Microsoft Active Directory is the most pervasive directory service used by organizations since its introduction with Windows 2000 server. Many organizations also use Microsoft DNS as there’s a belief that Active Directory is tightly integrated with the DNS server. In reality, there is no default integration between Active Directory and Microsoft DNS server - just like every other enterprise application such as SAP or Oracle Hyperion Planning (Business Intelligence tool), Active Directory uses whatever DNS servers are configured. Using Microsoft DNS causes a lot of stress for DNS and network administrators. Why? What are the challenges with Microsoft DNS?
Plenty of room for human error
Microsoft does not provide any APIs to configure and manage DNS. A repeatable, consistent configuration that can easily be reused and replicated cannot be achieved with Microsoft DNS. Changes to DNS need to be executed manually. When changes are made, it takes effect on the local server immediately. These are propagated to all other servers hosting that DNS zone which could affect every DNS server in the domain or the entire forest. This also means that any misconfigurations or worse accidental deletions will replicate across the domain or forests. But there’s no way to undo changes with Microsoft DNS. Microsoft does not provide data validation to prevent human errors introducing serious operational risk. Furthermore, with no auditing capabilities, you would not be able to quickly detect what changes were made or the administrator that made these changes. Troubleshooting becomes very complicated resulting in longer resolution times.
Lack of automation also limits the progress of DevOps and application development teams as they have to rely on NetOps/Windows administrators to configure DNS for their needs such as test, development, and sandbox environments. Recently, Microsoft has introduced PowerShell which is a scripting tool. But even PowerShell does not lend easily to DevOps workflows.
Slowness with AD replication
Replication of DNS configurations across Windows DNS servers is erratic - it could take anywhere from minutes to hours. This could cause inconsistencies in data across the enterprise during replication, potentially leading to outages. It could take a really long time for DNS to be replicated to servers deployed across the globe.
Poor DNS Maintenance or “Scavenging”
Microsoft uses a “scavenging” mechanism to purge out of date DNS records. This is based on the last update time of the DNS record. But the scavenging process is notoriously inefficient and unreliable in determining the validity of the record. It’s a case of damned if you do and damned if you don’t - using this function could remove valid DNS records causing outages, but not using it leads to an unwieldy DNS system with lots of duplicate and stale DNS records.
Growth through acquisition results in dozens or even hundreds of AD domains, each with a number of Domain Controllers also running DNS. Maintaining numerous Microsoft DNS servers introduces significant operational complexity and overhead - you end up with a DNS architecture based on complex conditional forwarding and DNS delegation scenarios. Decoupling DNS from AD reduces the number of DNS servers needed and simplifies DNS administration.
Weak Traffic Routing
Intelligent traffic steering plays a vital role in enhancing performance and maintaining high levels of availability of applications. It is also needed to support modern use cases such as Blue/Green deployment and Canary testing. Microsoft provides only rudimentary capabilities to manage traffic.
No Integration with DevOps toolkits
The adoption of DevOps has been on the rise over the last few years. DevOps employs Continuous Integration/Continuous Delivery (CI/CD) processes to accelerate the delivery of new features and capabilities. DevOps also uses a variety of load balancing solutions as well as monitoring and collaboration tools. Microsoft DNS does not integrate with any DevOps toolkits.
Vulnerable to attack
To synchronize DNS changes across all Microsoft DNS servers, hole-punching through the firewall is required which usually violates corporate security policies. Microsoft does not monitor DNS traffic flows making it difficult to root cause and isolate infected devices. These deficiencies render Microsoft unfit for fulfilling enterprise security requirements.
Modernize DNS/DHCP/IP Address Management with NS1
NS1 has disrupted the familiar and universal foundations of all network and internet services: DNS, DHCP, and IP Address Management. NS1’s solution, Enterprise DDI, is a flexible and powerful platform that enables enterprises to overcome all the challenges that enterprises face when operating Microsoft DNS.
Minimizing human error with automation
NS1’s robust and comprehensive APIs enable network operations teams to automate and streamline network service workflows. Automation helps you gain efficiency and speed. You can standardize your DNS configurations and reduce manual errors by putting an end to ‘worked in my environment’ or ‘it worked on my machine’. Any issues due to misconfigurations can be easily reproduced. You can version control the configuration which serves as a form of documentation - it’s easy to find out what changes were made as well as the user that made the changes. If there are any misconfigurations, you can easily roll back to a known ‘golden’ state. APIs support automating the following routine tasks
- Creation of networks by configuring IP ranges and managing IP allocations.
- Creation and management of DNS zones and records, including large zone imports
- Automatically assign IPs to new devices by managing DHCP scopes, scope groups, leases, and IP reservations for new devices (e.g. printers, VoIP phones, etc.)
NS1 integrates with Infrastructure-as-code tool Terraform and Ansible. Not only can you automate the configuration and management of DNS/DHCP/IP Address Management but the integration with ServiceNow also allows you to automate the change management and approval process as well.
