one of the following options:
IP or Block: select this item to match clients by address.
ACL: select which pre-configured ACL you want to match against.
Item: click [...] to browse to the item within the main Adonis interface that should be matched against.
7 Click OK.
8 To edit an address, click Edit, and then type the information in the Edit dialog box.
9 To remove an address, select it, and then click Remove.
10 To update your project file, click Next, and then Finish.

Managing Access Control Lists


Access Control Lists (ACLs) give you increased authority over who can view and manipulate your network's internal name space. ACLs prevent unauthorized remote servers from transferring zones from your local name servers.
ACLs increase the workload on a name server because the server must compare each query against the ACL.


You can use ACLs while setting server options or zone options. The Management Console makes it easy to create new ACLs for your network, including populating these lists with IP addresses, and then editing them later to satisfy your network's changing requirements. ACLs consist of two elements, the list itself and the IP addresses that make up the list. ACLs are given a name that is used as a unique identifier.

Adding, Editing, and Deleting an ACL


To add an ACL:
1 In the tree-view pane of the Management Console, select the DNS service to which you want to add an ACL.
2 On the ACLs tab, right-click in the list pane, and then click New on the context menu. The New ACL dialog box opens.
ACL names cannot contain spaces. Use an underscore ( _ ) as a separator instead.

3 Type a name in the Name field, and then click Add. The Add dialog box opens.
4 Type the IP address for the ACL, or click the down arrow and then select an Item or ACL from the drop-down list.
5 Click OK. The ACLs appear in the detail pane of the Management Console.

To edit or delete an ACL:


1 In the tree-view pane of the Management Console, click the DNS service that uses the ACL you want to modify.
2 In the detail pane, click the ACLs tab. A list of all ACLs defined for this server appears.
3 To edit an ACL, double-click it. The Edit ACL dialog box opens.


4 Select an IP address, and then click Edit. The Edit dialog box opens.

5 To delete an ACL, right-click it, and then click Delete, or press the Delete key on your keyboard.
If you delete an ACL accidentally, click Undo. Alternatively, you can select Undo from the Edit menu.

Queries and the DNS Service


The following options can be configured on the Adonis DNS service to control the way that the appliance responds to queries.
Allow Query: this option provides a list of the IP addresses of servers or clients that are allowed to send queries to the local server (for server options), or to a specific zone (for zone options). A list for a zone overrides the list for the corresponding server. This option is used at all levels.
Blackhole: this is a list of IP addresses of remote name servers to which your local name server does not respond because they are known to supply incorrect, poorly formatted, old, or even deceptive data. Your server does not query these IP addresses nor accept queries from them. This option is used at the service and views levels.
Match Destination: this option works similarly to the ACL described in Managing Access Control Lists on page 146. However, instead of matching a client making a request, this list represents destination addresses. If this option is used, and the destination address for the query is on this list, then the DNS server resolves the query. This option is used in conjunction with the ACL for views and is used at the views level.
recursive-clients: this option restricts the maximum number of simultaneous recursive clients. It is specified using an unsigned 16-bit integer. This option is used at the service level.
tcp-clients: this option restricts the number of concurrent TCP connections that the server processes. The default is 100 clients. This option is used at the service level.
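The view matching order described under Matching Order and the Allow Query and Blackhole options above combine into one decision per query. The following added Python example (not Adonis or BIND code; the ACL names, networks, views and zone are constructed) models that decision: the blackhole list is consulted first, then the first view whose match-clients list contains the client is chosen, then allow-query is applied with a zone-level list overriding the server-level one. The same views are listed in two orders to show the matching-order pitfall: with the catch-all view first, the internal view is never reached.

```python
import ipaddress

# Constructed named ACLs, in the spirit of the lists managed on the ACLs tab.
ACLS = {
    "internal": ["10.0.0.0/8", "192.168.0.0/16"],
    "any": ["0.0.0.0/0", "::/0"],
    "bad-actors": ["198.51.100.0/24"],
}


def expand(entries):
    """Resolve ACL names (recursively) into address/prefix strings."""
    out = []
    for entry in entries:
        out.extend(expand(ACLS[entry]) if entry in ACLS else [entry])
    return out


def acl_matches(client, entries):
    """True if the client address falls inside any entry of the list."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in expand(entries))


def select_view(client, views):
    """BIND hands the client to the FIRST view whose match-clients list matches."""
    for view in views:
        if acl_matches(client, view["match_clients"]):
            return view["name"]
    return None


def query_decision(client, zone, views, server_allow_query, zone_allow_query, blackhole):
    """Checks in the order the text describes: blackhole, view selection,
    then allow-query, where a zone-level list overrides the server-level one."""
    if acl_matches(client, blackhole):
        return "dropped (blackhole)"
    view = select_view(client, views)
    if view is None:
        return "refused (no matching view)"
    allowed = zone_allow_query.get(zone, server_allow_query)
    if not acl_matches(client, allowed):
        return "refused (allow-query)"
    return f"answered from view {view}"


# The same two views in two orders. With the catch-all first, "internal" is shadowed.
CATCH_ALL_FIRST = [
    {"name": "external", "match_clients": ["any"]},
    {"name": "internal", "match_clients": ["internal"]},
]
SPECIFIC_FIRST = [
    {"name": "internal", "match_clients": ["internal"]},
    {"name": "external", "match_clients": ["any"]},
]
SERVER_ALLOW_QUERY = ["any"]
ZONE_ALLOW_QUERY = {"corp.example.com.": ["internal"]}  # zone list overrides server list
BLACKHOLE = ["bad-actors"]


if __name__ == "__main__":
    for client in ("10.1.2.3", "203.0.113.5", "198.51.100.7"):
        print(client,
              "| catch-all first:", select_view(client, CATCH_ALL_FIRST),
              "| specific first:", select_view(client, SPECIFIC_FIRST),
              "|", query_decision(client, "corp.example.com.", SPECIFIC_FIRST,
                                  SERVER_ALLOW_QUERY, ZONE_ALLOW_QUERY, BLACKHOLE))
```

The efficiency point from Matching Order also falls out of this model: every client walks the view list from the top, so placing the views that match the most clients first, while keeping the specific-before-general rule intact, minimizes the number of ACL comparisons per query.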

Query Logging
Adonis includes a powerful query logging feature that creates detailed DNS logs according to the settings that you specify. Although you must configure query logging in configuration mode, you can view query logs in normal mode.
Query Logging is a powerful feature that can create large logs that require a log management strategy.


Viewing Query Logs


Query logs are divided into channels. Each channel logs a particular category at a particular severity level and then outputs its errors to a log file. For example, you can configure a channel to log critical errors in the query category.
The following command works in normal mode:
To view the current status of querylogging, type show status querylogging, and then press Enter.
The following commands work in configure querylogging mode:
To show a list of the querylogging channels, type show querylogging channels, and then press Enter.
To show detailed information about all querylogging channels, type show querylogging settings, and then press Enter.
To show detailed information about just one querylogging channel, type show querylogging channel=channel_name, and then press Enter, where channel_name is the name of the channel you want to view.
The following commands work in both modes:
To show the current log file for a channel, type show log querylogging channel=channel_name, and then press Enter.
To show a specific log file, type show log querylogging file=file_name, and then press Enter.

Configuring Query Logging


Query logging can be used to record various errors, warnings, notices, and other types of information as the DNS service runs. A log file consists of entries, each of which can be marked with the time, severity, and category. These markings are optional.
You may omit the word querylogging from the query logging commands if you are working in query logging configuration mode.

To access query logging configuration mode, type configure querylogging, and then press Enter.

Adding a Channel
When you create a channel, you must specify a name, a file path, the maximum number of versions of the file to create, a file size, a severity level, and a message category. You must also specify whether the query logging system should mark each entry with its time, severity, and category.

To add a channel:
1 Type add querylogging channel, and then press Enter.
2 Type a channel name. If your name includes spaces, place quotation marks around it, and then press Enter.
3 Type the absolute path for the log file (for example, /var/log/named/mynamed.log), and then press Enter.
4 Type a value that defines the maximum number of log file versions to create (by appending a number to the input file starting with 0). The maximum is 99. Press Enter.
5 Type the number of bytes to allocate to the log file (1024 = 1 kB, 1048576 = 1 MB). Press Enter.
6 Type a value for the severity level, as defined in the following table, and then press Enter.


Severity levels are cascaded, so each severity level includes all the messages from the previous severity levels.

Value   Includes Messages of Severity
1       critical
2       critical, error
3       critical, error, warning
4       critical, error, warning, notice
5       critical, error, warning, notice, info
6       critical, error, warning, notice, info, debug
7       critical, error, warning, notice, info, debug, dynamic

7 To include a time stamp, severity stamp, or category stamp on each message, type 0. To exclude these stamps, type 1. Press Enter.
8 Type a value for a message category, as described in the following table, and then press Enter.
Value   Category       Description
1       database       Name server database messages
2       security       Requests that are approved or denied
3       config         Parsing and processing of the configuration file
4       resolver       Name resolution (including recursive lookups)
5       xfer-in        Details about the zone transfers received by the server
6       xfer-out       Details about the zone transfers sent by the server
7       notify         NOTIFY operations
8       client         Client requests
9       network        Network operations
10      update         DDNS transactions
11      queries        Query transactions
12      dispatch       Incoming packets dispatched to the server modules
13      dnssec         Processing of DNSSEC and TSIG protocols
14      lame-servers   Lame servers, for example, when the NS record for a domain specifies a server that is not authoritative for the domain
15      general        Default category
16      default        Logs values not defined in category statements
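To show what the severity cascade and the category selection mean for the lines a channel ends up writing, here is an added Python example (not Adonis code; the log lines are constructed in the form a BIND channel writes when time, category and severity stamps are all enabled, and the two channel definitions are made up). It parses each stamped line and keeps only those a given channel would record, which is also the shape of a first-pass filter for the log management strategy the text says large query logs require.

```python
import re

# Constructed log lines (time, category and severity stamps present). Not from any appliance.
SAMPLE_LINES = [
    "06-Mar-2008 14:03:21.410 queries: info: client 10.0.0.5#53422: query: www.example.com IN A + (192.0.2.53)",
    "06-Mar-2008 14:03:22.002 security: error: client 203.0.113.9#1025: zone transfer 'example.com/AXFR/IN' denied",
    "06-Mar-2008 14:03:22.500 xfer-out: info: client 10.0.0.53#38211: transfer of 'example.com/IN': AXFR started",
    "06-Mar-2008 14:03:23.100 queries: info: client 10.0.0.5#53422: query: mail.example.com IN MX - (192.0.2.53)",
    "06-Mar-2008 14:03:24.000 update: notice: client 10.0.0.2#1024: updating zone 'example.com/IN': adding an RR at 'host42.example.com' A",
]

# Severity value 1..7 as in the table above: a channel at level N keeps the first N names.
SEVERITIES = ["critical", "error", "warning", "notice", "info", "debug", "dynamic"]
STAMPED = re.compile(r"^(\S+ \S+) (\S+): (\S+): (.*)$")


def parse(line):
    """Split a stamped log line into (time, category, severity, message)."""
    m = STAMPED.match(line)
    if not m:
        raise ValueError(f"unstamped or unrecognised line: {line!r}")
    return m.groups()


def channel_accepts(channel, category, severity):
    """A channel keeps a message when its category is selected and the message
    severity is at or above the channel's level (lower index = more severe)."""
    return category in channel["categories"] and SEVERITIES.index(severity) < channel["severity"]


def filter_log(lines, channel):
    """Return the lines this channel would have written, given a combined log."""
    kept = []
    for line in lines:
        _time, category, severity, _msg = parse(line)
        if channel_accepts(channel, category, severity):
            kept.append(line)
    return kept


# Two constructed channels: security-relevant categories at warning and above,
# and all query traffic at info and above.
SECURITY_CHANNEL = {"name": "sec", "categories": {"security", "xfer-out", "update"}, "severity": 3}
QUERY_CHANNEL = {"name": "qry", "categories": {"queries"}, "severity": 5}


if __name__ == "__main__":
    for ch in (SECURITY_CHANNEL, QUERY_CHANNEL):
        kept = filter_log(SAMPLE_LINES, ch)
        print(f"channel {ch['name']}: {len(kept)} line(s)")
        for line in kept:
            print("  ", line)
```

Note that the zone-transfer denial lands in the security channel while the successful transfer does not, because its info-level line sits below the channel's severity 3; raising that channel to 5 is what it takes to see both.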


Deleting a Channel
To delete a channel:
1 Type del querylogging channel, and then press Enter.
2 Type a channel name. If your name includes spaces, place quotation marks around it. Press Enter.
3 Type the name of the channel you want to delete, and then press Enter.

DNS and IPv6


DNS is necessary in an IPv6 environment because IPv6 addresses are four times longer than IPv4 addresses and are much more difficult to memorize. DNS includes a new type of record, called AAAA (read quad-A), defined in RFC 3596. The quad-A record performs the same name-to-address mapping as an IPv4 A record, but uses IPv6's 128-bit address format. The NS and PTR types of records remain unchanged, except that now they accept IPv6 input.
The A6 record was an alternative format for an IPv6 host record, but it has been moved to experimental status and is no longer used.

AAAA Records
The AAAA record maps a domain name to a 128-bit IPv6 address. The address is presented in eight 16-bit blocks in hexadecimal notation, separated by a colon. For example:
2001:0DB8:0000:0000:0202:B3FF:FE1E:8329
To make the notation simpler, you can delete leading zeros (zeros before any other digit) in a 16-bit block. For example, the block 0202 may be written as simply 202. The next line shows a simplified form of the previous example:
2001:DB8:0:0:202:B3FF:FE1E:8329
To further simplify notation, you can use a double colon to replace single or consecutive blocks with a value of 0. For example, the two blocks between DB8 and 202:
2001:DB8::202:B3FF:FE1E:8329
However, in addresses that contain two or more non-consecutive zero blocks, you can replace only one with the double colon; otherwise the notation is ambiguous. In the following example, the first 0 block is separated from the other two by 56. This means that you can use a double colon to replace either this block or the two consecutive 0 blocks after 56, but not both. For example:
2001:DB8:0:56:0:0:EF12:1234
may be presented as
2001:DB8::56:0:0:EF12:1234
or
2001:DB8:0:56::EF12:1234

To create an IPv6 host record:


1 From the tree-view of the Management Console select or create the master zone in which you want to add the record.


2 Click New Quad-A Record in the toolbar on the Resource Records tab. The New Quad-A dialog box appears.

3 In the Name field, type the host name.
4 In the Address field, type the address using the notation guidelines above.
5 Select the Maintain reverse lookup record checkbox.
If you do not select this checkbox, you must create the reverse lookup pointer record manually; this is very tedious in IPv6.

6 Edit the Time to Live or type a comment (optional).
7 Click OK.

Reverse Lookup
The reverse lookup domain for IPv6 is ip6.arpa. Pointer records are written with the hexadecimal digits of the address in reverse order and separated by a period. For example, the address 4321:0:1:2:3:4:567:89ab might have this pointer record in the ip6.arpa zone:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4
The Management Console usually maintains reverse lookup records automatically.
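The notation rules from AAAA Records and the nibble-reversal rule above are mechanical enough to implement, and doing so is the easiest way to check a hand-typed IPv6 PTR name. The following added Python example (not Adonis code) expands any accepted notation back to eight four-digit blocks, rejects the ambiguous double "::" form, compresses an address following RFC 5952 (the longest run of zero blocks, the first one on a tie, and never a single block, which is stricter than the looser forms the text also allows), and derives the ip6.arpa owner name. The addresses tested are the ones from the text.

```python
def expand_ipv6(addr):
    """Restore all eight four-digit blocks: undo '::' and re-add dropped leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed; two would be ambiguous")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        if len(left) + len(right) > 7:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has eight 16-bit blocks")
    for b in blocks:
        if not 1 <= len(b) <= 4:
            raise ValueError(f"bad block {b!r}")
        int(b, 16)  # raises ValueError for non-hexadecimal characters
    return ":".join(b.zfill(4).lower() for b in blocks)


def is_valid_ipv6(addr):
    """True if expand_ipv6 accepts the notation."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compress_ipv6(addr):
    """Shortest RFC 5952 form: leading zeros dropped, longest zero run (first on a
    tie, at least two blocks long) replaced by '::'."""
    blocks = [b.lstrip("0") or "0" for b in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])


def ip6_arpa_name(addr):
    """Owner name of the PTR record: every hex digit, reversed, dot-separated, under ip6.arpa."""
    nibbles = expand_ipv6(addr).replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for a in ("2001:0DB8:0000:0000:0202:B3FF:FE1E:8329", "2001:DB8:0:56:0:0:EF12:1234",
              "4321:0:1:2:3:4:567:89ab"):
        print(a)
        print("  expanded  ", expand_ipv6(a))
        print("  compressed", compress_ipv6(a))
        print("  PTR owner ", ip6_arpa_name(a))
```

Because the reverse name is built from the fully expanded form, the two equivalent spellings 2001:DB8::56:0:0:EF12:1234 and 2001:DB8:0:56::EF12:1234 produce the same 32-nibble owner name, which is exactly the property a reverse zone depends on.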

To create an IPv6 reverse lookup record manually:


1 Select or create the zone ip6.arpa in the tree-view pane of the Management Console.


2 In the Resource Records toolbar, click New Pointer Record. The New Pointer dialog box opens.

3 In the Name field, type the reverse lookup address in the format described above.
4 In the Host field, type the host name.
5 Optionally, edit the Time to Live or type a comment.
6 Click OK.

NS Records
NS records behave exactly the same in IPv6 as they do in IPv4. The record only needs to contain the name of the server that is authoritative for the zone (for example, ns1 in the example.com zone).

Mixed Environments
Mixed IPv4 and IPv6 environments are fully supported. A single host can have both an IPv4 address and one or more IPv6 addresses. In this case, you can create an A record and one or more AAAA records for the host.


Chapter 8

Adonis DHCP

Adonis DHCP (Dynamic Host Configuration Protocol) securely supports many different types of network clients with advanced network configuration options. This chapter contains topics useful for designing, building, and managing DHCP implementations, even in the largest networks. This chapter is supplemented by white papers available on the BlueCat Networks web site, especially with respect to DHCP VoIP support and integration. This chapter includes the following topics:
Background on page 155 describes the DHCP protocol and its role in the network.
Adonis DHCP Implementation on page 156 describes the implementation specifics of Adonis DHCP. Setting up DHCP services requires an existing DHCP server. To create a DHCP server, see Configuring DHCP on page 89.
on page 172 describes the different kinds of settings tabs for DHCP services.
DHCP Client Options on page 165 describes DHCP client options that can provide advanced configurations to client devices.
DHCP Advanced Options on page 171 explains how DHCP advanced options control the behavior of DHCP clients and servers.

Background
To be a member of a TCP/IP network, a client requires configuration of network settings, including a valid IP address. DHCP automates and centralizes TCP/IP network configuration for client computers. The Adonis appliance can dynamically allocate IP addresses for hosts on your network from a pool of available addresses. New or frequently relocated hosts can automatically acquire an IP address for a limited time period through a process known as leasing. DHCP also delivers parameters such as the default gateway, DNS servers, and many other settings.

DHCP services are available on all Adonis appliances except the Adonis 250. On these appliances, the Adonis DHCP service runs the ISC DHCP server (dhcpd).

A DHCP configuration is organized into groups, shared networks (logical subnets that share the same physical segment), and subnets. DHCP server level configuration includes various client and advanced options. A DHCP server can communicate with a DNS server and a failover peer, and can be configured to accept connections from an OMAPI (Object Management API) client.


Adonis DHCP Implementation

The following features highlight aspects of the Adonis implementation of DHCP.

Management Console: The Management Console allows you to add vendor and custom options, vendor profiles, shared networks, groups, subnets, pools, hosts, classes, subclasses, DNS zones, and relay agents.
Server Level Configurations: DHCP server level configurations include client and advanced options, and OMAPI for querying and modifying remote objects.
DHCP Resource Management: Quickly and easily add relay agents, locations, shared networks, subnets, hosts, classes, subclasses, pools, groups, and zones using the Management Console. Add vendor profiles and support for custom DHCP options.
Advanced DHCP MAC Authentication for Network Access Control: Adonis provides organizations with advanced network access controls for DHCP users. With a customizable web-based DHCP authentication portal, Adonis quarantines all users requesting access to the network while authenticating their access rights against RADIUS, LDAP, Active Directory, or Kerberos. If user authentication is successful, the user is released from quarantine, granted an IP lease, and given access to the network.
DHCP Lease Viewer: View (in tabular and graphical formats) the status, type, lease start and end times, hardware address, and client host name per IP address of each block, without stopping the server, using the Management Console's Lease Viewer.
Data Checker: Resolve IP address or resource allocation conflicts in the configuration before live deployment.
Access Control: Enforce DHCP access control for user management at administrator level, group level, and other user levels.

Adonis DHCP Files

/etc/dhcpd.conf: The file that Adonis generates from the settings made in the Management Console to configure the dhcpd service.
/usr/local/bluecat/subnet.csv: Subnet and pool information used to construct the data shown in the DHCP Lease Viewer.
/var/state/dhcpd.leases: All of the leases that the DHCP service has handed out, with new entries written at the end of the file. It is created automatically when the first lease is issued. Because entries are appended, the last declaration for a given address reflects its current state. To keep the file to a reasonable size, the service periodically moves the current file to dhcpd.leases~ and writes only the most current information to a fresh dhcpd.leases.
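The append-only layout of dhcpd.leases means that a reader must take the last block for each address, not the first. The following is an added example (not code from the Adonis guide or from ISC dhcpd) that does exactly that for a constructed lease file in the documented dhcpd.leases(5) layout and reports the leases currently in force; the agent.circuit-id line is the form dhcpd writes when relay agent options are stored with the lease.

```python
"""Report the lease in force for each address in an ISC dhcpd.leases file.

Added example, not code from the Adonis guide or from ISC dhcpd. It relies only
on the documented dhcpd.leases(5) layout: one "lease <ip> { ... }" block per
event, appended in order, so the LAST block for an address is the current one.
SAMPLE_LEASES is constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LEASES = """\
# Constructed sample in the layout dhcpd writes to /var/state/dhcpd.leases
lease 192.168.10.20 {
  starts 3 2008/05/14 10:00:00;
  ends 3 2008/05/14 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-1";
}
lease 192.168.10.21 {
  starts 3 2008/05/14 10:05:00;
  ends 3 2008/05/14 22:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  option agent.circuit-id 0:0:0:10;
  client-hostname "phone-7";
}
lease 192.168.10.20 {
  starts 3 2008/05/14 11:00:00;
  ends 3 2008/05/14 11:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""


@dataclass
class Lease:
    ip: str
    state: str = "unknown"
    starts: Optional[str] = None      # UTC "YYYY/MM/DD HH:MM:SS" as dhcpd writes it
    ends: Optional[str] = None        # same format, or "never"
    hardware: Optional[str] = None
    hostname: Optional[str] = None
    circuit_id: Optional[str] = None


LEASE_OPEN = re.compile(r"^lease\s+(\S+)\s*\{$")


def parse_leases(text: str) -> Dict[str, Lease]:
    """Return the lease in force per address: a later block replaces an earlier one."""
    current: Dict[str, Lease] = {}
    lease: Optional[Lease] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LEASE_OPEN.match(line)
        if opened:
            lease = Lease(ip=opened.group(1))
            continue
        if lease is None:
            continue                          # top-level statements are not modelled
        if line == "}":
            current[lease.ip] = lease         # newest declaration for this IP wins
            lease = None
            continue
        words = line.rstrip(";").split()
        if words[0] in ("starts", "ends"):
            # "starts 3 2008/05/14 10:00:00": drop the weekday number; "ends never" has no date
            setattr(lease, words[0], " ".join(words[2:]) if len(words) >= 4 else words[-1])
        elif words[:2] == ["binding", "state"]:
            lease.state = words[2]
        elif words[:2] == ["hardware", "ethernet"]:
            lease.hardware = words[2].lower()
        elif words[0] == "client-hostname":
            lease.hostname = " ".join(words[1:]).strip('"')
        elif words[:2] == ["option", "agent.circuit-id"]:
            lease.circuit_id = words[2]
    return current


def active_leases(leases: Dict[str, Lease]) -> List[Lease]:
    """Leases dhcpd currently considers handed out, in address order."""
    active = [lease for lease in leases.values() if lease.state == "active"]
    return sorted(active, key=lambda lease: ipaddress.ip_address(lease.ip))


def leases_for_mac(leases: Dict[str, Lease], mac: str) -> List[Lease]:
    """Every address whose current lease belongs to the given hardware address."""
    return [lease for lease in leases.values() if lease.hardware == mac.lower()]


if __name__ == "__main__":
    for lease in active_leases(parse_leases(SAMPLE_LEASES)):
        print(lease.ip, lease.hardware, lease.hostname, lease.circuit_id, "ends", lease.ends)
```

Run against a copy of /var/state/dhcpd.leases (and of dhcpd.leases~ first, if the rotated file is still needed) to reconstruct who held an address at a given time; the hardware address and circuit ID recorded with a lease are the starting point for tracing a client during an incident.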

Adonis DHCP Services

A new DHCP server can be created using the method detailed in Setting up a New DHCP Server or Service on page 81. All DHCP services use the same wizard for initial setup. When you have created the DHCP service, you can customize it to your requirements, beginning with the information presented on page 172. Setting up DHCP services requires an existing DHCP server; to create a DHCP server, see Configuring DHCP on page 89.


Adding a DHCP Relay Service

Because DHCP traffic is broadcast-based, it does not normally pass through a router. However, placing a DHCP server on every subnet is impractical for many networks. If DHCP clients are located on different subnets from the server, a mechanism is needed to carry the traffic from client to server and back. A DHCP relay agent provides this: it receives the client's broadcast on its own subnet and forwards it to the server as a unicast packet, then returns the server's reply to the client. In Cisco terminology, the DHCP relay mechanism is known as an IP helper address.

Typically, relay agents are configured on router or switch interfaces. The Adonis 1750, 1000, 750, XMB and 500 servers can also perform as relay agents, if required. However, an appliance cannot be both a DHCP server and a relay agent at the same time.

To add a DHCP relay (instead of a DHCP service):

1 In the tree-view pane of the Management Console, right-click the server. From the context menu, select New Service > Relay. The Add DHCP Relay Service dialog box opens.
2 Specify the DHCP relay address, and then click OK.
3 On the General tab in the details pane, select the Append Agent Information checkbox to have the relay agent append an agent information (option 82) field to each DHCP request before forwarding the request to the server.

Option 82
Adonis supports DHCP option 82 (Relay Agent Information, RFC 3046), which lets you see DHCP relay agent information in the Lease Viewer. A router or switch configured to support DHCP relay information (a relay agent) allows communication between a DHCP client and a DHCP server on different subnets. No specific DHCP options are required to configure a relay agent; the benefit of option 82 is that it allows the DHCP server to receive, from a specially configured relay agent, information about where the client's request entered the network.
An Adonis DHCP server that does not have option 82 configured ignores option 82 fields.

You can also use option 82 to limit the number of IP leases handed out to a specific subnet or access circuit. When a DHCP client on a remote subnet issues a DHCPDISCOVER for a new IP address, the relay agent adds a circuit ID (agent.circuit-id) identifying the interface on which the request arrived and forwards the request to the Adonis DHCP server. You can configure a DHCP class on this circuit ID to limit the number of assigned leases. Note that the server trusts whatever the relay inserts, so the limit is only as reliable as the relay: client-facing switch ports should be configured to drop or overwrite any option 82 that a client supplies itself. The Adonis Lease Viewer displays both the Circuit ID and Remote ID parameters for DHCP allocations. For more information, see DHCP Lease Viewer on page 196.


To configure Option 82:

1 Right-click the DHCP Service node.
2 Select New > Class.
3 In the Name field, type the name of the circuit ID (for example, 0:0:0:10).
4 Select the circuit-id class.
5 Select the Conditions tab, right-click in the empty area, and then select New Condition.
6 Select Lease limit. The Lease limit dialog box appears.
7 Type a value for the maximum number of leases for this circuit ID, and then click OK.
8 Right-click in the empty area, and then select New Condition.
9 Select Spawn with. The Select Option dialog box appears.
10 Select agent.circuit-id, and then click OK.
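The class configured above makes the server spawn one subclass per distinct circuit ID and cap the leases each subclass may hold. The following added example (not code from the Adonis guide or from ISC dhcpd) decodes option 82 from a constructed DHCPDISCOVER option field and applies that per-circuit limit, so you can see how the Option 82 section's lease limit behaves for renewals, for a second circuit, and for a request that carries no relay information; the option layouts follow RFC 2132 and RFC 3046.

```python
"""Decode DHCP option 82 and apply a per-circuit-ID lease limit.

Added example, not code from the Adonis guide or from ISC dhcpd. It models what
a class with "spawn with agent.circuit-id" and "lease limit N" makes dhcpd do:
one subclass per distinct circuit ID, each holding at most N leases. Option
layouts follow RFC 2132 (options) and RFC 3046 (option 82; sub-option 1 =
Circuit ID, 2 = Remote ID). Packets, circuit IDs and limits are constructed.
"""
from typing import Dict, Optional, Set, Tuple

OPTION_MESSAGE_TYPE = 53
OPTION_RELAY_AGENT_INFO = 82
OPTION_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
DHCPDISCOVER = 1


def parse_tlvs(data: bytes, stop_at_end: bool) -> Dict[int, bytes]:
    """Parse code/length/value triples. Option 82 sub-options use the same
    layout as top-level options but have no pad (0) or end (255) markers."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPTION_END:
            break
        if stop_at_end and code == 0:         # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for option %d" % code)
        out[code] = out.get(code, b"") + value   # RFC 3396: repeated codes concatenate
        i += 2 + length
    return out


def circuit_id_text(raw: bytes) -> str:
    """Render a circuit ID the way dhcpd prints binary data, e.g. 0:0:0:10."""
    return ":".join("%x" % b for b in raw)


class SpawningClass:
    """Equivalent of: class "per-circuit" { spawn with option agent.circuit-id; lease limit N; }"""

    def __init__(self, lease_limit: int) -> None:
        self.lease_limit = lease_limit
        self.subclasses: Dict[str, Set[str]] = {}   # circuit ID -> IPs currently leased

    def decide(self, circuit_id: str, ip: str) -> bool:
        """True if a client on circuit_id may hold ip; records the lease when granted."""
        held = self.subclasses.setdefault(circuit_id, set())   # spawn on first sight
        if ip in held:
            return True                        # renewal: this lease is already counted
        if len(held) >= self.lease_limit:
            return False                       # limit reached: no lease for a new client
        held.add(ip)
        return True


def process_discover(options: bytes, cls: SpawningClass, offered_ip: str) -> Tuple[Optional[str], bool]:
    """Return (circuit ID or None, whether the lease may be granted)."""
    opts = parse_tlvs(options, stop_at_end=True)
    if opts.get(OPTION_MESSAGE_TYPE) != bytes([DHCPDISCOVER]):
        raise ValueError("not a DHCPDISCOVER")
    if OPTION_RELAY_AGENT_INFO not in opts:
        return None, True      # no relay information: the spawn class does not match
    subs = parse_tlvs(opts[OPTION_RELAY_AGENT_INFO], stop_at_end=False)
    if SUBOPT_CIRCUIT_ID not in subs:
        return None, True
    cid = circuit_id_text(subs[SUBOPT_CIRCUIT_ID])
    return cid, cls.decide(cid, offered_ip)


def build_discover(circuit_id: bytes, remote_id: bytes = b"") -> bytes:
    """Constructed option field (after the magic cookie) as a relay would forward it."""
    subs = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        subs += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return (bytes([OPTION_MESSAGE_TYPE, 1, DHCPDISCOVER])
            + bytes([OPTION_RELAY_AGENT_INFO, len(subs)]) + subs
            + bytes([OPTION_END]))


if __name__ == "__main__":
    per_circuit = SpawningClass(lease_limit=2)
    request = build_discover(b"\x00\x00\x00\x10", b"\xab\xcd")
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        print(ip, process_discover(request, per_circuit, ip))
```

The circuit ID is copied from the relay unchanged, so a request that reaches the server with option 82 but without passing through a trusted relay should be treated as suspect; the limit protects a circuit only when the relay is the sole party able to set that field.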

DHCP Declarations and Scope


A DHCP configuration uses the concept of scope to determine which options control client behavior. Statements can be declared at different scope levels, depending on the clients to which they apply. This allows options to be set at a high level within a configuration and overridden at a more local level. Options and statements applied at the DHCP service level apply to all clients, regardless of the group, subnet, or class in which they are located. Statements and declarations set at lower levels apply only to the clients that fall within the scope of that level. Where an option set locally conflicts with one set at a higher level, the more local option takes precedence. For example, a domain name statement set in a subnet declaration overrides a domain name set at the service or group level.

Some options, such as the OMAPI port, shared secret key information, and failover peer servers, are configured only at the DHCP service level. Client or custom options set at this level are inherited by all declarations at lower levels unless overridden. Vendor profiles are also set at the DHCP service level.
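The following added example (not code from the Adonis guide or from ISC dhcpd) models the scope rule just described on a constructed service > group > subnet > host tree: the most local value wins, everything else is inherited, the service-only statements named above are refused elsewhere, and origin() answers the usual troubleshooting question of which scope gave a client an unexpected value.

```python
"""Resolve the options a client actually receives from nested DHCP scopes.

Added example, not code from the Adonis guide or from ISC dhcpd. It models the
precedence rule described above: the most local scope wins, anything not set
locally is inherited, and the statements the text names as service-only (OMAPI
port, OMAPI shared secret, failover peer) are refused anywhere else. The scope
tree and option values are constructed for the example.
"""
from typing import Dict, List, Optional

LEVELS = ("service", "group", "shared-network", "subnet", "pool", "host")
SERVICE_ONLY = {"omapi_port", "omapi_key", "failover_peer"}


class Scope:
    def __init__(self, name: str, level: str, parent: Optional["Scope"] = None, **options: object) -> None:
        if level not in LEVELS:
            raise ValueError("unknown scope level %r" % level)
        if level != "service" and parent is None:
            raise ValueError("%s %r must be declared inside another scope" % (level, name))
        misplaced = SERVICE_ONLY & set(options)
        if level != "service" and misplaced:
            raise ValueError("%s only valid at the service level" % ", ".join(sorted(misplaced)))
        self.name, self.level, self.parent = name, level, parent
        self.options: Dict[str, object] = dict(options)

    def chain(self) -> List["Scope"]:
        """This scope and its ancestors, most local first."""
        scopes: List["Scope"] = []
        current: Optional["Scope"] = self
        while current is not None:
            scopes.append(current)
            current = current.parent
        return scopes


def effective_options(scope: Scope) -> Dict[str, object]:
    """Merge options from the service outward to `scope`; later (more local) values win."""
    merged: Dict[str, object] = {}
    for s in reversed(scope.chain()):
        merged.update(s.options)
    return merged


def origin(scope: Scope, option: str) -> Optional[str]:
    """Name of the most local scope that sets `option`, or None if nothing does."""
    for s in scope.chain():
        if option in s.options:
            return s.name
    return None


def service_only_rejected(level: str) -> bool:
    """True if declaring a service-only statement at `level` is refused."""
    parent = None if level == "service" else Scope("svc", "service")
    try:
        Scope("probe", level, parent, omapi_port=7911)
    except ValueError:
        return True
    return False


def build_example_tree() -> Scope:
    """Constructed tree: service > group > subnet > host, with one override per level."""
    service = Scope("dhcp-service", "service",
                    domain_name="example.com", domain_name_servers=["192.0.2.53"],
                    omapi_port=7911)
    group = Scope("branch-office", "group", service, ntp_servers=["10.1.0.123"])
    subnet = Scope("10.1.1.0/24", "subnet", group,
                   routers=["10.1.1.1"], domain_name="branch.example.com")
    return Scope("printer-1", "host", subnet, domain_name_servers=["10.1.1.53"])


if __name__ == "__main__":
    host = build_example_tree()
    for name, value in sorted(effective_options(host).items()):
        print("%-20s %-24s from %s" % (name, value, origin(host, name)))
```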

Common Object Types


DHCP contains several different types of objects used in the configuration of a network. These objects include Groups, Shared Networks, Subnets, Pools, Classes, Subclasses, and Reverse DNS Zones. These objects are used to configure the DHCP server, and to configure DHCP clients. This section describes the various object types to show their uses and interactions with each other.

DHCP Groups
You can declare groups to provide a common scope for hosts with the same parameters. At least one group declaration is mandatory for a DHCP service. A group provides a common scope for whatever is declared within it. You can use groups in different ways:
You can declare a group to represent each physical location for an organization.
You can declare a group to provide a common scope for hosts requiring the same network configuration parameters on the same or different subnets.

Declaring Groups
To declare a host group for the DHCP service:
1 In the tree-view pane of the Management Console, right-click the DHCP service, and then select New Group.
2 Type a name for the new group, and then click OK.
3 Select the group in the tree-view pane, and then set the client and advanced options for the group using the tabs in the detail pane.

Subnets
Subnets let you divide the local network into several parts and logically separate it in a way that makes sense and makes packet routing more efficient. A DHCP server needs to know about all network segments, or subnets, so that it can properly respond to address requests on those segments. For each subnet, there must be a subnet declaration on the server, even if the given subnet has no dynamically allocated addresses.

After you have declared a subnet, you can create a range of IP addresses to serve DHCP clients. Exclusion ranges can be set within a single subnet range to reserve addresses for statically-addressed clients. Both client and advanced options can be set at the subnet level.

Declaring Subnets
You can use any name for a subnet, although it is best to use a descriptive name. For example, the name might refer to a department or a location within a building. Address ranges are used to specify the addresses available on this subnet.

To declare a host subnet within the shared network or group:

1 In the tree-view pane of the Management Console, right-click the relevant DHCP service level (below the service itself), and then select New > Subnet.
2 Name the subnet and specify the network in CIDR notation, or by using a network address and subnet mask combination. Click OK.
Classless Inter-Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes (Class A, Class B, or Class C).
3 To specify an address range, right-click the Range section of the General tab of the new subnet, select New Address Range, and then specify the range limits.
4 Click OK.
5 Set the client and advanced options for the subnet using the tabs in the detail pane.
You can copy a row of information from one subnet to another. For example, you can copy a DHCP host entry from one subnet to another.

Shared Networks
Shared networks can be declared when IP subnets share the same physical network. Like a subnet declaration, the shared-network declaration describes a network segment. However, it is used when more than one logical subnet is located on the same physical network segment. This is helpful because all hosts on a shared network receive link-layer broadcasts sent by other hosts. Therefore, hosts that require different DHCP options can still reside on the same segment and communicate using ARP broadcasts, rather than using routed packets. Options set at this level are inherited by all member subnets.


Declaring Shared Networks


To declare a shared network for subnets within the host group:
1 In the tree-view pane of the Management Console, right-click the group, and then select New Shared Network.
2 Type a name for the new shared network, and then click OK.
3 Set the client and advanced options for the shared network.
Shared networks inform the DHCP service that the subnets declared within them are connected to the same network segment.

Pools
You can declare IP address pools at the shared network and subnet levels. These are the pools from which addresses are allocated to clients, and they offer a richer set of configuration options than a plain subnet range: you can configure permit lists and class memberships for pools, so a pool range is often used in place of a subnet range. Pools are also required when using DHCP failover between two servers. At the shared network level, a pool must fall within the range of a subnet previously declared within the same shared network.

Permit Lists
Address allocation within pools can be controlled using permit lists. Permit lists govern whether a client is able to receive a DHCP configuration and address from the pool. You can set allow or deny flags to differentiate between clients based on any of the following criteria:
all clients
dynamic bootp clients
known/unknown clients
known/unknown status
For example, permit lists can be set up so that only clients with host declarations (known clients) receive an IP address, and all others are denied. To configure this, set unknown clients to deny and all other clients to allow. Pools can also be configured to allocate addresses based on whether the client is a bootp client or not.

Declaring Pools
Declaring pools requires you to set the client and advanced options for the pool. For more information, see Required DHCP Service Options on page 129 and Optional DHCP Service Options on page 129.


To declare a pool:
1 In the tree-view pane of the Management Console, right-click the relevant subnet. On the context menu, select New > Pool. The New Pool dialog box opens.
2 Type a name for the new pool, and then specify its address range.
3 Click OK. The new pool appears in the detail pane.
4 To edit the address range, double-click the pool. The Edit Address Range dialog box opens.
5 To add a new address range to the pool, right-click the pool, and then select New Address Range from the context menu. The New Address Range dialog box opens.
6 Type the address range you want to add, and then click OK.
7 On the Flags tab, click the relevant row of the Value column, and then use the drop-down list to select whether to allow or deny each of the following:
All Clients: Determines allocation from the pool to all clients.
Dynamic Bootp Clients: Determines allocation from the pool to any bootp client.
Known Clients: Determines allocation from the pool to any client that has a (known) host declaration.
A client is known if it has a host declaration in any scope, not just the current scope.
Unknown Clients: Determines allocation from the pool to any (unknown) client that has no host declaration.
8 On the Members tab, select the checkbox in the Include column of any relevant class that you created at the DHCP service level.
9 To allow access to the pool to be differentiated by class membership, click the Access column.
10 From the drop-down list, select whether to allow or deny allocation from this pool to any client that is a member of the named class.
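The following added example (not code from the Adonis guide or from ISC dhcpd) evaluates the permit list and class access of a pool, as described in the Permit Lists section and the Flags and Members tabs above, against constructed host declarations spread over several scopes. It encodes the evaluation rule the server applies: a client that matches any deny entry is refused, and when allow entries exist the client must match at least one of them; "known" is decided from host declarations in any scope, not just the pool's own.

```python
"""Decide whether a pool may allocate an address to a client.

Added example, not code from the Adonis guide or from ISC dhcpd. It models the
permit-list evaluation described above: a client is known when a host
declaration with its hardware address exists in ANY scope; each flag (all
clients, dynamic bootp clients, known clients, unknown clients) and each class
can be set to allow or deny; a client matching any deny entry is refused, and
when allow entries exist the client must match at least one. Host declarations,
pools and clients are constructed. Hosts are matched by hardware address only;
the server can also match a host declaration on the client identifier.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set

FLAGS = ("all", "dynamic-bootp", "known", "unknown")
VERDICTS = ("allow", "deny")


@dataclass
class Client:
    mac: str
    bootp: bool = False                              # sent a BOOTP request, not DHCP
    classes: Set[str] = field(default_factory=set)   # classes the client matched


@dataclass
class Pool:
    name: str
    flags: Dict[str, str] = field(default_factory=dict)          # flag -> allow/deny
    class_access: Dict[str, str] = field(default_factory=dict)   # class -> allow/deny


def is_known(mac: str, host_declarations: Dict[str, Set[str]]) -> bool:
    """Known means a host declaration with this hardware address in any scope."""
    mac = mac.lower()
    return any(mac in macs for macs in host_declarations.values())


def permitted(pool: Pool, client: Client, host_declarations: Dict[str, Set[str]]) -> bool:
    for flag, verdict in pool.flags.items():
        if flag not in FLAGS or verdict not in VERDICTS:
            raise ValueError("bad flag rule %s=%s in pool %s" % (flag, verdict, pool.name))
    for cls, verdict in pool.class_access.items():
        if verdict not in VERDICTS:
            raise ValueError("bad class rule %s=%s in pool %s" % (cls, verdict, pool.name))

    known = is_known(client.mac, host_declarations)
    matches = {"all": True, "dynamic-bootp": client.bootp, "known": known, "unknown": not known}
    rules = [(matches[flag], verdict) for flag, verdict in pool.flags.items()]
    rules += [(cls in client.classes, verdict) for cls, verdict in pool.class_access.items()]

    allow_rules = allow_hit = deny_hit = False
    for hit, verdict in rules:
        if verdict == "deny":
            deny_hit = deny_hit or hit
        else:
            allow_rules = True
            allow_hit = allow_hit or hit
    if deny_hit:
        return False                     # any matching deny refuses the client
    return allow_hit or not allow_rules  # with allow rules present, one must match


def eligible_pools(pools: Sequence[Pool], client: Client,
                   host_declarations: Dict[str, Set[str]]) -> List[str]:
    """Names of the pools, in declaration order, that may serve this client."""
    return [pool.name for pool in pools if permitted(pool, client, host_declarations)]


# Constructed host declarations: scope name -> hardware addresses declared there.
HOSTS = {"group-hq": {"aa:bb:cc:dd:ee:ff"}, "subnet-10.1.1.0": {"00:11:22:33:44:55"}}
POOLS = [
    Pool("reserved", flags={"known": "allow", "unknown": "deny"}),
    Pool("guest", flags={"unknown": "allow", "dynamic-bootp": "deny"}),
    Pool("voip", class_access={"voip-phones": "allow"}),
    Pool("open"),
]

if __name__ == "__main__":
    for client in (Client("AA:BB:CC:DD:EE:FF"), Client("00:de:ad:be:ef:00"),
                   Client("00:de:ad:be:ef:01", bootp=True),
                   Client("00:de:ad:be:ef:02", classes={"voip-phones"})):
        print(client.mac, "->", eligible_pools(POOLS, client, HOSTS))
```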

Hosts
Hosts can be declared at the DHCP service, group, shared network, and subnet levels, provided that a host name is never duplicated within a single DHCP service. The host declaration provides a way for a DHCP server to identify a specific DHCP client.

There are three main reasons to use a host declaration:
Assigning a static IP address to a client. This acts like a reservation to ensure that the client gets a specific IP address and no other host can get that address.
Declaring a client as known. A client with a host declaration is considered known, whereas a client without one is considered unknown. This can control the way addresses are handed out when used in conjunction with a permit list.
Assigning specific options to a particular host. For example, a host can be assigned the address of a specific DNS server.

Declaring Hosts
Declaring a host involves selecting the relevant DHCP level. You must provide a name for the host, specify its hardware address, and the type of interface in use (Ethernet, Token Ring, or FDDI). You can also specify a fixed IP address and add a comment if you want to. For more information, see Required DHCP Service Options on page 129, Optional DHCP Service Options on page 129, and Declaring Classes on page 176.

To declare a host:
1 In the tree-view pane of the Management Console, select the relevant DHCP service, group, shared network, or subnet for the host declaration.
2 Click the Hosts tab in the detail pane.
3 Right-click in the detail pane, and then select New from the context menu. The New Host dialog box appears.
4 Type a name in the Host Name field, and then type the 48-bit hardware (MAC) address, in hexadecimal, in the Hardware field.
5 Select the appropriate type of interface (Ethernet, Token Ring, or FDDI) from the drop-down list, and then click OK. The new host name and MAC address appear in the detail pane of the Management Console.

6 In the detail pane, double-click the new host. The Edit Host Details dialog box appears.
7 On the General tab, you can specify the DDNS Host Name and the Site Option Space (if any). The DDNS Host Name parameter lets you set a different host name for dynamic DNS; by default, DHCP uses the host name supplied by the client computer when it updates dynamic DNS. The Site Option Space parameter specifies an option space for option codes above 128, which are intended for site-specific uses but are sometimes used by vendors of embedded hardware that contains DHCP clients.
8 On the Flags tab, you can set each of the following parameters to allow, deny, or ignore:
booting: Determines whether the DHCP server responds to queries from the client. If it is denied, the client cannot get an address from this DHCP server. Booting is allowed by default.
bootp: Determines whether the DHCP server responds to bootp queries. Bootp queries are allowed by default.
client-updates: Determines whether the DHCP server honors the client's intention to update its own A record. It is only relevant when doing interim DNS updates. Updates are allowed by default.
declines: Determines whether the DHCP server honors DHCPDECLINE messages. If set to deny or ignore in a scope, the DHCP server does not act on DHCPDECLINE messages from that scope. A client sends DHCPDECLINE when it has determined through other means (typically an ARP probe) that the address it was offered is already in use. Declines are allowed by default. Because each honored decline takes the address out of service, an untrusted client that declines every address it is offered can exhaust a pool; denying declines in such scopes prevents this.
duplicates: If the DHCP server receives a request from a client that matches the MAC address of a host declaration, any other leases matching that MAC address are discarded by the server, even if the UID is not the same. (This violates the DHCP protocol, but it prevents clients whose identifiers change regularly from holding many leases at the same time.) Duplicates are allowed by default.
9 On the Fixed Address tab, you can specify a fixed address for the host if you did not include one in step 4. This is similar to an address reservation applied to a single host.
You can also add a comment, or edit an existing comment, in the Edit Fixed Address dialog box.

10 On the Client Options tab, set the appropriate DHCP client options. Options defined at the host level apply only to that host.
11 On the Advanced Options tab, set the appropriate advanced DHCP options. Options defined at the host level apply only to that host.

DHCP Client Options


In addition to IP addresses and subnet masks, a DHCP server can assign other configuration options to clients, such as the IP address of a DNS server or a router. These options can be assigned at various levels, with the most local option taking precedence in the event of a conflict. The IP address of a router might be assigned at the subnet level, whereas the IP address of a DNS server might be assigned at the DHCP service or group level. Any object within the DHCP configuration that allows you to set these options includes Client Options and Advanced Options tabs.

It is important to consider which clients should receive which options. DHCP classes are often used to differentiate between clients on a single subnet; options can then be assigned based on client identifiers. Certain options can be assigned to a VoIP handset or a thin client that requires a specific configuration.

The following are the DHCP options that can be added to a DHCP configuration to deliver extra settings to clients. For more information about these options, refer to RFCs 2132, 2241, 2242, 2610, and 2485. RFCs 1122 and 1497 provide further background. Options that accept Boolean values are activated by a value of 1 unless otherwise specified. When specifying a list of IPv4 addresses, the first address takes precedence.

Subnet Mask
Subnet Mask (1): Option code 1 specifies the network in which a particular address resides by stipulating which portions of the IP address represent the network and host identifiers. RFC 950, Internet Standard Subnetting Procedure, defines this system.

IP Layer Parameters Per Host


These options specify values that are applied to the entire host system, and do not necessarily apply just to a single interface.

Most Common Options

These options are almost always configured for the client:
Routers (3): Option code 3 lists the default routers for this configuration, as one or more IP addresses in order of preference. In Windows DHCP, this option is known as Default Gateway.
DNS Servers (6): Option code 6 specifies one or more DNS servers that the client contacts for name resolution. These correspond to the primary and secondary DNS servers configured for Windows clients.


Servers
These options define some of the servers that clients can reference:
Time Servers (4): Option code 4 lists RFC 868 time servers available to the client, as one or more IP addresses.
IEN Name Servers (5): Option code 5 specifies IEN 116 name servers; these are not the same as DNS (BIND) name servers.
Log Servers (7): Option code 7 specifies one or more UDP log servers for the client to use, as IPv4 addresses, with the first address listed taking precedence.
Cookie Servers (8): Option code 8 lists Quote of the Day servers as described in RFC 865, specified as IPv4 addresses.
LPR Servers (9): Option code 9 is a list of line printer servers as defined in RFC 1179, specified as IPv4 addresses in order of preference.
Impress Servers (10): Option code 10 is a list of Imagen Impress servers, specified as IPv4 addresses in order of preference.
Resource Location Servers (11): Option code 11 is a list of resource location servers (RFC 887) for the client to use on the local network, specified as IPv4 addresses in order of preference.

Client-side
These options configure functionality on the DHCP client:
Time Offset (2): Option code 2 specifies the client's time offset from UTC (GMT) as a signed 32-bit number of seconds, with a negative value representing locations west of Greenwich. Eastern Standard Time, which is 5 hours behind UTC, is expressed as -18000.
Host Name (12): Option code 12 specifies a host name for the client. This can be qualified with the local domain name.
Boot Size (13): Option code 13 gives the size of the boot file image for the client, expressed as a number of 512-byte blocks.
Merit Dump File (14): Option code 14 is the complete path and file name to which the client dumps its core image in the event that it crashes.
Domain Name (15): Option code 15 specifies the domain name for the client system.
Swap Server (16): Option code 16 specifies the client's swap server, as an IPv4 address.
Root Path (17): Option code 17 specifies, as text, the path of the client's root disk, which contains the essential startup files for the client system, in several schemes including NFS.
Extensions Path (18): Option code 18 specifies, as text, the path to a file containing additional options or vendor-specific configuration settings used in DHCP device configuration.


IP Forwarding
These options deal specifically with IP forwarding:
IP Forwarding (19): Option code 19 is a Boolean value. It indicates whether a client with more than one network interface should forward packets between its interfaces.
Non-Local Source Routing (20): Option code 20 is a Boolean value. It indicates whether the client should forward datagrams with non-local source routes.
Policy Filter Masks (21): Option code 21 is a list of one or more address and subnet mask pairs that filter non-local source routing. A source-routed datagram whose next hop does not match one of these filters is discarded by the client.

Packets
These options define the client's packet handling:
Max Datagram Reassembly (22): Option code 22 is an unsigned 16-bit integer that specifies the maximum size of datagram the client should be prepared to reassemble. The minimum legal value is 576 and the maximum is 65535.
Default IP TTL (23): Option code 23 specifies the default Time-To-Live (TTL) that the client uses for outgoing datagrams, as an unsigned 8-bit integer between 1 and 255.
Path MTU Aging Timeout (24): Option code 24 specifies the aging timeout for Path MTU values, in seconds, as an unsigned 32-bit integer. For more information about Path MTU discovery, refer to RFC 1191.

Interface-Specific Options
The following DHCP options apply to a specific interface on the client. Therefore, a client device with multiple interfaces can have different values for these options on each interface:
Interface MTU (26): Option code 26 specifies the Maximum Transmission Unit (MTU) for packets sent from a specific interface, as an unsigned 16-bit integer.
All Subnets Local (27): Option code 27 is a Boolean value that indicates whether the client may assume that all subnets of the network it is attached to use the same MTU as its directly connected subnet.
Perform Mask Discovery (29): Option code 29 is a Boolean value that indicates whether the client should send ICMP address mask requests to discover its subnet mask. This process is explained in RFC 950.
Mask Supplier (30): Option code 30 is a Boolean value that indicates whether the client should respond to ICMP subnet mask requests. This process is explained in RFC 950.
Router Discovery (31): Option code 31 is a Boolean value that indicates whether the client performs router discovery as explained in RFC 1256. The address to solicit can be specified with DHCP option 32.
Router Solicitation Address (32): Option code 32 is an IPv4 address used in conjunction with option 31. It specifies the address to which the client sends router solicitation messages in accordance with RFC 1256.
Static Routes (33): Option code 33 is a list of static routes for the client to install in its routing cache, as pairs of IPv4 addresses: the first address of each pair is the destination and the second is the router for that destination. The default route (0.0.0.0) is not a legal destination for this option.


Link Layer Interface-Specific Options

These options apply to a specific interface on a client, but they deal with the link layer of the interface rather than the IP layer:
Trailer Encapsulation (34): Option code 34 is a Boolean value that indicates whether the client should negotiate the use of trailers with ARP, in accordance with RFC 893.
ARP Cache Timeout (35): Option code 35 is an unsigned 32-bit integer that specifies the timeout for ARP cache entries, in seconds.
IEEE 802.3 Encapsulation (36): Option code 36 is a Boolean value that selects the encapsulation used on Ethernet interfaces. A value of false (0) selects Ethernet version 2 encapsulation (RFC 894) and a value of true (1) selects IEEE 802.3 (RFC 1042).

TCP Interface-Specific Options

These options apply Transmission Control Protocol (TCP) settings on a per-interface basis:
Default TCP TTL (37): Option code 37 is the default TTL that the client uses for the TCP segments it sends, specified as an unsigned 8-bit integer between 1 and 255.
TCP Keep Alive Interval (38): Option code 38 is the number of seconds, specified as an unsigned 32-bit integer, that the client waits before sending a keepalive message on an idle TCP connection. A value of 0 prevents the client from sending keepalive messages unless an application requests them.
TCP Keep Alive Garbage (39): Option code 39 is a Boolean value used in conjunction with option code 38. It indicates whether the client should send keepalive messages with an octet of garbage for compatibility with older TCP implementations.

Application and Service Options

These options deal with the Network Information Service (NIS):
NIS Domain (40): Option code 40 is the name of the client's NIS domain, as ASCII text.
NIS Servers (41): Option code 41 is a list of NIS servers, specified as IPv4 addresses in order of preference.
This option specifies client settings for the Network Time Protocol (NTP):
NTP Servers (42): Option code 42 is a list of NTP servers, specified as IPv4 addresses in order of preference.
These options deal with Microsoft WINS and NetBIOS:
WINS/NBNS Servers (44): Option code 44 is a list of Windows Internet Name Service/NetBIOS Name Service (WINS/NBNS) servers (RFC 1001/1002), specified as IPv4 addresses in order of preference.
NetBIOS over TCP/IP NBDD (45): Option code 45 is a list of NetBIOS Datagram Distribution (NBDD) servers (RFC 1001/1002), specified as IPv4 addresses in order of preference.
WINS/NBT Node Type (46): Option code 46 is an 8-bit integer that specifies the NetBIOS over TCP/IP node type for the client. The values are:
1: B-node
2: P-node
4: M-node
8: H-node
NetBIOS Scope ID (47): Option code 47 is text that specifies the NetBIOS scope ID for the client.
These options are specific to the X Window System:
X-Window Font Servers (48): Option code 48 is a list of X Window font servers (RFC 1198), specified as IPv4 addresses in order of preference.
X-Window Display Manager (49): Option code 49 is a list of X Window Display Manager servers (RFC 1198) available to the client, specified as IPv4 addresses in order of preference.
This option identifies a client uniquely:
DHCP Client Identifier (61): Option code 61 is a unique identifier for an individual DHCP client, defined in RFC 2132; it should be unique among all clients on a network. The value is chosen and sent by the client and is not authenticated, so it serves to track leases, not to prove identity.
These options identify NIS+ services:
NIS+ Domain (64): Option code 64 is the name of the NIS+ domain to which the client belongs, as ASCII text.
NIS+ Servers (65): Option code 65 is a list of NIS+ servers, specified as IPv4 addresses in order of preference.
These options configure clients that require boot information, such as Preboot eXecution Environment (PXE) clients:
TFTP Server Name (66): Option code 66 is the name of a TFTP server, entered as text.
Boot File Name (67): Option code 67 is the name of the boot file for this client, entered as text.
This option configures Mobile IP home agents:
Mobile IP Home Agent (68): Option code 68 is a list of the Mobile IP home agents available to the client, specified as IPv4 addresses in order of preference.
These options configure commonly used Internet services:
SMTP Server (69): Option code 69 is a list of Simple Mail Transfer Protocol (SMTP) servers available to the client, specified as IPv4 addresses in order of preference.
POP3 Server (70): Option code 70 is a list of POP3 servers available to the client, specified as IPv4 addresses in order of preference.
NNTP Server (71): Option code 71 is a list of Network News Transfer Protocol (NNTP) servers available to the client, specified as IPv4 addresses in order of preference.
WWW Server (72): Option code 72 is a list of World Wide Web (WWW) servers available to the client, specified as IPv4 addresses in order of preference.
Finger Server (73): Option code 73 is a list of Finger servers available to the client, specified as IPv4 addresses in order of preference.
IRC Server (74): Option code 74 is a list of IRC servers available to the client, specified as IPv4 addresses in order of preference.
These options configure StreetTalk services:
StreetTalk Server (75): Option code 75 is a list of StreetTalk servers available to the client, specified as IPv4 addresses in order of preference.
StreetTalk Directory Assistance Server (76): Option code 76 is a list of StreetTalk Directory Assistance servers available to the client, specified as IPv4 addresses in order of preference.

These options configure SLP services:

SLP Directory Agent (78): Option code 78 (RFC 2610) is a list of the SLP Directory Agents available to the client, specified as IPv4 addresses in order of preference. If the checkbox is selected, the client must not use either active or passive multicast discovery of directory agents. This option also requires the use of DHCP option 79, SLP Service Scope.
SLP Service Scope (79): Option code 79 is a list of the SLP scopes that a client is configured to use. If the checkbox is selected, the client's static SLP Service Scope settings are overridden by the settings specified by this option.

Cable modems generally require an advanced configuration in order to participate effectively in authentication and billing schemes. CableLabs modems are configured with this option:

CableLabs (122): This option is used to configure cable modems and media terminal adapters (MTAs) according to the PacketCable security standard. More information can be found in that standard, or in RFC 3495. The following fields are available to customize this option:

primary-address
    The IPv4 address of the primary DHCP server from which this client is allowed to accept DHCP offer messages.

secondary-address
    The IPv4 address of the secondary DHCP server from which this client is allowed to accept DHCP offer messages.

provisioning-address
    The address or FQDN of the provisioning server that this modem or MTA may contact.

as-req_as-rep-backoff-and-retry
    Timeout and retry values for the client's AS-REQ/AS-REP exchanges with the Kerberos Authentication Server (or Ticket Granting Server).

ap-req_ap-rep-backoff-and-retry
    Timeout and retry values for the client's AP-REQ/AP-REP exchanges (Kerberos authentication headers) with the provisioning server.

kerberos-realm-name
    The Kerberos realm against which the client should authenticate. Realm names are always specified in capitals, and here must be given in domain style as described in RFC 1510.

ticket-granting-server-utilization
    Check this box if the client should obtain and use a Ticket Granting Ticket when obtaining service from a PacketCable application server.

provisioning-timer
    An integer between 0 and 255 defining the timeout in seconds that the provisioning process has to complete.

Trivial File Transfer Protocol (TFTP) service is commonly configured to enable DHCP clients to download a complex configuration. TFTP service is configured with this option: TFTP Server Address (150)Option code 150 is the IPv4 address for the TFTP server that the client uses. Some devices, such as certain VoIP phones, download their initial configuration from a TFTP server. This option is not yet in an RFC, but was most recently proposed in internet draft VoIP Configuration Server Address Option on November 16, 2007.

DHCP Advanced Options


DHCP advanced options control how a DHCP server responds to client requests.

Always Broadcast
    Indicates whether the DHCP server should always broadcast its responses. Restrict the use of this feature to as few clients as possible.

Always Reply rfc1048
    Indicates whether to send RFC 1048 options to bootp clients that expect RFC 1048-style responses.

Authoritative
    Indicates whether the DHCP server is authoritative for the subnet and should send DHCPNAK messages in response to client requests for addresses it considers invalid. In a subnet that has only one DHCP server, enable this option. On networks where clients can expect to interact with multiple DHCP servers, enabling it may create loops that prevent clients from obtaining an address.

Client Updates
    Indicates whether client updates are used to maintain DDNS records for this client. If this checkbox is selected when the option is added, the client updates its own DNS record on the server. If the option is added without the checkbox selected, the DHCP server performs the update. This option is required for DDNS.

DDNS Domain Name
    Specifies the domain name that is appended to this client's hostname to form the FQDN. This is also the name of the zone that is updated with this client's record.

DDNS Hostname
    Specifies the hostname used for DDNS updates for this client. If no value is specified, a name is generated for the records.

DDNS Rev Domain Name
    Specifies the reverse domain name that is appended to the reversed address octets to form the reverse record name. By default this value is in-addr.arpa, but you can override it here.

DDNS TTL
    Specifies the default time-to-live, in seconds, for DDNS records (between 0 and 4,294,967,295).

DDNS Updates
    Indicates whether the server should attempt a DDNS update when the lease is confirmed.

Default Lease Time
    Specifies the duration of the lease that the DHCP server assigns unless the client that requests the lease asks for a specific expiration time.

Dynamic bootp Lease Length
    Specifies the length of the leases the server assigns to dynamic bootp clients.

Filename
    Specifies the file name of the initial boot file to be loaded by a client. Many clients first try to download the file from the specified TFTP server; if that fails, they connect to the DHCP server and then attempt to download the file by FTP.

Get Lease Hostnames
    Enables the server to look up the FQDN corresponding to each address in the lease pool and use that name for the DHCP hostname option.

Maximum Lease Time
    Specifies the maximum lease time for address leases within the scope on which the option is set. The value must be equal to or greater than the current Default Lease Time value.


Minimum Lease Time
    Specifies the minimum lease time for address leases within the scope on which the option is set. The value must be equal to or lower than both the current Default Lease Time and Maximum Lease Time values.

Minimum Seconds
    Specifies the minimum number of seconds a client must have been trying to obtain a lease (the secs field of its request) before this server responds. This gives another server on the network the chance to answer first.

Next Server
    Specifies the host address of the server from which the client attempts to load an initial boot file.

Ping Check
    Determines whether the DHCP server sends an ICMP echo request to probe whether an IP address is already in use before the address is offered to a DHCP client.

Server Identifier
    Specifies the IP address of the DHCP server that is reachable by all clients. This option is useful where a physical network interface has more than one IP address: if the address used by default is not appropriate for some or all of the clients served by that interface, this option substitutes the appropriate address.

Server Name
    Specifies the name of the server from which the client is booting.

Site Option Space
    Specifies the option space name that holds the site-local options for the client.

Stash Agent Options
    Indicates whether relay agent information (option 82) received with the initial request is saved with the lease for use when the address is renewed. A client renews by unicast, so its renewal request does not pass through the relay agent; if the options are not saved, no relay agent information is available for the client's renewal.

Update Optimization
    Specifies whether the server performs a DNS update every time the client renews its lease, or only when an update appears to be necessary.

Update Static Leases
    Specifies whether the server performs DNS updates for clients even when they are assigned their IP address using a fixed-address statement.

Use Lease Address for Default Route
    Determines whether the IP address of the client's own lease is sent as the router value for the client, instead of the value specified in the routers option. This is useful on networks that use an ARP proxy on the local router, because the client then ARPs for every address it looks up.
    NOTE: This is not a recommended option for most configurations, because it does not work with many DHCP clients.

Setting Up DHCP Services


Setting up DHCP services requires an existing DHCP server. To create a DHCP server, see Configuring DHCP on page 89.
When you create the DHCP service, it is enabled by default. To disable it, right-click the DHCP service and select Disable DHCP. To re-enable it, right-click and select Enable DHCP.

Several options are available at both the DHCP service level and for various objects below this level. The most local instance of any option is the one that is used in the configuration. The following procedure refers to the DHCP service itself. However, other DHCP objects can be configured using many of the same techniques.

To set up the DHCP service:

1 In the tree-view pane of the Management Console, select the DHCP service.
2 On the General tab, click Port, and then specify the OMAPI port (usually 7911).
3 Click Key. The Select OMAPI Key dialog box appears.
4 Select a key from the drop-down list, and then click OK. Anyone who holds this key and can reach the OMAPI port can query and change the server's leases and state, so treat the key as a credential and restrict network access to the port.
5 Set up any DHCP failover peers for this DHCP service.
6 Click the Hosts tab, and then declare a new host.
7 Click the Client Options tab, and then set the DHCP client options. Client options include custom options required for VoIP services.
8 Click the Advanced Options tab, and then set the DHCP advanced options.
9 Add any Vendor Options that are required.
10 Add any Custom Options that are required.
11 Save your project.


Chapter 9

Adonis Advanced DHCP

This chapter includes the following topics:

Custom Client Configurations on page 175 describes the classes and vendor profiles used to identify devices so that they can receive appropriate configuration information from the DHCP server.
DHCP Custom Options on page 181 describes DHCP custom options that provide support for nonstandard or manufacturer-specific DHCP.
TFTP Service on page 182 introduces TFTP, which provides complex network configuration files to clients.
DDNS and Zones on page 183 describes how DDNS updates the DNS service with information about DHCP clients.
Network Access Control on page 184 explains security issues and the network access control applied before clients receive a dynamic configuration and an IP address.
DHCP/TFTP Service Control on page 195 describes the controls over these services, including a section on OMAPI.
DHCP Lease Viewer on page 196 describes how the DHCP Lease Viewer provides a real-time view of the DHCP service and how it can be used to control leases in real time.
DHCP Failover on page 197 introduces the concepts of DHCP failover.
DHCPv6 on page 197 describes how Adonis provides dynamic network configuration with support for DHCPv6.

Custom Client Configurations


There are two mechanisms by which Adonis DHCP clients can be identified and given customized network configurations:

Classes can match various aspects of a client, and then provide DHCP options specific to that class of clients. For more information, see Classes on page 175.
Vendor identifiers can identify clients and give them a vendor profile that contains all the required options for network configuration. For more information, see Vendor Profiles on page 178.

Classes
Classes are a means of grouping clients based on the information that they need to receive from the DHCP service. Unlike subnets that group clients based on their IP addresses, DHCP classes group clients based on information that the client sends about itself. For example, a client can identify itself as a printer or a VoIP handset during communications with the DHCP server.


Declaring Classes
Class declarations are created on the server, and clients can identify themselves as belonging to a particular class. The DHCP server can then assign common configuration options that apply only to clients from that class. For example, members of a class representing the engineering department can be allowed an IP address from a particular pool, while members of a class representing the sales department are denied addresses from that pool. Based on the class membership, the client can be allowed or denied an IP address and associated network settings. For example, in addition to being assigned an IP address, a VoIP phone can be allocated the IP address of a TFTP server. A client may be a member of several classes, but the first match creates most of the client settings, while further matches may override some client options for more specific cases. Subclasses represent a subset of their parent class, and their settings only modify the settings for the parent class. User class options allow the user or administrator to conform with the configuration requirements of the class to which the client belongs.

To declare a class for the DHCP service:


1 In the tree-view pane, right-click the DHCP service. From the context menu, select New Class. The New Class dialog box appears.

2 Type a name for the class, and then click OK. The new class appears in the tree-view pane of the Management Console below the DHCP service.
3 Select the Conditions tab, right-click the empty area, and then select New Condition.
4 Select one of the following conditions:

Match: Specifies a condition that the client must match completely. For example, you could configure a class to match a computer's 48-bit hardware (MAC) address.
Match if: Allows you to define a wider set of conditions using elements such as wildcards. For example, you can create a match-if statement using the first 24 bits of a MAC address (the vendor prefix); any client that matches this condition is a member of the class. Match-if statements are a key component of DHCP option 82 (relay agent information) processing.
Spawn with: A spawning class automatically produces subclasses based on information sent by a client, which lets you create lease-limited classes instantly. For example, in a cable-modem environment where a client requires additional IP addresses, the client's cable modem is represented as a circuit-id; a service provider can create a class that uses the Spawn with condition to provide the additional IP addresses. The Spawn with condition works with the Lease limit condition. In the Select Option dialog box, select one of the client options that must evaluate to a non-null value, and then click OK.
Lease limit: Limits the number of class members that can hold an address lease at any one time. This limit applies to all addresses that the DHCP server allocates in the class, not just the addresses on a specific network segment.

5 To set the Client Options for the class, double-click an option value, and then select new values in the dialog box that appears.

6 To set the Advanced Options for the class, double-click an option value, and then select new values in the dialog box that appears.

Subclasses
A subclass has the same name as a parent class, but it has a specific submatch expression that examines criteria to match clients more specifically. A spawning class is a class that automatically generates subclasses based on the options that the client sends. Subclasses are very useful for adding extra options to a specific subset of your DHCP clients.

Declaring Subclasses
To declare a subclass:
1 In the tree-view pane right-click the class to which you want to add a subclass. From the context menu, select New Subclass. The New Subclass dialog box appears.

2 Type a name for the subclass, and then type the class data as a text string enclosed in quotation marks, or as a list of bytes in hexadecimal format separated by colons. Click OK.
3 Set the Client Options and Advanced Options for the subclass by double-clicking an option, and then selecting new values in the dialog box that appears.
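The class semantics described above (the first match supplies most of a client's options and later, more specific matches override individual ones; a subclass refines its parent by class data; Spawn with creates one subclass per distinct option value, each subject to the Lease limit) are easiest to follow in a small simulation. This is an added example in Python, not Adonis code: the class names, the hardware prefix 00:0b:82 and the addresses are invented for the demo.

```python
"""Added example: a model of DHCP class evaluation (Match, Match if, Spawn with,
Lease limit, subclasses). Not Adonis code; names and addresses are invented."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Client = Dict[str, str]  # request attributes, e.g. hardware address, agent.circuit-id


@dataclass
class DhcpClass:
    name: str
    # Match: option whose value is compared with each subclass's class data.
    match_key: Optional[str] = None
    # Match if: free-form predicate over the request (wildcards, prefixes, ...).
    match_if: Optional[Callable[[Client], bool]] = None
    # Spawn with: option whose non-null value spawns a subclass per distinct value.
    spawn_with: Optional[str] = None
    # Lease limit: maximum leases held at one time by members of this (sub)class.
    lease_limit: Optional[int] = None
    options: Dict[str, str] = field(default_factory=dict)
    subclasses: Dict[str, "DhcpClass"] = field(default_factory=dict)
    leases_held: int = 0

    def add_subclass(self, class_data: str, **options: str) -> "DhcpClass":
        """A subclass keeps the parent's name; its options only modify the parent's."""
        sub = DhcpClass(name=self.name, options=options)
        self.subclasses[class_data] = sub
        return sub


def matching_classes(classes: List[DhcpClass], client: Client) -> List[DhcpClass]:
    """Return every (sub)class the request belongs to, in declaration order."""
    hits: List[DhcpClass] = []
    for cls in classes:
        if cls.match_if is not None and cls.match_if(client):
            hits.append(cls)
        if cls.match_key is not None:
            sub = cls.subclasses.get(client.get(cls.match_key, ""))
            if sub is not None:          # class data matched: parent first, then the subclass
                hits.extend([cls, sub])
        if cls.spawn_with is not None:
            data = client.get(cls.spawn_with)
            if data:                     # Spawn with needs a non-null value
                sub = cls.subclasses.get(data)
                if sub is None:          # first sighting of this value: spawn its subclass
                    sub = DhcpClass(name=cls.name, lease_limit=cls.lease_limit,
                                    options=dict(cls.options))
                    cls.subclasses[data] = sub
                hits.append(sub)
    return hits


def allocate(classes: List[DhcpClass], client: Client) -> Optional[Dict[str, str]]:
    """Return the options the client receives, or None if a lease limit blocks it.
    The first match supplies most options; later, more specific matches override."""
    hits = matching_classes(classes, client)
    limited = [c for c in hits if c.lease_limit is not None]
    if any(c.leases_held >= c.lease_limit for c in limited):
        return None
    for c in limited:
        c.leases_held += 1
    options: Dict[str, str] = {}
    for c in hits:
        options.update(c.options)
    return options


def release(classes: List[DhcpClass], client: Client) -> None:
    """Lease expired or released: give the slot back to every limited class."""
    for c in matching_classes(classes, client):
        if c.lease_limit is not None and c.leases_held > 0:
            c.leases_held -= 1


def build_demo_classes() -> List[DhcpClass]:
    # VoIP handsets identified by the first 24 bits of the MAC (invented prefix 00:0b:82).
    voip = DhcpClass("voip-phones",
                     match_if=lambda c: c.get("hardware", "").lower().startswith("00:0b:82"),
                     options={"tftp-server-name": "10.0.0.20"})
    # Engineering: exact hardware-address match against subclass class data.
    engineering = DhcpClass("engineering", match_key="hardware",
                            options={"domain-name-servers": "10.0.0.53"})
    engineering.add_subclass("00:0b:82:aa:bb:cc", **{"tftp-server-name": "10.0.0.21"})
    # Cable modems: one spawned subclass per circuit-id, at most two leases each.
    cable = DhcpClass("cable-modems", spawn_with="agent.circuit-id", lease_limit=2)
    return [voip, engineering, cable]


if __name__ == "__main__":
    classes = build_demo_classes()
    print(allocate(classes, {"hardware": "00:0b:82:aa:bb:cc"}))
    modem = {"hardware": "00:00:00:00:00:01", "agent.circuit-id": "cmts1/3"}
    print([allocate(classes, dict(modem, hardware=f"00:00:00:00:00:0{i}")) for i in (1, 2, 3)])
```

The handset 00:0b:82:aa:bb:cc matches the VoIP class first (TFTP server 10.0.0.20) and then the engineering subclass, whose more specific TFTP value wins; the third modem behind circuit-id cmts1/3 is refused until one of the first two releases its lease.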


Vendor Profiles
Vendor profiles are a necessary part of the evolution of DHCP. Adonis implements vendor profiles so that devices can be given non-standard parameters, including the settings needed to enable devices such as VoIP handsets and to provide them with IP-layer options and resources. Vendor profiles also help to account for roaming networks and rich media services. Adonis examines a client's vendor-class-identifier (option 60) to determine whether the client should be configured with a vendor profile and its associated options. Option 43, vendor-specific information, can then carry option information that is outside of the standards track. Vendor profiles are created first at the DHCP service level and then implemented at the service, group, or subnet level. You can select a predefined class or create a new custom class.

Pre-defined Vendor Classes


Predefined vendor profiles are XML files that define a class, listing its name, identifier, and the options it contains. You can add vendor profiles to the %systemroot%\Program Files\BlueCat Networks\Adonis\vendor profiles directory on your system, and create a new profile with an XML editor. Adonis includes an example called Sun Ray. The following XML file defines it:
<?xml version="1.0" encoding="UTF-8"?>
<vendor_options identifier="SUNW.NewT.SUNW" name="Sun Ray">
  <option id="21" name="AuthSrvr" type="ip" comment="Sun Ray server IP address to connect to"/>
  <option id="22" name="AuthPort" type="number" comment="Sun Ray server port to connect to"/>
  <option id="23" name="NewTVer" type="text" comment="Which firmware version to upgrade to"/>
  <option id="24" name="LogHost" type="ip" comment="Log level for host"/>
  <option id="25" name="LogKern" type="number" comment="Log level of kernel"/>
  <option id="26" name="LogNet" type="number" comment="Log level of network"/>
  <option id="27" name="LogUSB" type="number" comment="Log level for USB"/>
  <option id="28" name="LogVid" type="number" comment="Log level for video"/>
  <option id="29" name="LogAppl" type="number" comment="Log level for application"/>
  <option id="30" name="NewTBW" type="number" comment="Limits bandwidth available for Sun Ray"/>
  <option id="31" name="FWSrvr" type="ip" comment="Firmware server IP address"/>
  <option id="32" name="NewTDispIndx" type="number" comment=""/>
  <option id="33" name="Intf" type="text" comment="Interface used for Sun Ray service"/>
  <option id="34" name="NewTFlags" type="number" comment=""/>
  <option id="35" name="AltAuth" type="ip" comment="Alternate set of Sun Ray server IP addresses"/>
  <option id="36" name="BarrierLevel" type="number" comment="Barrier level firmware download"/>
</vendor_options>

The following example shows how the XML encoded options appear in the Management Console.

To add or create a vendor profile:


1 In the tree-view pane, select the DHCP service.
2 In the details pane, select the Vendor Profiles tab.
3 Right-click in the empty area, and then select New.
4 The New Vendor Option Class dialog box appears.
5 To select a predefined class, click the (...) button, and then navigate to the XML file that contains the vendor profile information.
6 Click OK.

7 To create a custom class, select the Custom option, type a name in the Vendor Name field, and then type a Vendor Class Identifier that matches the one provided by clients (option 60) during DHCP discovery.
8 Click OK. After you have assigned a name and identifier to your custom vendor profile, you must populate the profile with attributes.
You must assign a value for every attribute you have created.

These are the attributes that are assigned to clients:

Name: a descriptive name for the attribute.
ID: the numerical ID for the attribute.
Type: the format of the attribute. Use one of the following types:
  IP: a single IP address.
  IP_List: a list of IP addresses separated by commas.
  Number (Unsigned 8): a number between 0 and 255.
  Number (Unsigned 16): a number between 0 and 65,535.
  Number (Unsigned 32): a number between 0 and 4,294,967,295.
  Text: an NVT ASCII string, which must be enclosed in double quotation marks ("").
  Raw: an NVT ASCII string enclosed in double quotation marks, or a series of octets specified in hexadecimal, separated by colons.
Comment: an optional comment regarding the attribute.

To populate a vendor class with attributes:


1 Double-click the vendor option name. The Edit Vendor Option Class dialog box appears.

2 Right-click in one of the rows under Attributes, and then select New Attribute from the context menu. The New Attribute dialog box appears.

3 Type an attribute Name and an ID.


Attribute names must not contain spaces.

4 Select a Type from the drop-down list, and then type a comment (optional).
5 Click OK. The new attribute appears in the Edit Vendor Option Class dialog box.

DHCP Custom Options


You can define custom options at the DHCP service level and use them throughout the DHCP service wherever you assign a client option. Custom options have three required elements:

Code: The code field requires a DHCP option code value. Codes 1 to 254 are usable (0 and 255 are the pad and end markers); to avoid conflicts with standard client options we recommend a value above 150. The client device that receives this option uses the same code to reference it, so the code must match what the device expects.
Name: A user-recognizable name that refers to this option within the Adonis project.
Type: Every custom option is assigned a data type to which all of its values must conform. Any value for this option is checked against this type, or limited to selections based on the data type.

To create a custom option:


1 At the DHCP service level, select the Custom Options tab in the details pane.
2 Right-click a blank area of the pane, and then select New from the context menu. The New Custom Option dialog box appears.

3 Type a number in the Code field.


If you select a number that is already in use a message appears informing you that the option code already exists.

4 Type a name in the Name field.


Names must not include spaces.

5 Select the option type from the Type drop-down list, and then click OK. The new custom option appears in the list of client options in the DHCP configuration wherever client options can be assigned.
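The vendor profile XML shown earlier in this chapter, the attribute types, and the custom option rules above all come down to the same wire format: each attribute is encoded by its type, and for a vendor profile the encoded attributes are packed as sub-options inside DHCP option 43 when the client's option 60 equals the profile identifier. The following Python is an added example, not Adonis code, that parses a trimmed copy of the Sun Ray profile, encodes attribute values, builds option 43, and decodes it again with length checks. It assumes the standard RFC 2132 encapsulation (one-byte sub-option code, one-byte length, data), treats the XML's bare "number" type as Number (Unsigned 16), and for the demo declares AltAuth as ip_list; the sample values are constructed.

```python
"""Added example (not Adonis code): encode vendor profile / custom option
attributes by type, wrap them in DHCP option 43, and decode the result."""
import struct
import xml.etree.ElementTree as ET
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

VENDOR_SPECIFIC = 43  # RFC 2132 "vendor specific information" option code

# Constructed excerpt of the Sun Ray profile (XML declaration omitted; AltAuth as ip_list for the demo).
SUN_RAY_XML = """<vendor_options identifier="SUNW.NewT.SUNW" name="Sun Ray">
  <option id="21" name="AuthSrvr" type="ip" comment="Sun Ray server IP address to connect to"/>
  <option id="22" name="AuthPort" type="number" comment="Sun Ray server port to connect to"/>
  <option id="23" name="NewTVer" type="text" comment="Which firmware version to upgrade to"/>
  <option id="35" name="AltAuth" type="ip_list" comment="Alternate set of Sun Ray server IP addresses"/>
</vendor_options>"""

# Assumed widths: the GUI's Unsigned 8/16/32 types, and bare "number" taken as Unsigned 16.
_INT_FORMATS = {"uint8": "!B", "uint16": "!H", "uint32": "!I", "number": "!H"}


def encode_value(attr_type: str, value: str) -> bytes:
    """Encode one attribute value according to its declared type; reject out-of-range input."""
    t = attr_type.lower()
    if t == "ip":
        return IPv4Address(value.strip()).packed
    if t == "ip_list":
        return b"".join(IPv4Address(a.strip()).packed for a in value.split(","))
    if t in _INT_FORMATS:
        try:
            return struct.pack(_INT_FORMATS[t], int(value))
        except struct.error as exc:
            raise ValueError(f"{value!r} does not fit type {attr_type}") from exc
    if t == "text":
        return value.encode("ascii")  # NVT ASCII only; anything else raises
    if t == "raw":
        if value.startswith('"') and value.endswith('"'):
            return value[1:-1].encode("ascii")
        return bytes.fromhex(value.replace(":", ""))  # aa:bb:cc form
    raise ValueError(f"unknown attribute type {attr_type!r}")


def encode_option(code: int, data: bytes) -> bytes:
    """Wrap data in the code/length/data form used for top-level and encapsulated options."""
    if not 1 <= code <= 254:  # 0 and 255 are the pad and end markers
        raise ValueError(f"option code {code} out of range")
    if len(data) > 255:
        raise ValueError(f"option {code} payload too long ({len(data)} bytes)")
    return bytes([code, len(data)]) + data


def load_profile(xml_text: str) -> Tuple[str, Dict[str, Tuple[int, str]]]:
    """Return (vendor class identifier, {attribute name: (id, type)})."""
    root = ET.fromstring(xml_text)
    attrs = {o.get("name"): (int(o.get("id")), o.get("type")) for o in root.findall("option")}
    return root.get("identifier"), attrs


def build_option43(profile_xml: str, client_vendor_class: str,
                   values: Dict[str, str]) -> Optional[bytes]:
    """Option 43 for a client whose option 60 equals the profile identifier; None otherwise."""
    identifier, attrs = load_profile(profile_xml)
    if client_vendor_class != identifier:
        return None  # profile does not apply: send no vendor options
    payload = b"".join(encode_option(attrs[name][0], encode_value(attrs[name][1], value))
                       for name, value in values.items())
    return encode_option(VENDOR_SPECIFIC, payload)


def decode_option43(option: bytes) -> Dict[int, bytes]:
    """Split an option 43 back into {sub-option code: data}, checking that lengths add up."""
    if len(option) < 2 or option[0] != VENDOR_SPECIFIC or option[1] != len(option) - 2:
        raise ValueError("not a well-formed option 43")
    body, i, out = option[2:], 0, {}
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated sub-option")  # length byte overruns the payload
        out[body[i]] = body[i + 2:i + 2 + body[i + 1]]
        i += 2 + body[i + 1]
    return out


if __name__ == "__main__":
    values = {"AuthSrvr": "10.0.0.5", "AuthPort": "7009", "NewTVer": "3.1",
              "AltAuth": "10.0.0.6, 10.0.0.7"}
    opt = build_option43(SUN_RAY_XML, "SUNW.NewT.SUNW", values)
    print(opt.hex(), decode_option43(opt))
```

The same encode_value and encode_option pair serves a custom option: encode_option(code, encode_value(type, value)) with the code you chose above 150. The length checks in the decoder matter on the receiving side, where a sub-option length that overruns the payload is the classic parsing mistake.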

TFTP Service
Adonis can provide TFTP service on the appliance for clients that need to download a configuration or boot file. This is useful for organizations that run certain VoIP systems and cable modems, because these devices often need to obtain their startup configuration as a file from a TFTP server. Note that TFTP has no authentication, access control, or encryption: any host that can reach the service can fetch any file it serves. Do not place secrets such as passwords, keys, or SNMP community strings in files served this way, and restrict which networks can reach the TFTP port.

To add TFTP service:


1 In the tree-view pane, right-click the server that hosts TFTP. On the context menu, select New Service > TFTP.
2 Click TFTP Service. The TFTP Server Control tab appears in the details pane.

3 Click Manage TFTP Files. The TFTP Server Control dialog box appears.

4 Select the server from the drop-down list, type the password, and then click OK. The TFTP Server Files dialog box opens.

After you log in, the service is inspected and the Management Console populates the File List On Server field from the actual service.
5 To refresh the File List On Server field, click Refresh.
6 To select files, use the (...) button next to the Upload File field.
7 To upload the selected files that appear in the list, click Upload.
8 To download the selected files, click Download.
9 Click Close.

DDNS and Zones


Reverse DNS facilitates network navigation by converting numbers into names. It uses a DNS zone to represent the IP address mappings within a network. Host address registrations are made using DDNS. In Adonis DHCP, DNS zones can be added to associate them to DHCP networks. For more information, see Dynamic DNS on page 128.

Adding Zones
You can add zones at the DHCP server level and at the group level.


To add a new zone:


1 In the tree-view pane, right-click a group. From the context menu, select Zone. The New Zone dialog box appears.

2 Type a name for the zone, and then type the primary address for the server that hosts this zone.
3 Click the browse button to open a browse dialog box. Select a portion of the DNS structure for linking the zone name.
4 If the zone should be part of a DNS configuration, select Link to Another from the drop-down list.
5 Click OK.

If you are using TSIG, on the General tab select the key to associate with the zone (recommended). Without a TSIG key, the DNS server can only accept the dynamic updates on the basis of the sender's IP address, which any host on the path can spoof.

Network Access Control


A network needs a way to screen candidate devices before allowing them onto the network. Adonis provides a form of pre-admission network access control (NAC) at the DHCP level: it verifies the MAC (hardware) address of the device and prevents unauthorized systems from obtaining configuration information from DHCP. Because the control acts on what DHCP hands out, a device that configures a static address is not affected by it; combine it with switch-level controls where that matters.

MAC Address Filtering


Adonis can filter client requests based on the originating MAC address of the workstation hardware that makes the request. When a client requests an IP address, Adonis checks the MAC address of the network interface from which the request originated against a deny list. Matching MAC addresses are denied an IP address.

To enable MAC address filtering:


1 From the Server menu of the Management Console, select MAC Address Filtering. The MAC Address Filtering Wizard opens.

2 Click Next. The MAC Address Filtering page appears.

3 Select Enable MAC Address Filtering, and then click Next. The Server Action page appears.

4 Select one or more servers to perform filtering, type a password for each, and then click Next. A Status column indicates whether or not the action was successful.
5 Click Next. The Finish page appears, indicating that the wizard has completed its operations. Click Finish.


To manage the filter list of MAC addresses:


1 In the tree-view pane, right-click Servers. From the context menu, select MAC Address Filter. The MAC Address Filter dialog box opens.

2 Select the MAC filter server from the drop-down menu, type the administrator password for the server, and then click OK.
3 The MAC Address Filter dialog box opens. This shows the Deny Filter list stored on the server.

4 To add an address, right-click an empty part of the Deny Filter list, and then click Add MAC Address. The Add MAC Address dialog box opens. Type the MAC address and add a comment, if desired.

5 Type the 48-bit address you want to deny in the MAC Address field. You can type the address using any of the following formats:

123456123456 (no delimiters)
12:34:56:12:34:56 (colon delimiters)
12-34-56-12-34-56 (hyphen delimiters)

Use the Comment field for related or explanatory notes that appear in the MAC Address Filter window.
6 To export the Deny Filter list, right-click an empty area of the list, and then select Export Deny List. A Save dialog box opens and prompts you to save the list as a comma-delimited MAC address CSV file.

7 To import a list, click Import MAC Addresses. The MAC Address Import dialog box opens.

The imported list should be a comma-separated value (CSV) file of MAC addresses. Type the path to the file in the Import File field or use the adjacent [...] button to locate the file. You can ignore all duplicates or overwrite them by using the toolbar buttons.
8 On the toolbar, click Import List. When you are finished importing files, click OK.
9 To save changes, click Commit Changes on the MAC Address Filter toolbar.

The MAC filtering system operates at the server level and uses a static list of addresses that must be modified by the administrator. The list is simple to audit, but keep its limits in mind: it is a deny list, so any address not on it is served, and the hardware address is supplied by the client itself, so a device whose MAC address has been changed is not recognized. It also does not provide the opportunity to manage MAC-based access dynamically, or at the pool level rather than at the server level. An alternative system called MAC authentication addresses both of these issues, but requires an additional open port on the Adonis appliance.
MAC filtering does not take effect on the server until the MAC filtering configuration has been deployed to the appliance.
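The address formats, the duplicate handling on import, and the CSV export described in the procedure above can be exercised offline with the following Python. It is an added example, not Adonis code: the deny-list class, its method names and the sample CSV rows are constructed for the demo, and the filter is modelled as a server-level deny list exactly as the text describes it.

```python
"""Added example (not Adonis code): parse the three MAC formats the dialog
accepts, keep a deny list, import a CSV with ignore-duplicates or overwrite
semantics, export it, and apply the filter to a request."""
import csv
import io
import re
from typing import Dict, Tuple

# Exactly the three accepted spellings: no delimiters, colons, or hyphens (no mixing).
_MAC_FORMATS = (
    re.compile(r"^[0-9a-f]{12}$"),
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),
)


def normalize_mac(text: str) -> str:
    """Return the canonical aa:bb:cc:dd:ee:ff form, or raise ValueError."""
    s = text.strip().lower()
    if not any(fmt.match(s) for fmt in _MAC_FORMATS):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    digits = s.replace(":", "").replace("-", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class DenyFilter:
    """Server-level deny list. Its limits: the client supplies its own hardware
    address, so a spoofed MAC bypasses the list, and any address not listed is allowed."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}  # canonical MAC -> comment

    def add(self, mac: str, comment: str = "", overwrite: bool = False) -> bool:
        key = normalize_mac(mac)
        if key in self.entries and not overwrite:
            return False  # duplicate ignored
        self.entries[key] = comment
        return True

    def remove(self, mac: str) -> bool:
        return self.entries.pop(normalize_mac(mac), None) is not None

    def import_csv(self, text: str, overwrite: bool = False) -> Tuple[int, int]:
        """Load 'mac,comment' rows; return (added or replaced, skipped as duplicate)."""
        added = skipped = 0
        for row in csv.reader(io.StringIO(text)):
            if not row or row[0].strip().startswith("#"):
                continue  # blank line or comment
            comment = row[1].strip() if len(row) > 1 else ""
            if self.add(row[0], comment, overwrite):
                added += 1
            else:
                skipped += 1
        return added, skipped

    def export_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        for mac in sorted(self.entries):
            writer.writerow([mac, self.entries[mac]])
        return buf.getvalue()

    def allows(self, client_mac: str) -> bool:
        """True if a DHCP request from this hardware address may be answered."""
        return normalize_mac(client_mac) not in self.entries


if __name__ == "__main__":
    f = DenyFilter()
    # Constructed sample import: the second row is the first address in another spelling.
    print(f.import_csv("12:34:56:12:34:56,lab printer\n123456123456,same device\n"))
    print(f.allows("12-34-56-12-34-56"), f.allows("00:11:22:33:44:55"))
    print(f.export_csv(), end="")
```

Normalizing before comparison is the point: the same address typed with colons, hyphens or no delimiters must hit the same list entry, and an address that matches none of the three spellings is rejected rather than silently stored in a form the filter will never match.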

MAC Authentication
DHCP MAC authentication gives administrators a system that can add MAC addresses to the system dynamically instead of loading them as a list. MAC authentication is applied at the pool level rather than at the server level, giving more precise control over the parts of the DHCP configuration that use MAC-based security. MAC authentication requires a web server on the Adonis server to facilitate the dynamic validation of addresses, which may increase security concerns for some administrators. Networks can opt for a MAC-based security system without the use of a web server through MAC address filtering; however, MAC filtering is limited to denying access for specific MAC addresses (essentially, a list of banned addresses). The MAC authentication system uses the ability of DHCP pools to differentiate between known and unknown clients to decide whether to respond to a client request. A known client has a host entry on all of the subnets where MAC authentication is in operation.

If a client is unknown, an address with a short lease time is issued from an unknown-users pool, and the client is given a DNS server address that points at the master MAC authentication server, so that all of its DNS queries are redirected there. When the client reaches the master server, a web page appears and prompts for a network username and password. These can be authenticated against a RADIUS, LDAP, or Kerberos (Active Directory) server.

If the user is authenticated successfully against the external authentication server, the MAC address of the user's computer is registered as a known host with all of the MAC-authenticated subnets. Because the lease time is short, the user's computer soon requests renewal of its IP address, but instead receives a less restricted IP address from the known-users pool. In this way, MAC addresses are added dynamically using the most up-to-date user information possible: the primary user authentication system for the network itself.


Adding MAC Authentication to a DHCP Service


To set up MAC authentication for an entire project, you must add it to one of the servers.

To set up MAC authentication:


1 Right-click on a DHCP service, and then click Add MAC Authentication. The General tab of the MAC Authentication Service appears.

The General tab contains several settings for configuring the web portal for unauthenticated users. The HTTP Connection Data area is used to set up the portal and the Web Data area is used to customize its look and feel.


HTTP Connection Data

Shared Secret: This value is used to seed the HTTP service.
Login Session Time: The amount of time that the user's session is maintained on the MAC authentication portal.

To set the HTTP Connection Data:


1 Click the empty field to the right of Shared Secret; the HTTP Shared Secret dialog box appears.

2 Type the shared secret, and then click OK.
3 Click the empty field to the right of Login Session Time; the Login Session Time dialog box appears.

4 To change the session time, clear the Use Default Setting checkbox, and then type in the value you want to use. Select the appropriate time interval from the drop-down list.

MAD Settings
Default Authorization Time: This is the amount of time that the user's MAC address remains on the MAD list before the user needs to re-authenticate through the web portal.
Shared Secret String: This value is used as a password for the MAD service.

To set the MAD Settings:


1 Click the empty field to the right of Default Authorization Time; the Default Authorization Time dialog box appears.

2 To change the authorization time, clear the Use Default Setting checkbox, and then type in the value you want to use. Select the appropriate time interval from the drop-down list.

3 Click the empty field to the right of Shared Secret String; the MAD Shared Secret dialog box appears.

4 Type the shared secret, and then click OK.

Web Data
You can use default values for the following parameters, or select customized ones.
Welcome Message: To display a greeting on the portal, click this field, and then type your message in the Welcome Message dialog box. Your message can include up to 150 characters, but it is better to keep the message brief.
Logo File: To specify a custom logo for the portal, click this field, and then navigate to the logo you want to use. This should be a graphic file, such as a jpg, gif, or png.
EULA File: To specify a EULA file for the portal, click this field, and then navigate to the file you want to use. HTML is the recommended format, but you can use txt files too.
SSL Certificate: To select an SSL certificate, click this field, and then navigate to the certificate you want to use.

MAD Servers
The MAD Servers tab allows you to add servers to the MAD service for this configuration. After you have added servers you can create MAC Authentication Pools on their subnets.

To add a MAD server:


1 Select the MAD Servers tab, right-click in the empty area, and then select New. The New MAD Server dialog box appears.

2 Select the server's IP address from the drop-down list.
3 Type the MAD port (default is 1067), and then click OK. The Adonis appliance you chose as the MAD server maintains the master lists of MAC addresses for authentication.

Authenticators
Authenticators for the MAD service are set up in exactly the same way as those used for user management. For more information, see Configuring External Authenticators on page 29.


To add a MAD authenticator:


1 Select the Authenticators tab, right-click in the empty area, and then select New. The New Authenticator dialog box appears.

2 In the New Authenticator dialog box, specify the following values:
Name: The name of the authenticator object within Adonis.
Host: The host name or IP address of the server that you are contacting to authenticate Adonis users.
Type: The type of authenticator object you want to use.
Priority: The lower this value, the more priority an authenticator has in the MAD service.
The dialog box contents change if you select a Radius or LDAP authenticator type. Make sure you type all the required information for the authenticator you intend to use.

3 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
4 To create this authenticator object, click OK.

MAC Authentication Pools


After you have added a server to the MAC Authentication service, you can add MAC Authentication Pools to any of its subnets.


To add MAC Authentication pools:


1 Right-click on the subnet, and then select Add MAC Authentication Pools from the context menu.

2 The primary pool is the address pool from which known users receive their addresses. Consider naming the pool to reflect this using the Name field.
3 Use the Start Offset and End Offset fields for entering a range of addresses on the subnet to which this pool applies.
4 The Default Lease Time should be set to the standard default lease time for the network. In this case, it has been set to 172800 seconds (2 days).
5 Use the Temporary Pool area to issue addresses to unknown clients. Type a name for the pool that reflects this in the Name field.
6 Use the Start Offset and End Offset fields to specify only a range of IP addresses that is sufficient to service unknown clients waiting to authenticate and receive a fully functional DHCP configuration.
7 The lease time should be set very short, such as 300 seconds (5 minutes). This enables the client machine to maintain its limited IP address long enough to authenticate through the MAC authentication portal, but it is short enough that the client receives a full network configuration shortly after being authenticated.
8 To finalize this part of the MAC authentication setup, click OK.

MAC Authentication DNS Setup


Setting up MAC authentication DNS on the Adonis server or on another DNS server requires two views, one for unauthenticated clients and one for clients with full access.
Deny View: This view requires two important settings to capture queries from unauthorized clients:
Set the Allow Recursion option to No. This prevents the unknown clients from reaching the Internet using this view.
Configure an ACL to match the IP addresses for the unauthorized pool.


Allow View: This view is set up similarly to a typical DNS service. It does not need an ACL, but you can create one if necessary. To create an ACL for this view, follow the method described for the Deny View.
The Allow View entry should appear below the Deny View entry on the ACL match list, so that a query from the unauthorized pool is matched by the Deny View first. If this is the case, it should not represent a serious security issue.

ACLs are discussed in Managing Access Control Lists on page 146. Because pool ranges can contain any range of IP addresses, the addresses can be entered into the ACL individually or using a combination of Classless Inter-Domain Routing (CIDR) notation and individual addresses. The CIDR notation can generally encompass most of the required addresses, and you can modify the others individually. A root (.) zone must also be created with an A (host) record that uses the wildcard (*) to match all queries and send them to the Adonis IP address on which the MAC authentication portal is running.
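The Deny View ACL and the pool offsets described above, worked through in Python as an added example (not the guide's own code or tooling): it turns a temporary pool's Start Offset and End Offset into the mix of CIDR blocks and individual addresses the ACL needs, and shows which view a client falls into depending on whether the Deny View precedes the Allow View. The subnet, offsets and client addresses are constructed sample values.

```python
"""Added example (not code from the Adonis guide): build the Deny View ACL for a MAC
authentication temporary pool and check which view a client lands in.

Constructed sample values: subnet 10.20.30.0/24, temporary pool offsets 200-220.
"""
import ipaddress
from typing import List, Sequence, Tuple

IPv4 = ipaddress.IPv4Address


def pool_range(subnet: str, start_offset: int, end_offset: int) -> Tuple[IPv4, IPv4]:
    """Translate the pool's Start Offset / End Offset into its first and last address."""
    net = ipaddress.ip_network(subnet, strict=True)
    if not 0 <= start_offset <= end_offset < net.num_addresses:
        raise ValueError("offsets must lie inside the subnet")
    return net[start_offset], net[end_offset]


def acl_entries(first: IPv4, last: IPv4) -> List[str]:
    """Fewest CIDR blocks covering the pool; a /32 is written as a plain address,
    giving the combination of CIDR notation and individual addresses the guide describes."""
    entries = []
    for block in ipaddress.summarize_address_range(first, last):
        entries.append(str(block.network_address) if block.prefixlen == 32 else str(block))
    return entries


def select_view(views: Sequence[Tuple[str, List[str]]], client: str) -> str:
    """Return the first view whose ACL matches the client. Views are tried in list
    order, as BIND tries match-clients; an empty ACL stands in for a view with no ACL
    (the Allow View), which matches every client."""
    addr = ipaddress.ip_address(client)
    for name, acl in views:
        if not acl or any(addr in ipaddress.ip_network(e, strict=False) for e in acl):
            return name
    return "no-view"


def build_views(subnet: str, start_offset: int, end_offset: int) -> List[Tuple[str, List[str]]]:
    """Deny View first (ACL = temporary pool), Allow View second (no ACL)."""
    first, last = pool_range(subnet, start_offset, end_offset)
    return [("deny", acl_entries(first, last)), ("allow", [])]


if __name__ == "__main__":
    views = build_views("10.20.30.0/24", 200, 220)
    print("Deny View ACL:", views[0][1])
    for client in ("10.20.30.210", "10.20.30.50"):
        print(client, "->", select_view(views, client))
    # With the views in the wrong order, an unauthenticated client gets the Allow View.
    print("reversed:", select_view(list(reversed(views)), "10.20.30.210"))
```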

MAC Authentication Menu


The web server used for MAC authentication is controlled through the Administration Console. The following commands help you check the MAC authentication status:
show authenticators: displays all authenticator information used on the appliance. Any changes to this information should be performed through the Management Console, and then deployed back to the server.
show madsettings: displays information about the MAD server settings for the appliance. Any changes to this information should be performed through the Management Console, and then deployed back to the server.
isrunning webserver: reports whether or not the web server is running.
For more information, see Administration Console on page 15.

DHCP/TFTP Service Control


The following commands control the services that provide DHCP and TFTP on Adonis.

DHCP Service Control


Adonis uses the ISC DHCP server to provide its DHCP service. The executable file for ISC DHCP is called the DHCP daemon or DHCPD. To manage the IPv6 DHCP service on Adonis, use dhcpv6 instead of dhcp as a token. The DHCP service is managed using the normal mode of the Administration Console.
To start DHCP, type start dhcp, and then press Enter.
To stop DHCP, type stop dhcp, and then press Enter.
To restart DHCP, type restart dhcp, and then press Enter.
To check whether DHCP is running, type isrunning dhcp, and then press Enter.


TFTP Service Control


Adonis provides a TFTP service to store extra files for configuration and firmware management for certain client devices. This service is set up using the Management Console, but the TFTP service itself can be managed from the normal mode of the Administration Console.
To start the TFTP service, type start tftp, and then press Enter.
To stop the TFTP service, type stop tftp, and then press Enter.
To restart the TFTP service, type restart tftp, and then press Enter.
To check whether the TFTP service is running, type isrunning tftp, and then press Enter.

OMAPI
Open Mobile Application Programming Interface (OMAPI) is a communications mechanism that lets a user make changes to an ISC DHCP server without needing to stop and restart the server. To control the server using OMAPI, the server must be configured to accept OMAPI connections. Adonis is configured to accept OMAPI connections by default and is secured with a secret key similar to a TSIG key. Only a client that shares the key can make changes to the server using OMAPI. By default, the OMAPI port is 7911. However, the secret key and port number can be changed from the Administration Console. The settings for the port and the key are on the General tab for the DHCP service on each appliance. After you deploy the project, you can modify the firewall and connect to the OMAPI shell using a terminal.

DHCP Lease Viewer


The Adonis Lease Viewer is an essential tool for the management of DHCP. It allows you to examine lease data in real time and release any leases as required.

The Lease Viewer displays leases for specific (/16 and smaller) blocks of IP addresses, as well as lease details in both graphical and tabular formats.
You can use the Refresh icon on the Lease Viewer to refresh the data.

Releasing a lease for an IP address means that the address becomes available for re-use. However, the user's workstation may attempt to renew the lease before the lease period actually ends. In this case, the previous end date for the lease period is no longer valid and the lease is renewed. Another possibility in freeing a lease is that the address could be over-allocated by being reassigned while it is still assigned to the original user. Freeing an IP address from the server does not immediately affect the IP address used by the client.

To launch the Lease Viewer:


1 Select a subnet in the tree-view pane of the Management Console.
2 Select the Lease Viewer tab.

3 To refresh the Lease Viewer with the latest data from the server, click Refresh.
4 Right-click an active lease to display a context menu with commands that let you release it or view its properties.
Releasing an IP address lease here does not immediately affect a user's network configuration. The user may still renew the lease before it runs out, or another user could be assigned this address, and a conflict could occur.

Circuit ID and Agent ID


The last two fields in the lease viewer, Circuit ID and Agent ID, correspond to a DHCP relay agent. If no relay agent was used to assign a lease, these fields remain blank.
DHCP option 82 allows you to see the DHCP relay agent information at the DHCP server.

DHCP Failover
Traditional DHCP high availability has been handled by a practice called scope splitting. Scope splitting splits the pool of IP addresses between two DHCP servers. If one server fails, clients cannot renew their lease and are required to obtain a new IP address from the secondary peer server. Adonis DHCP failover uses ad hoc updates through proprietary send and receive channels. This ensures high availability of DHCP services. DHCP failover does not require any additional IP resources, and existing leases continue to exist, even in the event of a total hardware failure on one server. For detailed information on Adonis DHCP failover, see Adonis DHCP Failover on page 210.

DHCPv6
Although an inexperienced user can easily create and configure a DHCPv6 service, understanding the mechanisms of DHCPv6 and stateless auto configuration requires advanced knowledge of networking concepts. If you simply want to create a DHCPv6 service and configure it, skip directly to Creating a DHCPv6 Service on page 198 and Configuring a DHCPv6 Service on page 199.

Overview of DHCPv6
The Adonis DHCPv6 service supports only stateless IPv6 auto configuration. This means that it can configure hosts that already have an address with lists of DNS servers, but it cannot assign addresses. In DHCPv6, the server responds to Information Request messages containing an Option Request option. It sends back a Reply message with the appropriate information.

IPv6 Prefixes
IPv6 prefixes define networks and subnets in IPv6, and are used for matching clients in DHCPv6. Their notation is very similar to CIDR notation. That is, an address followed by the number of significant bits, separated by a slash. For example: 2001:DB8:0:56::/64

The first portion of the prefix is a valid IPv6 address with the long string of trailing zeros replaced by a double colon (for more information on IPv6 notation, see AAAA Records on page 151). Just as in CIDR notation, this prefix matches all clients whose addresses begin with 2001:DB8:0000:0056.

Neighbor Discovery for Address Assignment


Because the DHCP server no longer assigns addresses, in an IPv6 environment a host must either use a fixed address or assign itself one in some way. To do this, it uses the Neighbor Discovery protocol. A new host undergoes the following steps to assign itself an address:
1 The host generates a tentative address by using the link-local prefix of FE80 and appending the network interface identifier.
2 The host joins the following multicast groups: the all-nodes multicast group (FF02::1) and the solicited-node multicast group for its tentative address. This means that the host receives all multicast messages sent in this group.
3 The host sends a Neighbor Solicitation message to the tentative address. If the address is already in use, the host must be manually configured to use a different address. If the address is not in use, the tentative address becomes a preferred address. This mechanism is called Duplicate Address Detection (DAD).
4 The host sends out a Router Solicitation message to the all-routers multicast group (FF02::2).
5 All routers on the link reply with a Router Advertisement message. The message contains a prefix, which the host uses to generate an address. The new address combines the prefix with the network interface identifier. If more than one router replies, the host generates more than one IPv6 address.
The host now has an address and a prefix (more important for DHCP), so it can be configured by DHCPv6.
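The address derivations behind the Neighbor Discovery steps above, together with the prefix match described under IPv6 Prefixes, as an added Python example (not the guide's own code): it assumes the interface identifier is formed from the MAC address with the modified EUI-64 method, which the guide does not specify, and uses a constructed MAC address with the prefix 2001:DB8:0:56::/64 from the text.

```python
"""Added example (not code from the Adonis guide): the address derivations behind
the Neighbor Discovery steps and the prefix match used for DHCPv6 network scopes.

Assumption: the interface identifier is derived from the MAC address with the
modified EUI-64 method (RFC 4291); the guide does not say how it is formed.
The MAC 00:1a:2b:3c:4d:5e is a constructed value; 2001:DB8:0:56::/64 is the guide's prefix.
"""
import ipaddress

LINK_LOCAL_PREFIX = "fe80::/64"
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def interface_identifier(mac: str) -> int:
    """Modified EUI-64: split the MAC, insert FF:FE, flip the U/L bit (0x02) of octet 0."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def with_prefix(prefix: str, iid: int) -> str:
    """Combine a 64-bit prefix with a 64-bit interface identifier."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an interface identifier needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def tentative_address(mac: str) -> str:
    """Step 1: the FE80 link-local prefix plus the interface identifier."""
    return with_prefix(LINK_LOCAL_PREFIX, interface_identifier(mac))


def solicited_node_group(addr: str) -> str:
    """Step 2: FF02::1:FFxx:xxxx, the low 24 bits of the address appended to FF02::1:FF00:0."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def advertised_address(mac: str, ra_prefix: str) -> str:
    """Step 5: the prefix from the Router Advertisement plus the interface identifier."""
    return with_prefix(ra_prefix, interface_identifier(mac))


def prefix_matches(addr: str, prefix: str) -> bool:
    """DHCPv6 network scope: true when the client's leading prefixlen bits equal the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    shift = 128 - net.prefixlen
    return int(ipaddress.IPv6Address(addr)) >> shift == int(net.network_address) >> shift


if __name__ == "__main__":
    mac, ra_prefix = "00:1a:2b:3c:4d:5e", "2001:DB8:0:56::/64"
    tentative = tentative_address(mac)
    print("tentative (link-local):", tentative)
    print("solicited-node group:  ", solicited_node_group(tentative))
    addr = advertised_address(mac, ra_prefix)
    print("address from RA prefix:", addr)
    print("matches network scope: ", prefix_matches(addr, ra_prefix))
```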

Creating a DHCPv6 Service


A DHCPv6 service can have three scopes:
Service scope: these options apply to all clients being served by this server.
Interface scope: these options apply to all clients connected to the server through that network interface.
Network scope: these options apply to all clients with a particular IPv6 prefix.

To create a DHCPv6 service:


1 Right-click a server in the tree-view pane of the Management Console.
2 Select New Service > DHCPv6. The DHCP6 service appears in the tree-view.
3 Expand the new service to reveal the network interface (eth0).

4 Right-click the network interface, and then click New > Network. The New DHCPv6 Network dialog box appears.

5 Type a name and a valid IPv6 prefix for the new network, and then click OK.

Configuring a DHCPv6 Service


Stateless auto configuration uses only two options to configure clients:
dns-recursive-name-server: This option specifies a list of IPv6 addresses of name servers to which a client may send queries.
domain-search-list: This option specifies a list of domain names to append to a given hostname in a dns-lookup-hostname request. If a DNS query does not return an address, a host configured with this option may try the host name combined with any of these domain names.

To configure a DHCPv6 service:


1 Click on the scope you want to configure (the service itself, a network interface, or a network).
2 Select the Client Options tab in the right pane of the Management Console.
3 Edit the options as required by double-clicking their values and specifying new ones in the dialog boxes provided.


Chapter 10

High Availability

Adonis features two types of redundancy, Crossover High Availability (XHA) and DHCP failover. These systems are independent, but they can be used together to provide different benefits:
XHA uses server clustering to link two Adonis appliances together and provide highly available DNS service. Users see a single server running a single copy of each service.
DHCP failover links two DHCP services together on two separate servers to ensure that a secondary DHCP service (on another server) manages existing leases and responds to new requests if the primary service fails.
This chapter includes the following topics:
Crossover High Availability (XHA) on page 201 describes DNS high availability and Adonis.
Adonis DHCP Failover on page 210 describes how Adonis DHCP failover uses ad-hoc updates through proprietary send and receive channels.

Crossover High Availability (XHA)


XHA gives Adonis the protection of disaster recovery through the use of redundant appliances. XHA makes two Adonis appliances appear to users as a single appliance. If one of the appliances fails for any reason, the other takes its place and continues to provide services without users even being aware of the change. The pair appears as a single server for DNS queries because they share an IP address for answering queries, but are controlled through separate IP addresses at the Management Console. XHA uses an enslaved master as the passive node, meaning that it always has up-to-date data, making failover between the two seamless and almost instantaneous. The passive node monitors a heartbeat signal from the active node, and becomes the active master if it does not receive the current active master's heartbeat signal. When updates are sent to the active node, DNS updates are automatically propagated to the passive node as standard incremental zone transfers. Also, use of XHA allows DHCP services to operate in a high availability configuration without scope-splitting because active leases are always up-to-date on both servers.
Adonis has a High Availability Wizard to help you create and control an XHA cluster. The wizard includes four options:
Create a High Availability cluster
Diagnose a High Availability cluster
Repair a High Availability cluster
Break a High Availability cluster
If you select High Availability when a cluster does not exist, the wizard guides you through the set up procedure. The Diagnose, Repair, and Break options appear when you select High Availability after you have created the cluster.


Prerequisites
Before creating your XHA cluster, ensure that the following conditions are met:
Two Adonis appliances are powered up, each configured with an IP address on the same subnet, and are connected to the network.
The latest Management Console is installed and available.
Deployment passwords are available for both nodes that are to be part of the XHA cluster.
Three IP addresses (on the same subnet) are allocated per XHA cluster: one physical address for each Adonis node, and one for the virtual IP address used for responding to DNS queries.
The eth0 adapter on both Adonis servers should be explicitly set to 100Mbps Full Duplex as described in Configuring Network Settings on page 43. Auto negotiation to 100Mbps Full Duplex is not adequate for this requirement and may cause inadvertent failover incidents between the two nodes. These appliances must be on the same subnet, because routing the heartbeat is not supported.
The switch ports to which the Adonis appliances are connected must also be explicitly set to 100Mbps, full-duplex. The Spanning Tree option on the switch containing these ports must also be set to PORTFAST.
The speed and duplex settings on the appliances and the switch are extremely important. Do not forget to set them. Do not try to configure half-duplex communication. If you try to configure half-duplex, Adonis prevents you from saving the setting and an error message appears. For more information about duplex settings contact BlueCat Networks at: http://www.bluecatnetworks.com/clientsupport/self-service/.

Both Adonis appliances must be able to ping their Ping Node (usually set to the address of the default gateway or a server) at all times. The appliance performs this test to ensure that it is live on the subnet and is not experiencing a local network failure. Remove old certificates and set the time on the appliances so it does not vary by more than 40 seconds. Use NTP to control the time on both appliances for this reason.

Creating a High Availability Cluster


Creating an XHA cluster is the process of taking a single server object from an Adonis that is running DNS, DHCP, or both and adding a second appliance to act as the passive backup master for the appliance. Only the first appliance should be configured in the Management Console: you can add the other one later using the High Availability Wizard. The following example creates a master DNS server, and then adds a redundant backup to it through the High Availability Wizard.

To create a High Availability cluster:


1 Set up both Adonis appliances using the two physical node IP addresses on the same subnet as specified in the Adonis Installation Guide.
2 Launch the Management Console. From the Welcome dialog box select New Project, and then select Single Name Server as your DNS architecture.
3 Create the project file and use the IP address of one of the nodes as the IP address for the server. Do not deploy the project to the server. Deployment to both appliances is managed by the High Availability Wizard.
4 From the Server menu select High Availability. The High Availability Wizard opens.

5 In the High Availability Wizard, select the server that you just created, and then click Next. The Get Node Information page opens.
The Node 1 and Node 2 IP addresses must correspond to the physical IP addresses assigned to the appliances in Step 1 above. These addresses must be different from the virtual IP address of the XHA cluster.

6 Type the IP addresses and passwords for each of the individual appliance nodes.
7 Type the virtual IP address for the cluster. Click Next. The Set HA Common Data page opens.

8 Set the Common HA configuration password used to manage the new XHA cluster.

9 In the Ping Address field, type a ping address on the same subnet. Both appliances need to be able to ping this address and receive a response or the cluster cannot function properly.
10 In the Failure Detection Time field, type the number of seconds a node in the cluster should wait without receiving a heartbeat before assuming that its peer node has failed.
11 Click Next. The XHA cluster is created and the Wizard indicates when the process is complete.
It can be useful during this process to monitor the contents of the /var/log/ha-log file to observe the status of the XHA services on both appliances. The main service and system status for the appliance is still found in /var/log/syslog.

12 Click Next, and then click Finish. When the XHA cluster configuration is complete, the server icon in the Management Console changes to show the new XHA cluster. Wait three to four minutes for the Adonis servers to finish the configuration. After this time, you should be able to query the cluster for information.
At this point, you are managing the XHA cluster as a single entity, although the XHA cluster has two physical nodes. Running the High Availability Wizard again lets you either repair the XHA cluster or break it to return to a single server configuration.

Diagnosing a High Availability Cluster


If you encounter problems with the HA cluster, it may be necessary to run the Diagnose option to determine the cause. The Diagnose option checks both nodes and then provides the results in a table.
To diagnose a High Availability cluster:
1 From the Server menu select High Availability. The High Availability Wizard opens.
2 On the High Availability Options page select the Diagnose High Availability option, and then click Next.
3 Select the High Availability cluster you want to diagnose, and then click Next.
4 Type and confirm the passwords for the two nodes, and then click Next.

5 The wizard diagnoses both nodes of the cluster; after it has finished, click Next.

6 The Diagnostic Results page appears showing you any problems that exist in your HA cluster.

7 Click Next, and then click Finish.

Repairing a High Availability Cluster


It may be necessary to repair an HA cluster because a hardware failure occurred at one of its nodes. The Management Console provides an easy way to swap the failed hardware, replace it with a new node, and repair the HA cluster.


To repair an XHA server:


1 Launch the Management Console, and then open the project file containing the XHA cluster you want to repair.
2 From the Server menu select High Availability. The High Availability Wizard opens. Select Repair High Availability, and then click Next.

3 Select Repair High Availability, and then click Next. The Get Node Information page appears.

4 Type and confirm the passwords for the two nodes, and then click Next. The Get HA Common Data page appears.

5 Type and confirm the XHA cluster password, ping address and dead time, and then click Next. The Repair HA Cluster page appears showing the wizard's progress in connecting and repairing the cluster.

6 Click Next, and then click Finish.


Breaking a High Availability Cluster


It may be necessary to break an XHA cluster, for example, to troubleshoot issues on each node separately. Whenever you break an XHA cluster, you should verify that all services provided by the new standalone server are operational before the server re-enters full production.

To break an XHA cluster:


1 Launch the Management Console, and then open the project file containing the XHA cluster you want to break.
2 From the Server menu select High Availability. The High Availability Wizard opens. Select Break High Availability, and then click Next.
3 Select the XHA cluster you want to break, and then click Next.
4 Type and confirm the common HA password, and then click Next.
5 Select the checkbox to disable HA on the client configuration, and then click Next. The wizard shows its progress as it disables the HA cluster.

6 When this process finishes, click Next and then click Finish. Your configuration now shows a single server, using the virtual IP address of the XHA cluster as its physical address. This is not the physical IP address for either appliance in the former cluster. The second appliance does not appear as a server in the project because it was providing the same services as the new single server.

Manual Failover
You can perform a Manual XHA Failover from the Server Control dialog box described in Management Console Server Controls on page 54.


It is essential that you select the active node of the XHA cluster in the Server drop-down list and select its physical IP address in the Node IP drop-down list.


To perform a manual failover:


1 From the Server menu select Server Control. The Server Control dialog box opens.

2 Select the Perform HA Failover option, and then click Execute.
3 Click OK.
4 To verify that the nodes have reversed, select Server Control, and then select High Availability Status Query. The Action Results dialog box appears.

5 When you are satisfied that the nodes have reversed, perform another manual failover to reset them to their original status.
To perform a manual failover, you must select the active node.

Updating an XHA Cluster


In previous versions of Adonis, if you wanted to update an XHA cluster you needed to break the cluster and upgrade each node separately. This is no longer the case. You can now upgrade XHA clusters as a unit, without breaking the cluster. The standard upgrade procedure is described in Modifying Data Check Issue Settings on page 91.


BIND Views in XHA


In previous versions of Adonis, you could not use BIND views in an XHA cluster. Adonis now uses a deployment engine that allows BIND views to behave exactly as they do in a standard DNS project. For more information, see Working with Zones on page 111.

Adonis DHCP Failover


Adonis DHCP failover uses ad hoc updates through proprietary send and receive channels. This ensures high availability of DHCP services. DHCP failover does not require any additional IP resources, and existing leases continue to be valid, even in the event of a total hardware failure on one node. Traditional DHCP high availability has been handled by a practice called scope splitting. Scope splitting divides the pool of IP addresses between two DHCP servers. If one server fails, clients cannot renew their leases and are required to obtain a new IP address from the secondary peer server.

One Client per Address


One issue with DHCP high availability is dealt with using the DHCP failover protocol. On an IP-based network, if two clients have the same IP address, neither one is allowed to communicate across the network. If this communication were allowed, it would be unclear where responses should be directed. Yet a client can have more than one IP address. When DHCP is being made highly available, the possibility of two clients receiving the same address must be eliminated. With XHA, this issue does not arise because the DHCP service believes that it is running on a single server instead of two different appliances. Synchronization is handled within the operating system rather than at the DHCP service level. However, this solution works only if the two appliances exist on the same subnet. Administrators who wish to provide DHCP services with appliances on more than one subnet can also use the DHCP failover protocol. Use of one of these solutions mitigates situations where one of the appliances fails, network connectivity between the appliances has failed, or planned outages are required.

A Companion to XHA
One member of a failover pair may lose contact with its partner for reasons such as a network failure, a failure of one of the servers, or a planned outage. DHCP failover is configurable on a per-pool level. This allows you to have very complex configurations, such as a single secondary DHCP server acting as the backup for multiple primary DHCP servers, or several DHCP pools backed up to different DHCP servers. Adonis supports failover in an active-active or active-passive configuration. In an active-active configuration, both the primary and secondary servers answer requests for the specified IP addresses. The DHCP requests must reach both servers for failover to work during normal operation.

Terms vs Times
Most people think about time and DHCP as periods of time rather than points in time. DHCP failover requires that administrators be mindful of both terms and absolute times in order to manage two servers that are closely synchronized. DHCP failover servers are synchronized using Network Time Protocol (NTP). This allows both servers to use an absolute time reference that is external to each of them. DHCP failover servers communicate using several types of messages, but from the initial CONNECT message between them, absolute time is constantly referenced. The only way to anticipate what the other server might be doing with a lease is to reference the lease periods against absolute time. By knowing the exact start time of a state, one server can anticipate when the other performs certain actions. To synchronize leases, Adonis DHCP servers configured for failover communicate through a persistent TCP connection on ports 647 and 847.

Start Time of State (STOS): The absolute time stamp that indicates when a server or address entered a particular state.

Desired Lease Time (DLT): The period of time for which a client typically requests a lease on this network. This is the standard DHCP lease time that would always be given out if this server were operating in a standalone configuration rather than in failover mode.

Maximum Client Lead Time (MCLT): The maximum amount of time for which a server in communication-interrupted or partner-down state issues a lease. This is also the amount of time that it takes a server in the communication-interrupted state to recover its leases before entering the partner-down state. This short lease time aids in re-synchronizing the servers, both during initialization and after a failover incident. However, very short lease times may create a great deal of traffic when the server is operating without its peer.
Because the DHCP failover mechanism depends on the MCLT being the safer of the two values, the MCLT value must always be lower than the DLT value for any given failover pool.

Potential Lease Expiry Time: The absolute point in time when a DHCP server believes that a particular lease on its partner server expires. This value helps servers in partner-down state to calculate when it is safe to use the other server's leases.

Max Response Delay: This value is set in the Adonis interface, and indicates the amount of time a client must attempt contact with its primary DHCP server before the secondary offers a lease. The secs field in the DHCP request provides the value (in seconds) that is checked against the Max Response Delay. A non-zero value in this field indicates that this is not a first attempt, and if the value passes the delay threshold indicated with Max Response Delay, then the other server responds to the client anyway.

Three Rules
The only way a pair of DHCP failover servers can anticipate each other's behavior during communication outages is by referencing absolute time against a known set of behaviors. To implement this strategy, all DHCP failover servers follow three important rules:

1 All of the available addresses are divided between the two servers as free and backup addresses. In the ISC implementation these are always balanced so that 50% of the addresses are generally allocated to each server at any given time.

2 A DHCP failover server can generally only extend an address lease for a limited time beyond the expiry time known to its peer. This is the MCLT, and is usually not longer than an hour.

3 Addresses cannot be re-issued to clients unless both servers agree that the previous client is no longer using the address. The exception to this rule is the partner-down state.
DHCP failover servers must be synchronized using NTP.

Address Binding States


Address bindings on a DHCP failover server indicate the status of an address within DHCP. An address may be assigned to a client, available for allocation from one of the servers, or not available for allocation. Seven different address binding states are used to indicate these properties for an address binding.

State      Description
ACTIVE     These addresses are in use by clients.
FREE       These addresses can be leased by the primary server.
BACKUP     These addresses can be leased by the secondary server.
EXPIRED    This address lease has expired and is not yet available for allocation.
RELEASED   This address lease has been released by a client, but is not yet available for allocation.
RESET      This address lease has been reset by an administrator, but is not yet available for allocation.
ABANDONED  This address has created a conflict and it is no longer being used by either server.

Server States
DHCP failover servers operate within server states that tell the DHCP failover server how to interact, or not interact, with its peer server. These states are used to manage normal server operations, and to manage operations when the two servers cannot communicate. Based on its state, a server can anticipate the actions (or lack of actions) that its peer may take for any operation, and operate in a way that respects these constraints.

Normal State
This is the standard operational state for DHCP failover servers. In this state, both servers can communicate with each other. They use POOLREQ messages to ensure that as all leases are returned to the primary server, half of the addresses are sent to the secondary server as backup addresses and half become free addresses on the primary server.

Load Balance Split


If the Load Balance Split setting is set to 128 (active-active), both servers answer client requests. Both servers receive all client requests and a load balancing algorithm decides which server should respond to each client. If the Load Balance Split is set to 255 (active-passive), then only the primary server responds to client requests. Despite the load balance split setting, the primary server still holds only 50% of the available addresses for any failover pool and the secondary server holds the others, although the secondary server does not typically respond to requests.

Communication-Interrupted State
In this state, the servers can no longer communicate with each other, and neither server is aware of the state of its peer. Therefore, all operations must assume that the other DHCP server could also be live and issuing address leases. Once a server has entered the communication-interrupted state, it changes the way that it assigns address leases. Clients initially attempting to renew existing leases receive a new lease for the remainder of their regular lease time with the MCLT value added. Subsequent leases are only handed out for the MCLT, and clients are never given a lease renewal; instead, they always receive a lease for a new address. If a client releases an address lease manually, then that address is abandoned until Normal state is again achieved.

The disadvantage of the communication-interrupted state is immediately apparent. If clients are given short lease times and their leases are not renewed, then the address pool might quickly become depleted, not to mention the increased level of network traffic. However, if one of the servers knew that its partner was down, it could operate in a much more efficient manner and more gracefully supply service in the absence of its partner.

Partner-Down State
When a DHCP failover server is informed that its peer is down it can allocate IP addresses in a much different way than when it was in the communication-interrupted state. This server becomes the primary server, whether or not it was the primary before its peer went offline. It continues to hand out leases for MCLT, but renews the leases. This server also reclaims all of the expired, reset, and released leases and is able to use the entire free address pool for allocations. When its partner comes back online, this server reverts to leases for the normal DLT and remains the primary server. Transition to the partner-down state is controlled by the Adonis Failover Monitor. The Failover Monitor monitors both of the DHCP failover servers, and when an outage occurs, puts the server into partner-down state.
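To show how the DLT, MCLT and Potential Lease Expiry Time terms combine in the communication-interrupted and partner-down states described above, here is an added Python illustration; it is not Adonis or ISC dhcpd code, and the function names, the state strings and the >= reading of the Max Response Delay threshold are assumptions.

```python
"""Lease sizing per DHCP failover server state (added illustration, not
Adonis or ISC dhcpd code).  All times are absolute seconds on the NTP
clock both servers share; the helper names here are assumptions."""

NORMAL = "normal"
COMM_INTERRUPTED = "communication-interrupted"
PARTNER_DOWN = "partner-down"
# No client leases are issued while a server is synchronising with its peer.
NON_ISSUING = {"recovery", "recovery-wait", "potential-conflict"}


def check_pool_times(dlt, mclt):
    """Enforce the rule that MCLT must be lower than DLT for a failover pool."""
    if dlt <= 0 or mclt <= 0:
        raise ValueError("DLT and MCLT must be positive")
    if mclt >= dlt:
        raise ValueError("MCLT (%d s) must be lower than DLT (%d s)" % (mclt, dlt))


def lease_decision(state, now, dlt, mclt, current_expiry=None,
                   peer_known_expiry=None):
    """Decide what a failover server offers a client that asks for a lease.

    current_expiry    -- end of the client's existing lease (None if none)
    peer_known_expiry -- the Potential Lease Expiry Time: the expiry the
                         partner is believed to hold for that lease
    Returns (action, lease_end) with action "renew", "new-address" or "refuse".
    """
    check_pool_times(dlt, mclt)
    if state in NON_ISSUING:
        return "refuse", None
    if state == NORMAL:
        # Both servers are in sync: the standard DLT is handed out.
        return "renew", now + dlt
    if state == PARTNER_DOWN:
        # Short MCLT leases, but the same address is renewed each time.
        return "renew", now + mclt
    if state == COMM_INTERRUPTED:
        # Rule 2: a lease may be extended at most MCLT beyond the expiry the
        # peer knows about.  The first renewal therefore ends at
        # (remaining time + MCLT); once that ceiling is reached the server
        # cannot renew and gives the client a different address for MCLT.
        if current_expiry is not None and peer_known_expiry is not None:
            ceiling = peer_known_expiry + mclt
            if ceiling > current_expiry:
                return "renew", ceiling
        return "new-address", now + mclt
    raise ValueError("unknown server state: %s" % state)


def peer_may_answer(secs_field, max_response_delay):
    """Max Response Delay check on the DHCP 'secs' field: a non-zero value is
    a retry, and once it passes the threshold the other server answers
    anyway.  Reading 'passes' as >= is an assumption."""
    return secs_field > 0 and secs_field >= max_response_delay


if __name__ == "__main__":
    DLT, MCLT = 86400, 3600          # one day, one hour (constructed values)
    print(lease_decision(NORMAL, 1000, DLT, MCLT))
    print(lease_decision(COMM_INTERRUPTED, 1000, DLT, MCLT, 50000, 50000))
    print(lease_decision(COMM_INTERRUPTED, 53000, DLT, MCLT, 53600, 50000))
    print(peer_may_answer(45, 30))
```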

Recovery State
If a server has come online for the first time and has no address database, or is recovering and has a peer in the partner-down state, recovery state is used to synchronize the databases on the two servers. The recovery state is used when a failover peer believes itself to be out of sync with its partner. The partner server could be in either the communication-interrupted or the partner-down state. The server in recovery mode stops issuing addresses (if it was) and then requests either a partial or full update of the DHCP lease database from its peer. When it has completely synchronized the database with its peer, it moves into recovery-wait state. Alternatively, if no new leases have been granted, both servers immediately return to the normal state, bypassing the recovery-wait period.

Recovery-Wait State
The recovery-wait state is used as a safe period to ensure that all leases granted by the server in partner-down state are in a known state before the newly recovered server also begins issuing addresses. The recovering server waits for the MCLT period to expire after it has recovered and before it returns to normal state and begins issuing addresses.

Potential-Conflict State
If the recovering server discovers that its peer went into partner-down state while it was still handing out leases, the server goes into potential-conflict state and tells its peer to also enter this state. The primary server sends an update request to the secondary server for all unacknowledged updates. The secondary server responds with these updates and indicates when this operation is completed. The secondary server then sends an update request to the primary server for all unacknowledged updates. The primary server responds with these updates and indicates when this operation is completed. Both servers then move back into the normal state. The potential-conflict state can occur because of a communication break longer than the MCLT, when a server recovers but cannot communicate with its peer, or if one of the servers is placed in partner-down state through the OMAPI shell while its peer is in communication-interrupted state. DHCP failover servers do not issue client leases in this server state. However, this state does not generally persist for a long period of time.


Failover Monitor
To manage the interactions between Adonis DHCP failover servers, BlueCat Networks developed a Failover Monitor (FOMON) that monitors the failover server states and places a server into partner-down state if required. The Failover Monitor is implemented as a daemon that resides on Adonis and runs whenever DHCP failover is active on Adonis. The shell script that controls the Failover Monitor is located in /usr/local/bluecat/ and is called fomon.sh. This script accepts the command-line arguments restart and status. The SafePeriodTimeout value controls the time interval between polling attempts. If you change these values, you must restart the fomon.sh script from the command line with the command:
/usr/local/bluecat/fomon.sh restart

Typical State Transition


A typical state transition within DHCP failover involves one server going offline and its partner going into communication-interrupted state. After the Maximum Response Delay has passed, the server that is still online starts to operate in communication-interrupted state. When the SafePeriodTimeout has passed, the FOMON monitor places the server into the partner-down state. When the other server is restored and finds its peer in the partner-down state, it enters recovery state and updates its lease database. When the recovered server has a completely restored lease database, it then enters the recovery-wait state for the MCLT period. After the MCLT has passed, both servers return to the normal operational state.

Recommended Topologies
The example below shows the use of the DHCP Helper on a router to pass DHCP requests to a DHCP server on another segment. DHCP Helpers are used on the router to forward broadcast DHCP messages to the server on the other side of the router. However, activating the DHCP Helper for the clients that are on the same subnet as the secondary server can cause errors by creating a loop in the router. Consult your router documentation before activating this feature on any ports.

DHCP failover is recommended for one-to-one, many-to-many or one-to-many configurations. In any case, the DHCP failover servers do not support crossover configurations. This means that two servers cannot be each other's secondary failover server. A failover server cannot be a primary and a backup server for the same set of pools. This creates a non-functional configuration. With three or more servers, there are two standard approaches to setting up DHCP failover without creating a crossover configuration. The first example uses a round-robin style topology to avoid crossovers. Because none of the servers acts as both a primary and secondary peer for any other server, this does not create a crossover.

A one-to-many topology involves using a single secondary server to service several primary servers. The primary servers in this example have a load balance split of 255 so that they hand out all leases in the normal state, despite having only half of the addresses available. The secondary server maintains the other half of the addresses for each primary server and uses these addresses in the case of an outage on one of the primary servers. Because of the inefficient use of available addresses with this configuration, it is not recommended. The round-robin topology listed above is generally a better option. However, the one-to-many topology may be a better choice for some networks.


Setting Up DHCP Failover


To define a failover peer:
1 In the tree-view pane, select the DHCP service for the primary server.

2 On the General tab, right-click in the empty list area below Failover Peers, and then click New. The New Failover Peer dialog box opens.

3 Type a unique descriptive name for the peer.


The name of the failover peer must be a single word without spaces or special characters. The name must be unique for the entire Adonis configuration, not just the one server.

4 Select a backup (secondary) server from the Peer Server drop-down list.
Only servers configured in the Management Console are available as DHCP failover peer servers.

5 Type the Max Response Delay, usually recommended to be between 30 and 180 seconds. This is the amount of time that a server waits without communication before it assumes that its peer is down. This setting should be set high enough to avoid failover incidents due to common network lag or very short outages.

6 Type a value for MCLT, for example, 3600 seconds.

7 Type a value for the Load Balance Split.

8 Type the Load Balance Override. This is the amount of time during which a server allows a client request to go unanswered by its peer before responding, despite the client being assigned to service from the peer.

9 Click OK.

Configuring DHCP Failover on a Pool


Failover is configurable only on a per-pool basis. Each pool must be individually assigned a secondary server. This lets you use different secondary servers for each pool. The secondary server is automatically configured with the backup pools.


To configure DHCP failover on a pool:


1 In the tree-view pane of the Management Console, click a pool that acts initially as the primary on a DHCP failover-enabled server.

2 On the General tab, click Failover Peer. The Select Failover Peer dialog box opens.

3 From the drop-down menu, select a DHCP failover peer as the secondary for this pool.

4 Click OK. Adonis creates the DHCP failover pool on the secondary server automatically (see the red ellipse in the following figure).

5 Repeat the above steps for each pool that requires the redundancy of DHCP failover.

Modifying Settings for a Failover Pool


Modifications to a DHCP address pool with failover enabled do not automatically propagate to the failover peer's pool. If you modify the primary pool, such as changing the address range, you must repeat the change manually in the failover pool. To accomplish this, set the Failover Peer setting on the primary failover server to none, and then change it back to its proper failover peer. Re-instating this selection allows the server to re-synchronize the settings for the failover pool.

To modify failover peer settings:


1 In the tree-view pane, select the DHCP service.

2 On the General tab, under Failover Peers, double-click the primary failover server. The Edit Failover Peer dialog box opens.

3 Edit the Failover Peer setting on the primary failover server to none.

4 Change the Failover Peer setting back to show the correct failover peer. Re-instating this selection allows the server to re-synchronize the settings for its failover pool.


Chapter 11

Migration Tools

This chapter describes the tools provided to help you migrate from external data sources to your Adonis DNS/DHCP Appliance. This chapter contains the following topics:

Importing External Configurations on page 223 explains the process.
Using a Live Zone Transfer on page 225 explains how to import data through a zone transfer.
Importing an Existing DNS Configuration on page 227 explains how to import a DNS configuration.
Importing an Existing DHCP Configuration on page 229 explains how to import a DHCP configuration.

Importing External Configurations


The Import Wizard helps you import your existing external configuration into your Adonis appliance. You can import a BIND (8/9) configuration, a BIND 4 boot file, an ISC DHCP 3.x configuration file, or a Windows 2000 DHCP dump file.
To import the file, you must have a copy of it on your local computer.


To import an external configuration:


1 From the File menu, select Import. The Import Wizard opens.

2 Click Next. The Select Location page appears. From the drop-down list, select the type of file you want to import, and then use the (...) button to navigate to the file.

3 Click Next. The Select Destination page appears.

4 To import the file to a new name server, select the New Server option, and then type the server name, IP address, and contact e-mail information.

5 To import the file to an existing server or view, select the Existing Server option, and then select the server or view from the drop-down list.

6 Click Next, and then click Finish.

Using a Live Zone Transfer


You can also import data using a live zone transfer. In this procedure an existing DNS server uses the zone transfer mechanism to transfer a zone to Adonis, thus populating the DNS information on the Adonis appliance. You can also perform a bulk zone import by transferring configuration and data from .txt files.

To import from a single zone:


1 Open the Management Console.

2 From the Tools menu, select Live Zone Import. The Live Zone Import Wizard opens. Click Next.

3 Type the settings for the DNS server that contains the desired zone, the port on the DNS server, and the name of the zone. Click Next.

4 Select the server and the zone to which you want to transfer the live zone data.

5 Click Next. The Perform Live Zone Import page appears, showing status information as the live zone import takes place. A message appears showing whether or not the transfer was successful.

6 When the transfer is complete, click Next, and then click Finish.

Importing an Existing DNS Configuration


Adonis can import external DNS configurations from BIND 4 Boot Files and BIND 8/9 config files.


Named.conf
You must prepare named.conf files before you import them. Using a text editor, try to eliminate the following potential errors before you attempt to import a named.conf file:

Syntax errors: specifically end braces and semi-colons.
Option definitions: remove all option declarations (especially global ones), except match-clients for views. These are not imported, so you do not lose anything.
Other BIND syntax: try to interpret the errors that are thrown to the import log and clean the file accordingly.

ACLs
You must define ACLs in a view before you import them. This is because the import tool loads only the ACLs that are implemented in the BIND configuration. The import tool loads zones and views in different ways and it does not load any zone options, so even if an ACL is implemented within a zone option, the import tool does not consider it to be implemented. The following example creates three different ACLs:
# The client was implementing these three ACLs in zone options in their named.conf.
acl firstacl { 198.168.3.46; 198.168.3.56; };
acl secondacl { 10.10.200.0/22; };
acl thirdacl { 69.2.124.11; 64.52.36.0/25; };

To load a named.conf file that consists of ACLs and zones, you must create an empty view that implements all of the ACLs that need to be imported in a match-clients option statement. The following example is a BIND 9 configuration which initially contained only ACLs and zones. The default view has been added to ensure that the ACLs are imported.
# This view doesn't contain the zones; it just implements the ACLs so that they can be imported.
view "default" {
    match-clients { firstacl; secondacl; thirdacl; };
};

# These zones implement the ACLs, but the import engine does not pick them up.
zone "example1.com" {
    type master;
    file "example1.zone";
    allow-query { firstacl; };
};

zone "example2.com" {
    type master;
    file "example2.zone";
    allow-query { secondacl; };
};

zone "example3.com" {
    type master;
    file "example3.zone";
    allow-query { thirdacl; };
};

The view that implements the ACLs does not need to contain the zones. You may use any name, but if you choose default, the zones appear in the default view in Adonis whether or not they are contained in that view, and the ACLs are applied to the default view. The company's previous functionality for the ACLs using zone options can be re-created after the import. To do this, use a different view name to implement the imported ACLs, and then apply the ACLs to the zones in the default view. The zones are automatically imported into default if they are not contained within a view.
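As a pre-import check for the rule above, here is an added Python script (not part of the Adonis import tool) that reports the ACLs a named.conf defines but no view references in match-clients, and prints the empty view that makes them importable; the regular-expression parsing and the sample configuration are constructed here.

```python
"""Pre-import check for the ACL rule above (added example; not the Adonis
import tool).  It lists the ACLs a named.conf defines that no view
references in match-clients, the only place the import tool looks, and
builds the empty view that makes them importable."""
import re

ACL_DEF = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{')
VIEW_DEF = re.compile(r'\bview\s+"([^"]+)"\s*\{')
MATCH_CLIENTS = re.compile(r'\bmatch-clients\s*\{([^}]*)\}')
BUILTIN = {"any", "none", "localhost", "localnets"}


def strip_comments(text):
    """Drop '#' and '//' comments so commented-out stanzas are ignored."""
    return re.sub(r"(#|//).*", "", text)


def block_body(text, open_brace):
    """Return the text between the brace at text[open_brace] and its match."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def defined_acls(text):
    return {m.group(1) for m in ACL_DEF.finditer(text)}


def view_acls(text):
    """ACL names used in some view's match-clients (what the import loads)."""
    used = set()
    for view in VIEW_DEF.finditer(text):
        body = block_body(text, view.end() - 1)
        for clause in MATCH_CLIENTS.finditer(body):
            for item in clause.group(1).split(";"):
                name = item.strip().lstrip("!")
                if name and name not in BUILTIN:
                    used.add(name)
    return used


def acls_not_imported(conf):
    """Sorted names of ACLs that the import tool would silently drop."""
    text = strip_comments(conf)
    return sorted(defined_acls(text) - view_acls(text))


def placeholder_view(name, acl_names):
    """Empty view that implements the given ACLs so they are imported."""
    clients = " ".join(a + ";" for a in acl_names)
    return 'view "%s" {\n    match-clients { %s };\n};\n' % (name, clients)


# Constructed sample: the guide's ACLs and zones, with no view at all.
SAMPLE_CONF = """
acl firstacl { 198.168.3.46; 198.168.3.56; };
acl secondacl { 10.10.200.0/22; };
acl thirdacl { 69.2.124.11; 64.52.36.0/25; };
zone "example1.com" { type master; file "example1.zone"; allow-query { firstacl; }; };
zone "example2.com" { type master; file "example2.zone"; allow-query { secondacl; }; };
zone "example3.com" { type master; file "example3.zone"; allow-query { thirdacl; }; };
"""

if __name__ == "__main__":
    missing = acls_not_imported(SAMPLE_CONF)
    print("ACLs only used in zone options:", missing)
    print(placeholder_view("default", missing))
```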

Importing an Existing DHCP Configuration


You can import an existing DHCP configuration from an ISC-based DHCP server or from a Microsoft DHCP server. You can also import the text file containing the DHCP information into the Management Console using the Import Wizard described on page 224.

ISC DHCP 3.x Config File


The Management Console allows you to import directly from an ISC DHCP server. If multiple DHCP servers are involved, you must import the individual dhcpd.conf files from each DHCP server.


Windows 2000 DHCP Dump File


If you want to import data from a Microsoft DHCP server, you must run the netsh command on the Microsoft server to extract the information into a simple text file. On a Windows 2000 DHCP server, run the following command:
netsh dhcp dump > filename.txt

On a Windows 2003 server, run the following command, replacing <IP address> with the address of the DHCP server:
netsh dhcp server <IP address> dump > filename.txt


Chapter 12

Active Directory Integration

Microsoft Active Directory (AD) is based on well-known network services such as Lightweight Directory Access Protocol (LDAP) and Kerberos. AD was first available in Windows 2000 Server and uses DNS for its location mechanism. DNS has grown to become not only the cornerstone of the Internet, but crucial for connecting Windows clients to their domain controllers. This section explains how AD uses DNS and how Adonis appliances integrate into this environment. Adonis appliances are easy to integrate and they provide a robust, secure, and highly maintainable DNS management platform.

Active Directory and DNS


AD provides a centrally managed directory service for distributed computing environments. This directory service is a central authority for network security, resources, users, and services. AD is based upon LDAP and uses security based on MIT's Kerberos project. Microsoft changed its Windows domain discovery process to use DNS instead of its legacy discovery protocol. This acts like a bootstrapping mechanism for client systems to find the closest or most appropriate Domain Controller (DC). This information is stored in a series of DNS records specifying the following information:

LDAP servers
Kerberos domain controllers
Addresses of the domain controllers
Global Catalog servers
Kerberos password change servers

Before a client can connect to the Windows domain, it needs to find a suitable DC. The Windows client contains a service called NetLogon that uses a DC-locating algorithm to find the appropriate server. This is how the DC-locating algorithm works:

1 It obtains a list of DCs through a DNS query using the domain name, domain Globally Unique Identifier (GUID), and/or site name.

2 The locator pings each controller in random order, using the weighting factor discovered while getting the list of DCs.

3 It waits up to one tenth of a second for a reply from the DC and continues pinging until it has tried all controllers or until it receives a successful response.

4 After a DC responds successfully to a ping, the results from the response are compared to the parameters required by the client. If there is a match, then the DC is used. Otherwise, it resumes pinging other DCs.


Dynamic Domain Controller Registration


Without the proper DNS information, a client cannot discover which server to contact for authentication. Each DC registers and maintains its own AD DNS integration records, consisting of several A (Address), CNAME (Canonical Name), and SRV (Service) records. These records are initially registered by the DC's NetLogon service. This is performed through a standard DNS zone transfer (AXFR) and updated by the DC through DDNS (RFC 2136).

When examining these records in the Microsoft DNS server, you may think that this data must reside in sub-zones of the parent domain. This is not necessarily the case, because DDNS updates have no way of creating additional zones. The records are simply added as resource records with label separators (".") into the parent domain's zone file. Notice that some record names contain underscore ("_") characters. This is common practice in Microsoft development tools and was borrowed for the DNS naming technique for AD. The following table lists the naming conventions used in the records:

DNS Label   Description
_ldap       LDAP service
_tcp        Service uses TCP connections
_udp        Service uses UDP connections
_kerberos   Record contains information about a Kerberos Key Distribution Center (KDC)
_msdcs      Service is running on a Domain Controller
_kpasswd    Kerberos Password Change service
_gc         Global Catalog service
_sites      Record contains information about a specific site
dc          Domain Controller (DC)
gc          Global Catalog (GC)

A registered DNS record can contain one or more of the above names to describe a service that can be queried. For example, the following record locates an LDAP service on server1.bluecatnetworks.com in the bluecatnetworks.com domain:
_ldap._tcp.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com

An alternative form of this record that indicates that the LDAP service is on a DC has the following syntax:
_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com
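To show how the label table above decodes a registered record, here is an added Python example (not Adonis code) that parses AD locator SRV records into their components and reports which of the three _ldap locator names shown on this page a given DC has not yet registered; the site name hq and the zone extract are constructed.

```python
"""Decode AD locator SRV records and check that a DC has registered the
_ldap forms this guide shows (added example, not Adonis code).  The zone
lines and the site name "hq" are constructed."""

# Meaning of the AD labels, from the naming-convention table above.
LABELS = {
    "_ldap": "LDAP service", "_kerberos": "Kerberos KDC",
    "_kpasswd": "Kerberos password change", "_gc": "Global Catalog",
    "_tcp": "TCP", "_udp": "UDP",
}


def parse_ad_srv(line):
    """Parse 'owner [ttl] [class] SRV prio weight port target' into fields."""
    tokens = line.split()
    rr = tokens.index("SRV")
    owner = tokens[0].rstrip(".").lower()
    prio, weight, port = (int(t) for t in tokens[rr + 1:rr + 4])
    labels = owner.split(".")
    service, proto = labels[0], labels[1]
    scope, rest = "domain", labels[2:]
    if len(rest) > 1 and rest[0] == "dc" and rest[1] == "_msdcs":
        scope, rest = "dc", rest[2:]              # service runs on a DC
    elif len(rest) > 1 and rest[1] == "_sites":
        scope, rest = "site:" + rest[0], rest[2:]  # site-scoped record
    return {
        "service": LABELS.get(service, service),
        "protocol": LABELS.get(proto, proto),
        "scope": scope, "domain": ".".join(rest),
        "priority": prio, "weight": weight, "port": port,
        "target": tokens[rr + 4].rstrip(".").lower(),
    }


def expected_ldap_names(domain, site):
    """The three _ldap locator owner names this guide describes."""
    return {
        "_ldap._tcp.%s" % domain,
        "_ldap._tcp.%s._sites.%s" % (site, domain),
        "_ldap._tcp.dc._msdcs.%s" % domain,
    }


def unregistered_ldap_records(zone_lines, domain, site, dc_host):
    """Expected _ldap names that no SRV record in the zone points at dc_host."""
    seen = set()
    for line in zone_lines:
        if " SRV " in line:
            rec = parse_ad_srv(line)
            if rec["target"] == dc_host.lower():
                seen.add(line.split()[0].rstrip(".").lower())
    return sorted(expected_ldap_names(domain, site) - seen)


# Constructed zone extract: the site-scoped record is deliberately missing.
ZONE = [
    "_ldap._tcp.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com",
    "_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com",
]

if __name__ == "__main__":
    print(parse_ad_srv(ZONE[1]))
    print(unregistered_ldap_records(ZONE, "bluecatnetworks.com", "hq",
                                    "server1.bluecatnetworks.com"))
```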

For a detailed list of these records, see Active Directory DNS Records on page 235.

Integrating Adonis into Active Directory


Adonis integrates easily into the AD environment. The simplest way to integrate the appliance is to use the Active Directory Wizard for each zone that needs AD integration. The wizard asks for the IP addresses of each DC that registers its records. When the project file is complete it is deployed, and the AD servers are informed that their primary DNS server is now an Adonis appliance. After this step, the DCs register their records and client machines use the information to gain access to the AD domain. You can also integrate Adonis manually.

To integrate Adonis manually:


1 Create an ACL that contains the addresses of all the DCs.

2 Add this ACL to each DNS server.

3 For the master server, allow zone transfers.

4 For each master zone, allow dynamic updates using the ACL.

5 For each slave zone, allow update forwarding using the ACL. This forwards dynamic updates to the master zone.

After you deploy the project file, it takes time for the DCs to register their records. The amount of time taken depends on the DCs' registration settings and can be changed to suit your organization's needs. DCs usually inspect their records after the interval has expired. After the DCs have registered their records, a refresh of the master server's configuration shows the Active Directory records.
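The five manual steps above, expressed as the named.conf stanzas they produce, in an added Python example that is not Adonis output; the ACL name ad-dcs, the zone name and the addresses are constructed placeholders, and the DC addresses are validated before they are written into allow-update.

```python
"""Generate the named.conf stanzas for the five manual integration steps
above (added example; not produced by Adonis).  The ACL name, zone name,
file names and addresses are constructed placeholders.  DC addresses are
validated first so that a typo cannot silently widen allow-update."""
import ipaddress


def dc_acl(name, dc_addresses):
    """Step 1: an ACL listing every DC that registers records."""
    entries = []
    for addr in dc_addresses:
        entries.append(str(ipaddress.ip_address(addr)))   # raises on bad input
    return "acl %s { %s };\n" % (name, " ".join(e + ";" for e in entries))


def master_zone(zone, acl_name, allow_transfer_to):
    """Steps 3 and 4: a master zone that takes dynamic updates from the DCs
    and allows zone transfers to the slave servers."""
    return (
        'zone "%s" {\n'
        "    type master;\n"
        '    file "%s.zone";\n'
        "    allow-update { %s; };\n"
        "    allow-transfer { %s };\n"
        "};\n"
    ) % (zone, zone, acl_name, " ".join(s + ";" for s in allow_transfer_to))


def slave_zone(zone, acl_name, masters):
    """Step 5: a slave zone forwarding the DCs' dynamic updates to the master."""
    return (
        'zone "%s" {\n'
        "    type slave;\n"
        '    file "%s.zone";\n'
        "    masters { %s };\n"
        "    allow-update-forwarding { %s; };\n"
        "};\n"
    ) % (zone, zone, " ".join(m + ";" for m in masters), acl_name)


def integration_config(zone, dcs, master_ip, slave_ips, acl_name="ad-dcs"):
    """Return (master_conf, slave_conf); step 2 puts the ACL on both servers."""
    acl = dc_acl(acl_name, dcs)
    master = acl + master_zone(zone, acl_name, slave_ips)
    slave = acl + slave_zone(zone, acl_name, [master_ip])
    return master, slave


if __name__ == "__main__":
    # Constructed addresses and zone name.
    m, s = integration_config("example.test", ["10.0.0.11", "10.0.0.12"],
                              "10.0.1.1", ["10.0.1.2"])
    print(m)
    print(s)
```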


Windows 2000 networks also allow clients to register their own Address (A) and Pointer (PTR) records with their DNS server. In most cases, organizations use DHCP servers that can perform the registration directly with the DNS server (this is a more secure method). However, if desired, clients can still register themselves directly with the DNS server by allowing those specific clients to make dynamic updates.

DNS Replication
There are two approaches to DNS record replication: Master-Slave and Master-Master.

Master-Slave: This is the recommended method for managing DNS. The current industry standard (outlined in RFC 1034 and 1035) states that a secondary zone (slave) replicates its contents from a primary (master) zone on a given internal network. The Master-Slave architecture works on Windows, UNIX, and other operating systems. The following table lists the pros and cons of a Master-Slave replication system:

Master-Slave Replication System

Pros:
- An industry standard method for maintaining zone data.
- The master always contains the most up-to-date information.
- A central repository for zone data.
- It does not require other services to replicate data.

Cons:
- Master server updates are required to make changes on other servers.
- If a slave is updated, a small delay exists before the update is propagated.
- It requires the latest version of BIND software to take advantage of update forwarding.


Master-Master: The recommended Microsoft architecture for AD specifies that the DNS servers should reside on the DC, eliminating the need to perform zone transfers. The following table lists the pros and cons of the Master-Master method of replication:

Master-Master Replication System

Pros:
- A central repository for all zone data.
- Editing the DNS in one zone replicates to all others.
- Saves bandwidth and processing power by using existing LDAP replication to replicate DNS data.

Cons:
- Microsoft-only implementations.
- Zone serial numbers can be inconsistent in SOA data.
- Non-standard architecture. Not favored in heterogeneous environments.
- Relies on LDAP for replication. LDAP replication may not be acceptable for external zone data.

Because Adonis uses the BIND 9.x name server software, its architectures are Master-Slave based.

Active Directory DNS Records


The following section contains a list of Active Directory specific records that are registered by the NetLogon service. Each record is followed by an example of its usage.


SRV Records
_ldap._tcp.<DomainName>: SRV record that identifies an LDAP server in the domain named by <DomainName>. The LDAP server is not necessarily a Domain Controller (DC). This record is registered by all DCs. For example:
_ldap._tcp.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.<DomainName>: Enables a client to find an LDAP server in the domain named by <DomainName>. This record is registered by all DCs. For example:
_ldap._tcp.richmondhill._sites.bluecatnetworks.com

_ldap._tcp.dc._msdcs.<DomainName>: Used by clients to locate a Domain Controller (DC) in the domain named by <DomainName>. This record is registered by all DCs. For example:
_ldap._tcp.dc._msdcs.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>: Enables a client to locate a DC for the site and domain named by <SiteName> and <DomainName> respectively. For example:
_ldap._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com

_ldap._tcp.pdc._msdcs.<DomainName>: Enables a client to locate the Primary Domain Controller (PDC) for the domain named by <DomainName>. This record is registered only by the PDC of the domain. For example:
_ldap._tcp.pdc._msdcs.bluecatnetworks.com

_ldap._tcp.gc._msdcs.<DomainName>: Enables a client to find the Global Catalog (GC) for the forest. Only the DC for the GC registers this record. For example:
_ldap._tcp.gc._msdcs.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.gc._msdcs.<ForestName>: Enables a client to find a GC for the forest named by <ForestName>. Only an LDAP server responsible for the GC registers this record. For example:
_ldap._tcp.richmondhill._sites.gc._msdcs.bluecatnetworks.com

_gc._tcp.<ForestName>: Enables a client to locate a GC for the forest named by <ForestName>. Only an LDAP server responsible for the GC registers this record. The LDAP server is not necessarily a DC. For example:
_gc._tcp.bluecatnetworks.com

_gc._tcp.<SiteName>._sites.<ForestName>: Enables a client to find a GC for the site and forest named by <SiteName> and <ForestName> respectively. Only an LDAP server responsible for the GC registers this record. For example:
_gc._tcp.richmondhill._sites.bluecatnetworks.com

_ldap._tcp.<DomainGuid>.domains._msdcs.<ForestName>: Used by clients to find a DC given the domain GUID <DomainGuid> in the forest named by <ForestName>. This lookup can be used to resolve the DC if the domain name has changed. This record is used infrequently and does not work if the <ForestName> has been changed. For example:
_ldap._tcp.01693484-b5c4-4b31-8608-80e77ccc78b8.domains._msdcs.bluecatnetworks.com

_kerberos._tcp.<DomainName>: Enables a client to find a Kerberos Key Distribution Center (KDC) for the domain named by <DomainName>. This record is registered by all DCs providing the Kerberos service. The service is an RFC 1510 compliant Kerberos 5 KDC. The server is not necessarily a DC. For example:
_kerberos._tcp.bluecatnetworks.com


_kerberos._udp.<DomainName>: Enables a client to find a Kerberos Key Distribution Center (KDC) for the domain named by <DomainName>. This record is registered by all DCs providing the Kerberos service. The service is an RFC 1510 compliant Kerberos 5 KDC. The server is not necessarily a DC. This service supports UDP. For example:
_kerberos._udp.bluecatnetworks.com

_kerberos._tcp.<SiteName>._sites.<DomainName>: Enables a client to locate a server running the Kerberos KDC for the site and domain named by <SiteName> and <DomainName> respectively. The server is not necessarily a DC. For example:
_kerberos._tcp.richmondhill._sites.bluecatnetworks.com

_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DomainName>: Used by clients to locate the DC running a Kerberos KDC for the site and domain named by <SiteName> and <DomainName> respectively. For example:
_kerberos._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com

_kpasswd._tcp.<DomainName>: Enables a client to find a Kerberos Password Change Server for the domain named by <DomainName>. The server is not necessarily a DC. All DCs running the Kerberos KDC register this record. For example:
_kpasswd._tcp.bluecatnetworks.com

_kpasswd._udp.<DomainName>: Enables a client to find a Kerberos Password Change Server for the domain named by <DomainName>. The server is not necessarily a DC. All DCs running the Kerberos KDC register this record. For example:
_kpasswd._udp.bluecatnetworks.com

A Records
<ServerName>.<DomainName>: The server named by <ServerName> is registered in the domain named by <DomainName>. This record is used by referral lookups from SRV and CNAME records. For example:
dc1.bluecatnetworks.com

gc._msdcs.<ForestName>: Enables a client to find a GC for the forest named by <ForestName>. This record is used by referral from SRV records. For example:
gc._msdcs.bluecatnetworks.com

CNAME Records
<DSAGuid>._msdcs.<ForestName>: Enables a client to locate any DC in the forest named by <ForestName> by the GUID of its MSFT-DSA (Directory Services) object. For example:
01693484-b5c4-4b31-8608-80e77ccc78b8._msdcs.bluecatnetworks.com
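As an added check that is not part of this guide or of BlueCat's tooling, the Python below builds the NetLogon record names described above for a domain, site and forest and compares them with a zone dump (for example the output of a zone transfer), so you can confirm after deploying the project file that the DCs have registered. The sample zone dump, the DC host names and the 192.0.2.x address are constructed; the forest name defaults to the domain name, and the GUID-based names are included only when the GUIDs are supplied.

```python
"""Check that the Active Directory locator records have been registered.

Added example for this guide's record list (not BlueCat's code): build the
NetLogon record names for a domain, site and forest, then look for them in a
zone dump such as the output of a zone transfer.
"""
import re

# One master-file line with an explicit owner, as a zone transfer prints it:
#   owner [TTL] [IN] TYPE rdata
ZONE_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?"
    r"(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)


def expected_ad_records(domain, site, forest=None, domain_guid=None, dsa_guid=None):
    """Return {record name: record type} for the NetLogon records listed above."""
    forest = forest or domain  # single-domain forest unless told otherwise
    names = {
        f"_ldap._tcp.{domain}": "SRV",
        f"_ldap._tcp.{site}._sites.{domain}": "SRV",
        f"_ldap._tcp.dc._msdcs.{domain}": "SRV",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}": "SRV",
        f"_ldap._tcp.pdc._msdcs.{domain}": "SRV",
        f"_ldap._tcp.gc._msdcs.{forest}": "SRV",
        f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}": "SRV",
        f"_gc._tcp.{forest}": "SRV",
        f"_gc._tcp.{site}._sites.{forest}": "SRV",
        f"_kerberos._tcp.{domain}": "SRV",
        f"_kerberos._udp.{domain}": "SRV",
        f"_kerberos._tcp.{site}._sites.{domain}": "SRV",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}": "SRV",
        f"_kpasswd._tcp.{domain}": "SRV",
        f"_kpasswd._udp.{domain}": "SRV",
        f"gc._msdcs.{forest}": "A",
    }
    if domain_guid:  # only registered when the GUID is known
        names[f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}"] = "SRV"
    if dsa_guid:
        names[f"{dsa_guid}._msdcs.{forest}"] = "CNAME"
    return names


def parse_zone(text):
    """Return {(owner, type): [rdata, ...]} from a zone dump with explicit owners."""
    records = {}
    for raw in text.splitlines():
        # Skip blanks, comments, $ directives and owner-less continuation lines.
        if not raw or raw[0].isspace() or raw[0] in ";$":
            continue
        m = ZONE_LINE.match(raw.split(";", 1)[0].strip())
        if m is None:
            continue
        key = (m.group("owner").rstrip(".").lower(), m.group("type"))
        records.setdefault(key, []).append(m.group("rdata").strip())
    return records


def missing_ad_records(zone_text, domain, site, **kwargs):
    """Names from expected_ad_records() that the zone dump does not contain."""
    present = parse_zone(zone_text)
    expected = expected_ad_records(domain, site, **kwargs)
    return sorted(n for n, t in expected.items() if (n.lower(), t) not in present)


def registered_dcs(zone_text, domain):
    """Host names of the DCs that registered the _ldap._tcp.dc._msdcs SRV record."""
    key = (f"_ldap._tcp.dc._msdcs.{domain}".lower(), "SRV")
    # SRV rdata is "priority weight port target".
    targets = parse_zone(zone_text).get(key, [])
    return sorted({rdata.split()[-1].rstrip(".") for rdata in targets})


# Constructed sample dump: two DCs in site richmondhill, with the
# _kpasswd._udp record deliberately left unregistered.
SAMPLE_ZONE = """\
$ORIGIN bluecatnetworks.com.
_ldap._tcp.bluecatnetworks.com. 600 IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.bluecatnetworks.com. 600 IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.dc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.dc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 389 dc2.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.pdc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.gc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 3268 dc1.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.gc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 3268 dc1.bluecatnetworks.com.
_gc._tcp.bluecatnetworks.com. 600 IN SRV 0 100 3268 dc1.bluecatnetworks.com.
_gc._tcp.richmondhill._sites.bluecatnetworks.com. 600 IN SRV 0 100 3268 dc1.bluecatnetworks.com.
_kerberos._tcp.bluecatnetworks.com. 600 IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._udp.bluecatnetworks.com. 600 IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._tcp.richmondhill._sites.bluecatnetworks.com. 600 IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com. 600 IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kpasswd._tcp.bluecatnetworks.com. 600 IN SRV 0 100 464 dc1.bluecatnetworks.com.
gc._msdcs.bluecatnetworks.com. 600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    print("missing:", missing_ad_records(SAMPLE_ZONE, "bluecatnetworks.com", "richmondhill"))
    print("registered DCs:", registered_dcs(SAMPLE_ZONE, "bluecatnetworks.com"))
```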


Appendix A

Integrating with Mirage Post-Admission NAC Appliance


Adonis can integrate with a Mirage post-admission NAC device through the Adonis Mirage Adapter (AMA). The AMA is a Linux daemon that listens for notifications from Mirage, and then takes the appropriate action. This chapter explains how to set up and control the Adonis Mirage Adapter that integrates Adonis with the Mirage post-admission NAC appliance.

- About the AMA on page 239 explains how AMA works and the steps you must complete to configure it.
- Setting up the AMA on page 240 explains how to configure AMA. However, you must still follow the instructions in the following section to complete the integration.
- Configuring Mirage on page 242 explains how to configure Mirage to send the appropriate notifications to Adonis and AMA.
- Controlling the AMA on page 243 lists the Linux commands you need to control AMA.

About the AMA


Mirage notifies Adonis of hosts entering or leaving a zone (a Mirage-defined network). Depending on the notification, AMA may authenticate a host and inform Mirage of the authentication results. AMA may also inform the MAC Authentication system to deny or allow a host that is entering or leaving a quarantine zone.


Setting up the AMA


The next two sections explain how to integrate Mirage with Adonis.
It is important to follow the instructions in the order in which they are presented.

The process includes four stages:
- enabling SSH communication between Adonis and Mirage
- configuring AMA
- configuring Mirage
- controlling the AMA daemon

Enabling SSH Between Adonis and Mirage


Adonis and Mirage communicate through Secure Shell (SSH). To do this, they must share an SSH key.
Before you start, locate the password that was shipped with your appliance.

This procedure creates two new files in the working directory, identity.ppk and identity.ppk.pub.

To set up Adonis and Mirage to share an SSH key:


1 Log in to Adonis as root.
2 Type ssh-keygen -t rsa, and then press Enter.
3 When prompted for a file name, type identity.ppk, and then press Enter.
4 When prompted for a passphrase, press Enter to leave the passphrase field empty.
5 Copy identity.ppk to /usr/local/bluecat.
6 Rename identity.ppk.pub as authorized_keys2.
7 Copy authorized_keys2 to /root/.ssh/ on the Mirage machine.

The next stage is to configure the AMA.

Configuring the AMA


The Management Console allows you to configure and run AMA in a simple GUI environment. The following parameters are necessary for configuring AMA:

Default Zone: The name of the zone to which all IPs are first sent by Mirage, before they are approved for wider access to the network. It is also referred to as the Parking Lot. For more information, see the Mirage documentation.

External Authority: The name Mirage uses to identify this particular Adonis appliance. You should use the name DHCPServer_Adapter.

SSH Cmd User: AMA uses Secure Shell (SSH) to communicate with Mirage. This is the user name for SSH.

SSH Cmd Password: This is the password for SSH.

Quarantine Zones: The name that defines a quarantine zone when you configure Mirage. You can create multiple zones.

To configure the AMA daemon:


1 From the Server drop-down menu select Server Control. The Server Control dialog box appears.

2 Scroll through the Action list, select the Start Adonis Mirage Adapter option, and then click Execute. The Mirage Adapter Data dialog box appears.


3 Type the Default Zone name.

4 Type DHCPServer_Adapter for the External Authority.

5 Type the SSH Cmd User name and SSH Cmd Password.

6 To create a quarantine zone, right-click in the white area, and then click New. The New Quarantine Zone dialog box appears.

7 Type the name of the zone, and then click OK.

8 Click OK.

The next stage is to configure Mirage to send notifications.

Configuring Mirage
To configure Mirage you must use the Mirage Operations Console. This process involves creating an external authority, creating a profile group and profiles, and configuring three zones.
These instructions are provided for convenience only. For more information about configuring Mirage, consult the official Mirage documentation, or visit their official website at: http://www.miragenetworks.com.

Creating an External Authority


Before it can communicate with Adonis, Mirage must know how to identify it. You must create an external authority that has the same name that you used when configuring AMA.

To create an external authority:


1 Right-click the Managed Server domain, and then select New External Authority.
2 Type DHCPServer_Adapter as the external authority's name.
3 Click OK.

Creating a Profile Group and Profiles


In the next step you create a profile group that contains profiles for hosts that pass authentication and for hosts that fail authentication.

Creating a Profile Group


To create a profile group:
1 Right-click a Profiles folder in the Managed Resources navigation tree, and then select Add Profile Group.
2 Type DHCPServer_Adapter_Authentication as the profile group's name.
3 Click Finish.

Creating a Pass Profile


To create a profile for hosts that pass authentication:
1 Right-click the DHCPServer_Adapter_Authentication group, and then select Add Profile.


2 Type DHCPServer_Authentication_Passed as the profile name.
3 Type a description of the profile.
4 Click Finish.
5 Add the following Include Condition to the profile:
enable Device session Authenticated (dhcpserver_adapter) is TRUE.

Creating a Fail Profile


To create a profile for hosts that fail authentication:
1 Right-click the DHCPServer_Adapter_Authentication group, and then select Add Profile.
2 Type DHCPServer_Authentication_Failed as the profile name.
3 Type a description.
4 Click Finish.
5 Add the following Include Condition to the profile:
enable Device session Authenticated (dhcpserver_adapter) is FALSE.

Configuring Zones
The final stage is to configure the following zones, which Mirage creates by default. The following table shows you how to configure them:

Unknown Devices
    Description: Initial zone to which all IPs are sent on entering the network. Because both dynamic and static IPs are sent to this zone, it is recommended that this zone have all access to the network. If a static IP enters the network, it sits in this zone for a short time before it is sent to the Quarantined Zone.
    Profile: Include: Unknown Devices; Exclude: DHCPServer_Authentication_Passed

Full Access
    Description: Zone to which all authenticated hosts are sent.
    Profile: Include: DHCPServer_Authentication_Passed

No Access
    Description: Zone to which all non-authenticated hosts are sent.
    Profile: Include: DHCPServer_Authentication_Failed

For more information about configuring zones, refer to the Mirage documentation.

Controlling the AMA


You control the AMA through its executable. The AMA executable is stored in /usr/local/bluecat/ama. To use this executable effectively you should be comfortable with the concept of system logs, and you should know the difference between a daemon and a normal process.

To run AMA with a parameter:


1 Log into the Administration Console.


2 Type !/usr/local/bluecat/ama parameter, where parameter is one of the following:

-f syslog facility
    AMA uses the system log. You can specify a syslog facility instead of the default (daemon). The valid facilities include local0, local1, local2, local3, local4, local5, local6, and local7.

-p syslog priority
    You can specify a system log priority. The valid priorities, from highest to lowest, are emerg, alert, crit, err, warning, notice, info, and debug. AMA logs messages with a priority greater than or equal to the setting. The default priority is notice.

-t
    Normally, AMA runs as a daemon. The trace switch makes it run as a normal process and output logs to the console.

-v
    Show AMA's version.

-h
    Show AMA's usage.


Index

A
A records ... 101
AAAA records ... 101, 151
access control ... 25
    configuring ... 23
Access Control Lists
    definitions for importing ... 228
    managing ... 146
Active Directory
    A records ... 237
    CNAME records ... 237
    creating DNS architecture ... 77
    DNS overview ... 231
    DNS Records ... 235
    DNS replication ... 234
    domain controllers ... 80, 231
    Dynamic DNS (DDNS) ... 128
    Dynamic Domain Controller registration ... 232
    integration ... 231-235
    integration with Adonis ... 130
    Primary Domain Controller ... 110
    record naming conventions ... 232
    SRV records ... 236
    synchronization ... 131
    Wizard ... 130, 233
Administration Console ... 15
    command history ... 18
    command server ... 51
    configuration mode ... 16
    configuring Anycast ... 50
    DHCP service control ... 195
    Help ... 16
    logs ... 57, 58
    MAC authentication ... 195
    main mode ... 16
    reboot ... 42
    restart BIND ... 98
    server controls ... 42
    service control ... 51
    setting the time ... 44
    shutdown ... 42
    start BIND ... 98
    stop BIND ... 98
    TFTP service control ... 196
    time zone ... 45
administration password ... 41
Adonis
    Administration Console ... 15
    authenticator management ... 38
    caching server ... 76
    controlling from Proteus ... 13
    deployment overview ... 12
    Detect Server Appliance Type ... 55
    Disable Query Logging ... 55
    DNS implementation ... 97
    Enable Query Logging ... 55
    Extraction Tool ... 98
    failover ... 210
    hostname ... 44
    IPv6 support ... 12
    LCD ... 42
    Management Console ... 19
    manual updates ... 69
    Mirage Adapter (AMA) ... 239
    organization ... 11
    ping node ... 202
    ports ... 210
    project files, overview ... 12
    proxy settings ... 37


    reboot ... 42
    resetting from Proteus control ... 41
    setting the time ... 44
    shutdown ... 42
    supported DNS RFCs ... 98
    traps ... 64
    updating ... 36
    using external authenticators ... 29
Agent ID ... 197
allow query ... 148
AMA
    configuring ... 240
    MAC authentication ... 239
Anycast ... 50
authenticators ... 192
    external ... 29
    Kerberos ... 30
    LDAP ... 32
    management ... 38
    Radius ... 31
authoritative DNS
    delegation ... 104
    servers ... 107
auto generate, BIND $GENERATE statement ... 98
auto-generation
    resource records ... 118
automatic serial number generation ... 98
auto-negotiated settings ... 44

B
BIND ... 210
    DNS service control ... 98
    matching order ... 144
    restarting ... 98
    start ... 53
    stop ... 53
    views feature ... 97, 144
blackhole query ... 148

C
cache size ... 109
cache zone ... 108
cert.ks files ... 40
certificate keystore ... 40
certificates
    deleting ... 39
    managing ... 38-41
CIDR ... 195
Circuit ID ... 197
Classless Inter-Domain Routing ... 195
CNAME records ... 101
command history, viewing ... 18
configuration mode
    Help ... 17
configurations
    deploying ... 92
    front-end master ... 75
    front-end slaves ... 75
    hidden master ... 75
    master-only ... 74
    migration ... 98
    reviewing changes ... 18
    saving ... 18
    settings ... 16
crossover high availability, see XHA

D
data checker ... 132, 135
    settings ... 91
    severity level ... 91
Data Navigator ... 22
DDI ... 102
DDNS
    configuring ... 130
    DHCP service options ... 129
    DNS options ... 129
    IP address ... 128
    transaction signatures ... 140
default gateway ... 165
delegation ... 104
delegation-only zone ... 97, 110
deploy project file ... 92


deployment password ... 41
Deployment Wizard ... 92
DHCP
    adding MAC authentication ... 190
    address binding states ... 212
    classes ... 175
    common objects ... 159
    communication-interrupted state ... 212
    configuring ... 81
    custom client configurations ... 175
    custom options ... 181
    DDNS service options ... 129
    declarations ... 158
    DHCP lease viewer ... 156
    DHCPv6 interface scope ... 198
    DHCPv6 network scope ... 198
    DHCPv6 service, creating ... 198
    Duplicate Address Detection (DAD) ... 198
    failover ... 197, 210
    failover on a pool ... 219
    failover pool settings ... 220
    failover, setting up ... 218
    files, dhcpd.conf ... 156
    files, subnet.csv ... 156
    files, dhcpd.leases ... 156
    groups ... 159
    hosts, declaring ... 162
    interface scope, DHCPv6 ... 198
    IP layer parameters ... 165
    IPv6 multicast groups ... 198
    IPv6 service control ... 195
    IPv6, stateless autoconfiguration ... 197
    lease viewer ... 196
    MAC authentication ... 188
    master server, defining ... 78
    multicast groups, IPv6 ... 198
    Neighbour Solicitation message ... 198
    network scope, DHCPv6 ... 198
    Network Time Protocol ... 210
    normal state ... 212
    option codes ... 165
    overview ... 11, 155
    partner-down state ... 213
    permit lists ... 161
    potential-conflict state ... 213
    preferred address ... 198
    recovery state ... 213
    recovery-wait state ... 213
    relay agents ... 157
    Router Advertisement message ... 198
    Router Solicitation message ... 198
    scope ... 158
    scope splitting ... 197, 210
    server states ... 212
    service scope, DHCPv6 ... 198
    shared networks ... 160, 161
    start ... 54
    state, communication-interrupted ... 212
    state, normal ... 212
    state, partner-down ... 213
    state, potential-conflict ... 213
    state, recovery ... 213
    state, recovery-wait ... 213
    stateless IPv6 autoconfiguration ... 197
    stop ... 54
    subclass ... 177
    subnet mask ... 165
    subnets ... 159
    tentative address ... 198
    transaction signatures ... 140
    vendor profiles ... 178
    zone ... 183
DHCPv6
    introduction ... 197
    service scope ... 198
    service, configuring ... 199
disable zones ... 97
disaster recovery ... 201
DNAME records ... 102
DNS
    Active Directory records ... 235
    Adonis implementation ... 97
    authoritative servers ... 104, 107
    available options ... 100
    BIND views ... 97
    blackhole ... 148
    cache cleaning interval ... 109
    cache size ... 109
    caching options ... 108
    caching servers ... 76
    DDNS options ... 129


    DDNS overview ... 128
    delegation ... 104
    DNS service level ... 100
    external ... 104
    initial service ... 73
    internal ... 104
    IPv6 ... 151
    MAC authentication ... 194
    migrating configurations ... 98
    network architecture, selecting ... 73
    overview ... 11
    queries ... 148
    record types ... 102
    records, Active Directory ... 235
    recursive ... 108
    redundant configuration ... 75
    replication under Active Directory ... 234
    reverse DNS ... 123, 183
    service options ... 100
    SOA, defining ... 113
    sort list ... 109
    supported RFCs ... 98
    transaction signatures ... 140
    transaction signatures for remote slave ... 140
    TTL upper limit ... 109
    VoIP functionality ... 124
    zone ... 183
    zone options ... 112
    zone refresh ... 111
    zone, deleting ... 112
    zone, disabling ... 112
    zone, enabling ... 112
    zone, renaming ... 111
DNS Fixup Wizard ... 132
domain controllers ... 236
    finding nearest ... 231
    identifying ... 80
    registration ... 232
domain name ... 136, 236
duplex setting ... 43, 44, 202
Duplicate Address Detection ... 198
Dynamic DDNS, see DDNS

E
e.164 zones ... 124
enable zones ... 97
ENUM
    prefixes ... 124
    used for VoIP ... 124
    zones ... 124
eth0 adapter ... 202
external authenticators ... 29
external configurations, importing ... 223
external DNS ... 104

F
failover ... 197
    manual ... 208
    monitoring ... 213
    pool settings ... 220
    setting up ... 218
    states ... 212
Failover Monitor ... 213, 214
file locations, modifying ... 88
files
    cert.ks ... 40
    dhcpd ... 195
    dhcpd.conf ... 229
    fomon.sh ... 214
    named.conf ... 228
firewall
    disabling ... 51
    enabling ... 51
    ports and settings ... 51
    status ... 51
flags
    NAPTR records ... 125
FOMON, see Failover Monitor
forward master zone ... 105
forwarding zone ... 109
front panel LCD ... 42
full duplex ... 202


G
gateway ... 43, 48, 49, 165
    address setting ... 43
global catalog ... 236
global options ... 100
groups ... 159

H
heartbeat ... 51, 201
Help
    Administration Console ... 16
    configuration mode ... 17
    main mode ... 16
High Availability Wizard ... 201
HINFO records ... 102
hostname ... 44

I
Import Wizard ... 224
importing named.conf files ... 228
in-addr.arpa zones ... 124
incremental resource records ... 119
Information Sheet
    unique password ... 15
inheritance, options ... 100
interface scope, DHCPv6 ... 198
internal DNS ... 104
IP address
    DDNS ... 128
    setting ... 43
IPAM appliance ... 13
IPv6
    AAAA records ... 151
    address, creating ... 151
    creating reverse lookup address ... 152
    DHCPv6 service, configuring ... 199
    DHCPv6 service, creating ... 198
    DNS ... 151
    mixed IPv4/IPv6 environments ... 153
    Neighbour Discovery ... 198
    NS records ... 153
    prefixes ... 197
    reverse lookup ... 152
    stateless autoconfiguration ... 197
IPv6 support ... 12
ISDN record ... 102

K
Kerberos
    Key Distribution Centre ... 30, 236, 237
    password change server ... 237
Kerberos authenticator ... 30, 236
keystore ... 40
    default location ... 38

L
LCD
    disable ... 42
    enable ... 42
LDAP authenticator ... 32, 130, 236
Lease Viewer ... 196
level, setting DNS options ... 100
live data check ... 135
Live Zone Import Wizard ... 225
load balance ... 212
logging queries ... 149
logs
    redirecting ... 57
    system ... 56
    viewing ... 58
log files
    check in/out ... 87

M
MAC Address Filtering ... 184
MAC authentication ... 192, 193, 194
    adding to DHCP ... 190
    AMA ... 239
    dynamic instead of static ... 188
    menu ... 195
    overview ... 156
    pools ... 193

Version 5.5

Adonis Administration Guide

249

Index MAD Servers .......................................192 Mail Exchanger (MX) record.....................101 main mode Help ............................................ 16 Management Console ............................. 19 accessing....................................... 19 configurations................................. 98 creating transaction signatures ...........140 default options ............................... 35 detail pane .................................... 21 Detect Server Appliance Type.............. 55 DNS service options .........................100 migration ...................................... 98 navigating ..................................... 20 new groups, adding .......................... 26 new users, adding ............................ 25 resource records, disabling ................. 98 resource records, enabling ................. 98 root delegation only ......................... 98 search and replace ........................... 23 server controls ................................ 54 toolbar ......................................... 20 tree-view pane ............................... 21 user management ............................ 25 version ......................................... 65 Whois lookup tool ...........................136 zone template ...............................115 manual failover ...................................208 manual updates.................................... 69 master zone .......................................105 start of authority ............................114 master-only architecture ........................ 74 Mirage configuring ...................................242 Post-Admission NAC Appliance ............239 zones ..........................................243 multicast groups, DHCPv6 ......................198 naming conventions Active Directory ............................. 232 NAPTR records flags ........................................... 125 Network Access Control......................... 
184 network interface settings ........................................ 43 network scope, DHCPv6......................... 198 Network Time Protocol ................44, 46, 210 New Project Wizard .............................. 71 New View Wizard ................................ 145 New Zone Wizard ................................ 104 NTP ............................................ 46, 210

O
objects replace......................................... 22 search .......................................... 22 OMAPI DHCP potential conflict state ............. 213 DHCP server configurations................ 155 overview...................................... 196 port............................................ 173 Open Mobile Application Processor Interface, see OMAPI option codes ...................................... 165 options inheritance ................................... 100 levels.......................................... 100 precedence of setting ...................... 100 OSPF................................................. 50

P
password administration ................................ 41 deployment ................................... 41 Information Sheet ............................ 15 Kerberos ...................................... 237 peer server........................................ 210 permit lists........................................ 161 ping node.......................................... 202

N
NAC, see Network Access Control Name Server (NS) records.......................101 Naming Authority (NAPTR) record .............102

250

Adonis Administration Guide

Version 5.5

Index Pointer (PTR) record.............................102 pools................................................161 ports Adonis, encrypted control .................. 12 for MAC authentication.....................188 OMAPI ...................................173, 196 proxy settings ................................. 38 TCP ............................................. 33 Primary Domain Controller .....................110 product updates ................................... 36 profile group ......................................242 project files add server ..................................... 89 check in/check out........................... 85 correcting ..................................... 90 creating ........................................ 71 data check............................... 91, 132 deploying ...................................... 92 importing ...................................... 96 saving on the workstation................... 84 storing on the appliance .................... 84 Proteus control of Adonis ........................ 41 proxy settings ...................................... 37

R
Radius authenticator ............................. 31 reboot, start services ............................ 53 records A ............................................... 101 A6.............................................. 151 AAAA .................................... 101, 151 alias (CNAME) ................................ 101 DNAME ........................................ 102 DNS ............................................ 102 HINFO ......................................... 102 ISDN ........................................... 102 Mail Exchanger (MX) ........................ 101 Name Server (NS) ........................... 101 Naming Authority (NAPTR)................. 102 Pointer (PTR) ................................ 102 quad-A .................................. 101, 151 RP.............................................. 102 RT.............................................. 102 Service (SRV)........................... 101, 236 Text (TXT).................................... 102 TSIG ........................................... 140 recursive clients.................................. 148 recursive DNS ..................................... 108 recursive queries............................ 97, 108 regular expressions dynamic delegation discovery............. 125 resource records adding......................................... 118 auto-generation ............................. 118 deleting....................................... 121 disabling ................................. 98, 121 editing ........................................ 121 enabling ................................. 98, 121 fields .......................................... 103 generating incrementally .................. 119 managing ..................................... 117 serial number generation ................... 98 SOA ............................................. 98 reverse DNS ................................. 123, 183 reverse lookup.................................... 
152 reverse master zone ............................. 105 reviewing configuration changes ............... 18

Q
quad-A records .............................101, 151 queries cache zone ...................................108 DNS service options .........................148 logging ......................................... 55 recursive ................................. 97, 108 query logging disable ......................................... 55 enable.......................................... 55 message category ...........................150 severity level.................................149 query logs adding a channel ............................149 configuring ...................................149 deleting a channel ..........................151 viewing........................................149

Version 5.5

Adonis Administration Guide

251

Index RFCs, Adonis compliance................... 98, 165 root delegation only .............................. 98 Router Advertisement message ................198 Router Solicitation message ....................198 routing table adding routes ................................. 49 deleting routes ............................... 49 flags ............................................ 49 gateway ........................................ 49 genmask ....................................... 49 overview ....................................... 48 RP records .........................................102 RT records .........................................102 master zone.................................. 114 zone serial numbers ........................ 235 software updates..............................36, 69 speed setting ..................................43, 44 split setting ....................................... 212 ssh ............................................. 53, 240 disable ......................................... 53 enable.......................................... 53 Start of Authority, see SOA startup services ................................... 53 stateless IPv6 autoconfiguration............... 197 statistics configuration ................................. 98 stub zone .......................................... 110 Subnet Delegation Wizard ...................... 126 subnet mask ...................................... 165 subnet mask setting .............................. 43 subnets ............................................ 159 system logs......................................... 56

S
saving configuration settings .................... 18 scope splitting ..............................197, 210 search and replace................................ 23 search objects ..................................... 22 secure option appliance.......................... 15 server states ......................................212 server version ...................................... 99 servers managing .....................................104 master.................................... 75, 105 slave ................................. 75, 79, 105 zone transfer options ................. 116117 Service (SRV) record .......................101, 236 service scope, DHCPv6 ..........................198 services, start on reboot ......................... 53 setting DNS service options .....................100 setting IP address ................................. 43 shared secret .....................................140 single name server ................................ 74 slave zone .........................................106 SNMP configuring .................................... 59 polled objects................................. 62 SOA defining .......................................113 defining for a zone ..........................113

T
TCP ........................................... 148, 210 clients......................................... 148 port............................................. 33 templates, zone .................................. 115 Text (TXT) record ................................ 102 TFTP restart ........................................ 196 service ........................................ 182 service control............................... 196 start ...................................... 54, 196 stop....................................... 54, 196 time zone, setting ................................ 45 transaction signatures overriding default........................... 144 remote DDNS................................. 143 remote master DNS ......................... 143 remote slave DNS ........................... 140 shared secret ................................ 140 usage .......................................... 140

252

Adonis Administration Guide

Version 5.5

Index transfer key, generating ........................141 trap server ......................................... 59 troubleshooting.................................... 56 TSIG resource record ............................140 TSIG, see transaction signatures Update ......................................... 65

X
XHA.................................................. 51 BIND views ................................... 210 cluster, breaking ............................ 208 cluster, creating ............................ 202 cluster, diagnosing.......................... 204 cluster, repairing............................ 205 cluster, updating ............................ 209 heartbeat..................................... 201 NTP synchronisation ......................... 46 overview...................................... 201 prerequisites ................................. 202 recommended topologies .................. 215 setup procedures.......................202204

U
Update Wizard ..................................... 65 updating software................................. 36 updating the product ............................. 69 user management ................................. 23

V
vendor profiles ...................................178 version client version ................................. 65 version 2 Secure Socket Shell ................... 53 viewing logs ................................... 56, 58 viewing the routing table ........................ 48 VoIP.................................................124 ENUM zones ..................................124 vendor profiles...............................178

Z
Zebra................................................ 50 zones adding......................................... 104 cache.......................................... 108 DDNS .......................................... 183 delegation-only......................... 97, 110 deleting....................................... 112 disabling ................................. 97, 112 e.164 .......................................... 124 enabling ................................. 97, 112 ENUM .......................................... 124 forward master .............................. 105 forwarding.................................... 109 in-addr.arpa ................................. 124 managing ..................................... 104 master ........................................ 105 Mirage......................................... 243 refresh ........................................ 111 renaming ..................................... 111 resource records ............................ 118 reverse master .............................. 105 setting options............................... 112 slave, adding................................. 106 slave, update forwarding .................. 129 start of authority............................ 114 Start of Authority (SOA).................... 113 stub............................................ 110

W
Whois lookup tool ................................136 Windows 2000 DHCP dump file.................230 Windows Active Directory, see Active Directory Windows Server...................................130 Wizard Active Directory .......................130, 233 Deployment ................................... 92 DNS Fixup .....................................132 High Availability .............................201 Import .........................................224 Live Zone Import ............................225 Management Console Install ................ 68 New Project ................................... 71 New View .....................................145 New Zone .....................................104 Subnet Delegation...........................126

Version 5.5

Adonis Administration Guide

253

Index templates.....................................115


For safe operating procedures, ensure compliance with the guidelines below.

CAUTION
Do not remove the cover from the appliance. The cover is to be removed only by qualified personnel. There are no serviceable parts provided inside.

CAUTION
Electrostatic Discharge (ESD) precautions are required before handling the appliance. Wear a wrist strap with an appropriate ground connection.

CAUTION
To prevent the unit from overheating, never install the appliance in an enclosed rack or room that is not properly ventilated or cooled. For proper air flow, keep the front and back sides of the appliance clear of obstructions and away from the exhaust of other equipment.

CAUTION
There is danger of an explosion if the battery is replaced incorrectly. Replace only with the same or equivalent type recommended by the appliance manufacturer. Contact technical support if you need to replace a battery.

CAUTION
Before servicing, power off the appliance by using the rear panel switch. If the appliance does not have an On/Off switch, then unplug the power cord.

CAUTION
Failure to properly ground the appliance, either by circumventing the 3-wire grounding-type plug or by using a power outlet that is improperly grounded, can create a potentially hazardous electrical situation.

FCC Notice
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. No TNV (Telecommunications Network Voltage)-connected PCBs shall be installed.

Warning
This is a Class A product. In a domestic environment, the product may cause radio interference in which case the user may be required to take adequate measures.
Copyright 2008. All rights reserved.

Adonis Administration Guide Version 5.5

BlueCat Networks (USA), Inc. www.bluecatnetworks.com Toll Free: 1.866.895.6931 Document #: AG_5.5 Published in Canada
