Technical info on managed domains (DNS)

Question

Hi,

We're looking at using Adaxes in an MSP environment with around 30 clients, each with their own domain. Some of these clients are hybrid on-prem/Azure, while others are Azure AD only. Some of the clients have on-prem domains with the .local TLD. Some have on-prem domains with .com and have a website hosted on the same domain on a different IP than their DC server. Et cetera.

I'm looking to get as much info as is practical about how Adaxes talks to managed domains that aren't on the same network as the server that the Adaxes service is installed on, so that I can apply it to as many different situations as possible.

First - I have a vague understanding from this question that I need to set up conditional forwarders on the MSP DNS server pointing to each of the client DNS servers, but I'd like to get some more info about that - where specifically does it need to point? What about .local on-prem domains?

Second - I figure that all the ports listed here need to be open to the internet on the client DC servers - are there security implications here?

Thanks, Max

Answer 1

Hello Max,

First - I have a vague understanding from this question that I need to set up conditional forwarders on the MSP DNS server pointing to each of the client DNS servers, but I'd like to get some more info about that - where specifically does it need to point?

In the post you referenced, it was a customer request to create conditional forwarders based on custom attributes. To be able to manage a domain in Adaxes you just need to make sure that the service can connect to the domain using the ports provided in the article you referenced and configure the DNS records accordingly. Adaxes does not have specific requirements as to DNS records. It uses standard approaches. The following Microsoft article might be helpful: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/integrating-ad-ds-into-an-existing-dns-infrastructure.

I figure that all the ports listed here need to be open to the internet on the client DC servers - are there security implications here?

The ports need to be open from the computer where Adaxes service is installed towards the domain controllers of the domains you want to manage. In your case, it seems to be required to open the ports over the Internet. There should be no security implications. However, it is a good idea to enable traffic encryption for operations you will be performing in Adaxes. The following article will be helpful: https://www.adaxes.com/help/EncryptTraffic.