To enable communications between the DNS Provider and the DNS Provider client components, you must configure the DNS Web client on the DNS server to use Secure Sockets Layer (SSL) and basic authentication. You must also configure the default domain with a value of "\".
After you have enabled communications between the DNS Provider and the DNS Provider client, if you do not want to use the default settings, you can configure the protocol and error tracing settings.
Tasks
- Import the Certificate into Internet Information Services (IIS)
- Configure the DNS Web Client
- (Optional) Configure Settings for DNS Provider Components
Import the Certificate into IIS
First, import the DNS Web client certificate into Internet Information Services (IIS).
Procedure W03-DWSPV.54: To import the certificate into Internet Information Services for DNS01
- Start Internet Information Services (IIS) Manager from Administrative Tools.
- Expand the local server name, expand Web Sites, and then right-click Default Web Site.
- Click Properties, and then select Directory Security. Select Server Certificates to open the Web Server Certificate Wizard.
- Follow the wizard to select Assign an existing certificate and select from the available certificates.
- Accept the default port 443 as the SSL port.
- Complete the wizard.
Configure the DNS Web Client
Next, configure the DNS Web client.
Procedure W03-DWSPV.55: To configure the DNS Web client
- In the Internet Information Services (IIS) Manager, right-click DNSProvider, select Properties, and then select Directory Security.
- Edit basic authentication by setting the default domain value to '\' (backslash).
- Select Require Secure channel (SSL) for secure communications.
- Save the configuration changes and close Internet Information Services (IIS) Manager.
The following additional security configuration is recommended for all DNS servers that host the DNS Web client:
- IIS Listening Configuration - IIS should listen only on the internal network. By default, IIS listens on all available connections. By restricting the addresses on which the Web site hosting the DNS Web client listens, you reduce the attack surface exposed to other networks.
- IIS Connection Configuration - IIS should accept connections only from the range of IP addresses that belong to the Provisioning Engine. This guarantees that only requests from the assigned IP addresses are handled by IIS, and it reduces the number of computers that can make a request to the target IIS site or virtual directory at all.
(Optional) Configure Settings for DNS Provider Components
This section describes how you can configure the protocol and error tracing settings for the DNS Provider and the DNS Provider client. By default, the DNS Provider is configured to use HTTPS and Port 443. You do not need to make changes if you are using the default settings.
First, you should check the configuration of the Web.config file on the DNS01 server in the DNSProvider virtual directory, to ensure that it contains the following entries:
```xml
<identity impersonate="true"/>
<authentication mode="Windows"/>
<wellknown mode="SingleCall" type="Microsoft.Provisioning.Providers.DnsManagement, DnsManagement" objectUri="Dns.rem"/>
```
You can make changes to the protocol and error tracing settings in the following ways:
- Protocol Settings
You can change protocol settings for the DNS Provider components within the Dnsprovider.dll.config file. This file exists on the Microsoft Provisioning System (MPS) server in the installation folder of the Dnsprovider.dll and contains provider configuration key values that you can modify as follows:
- RemotingProtocol - This key determines the protocol used. The default value is https, as shown. However, you should change the value to http if you are not using Secure Sockets Layer (SSL):
```xml
<add key="remotingProtocol" value="https"/>
```
- RemotingPort - This key determines the port the DNS Provider uses to connect to the DNS Provider client. The default value is port 443. However, you might need to change it to port 80 if you are not using SSL:
```xml
<add key="remotingPort" value="443"/>
```
- RemotingURI - This key defines a value that points to the remote endpoint. The value should be DnsProvider/Dns.rem, unless you change the default in code:
```xml
<add key="remotingUri" value="DnsProvider/Dns.rem"/>
```
- Error Tracing Settings
- EnableTrace - This key enables you to turn error tracing on and off. The default value is false, which disables error tracing. If you want to turn on error tracing, you must explicitly enable it by specifying the value true, as follows:
```xml
<add key="enabletrace" value="true"/>
```
- TraceFile - This key determines the file location where errors are logged. You can specify the directory path and log file name, as indicated:
```xml
<add key="tracefile" value="C:\DnsProvider1.log"/>
```
Also, the account under which the provider is currently running must have permission to write to the indicated directory; by default this is the MPFServiceAcct. If your account does not have permissions to write to the log file directory, add MPFServiceAcct to the DNSAdmins group.
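As an added example (not part of the original documentation), the following Python script parses constructed samples of Dnsprovider.dll.config and of the DNSProvider Web.config entries listed above, composes the remoting endpoint that the keys describe, and flags the settings worth catching before deployment: plain http (the DNS Web client's basic authentication credentials would then cross the wire in clear text), a protocol/port pairing the documentation does not describe, and a remotingUri that does not match the wellknown objectUri. The element nesting in the Web.config sample is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Dnsprovider.dll.config using the keys documented above.
DNSPROVIDER_CONFIG = """<configuration><appSettings>
<add key="remotingProtocol" value="https"/><add key="remotingPort" value="443"/>
<add key="remotingUri" value="DnsProvider/Dns.rem"/>
<add key="enabletrace" value="true"/><add key="tracefile" value="C:\\DnsProvider1.log"/>
</appSettings></configuration>"""

# Constructed sample of the DNSProvider virtual directory's Web.config; the
# element nesting around the three documented entries is an assumption.
WEB_CONFIG = """<configuration><system.web>
<identity impersonate="true"/><authentication mode="Windows"/></system.web>
<system.runtime.remoting><application><service><wellknown mode="SingleCall"
 type="Microsoft.Provisioning.Providers.DnsManagement, DnsManagement" objectUri="Dns.rem"/>
</service></application></system.runtime.remoting></configuration>"""

def provider_settings(xml_text):
    # Map the <add key=... value=...> entries to a dict with lowercase keys.
    root = ET.fromstring(xml_text)
    return {a.get("key", "").lower(): a.get("value", "") for a in root.iter("add")}

def endpoint_url(settings, host):
    """Compose the remoting endpoint the DNS Provider will call on the DNS server."""
    proto = settings.get("remotingprotocol", "https")
    port = settings.get("remotingport", "443")
    uri = settings.get("remotinguri", "DnsProvider/Dns.rem")
    return f"{proto}://{host}:{port}/{uri}"

def check_config(provider_xml, web_xml):
    """Return a list of findings; an empty list means the documented configuration."""
    findings = []
    s = provider_settings(provider_xml)
    proto = s.get("remotingprotocol", "https").lower()
    port = s.get("remotingport", "443")
    if proto == "http":  # basic authentication credentials would cross the wire in clear text
        findings.append("remotingProtocol is http: enable SSL on the DNS Web client and use https")
    if (proto, port) not in (("https", "443"), ("http", "80")):
        findings.append(f"remotingProtocol {proto!r} with remotingPort {port} is not a documented pairing")
    web = ET.fromstring(web_xml)
    ident = web.find(".//identity")
    if ident is None or ident.get("impersonate") != "true":
        findings.append('Web.config: <identity impersonate="true"/> missing')
    auth = web.find(".//authentication")
    if auth is None or auth.get("mode") != "Windows":
        findings.append('Web.config: <authentication mode="Windows"/> missing')
    wk = web.find(".//wellknown")
    if wk is None or not s.get("remotinguri", "").endswith("/" + wk.get("objectUri", "")):
        findings.append("remotingUri does not point at the Web.config <wellknown> objectUri")
    return findings
```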
Procedure W03-DWSPV.56: To add the MPFServiceAcct to the DNSAdmins group
- Log on to AD01 as a member of Domain Administrators.
- Open Active Directory Users and Computers and expand fabrikam.com.
- Add MPFServiceAcct to the DNSAdmins group.
Note: Event logging will not occur if the user credentials used by a DNS Provider request do not have write permissions to the log file directory. When a request is executed without impersonation, the request is executed using the MPFServiceAcct credentials. Therefore, you must grant MPFServiceAcct write permissions to the log file directory. If impersonation is used instead, ensure that the impersonated user has write permissions to the log file directory.