Where do I start with replacing the whole MS AD stack
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
You know that he does NOW - I was answering Dustin's post about why he didn't have internal back then... at a time when he didn't have AD.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
You know that he does NOW - I was answering Dustin's post about why he didn't have internal back then... at a time when he didn't have AD.
He has had AD for some time now though. I came into this topic knowing that 1) based on the topic! 2) from previous conversations.
The no internal DNS portion is still "weird" when he had the other pieces.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 and @JaredBusch agreed on both points.
I'm sorry, there's nothing quoted - so I'm not sure what points you're talking about?
-
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 said in Where do I start with replacing the whole MS AD stack:
Why would you have no internal dns?
If you don't have AD and don't have internal servers - why do you need internal DNS?
He has AD. THis is not news. There have been many posts about his network over the last month+
You know that he does NOW - I was answering Dustin's post about why he didn't have internal back then... at a time when he didn't have AD.
He has had AD for some time now though. I came into this topic knowing that 1) based on the topic! 2) from previous conversations.
The no internal DNS portion is still "weird" when he had the other pieces.
that's because he mentioned it about the past - and perhaps you read or though he might have been talking about the present.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@DustinB3403 and @JaredBusch agreed on both points.
I'm sorry, there's nothing quoted - so I'm not sure what points you're talking about?
the two posts immediately above that one.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
I agree, if Windows exists and is used as a source, it's clear that you need a CAL for every user or device on the network.
Having a proxy after it has no effect on that. This is clear cut in all of their documentation. Actually talking to the server is never a factor.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
the DNS server does not require a CAL, its the device or user making the request to the DNS service.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
You don't need device CALs if you are covered by user CALs. That's only needed if you don't cover your users.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
You need to have your DNS use your AD server as it's forwarder, but everything else can look at your DNS.
How will this affect licensing? Do you only need one CAL for that DNS server, since it's the only thing actually talking to the server? Interesting work-around to MS licensing.
I believe that MS believes that ANY device that gets info that is passed along using DNS requires a CAL. It doesn't matter who hosts the DHCP, if it is still point to MS DNS.
Right - JB's got a kinda work around though.
PC asks router for DNS
Router asks Windows for DNSIn this setup that JB suggests only this one box - the router ever talks to windows DNS, so.... you only need one CAL for that router.
I dont believe this is compliant still. I believe that MS would argue that any device that make a DNS request through that DNS server requires a CAL. It's a grey area at best.
It is a single device CAL for the DNS server. Many users (not devices) are requesting DNS from the DNS server (a device).
the DNS server does not require a CAL, its the device or user making the request to the DNS service.
It does if you don't have full user CAL coverage.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
let me rephrase this to make sure I understand what you are saying. Setup the router to act as the DNS server, with a forwarder to the windows DNS, as opposed to simply putting the windows DNS ip into the settings handed out by DHCP?
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
I think we all get that - but that non windows DNS server is a proxy for the users behind it.
What @Donahue and @scottalanmiller are saying is that they don't believe the proxy actually protects them licensing wise - and that was my question way up top, though not worded as well.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
let me rephrase this to make sure I understand what you are saying. Setup the router to act as the DNS server, with a forwarder to the windows DNS, as opposed to simply putting the windows DNS ip into the settings handed out by DHCP?
Correct.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
I tend to agree that MS will see it this way - and that Jared's workaround won't solve the CAL requirement.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
I think we all get that - but that non windows DNS server is a proxy for the users behind it.
What @Donahue and @scottalanmiller are saying is that they don't believe the proxy actually protects them licensing wise - and that was my question way up top, though not worded as well.
Correct. And Microsoft has stated this outright, it's not our interpretation, it is Microsoft's explanation of the license.
Otherwise, you could claim any application talks to SQL Server and you don't need CALs because you don't talk to the database. or any number of abstractions.
None of our users talk to DNS directly, it's always some other piece of software. If we could avoid CALs through that abstraction, we'd create them everywhere. In fact, you could say any VPN would do it. The number of exceptions would become crazy.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
I tend to agree that MS will see it this way - and that Jared's workaround won't solve the CAL requirement.
Most importantly, Microsoft and the courts have always seen it that way.
It is that you need licenses for every user that gets a benefit from the service, not every one that talks to it directly.
