Anyone figured out how to ZeroTier with AD?
-
I'm curious to see how you solve the DNS issues in this setup. Pertino, with their AD client, wrote code to handle the DNS issues...
-
Haven't even made it to the DNS side of it ;(
-
Are the remote clients all at the same site?
-
@wirestyle22 Yes, we are in different cities. They are a new office; my office is where the AD is set up. Potentially, if I can get this to work, I would be moving another ROBO to this method for authentication.
-
What is ROBO? Remote office?
-
Remote Office / Branch Office (ROBO)
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@wirestyle22 Yes, we are in different cities. They are a new office; my office is where the AD is set up. Potentially, if I can get this to work, I would be moving another ROBO to this method for authentication.
Why not set up static VPNs between the sites on the edge devices?
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@wirestyle22 Yes, we are in different cities. They are a new office; my office is where the AD is set up. Potentially, if I can get this to work, I would be moving another ROBO to this method for authentication.
Wouldn't it be better to put a domain controller at their site and sync between them?
-
Your AD server needs ZT, and the ZT adapter needs to be marked as listened on in the DNS server setup. The problem with this is that non-ZT devices might get the ZT address of the server when they do a DNS lookup, and that will break things.
This is complicated.
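The two halves of that post (make the DNS service listen on the ZT adapter, then keep the ZT address out of the answers LAN-only clients get) can be scripted on the domain controller. This is an added example, not something posted in the thread or shipped by ZeroTier or Microsoft; the zone name, LAN address and the "ZeroTier*" adapter description are placeholders you would swap for your own.

```powershell
# Added example (not from the thread): make the DC's DNS service answer on the
# ZeroTier adapter while keeping the ZT address out of the records that
# non-ZT clients use. Run elevated on the domain controller.
# Assumptions (placeholders, adjust to your environment):
$Zone    = 'corp.example'          # AD DNS zone name
$LanIp   = '10.10.0.5'             # DC address on the LAN
$ZtAlias = (Get-NetAdapter |
            Where-Object InterfaceDescription -like 'ZeroTier*' |
            Select-Object -First 1).Name
$ZtIp    = (Get-NetIPAddress -InterfaceAlias $ZtAlias -AddressFamily IPv4 |
            Select-Object -First 1).IPAddress

# 1. Make the DNS server listen on both the LAN and the ZT address.
#    By default it listens on every address; pinning the list documents intent
#    and keeps other virtual adapters out.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($LanIp, $ZtIp)
Set-DnsServerSetting -InputObject $settings

# 2. Stop the DNS client on the ZT adapter from registering its own address.
#    This keeps the ZT address out of the DC's own host (A) record, which is
#    what the _ldap/_kerberos SRV records point at.
Set-DnsClient -InterfaceAlias $ZtAlias -RegisterThisConnectionsAddress $false

# 3. Show which addresses the zone apex (the "same as parent" A records that
#    clients use to find the domain) currently holds. A multi-homed DC
#    registers all of its addresses here, so the ZT address may appear.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
    Select-Object HostName, @{n='IPv4'; e={ $_.RecordData.IPv4Address }}

# 4. If the ZT address is at the apex, remove it so LAN-only clients never get
#    an address they cannot route to. ZT clients still reach the DC over ZT
#    because the server now listens on that address.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
    Where-Object { "$($_.RecordData.IPv4Address)" -eq $ZtIp } |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force

# 5. Verify from the DC: the zone should answer on both listen addresses and
#    the apex should no longer return the ZT address.
foreach ($srv in $LanIp, $ZtIp) {
    Resolve-DnsName -Name $Zone -Type A -Server $srv -ErrorAction SilentlyContinue |
        Select-Object @{n='Server'; e={ $srv }}, Name, IPAddress
}
```

Caveat: step 4 is not permanent on its own. Netlogon re-registers the apex A record for the DC on its own schedule, so the ZT address comes back unless you also tell Netlogon not to register the `LdapIpAddress` mnemonic (the `DnsAvoidRegisterRecords` value under the Netlogon parameters key, or the "DC Locator DNS records not registered by the DCs" Group Policy) and maintain the apex record by hand. Check `dcdiag /test:dns` afterwards, because a DC that no longer registers some locator records will show that in the report.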
-
@wirestyle22 said in Anyone figured out how to ZeroTier with AD?:
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@wirestyle22 Yes, we are in different cities. They are a new office; my office is where the AD is set up. Potentially, if I can get this to work, I would be moving another ROBO to this method for authentication.
Wouldn't it be better to put a domain controller at their site and sync between them?
While this is an idea, do they really need a server there just for AD authentication?
I have two remote sites - no servers at them. All authentication is over the site to site VPN between my firewalls.
-
@Dashrender Because one person I'm dealing with attempted to do that before (without my approval or knowledge) and messed up the site-to-site already at one of our other offices. While setting up a static site-to-site VPN can work, I have people that will eventually take those laptops home (read: only about a handful of staff) and will want most of the same access remotely.
-
@Dashrender To avoid confusion I'm labeling Site A (my HQ, my main AD), Site B (a site that has a "sister" AD and was goofed up with a site-to-site link) and Site C (my new site, no server in place). I'm trying not to have to put a server in place at all if able.
-
I have two remote sites - no servers at them. All authentication is over the site to site VPN between my firewalls.
So what are you using for authentication? So each site just "talks" to each other over VPN, I gotcha there, but authentication is handled by what?
-
What about azure AD?
-
@JaredBusch said in Anyone figured out how to ZeroTier with AD?:
Your AD server needs ZT, and the ZT adapter needs to be marked as listened on in the DNS server setup. The problem with this is that non-ZT devices might get the ZT address of the server when they do a DNS lookup, and that will break things.
This is complicated.
I installed the latest ZT client on my AD server and a few laptops. So, for the most part, they "talk" and can ping, etc. I attempted to "sign on" with a new user (not cached) and it won't see it just yet.
-
@IRJ Azure AD shouldn't even be in the conversation, lol. Thanks though. Azure AD doesn't work like "AD" entirely. We are a Windows office, but we are also invested in Linux and Google Chrome OS. I'm leaning very hard toward Chrome OS in the future, as most of our needs and staff are about 90-95% fully functional with Chrome OS. At some point the only "Windows" devices will be held by IT and where absolutely necessary.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@Dashrender Because one person I'm dealing with attempted to do that before (without my approval or knowledge) and messed up the site-to-site already at one of our other offices. While setting up a static site-to-site VPN can work, I have people that will eventually take those laptops home (read: only about a handful of staff) and will want most of the same access remotely.
At that point, you have two options: resolve all the ZT AD issues only for those users, or give those users a standard mobile VPN solution.
I'm glad that JB chimed in here. The last time I tried to get ZT to work with AD it was painful to say the least, and completely unreliable to say the most.
As he mentioned, you have to install ZT on the AD servers (and every other server you want the users to have access to). All of those ZT addresses have to be in the AD DNS, which means that non-ZT clients would query DNS and get a ZT address and have no route to get to that network, etc.
If you move the entire company to ZT, things get a little better, because the client won't care which IP they get from a DNS query; they will all be able to use local IPs or ZT IPs...
What I haven't tried is what happens when you're on the road, say at Starbucks. Your machine gets an IP from Starbucks along with DNS entries. Now when you query AD, where is the DNS query going? To the SB DNS or to your private network DNS? JB might know the answer to this...
-
@Dashrender That becomes a shitstorm is what it becomes.
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
I have two remote sites - no servers at them. All authentication is over the site to site VPN between my firewalls.
So what are you using for authentication? So each site just "talks" to each other over VPN, I gotcha there, but authentication is handled by what?
When a PC at the remote site wants to authenticate, it makes a DNS query asking for the IP address of the AD controller. That DNS query is sent over the VPN to the main site, the DNS/AD box responds, then the PC sends the auth request to the AD box's IP address. Done.
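The lookup chain described in that reply (SRV record for the domain, then the DC's A record, then the auth traffic to that address) is also where the ZT setup and the "laptop at Starbucks" case break, so it is worth walking it step by step from the client. The script below is an added example, not from the thread or from ZeroTier; the domain name and the DC's ZT address are placeholders, and `Get-DnsClientServerAddress`, `Resolve-DnsName`, `Test-NetConnection` and `nltest` are the standard Windows tools it relies on.

```powershell
# Added example (not from the thread): reproduce the DC-locator lookup chain
# from a ZeroTier laptop to see where it breaks. Run on the client.
# Assumptions (placeholders): the AD domain name and the DC's ZT address.
$Domain = 'corp.example'
$DcZtIp = '10.147.17.5'

# 1. Which resolvers will the DC locator actually use? Show each adapter's list.
#    On a coffee-shop network the physical NIC gets the venue's resolver and
#    the ZT adapter normally has none, so AD queries go to the venue DNS,
#    which has never heard of the domain.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 2. The DC locator first asks for the LDAP SRV record of the domain.
#    Try it through the default resolvers...
$srvName    = "_ldap._tcp.dc._msdcs.$Domain"
$viaDefault = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
#    ...and directly against the DC over ZT, which only works if the DNS
#    service on the DC listens on its ZT address.
$viaZt      = Resolve-DnsName -Name $srvName -Type SRV -Server $DcZtIp -ErrorAction SilentlyContinue

[pscustomobject]@{
    'SRV via default resolvers' = [bool]$viaDefault
    'SRV via DC over ZT'        = [bool]$viaZt
}

# 3. For each DC hostname in the SRV answer, resolve its A record through the
#    DC itself and test the ports a logon needs (Kerberos 88, LDAP 389).
#    An address that resolves but is unreachable is the "wrong side" problem
#    from earlier in the thread: a LAN address handed to a ZT-only client.
$dcNames = $viaZt | Where-Object Type -eq 'SRV' |
           Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcNames) {
    $addrs = (Resolve-DnsName -Name $dc -Type A -Server $DcZtIp -ErrorAction SilentlyContinue).IPAddress
    foreach ($ip in $addrs) {
        foreach ($port in 88, 389) {
            $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            '{0} {1}:{2} reachable={3}' -f $dc, $ip, $port, $ok
        }
    }
}

# 4. What Windows itself concludes. This reports "Getting DC name failed" when
#    the SRV lookup through the default resolvers in step 2 fails.
nltest "/dsgetdc:$Domain" /force
```

If step 2 succeeds via the DC over ZT but not via the default resolvers, the client has connectivity but no way to find the domain. Putting the DC's ZT address on the ZT adapter with `Set-DnsClientServerAddress` helps only when Windows happens to prefer that adapter; a Name Resolution Policy Table rule (`Add-DnsClientNrptRule -Namespace ".corp.example" -NameServers $DcZtIp`, with your own domain) sends just the AD namespace to the DC regardless of which network the laptop is on, and leaves everything else with the local resolver.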
-
@krisleslie said in Anyone figured out how to ZeroTier with AD?:
@JaredBusch said in Anyone figured out how to ZeroTier with AD?:
Your AD server needs ZT, and the ZT adapter needs to be marked as listened on in the DNS server setup. The problem with this is that non-ZT devices might get the ZT address of the server when they do a DNS lookup, and that will break things.
This is complicated.
I installed the latest ZT client on my AD server and a few laptops. So, for the most part, they "talk" and can ping, etc. I attempted to "sign on" with a new user (not cached) and it won't see it just yet.
Exactly, because the PC doesn't get the proper DNS info back.