Robust Auditing capabilities
Unlike Microsoft DNS, NS1 Enterprise DDI supports activity logging for auditing and compliance purposes. The ability to access activity logs helps you to root cause any DNS issues quickly by quickly detecting changes that were made.
Fast DNS propagation
NS1 is a next-generation DNS platform that provides near-instant propagation—any DNS changes are propagated worldwide in just a few seconds. It does this using a global network of super-fast DNS servers that can respond to DNS requests very quickly. NS1 allows you to set a low TTL, and permits DNS clients to “hit” its DNS servers as often as needed.
Stress-free DNS maintenance
When an IP address needs to be assigned to a device or an application, instead of the DHCP server updating DNS records, NS1 employs Filter Chain™ technology to generate responses based on lease information from the DHCP server. NS1 constructs DNS responses on the fly when the DHCP lease is allocated. No DNS records are created so there’s no need to scavenge! Unlike Microsoft, outdated records are removed automatically when the DHCP lease expires. No need to worry about accidental removal of valid DNS records.
Achieve effortless compliance with corporate security policies with the following capabilities:
- NS1’s Enterprise DDI bolsters zero-trust policy. Rather than the core control plane initiating outbound connections every DNS and DHCP server at the edges, these servers establish a connection with the control plane and ‘pull’ any updates. This eliminates the need to punch holes through the firewall to allow for bidirectional communication between the core and edge.
- You gain visibility and control over internal and external DNS traffic flows and reduce MTTR and MTTD for security incidents with Cisco Umbrella Integration.
- Prevent unauthorized access with robust controls including two-factor authentication, inheriting RBAC (Roles Based Access Control) set via AD, and allowing for granular, record-level permissions in a given zone.
Advanced traffic steering
Using NS1’s patented point & click Filter Chain™ capability, network operations as well as DevOps teams can intelligently route traffic based on a variety of factors including location, weights, resource availability, stickiness, and load. NS1 ingests health metrics from load balancers and monitoring solutions so that traffic shaping is informed by data. There’s no need to deploy and maintain proprietary appliances for GSLB - instead, NS1’s Enterprise DDI provides this functionality. NS1’s Filter Chain™ can be applied to achieve the following outcomes:
- High Availability: Traffic can be routed away from non-functioning servers to ones that are running and operational to ensure application and network availability.
- Improved Performance: Geolocation technique that steers traffic to servers closest to the requesting client can be used to drive the performance of internal multi-region apps that are accessed by thousands of employees.
- Cloud bursting: Peak demand can be met by forwarding 90% of the traffic to the private cloud and 10% to the public cloud.
- Canary Release: New release of a key internal application such as ERP software or critical custom database can be introduced in a phased manner by exposing only 10% of employees to the new version while the remaining 90% continue to use the older version. A new version can be released to a larger user base in a gradual manner as development teams gain more confidence.
All these powerful traffic shaping mechanisms can be configured with just a few clicks.
Seamless support for DevOps
Self-service DNS & DHCP for DevOps
NS1 empowers NetOps teams to safely provide self-service capabilities to developers and DevOps teams. Your DevOps teams don’t have to submit tickets and wait for DNS to be deployed for their needs - in test, dev, or sandbox environments. NetOps teams also don’t have to keep servicing frequent requests by DevOps teams. Self-service with robust role-based access controls significantly improves productivity and speeds up app deployments - and ultimately innovation.
Elastic DNS environments
NS1’s containerized software solution enables you to easily spin up DNS to meet your needs. Whether DNS is needed for test, dev, or sandbox environments or to account for increased demand in traffic, you can scale DNS in seconds. And these environments can be shut down as quickly once you have achieved your outcomes. With NS1, there is no need to deploy a DNS server for each environment resulting in considerable flexibility as well as savings in cost and effort.
Integration with CI/CD toolkits
NS1 integrates with a variety of Continuous Integration/Continuous Deployment (CI/CD) toolkits such as Ansible and Jenkins. DNS records are created on the fly accelerating deployment velocity of applications. One of NS1’s large, global gaming customers reduced their code deployment time by over 95% by integrating NS1 into their CI/CD pipeline. Deployment time for their apps went down from days to minutes.
Unify internal and external DNS with NS1
NS1 provides application and traffic control that is critical for business operations, automation, and best user experiences to the most highly trafficked internet and enterprise applications. Customers of NS1’s Managed DNS solution include LinkedIn, Dropbox, Pitney Bowes, and Salesforce. Internal DNS leverages the same technology stack as that of the Managed DNS solution - API-first architecture that is distributed, scalable, automated, and resilient. User Interface and APIs are the same for both internal and external DNS which significantly reduces the learning curve and simplifies DNS management.
How do I migrate?
Easy! With support for SRV & Underscore Records, plus GSS-TSIG, NS1 Enterprise DDI is interoperable with Active Directory. You can start with DHCP, then forward DNS from AD zones to NS1, and then switch over your IPAM. Stale records need to be purged before migration. We have a detailed migration guide to help you with the transition. Please let us know how we can help and we will promptly reach out to you.