Enabling WinRM
Run the following command:
Modifying Idle Timeout and Connection Parameters
Run the following command:
Enabling Authentication
1. Basic Authentication:
Description: Sends the username and password in plain text (Base64 encoded). Requires a secure channel (e.g., HTTPS) to protect the credentials during transmission.
Setup:
2. CredSSP (Credential Security Support Provider):
Description: Enables delegation of user credentials from the client to the target server, allowing the server to access network resources on behalf of the user.
Setup:
3. Negotiate:
Description: Uses either Kerberos or NTLM for authentication, automatically selecting the most secure protocol supported by both the client and server.
Setup:
Setting up the Windows Remote Machine:
1. Enable unencrypted communication:
2. Configure Trusted Hosts:
3. Restarting the WinRM Service:
Inspecting WinRM listener configuration for remote management readiness
By reviewing the listener details, administrators can ensure that the correct addresses and ports are being used and check for any misconfigurations that may block remote access or cause connectivity issues.
Execute the command as shown below to ensure that the WinRM service is properly configured and enabled, which is necessary for remote management, especially while using PowerShell remoting.
Modifying Idle Timeout and Connection Parameters
Run the following command:
Enabling Authentication
1. Basic Authentication:
Description: Sends the username and password in plain text (Base64 encoded). Requires a secure channel (e.g., HTTPS) to protect the credentials during transmission.
Setup:
2. CredSSP (Credential Security Support Provider):
Description: Enables delegation of user credentials from the client to the target server, allowing the server to access network resources on behalf of the user.
Setup:
3. Negotiate:
Description: Uses either Kerberos or NTLM for authentication, automatically selecting the most secure protocol supported by both the client and server.
Setup:
Setting up the Windows Remote Machine:
1. Enable encrypted communication:
2. Configure Trusted Hosts:
3. Restarting the WinRM Service:
Verifying the valid server certificate
Ensure that the Windows DNS/DHCP server has a valid server certificate installed. If you already have a valid certificate, follow the steps below.
If not, generate a valid certificate and install it. To verify that a valid certificate is installed, refer to the screenshot below:
Execute the command shown in the screenshot below.
Execute the following commands to enable HTTPS:
Enabling WinRM
Run the following command:
Inspecting WinRM listener configuration for remote management readiness
By reviewing the listener details, administrators can ensure that the correct addresses and ports are being used and check for any misconfigurations that may block remote access or cause connectivity issues.
Execute the command as shown below to ensure that the WinRM service is properly configured and enabled, which is necessary for remote management, especially while using PowerShell remoting.
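The listener inspection and certificate verification steps above can be combined into one check. The following script is an added example, not part of the DDI Central documentation; it assumes it runs in an elevated PowerShell prompt on the Windows DNS/DHCP server and that DDI Central uses the page's default ports (5985 for HTTP, 5986 for HTTPS). It lists the listeners, confirms the HTTPS listener is backed by a current certificate that names this host, and flags the settings that would leave traffic or credentials unprotected.

```powershell
# Added example (not from the DDI Central documentation): audit the WinRM settings
# configured in the steps above. Run elevated on the Windows DNS/DHCP server.
# Assumption: DDI Central connects on the page's defaults, 5985 (HTTP) / 5986 (HTTPS).
function Test-WinRmForDdiCentral {
    $findings = @()
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Listeners: transport, port and, for HTTPS, the certificate backing it.
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
    $listeners | ForEach-Object { Write-Host ("{0,-5} port {1,-5} address {2}" -f $_.Transport, $_.Port, $_.Address) }
    $https = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' })
    if ($https.Count -eq 0) {
        $findings += 'No HTTPS listener: only the unencrypted 5985 path is available to DDI Central'
    }
    foreach ($l in $https) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $l.CertificateThumbprint }
        if (-not $cert) {
            $findings += "HTTPS listener thumbprint $($l.CertificateThumbprint) is not in Cert:\LocalMachine\My"
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            $findings += "HTTPS listener certificate expired on $($cert.NotAfter)"
        } elseif ($cert.DnsNameList.Unicode -notcontains $fqdn) {
            $findings += "HTTPS listener certificate does not name $fqdn (names: $($cert.DnsNameList.Unicode -join ', '))"
        }
    }

    # Service and client settings read from the WSMan: drive (values are strings).
    $v = @{}
    foreach ($p in 'Service\AllowUnencrypted', 'Service\Auth\Basic',
                   'Service\Auth\CredSSP', 'Client\TrustedHosts') {
        $v[$p] = (Get-Item "WSMan:\localhost\$p").Value
    }
    if ($v['Service\AllowUnencrypted'] -eq 'true') {
        $findings += 'AllowUnencrypted=true: WS-Man traffic on the HTTP listener is accepted in plain text'
    }
    if ($v['Service\Auth\Basic'] -eq 'true' -and $https.Count -eq 0) {
        $findings += 'Basic auth enabled without HTTPS: Base64 credentials would cross the network unprotected'
    }
    if ($v['Service\Auth\CredSSP'] -eq 'true') {
        $findings += 'CredSSP enabled: the server receives delegable credentials; keep only if DDI Central needs it'
    }
    if ($v['Client\TrustedHosts'] -eq '*') {
        $findings += 'TrustedHosts=*: list the DDI Central host explicitly instead of trusting every host'
    }
    return $findings
}

$result = Test-WinRmForDdiCentral
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Host 'WinRM configuration: no findings' }
```

Each finding maps to one of the setup steps above; resolve them before entering the server's HTTPS port and authentication method in the DDI Central console.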
Upon successful signup, the first glimpse within the DDI console reveals an empty dashboard. To get started, create clusters and add your DNS and DHCP servers to your clusters for effective management of your network infrastructure.
To create new clusters
The Add Cluster window appears prompting you to enter the name and type of the cluster: DNS, DHCP or Both. Selecting either DNS or DHCP will create a cluster dedicated only for DNS servers or DHCP servers, respectively. Selecting both enables you to add both DNS and DHCP servers into the cluster.
Now select the OS (Operating System). This dropdown allows you to select the operating system of the servers that will be part of the cluster.
Options include:
Enter the server details such as the following:
SERVER NAME: Assign a unique name to the server for identification purposes. This helps administrators easily identify and manage the server within the management console.
Both: The server will provide both DNS and DHCP services.
DNS: The server will provide only DNS services.
DHCP only: The server will provide only DHCP services.
USERNAME: Username is used to authenticate with the server. This way DDI Central ensures that only authorized users can manage and configure the server.
Special instructions for entering usernames when adding Microsoft DNS and DHCP servers in DDI Central (installed via the .exe installer)
For successful authentication using CredSSP, Negotiate, or NTLM, follow these cases:
Case 1:
If the Domain Controller is running on the Windows DNS/DHCP machine, enter the username in the format:
username@domainname
Case 2:
If the Domain Controller is not running on the Windows DNS/DHCP machine, enter the username as:
hostname\username
hostname: The Windows machine’s hostname
username: The Windows machine’s username
PASSWORD: Enter the password in conjunction with the username to authenticate with the server. Provides secure access to the server for management and configuration.
WINDOWS HTTP PORT: Specify the port number to be used by the DDI Central Console for non-secure HTTP connections directly to the Microsoft server. The default port is typically 5985.
WINDOWS HTTPS PORT: Specify the port number to be used by the DDI Central Console for secure HTTPS connections directly to the Microsoft server. The default port is typically 5986.
Specify whether SSL (Secure Sockets Layer) is to be used for secure communication. Enabling it encrypts the data transmitted between the server and clients. Options include:
Choosing Yes: SSL is enabled, ensuring encrypted communication.
Choosing No: SSL is disabled, meaning communication is not encrypted.
Select the authentication method to be used to verify the identity of users. This defines the security level and method of the authentication process, ensuring secure access to the server. Options include:
Basic: Basic authentication, where the username and password are encoded with Base64. This method is simple but less secure.
CredSSP (Credential Security Support Provider): Provides a secure delegation of user credentials from the client to the target server, allowing the server to access network resources on behalf of the user.
Negotiate: Uses either Kerberos or NTLM protocol for authentication. The protocol used depends on the client's environment and configuration.
NTLM (NT LAN Manager): A suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users.
ENCRYPTION: Ensures that data transmitted to and from the server is encrypted, providing security against data interception. Options include:
Encryption is never used, meaning all data is transmitted in plain text. This option is the least secure and should only be used in trusted, secure environments.
Encryption is used based on the capabilities of the client and server. If both support encryption, it will be enabled. This option provides a balance between security and compatibility.
Always: Encryption is always used, ensuring that all data transmitted to and from the server is encrypted. This option provides the highest level of security
DISCOVER EXISTING CONFIGURATIONS? : Specify whether to discover existing DNS and DHCP configurations on the server. This helps in discovering and importing all the existing DNS-DHCP-IP configurations into the DDI Central management console for easier management. Options include:
No: Do not discover existing configurations. Specify No if you just want to add and set up a new server from scratch. You can set up the required DNS, DHCP or combined configurations on the server later through the user-friendly DDI Central user interface.
DNS only: Discovers only DNS configurations.
DHCP only: Discovers only DHCP configurations.
Both: Discovers both DNS and DHCP configurations.
DDI Central sweeps in the following DNS configurations from your remotely managed Windows DNS server into its unified UI:
DDI Central sweeps in the following DHCP configurations from your remotely managed Windows DHCP server into its unified UI:
With the discovered configurations consolidated and catalogued in DDI Central, you can begin making updates targeting specific DNS or DHCP objects, or set up configurations and policies for individual servers or groups of servers in a particular cluster. You can also add new configurations directly through the DDI Central interface and the same will be updated onto your DHCP and DNS to modify the existing configurations as needed.
Note:
AD zones can be discovered from your existing Microsoft DNS servers, and their records can be seamlessly managed within DDI Central. However, you cannot create an AD zone or perform advanced configurations for AD Zones using DDI Central, as it does not have full-fledged integration with Active Directory and its services.
When discovering dynamic AD zones updated via Group Policy, DDI Central retains and preserves their active, ongoing live timestamps without disrupting the automatic scavenging procedures of Windows AD. Any update operations carried out using DDI Central do not interfere with Windows AD's ability to continue scavenging records based on the stipulated aging policies. This ensures accurate record lifecycle management and enhances synchronization between DDI Central and Windows DNS servers for dynamic updates.
Any record added or updated in the discovered AD domains through DDI Central will be subject to Windows scavenging procedures as per Group Policy. However, for any new subdomain created using the DDI Central UI, all records added or updated under it will remain static, and Windows Group Policy or scavenging procedures will not apply to them.
Specify No if you just want to add and set up a new server from scratch. You can set up the required DNS and DHCP configurations on the server later through the user-friendly DDI Central user interface.
This way you can add new servers to DDI Central's Management UI console and enable DDI Central to implement, configure, and manage DNS, DHCP and IPAM services of your network infrastructure from scratch.
If you have chosen the discovery option as outlined in Step 14, ManageEngine DDI Central will begin to discover configurations from the designated Microsoft server for each service.
Note: The discovery process takes a considerable amount of time depending on the volume of configurations in the servers. Wait until the whole process completes.
Once you add your server into the DDI Central console you can further proceed modifying the discovered DNS-DHCP-IPAM configurations or quickly start setting up the DNS-DHCP-IPAM configurations for the new server through the user-friendly DDI Central user interface.
You can access the added servers, with all their configurations in place, under the Settings → Servers page. Here you can perform general actions such as editing the server configuration, deleting the server, and monitoring the server health statistics.
Other than the general actions, you can also perform the following actions:
A dialog box appears prompting you to specify the scope of the cache flush. If you want to flush the cache of all the zones on the server, click Flush All; if you just want to flush the cache of a specific zone on the server, click Flush Specific.
Subsequently, specify the zone name and click Flush Cache.
The Server Reconfiguration action in DDI Central simplifies the recovery process for failed or ejected Windows DNS and DHCP servers. If a server goes down, administrators can seamlessly replace it with a new server using the same IP address. By selecting Server Reconfiguration from the Actions menu under Settings → Server, all DNS and DHCP configurations from the original server are automatically transferred to the new server, ensuring minimal downtime. This eliminates the need for manual data restoration and accelerates service recovery, allowing for quick and effortless server replacement while maintaining network stability.
The Rediscover option ensures that Windows-based DNS and DHCP configurations remain synchronized, even when changes are made outside DDI Central using Windows UI, PowerShell, or remote tools. By selecting Rediscover from the Actions menu under Settings → Server, administrators can automatically detect and apply the DNS or DHCP configuration changes, keeping the system updated without manual intervention. Additionally for DNS, just clicking on a zone name will trigger zone rediscovery, fetching the latest settings from the primary/master server. This feature provides real-time synchronization, centralized visibility, and consistent network management.
DDI Central now enables users to update their server status, including the status of the service, by clicking the Check status button after selecting the specific server you want to update. This reloads the current status of both the server and the service hosted on it. You can single- or multi-select servers when updating the server status.