Where do I start with replacing the whole MS AD stack
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
I tend to agree that MS will see it this way - and that Jared's workaround won't solve the CAL requirement.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
I think we all get that - but that non windows DNS server is a proxy for the users behind it.
What @Donahue and @scottalanmiller are saying is that they don't believe the proxy actually protects them licensing wise - and that was my question way up top, though not worded as well.
Correct. And Microsoft has stated this outright, it's not our interpretation, it is Microsoft's explanation of the license.
Otherwise, you could claim any application talks to SQL Server and you don't need CALs because you don't talk to the database. or any number of abstractions.
None of our users talk to DNS directly, it's always some other piece of software. If we could avoid CALs through that abstraction, we'd create them everywhere. In fact, you could say any VPN would do it. The number of exceptions would become crazy.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
I tend to agree that MS will see it this way - and that Jared's workaround won't solve the CAL requirement.
Most importantly, Microsoft and the courts have always seen it that way.
It is that you need licenses for every user that gets a benefit from the service, not every one that talks to it directly.
-
Now you're looking at replacing DNS completely in the network to get away from this requirement. Setup a DDNS server on Fedora, make all your servers use it - no longer have AD integrated zones, bob's your uncle.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
agreed
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
Well yeah, that's why keeping Microsoft off of the network completely is so important. It's a taint. once you let it in the door, it is essentially impossible to not have to license every single user (or device.)
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
Why? When he could just manage the one, and not deal with the licensing at all? Or to only provide MS licensing for things that "must run on windows" but not any services like DHCP or DNS.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
Can, but it is very difficult to do and a huge pain.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
Can, but it is very difficult to do and a huge pain.
It's not that difficult to setup two networks - but I'll agree it's a pain managing it, mainly because you have to manage it, not because it would be that difficult.
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
Can, but it is very difficult to do and a huge pain.
It's not that difficult to setup two networks - but I'll agree it's a pain managing it.
Of course it's a huge pane to setup dual networks. . .
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
Can, but it is very difficult to do and a huge pain.
It's not that difficult to setup two networks - but I'll agree it's a pain managing it, mainly because you have to manage it, not because it would be that difficult.
It is most of the effort of running two companies and maintaining two skill sets. It is nearly a doubling of the effort of just running one.
-
Ok, DHCP is switched over. It's currently just pointing the DNS to the existing DNS servers.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
Ok, DHCP is switched over. It's currently just pointing the DNS to the existing DNS servers.
Right. Now you can work on setting up your DHCP reservation, and migrating all the static IP junk to reservations.
Once that is done, you can work towards changing DNS.
-
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@scottalanmiller said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
its the device or user making the request to the DNS service.
The only device making a request to the Windows DNS service is the other DNS server.
Correct, but that's not the basis for the licensing requirement. Anything that uses that DNS downstream is getting it from an "agregator" to the Windows service and therefore needs the CAL.
If that is the actual term of theri license, then, yet another reason to move on to this with the target of getting to no AD agian.
I don't think you need to be that dramatic.
You can manage two networks - one for Windows stuff - that's all licensed up, and another for everything else (or possibly two others - one corporate and one guest). the other networks of course would use non windows services to service devices/users.
Can, but it is very difficult to do and a huge pain.
It's not that difficult to setup two networks - but I'll agree it's a pain managing it, mainly because you have to manage it, not because it would be that difficult.
It is most of the effort of running two companies and maintaining two skill sets. It is nearly a doubling of the effort of just running one.
I do this right now for my guest network... and so does just about anyone else out there who have completely separate networks for guests.
Is it crazy to do this for the corporate side - yeah I think so, but I also think percentage wise it's pretty low the amount of companies that have many times the number of employees compared to endpoint devices to the point where you wouldn't just CAL every user to even make this an issue.
-
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
Ok, DHCP is switched over. It's currently just pointing the DNS to the existing DNS servers.
Right. Now you can work on setting up your DHCP reservation, and migrating all the static IP junk to reservations.
Once that is done, you can work towards changing DNS.
yeah, that will take awhile.
-
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
Ok, DHCP is switched over. It's currently just pointing the DNS to the existing DNS servers.
Right. Now you can work on setting up your DHCP reservation, and migrating all the static IP junk to reservations.
Once that is done, you can work towards changing DNS.
yeah, that will take awhile.
really? Your DHCP server doesn't have an option to just add an existing lease to the reservation table?
-
@Dashrender said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
@JaredBusch said in Where do I start with replacing the whole MS AD stack:
@Donahue said in Where do I start with replacing the whole MS AD stack:
Ok, DHCP is switched over. It's currently just pointing the DNS to the existing DNS servers.
Right. Now you can work on setting up your DHCP reservation, and migrating all the static IP junk to reservations.
Once that is done, you can work towards changing DNS.
yeah, that will take awhile.
really? Your DHCP server doesn't have an option to just add an existing lease to the reservation table?
It's easy to create reservations. It's another thing entirely to migrate over devices from static to DHCP, while also changing their ip.