djbrightman1 Absent Member.

Additional DNS Names...

I just want to check the functionality of the 'Additional DNS Name' Infrastructure setting on a Primary server...

This is an offshoot from https://forums.novell.com/novell-product-discussions/endpoint-management/zenworks/configuration-management/zcm-11/zcm11-server-install/468715-reestablish-trust-retr-minimum-rights-auto-accept-post2275965.html#poststop but is probably worth its own thread (I will return to the other with more findings once full testing completed!)

So, it would seem that this is something the device needs to have been told about in advance to work... From the doc
>>
The Additional DNS Names panel lets you specify additional names that can be used to access the
ZENworks Server when the server’s DNS name cannot be found by a device.
The DNS names added in this panel are distributed to all managed devices for them to use in
connecting to the server.

<<

This makes logical sense as you can't really have a server saying "yeah, go on trust me even though there is a certificate/fqdn mismatch"

However, the issue I am trying to address is that of devices who haven't recently been connected (refreshed) i.e. can't know about the server fqdn and/or server certificate change...

It seems these end up in the mismatch scenario and a 'zac retr' is required to re-establish trust.

Is this correct?

Thanks
David
Micro Focus Expert

Re: Additional DNS Names...

Yes, it needs to be done in advance.
What you would want to do is the following.

Let's say you have 4 primary servers.
Place all 4 in a Server Group so the load is balanced.
Then change 1 server every couple days until 3 are done.

Then you will want to leave the 3rd server unchanged for a period of
time until nearly all of your devices have checked in.

Then you can change the 4th, but will need to then just take steps to
manually fix a couple of devices.

On 8/8/2013 5:16 AM, djbrightman wrote:
>
> I just want to check the functionality of the 'Additional DNS Name'
> Infrastructure setting on a Primary server...
>
> This is an offshoot from
> https://forums.novell.com/novell-product-discussions/endpoint-management/zenworks/configuration-management/zcm-11/zcm11-server-install/468715-reestablish-trust-retr-minimum-rights-auto-accept-post2275965.html#poststop
> but is probably worth its own thread (I will return to the other with more
> findings once full testing completed!)
>
> So, it would seem that this is something the device needs to have been
> told about in advance to work... From the doc
>>>

> -The Additional DNS Names panel lets you specify additional names that
> can be used to access the
> ZENworks Server when the server's DNS name cannot be found by a
> device.
> The DNS names added in this panel are distributed to all managed
> devices for them to use in
> connecting to the server.-
> <<
>
> This makes logical sense as you can't really have a server saying
> "yeah, go on trust me even though there is a certificate/fqdn mismatch"
>
>
> However, the issue I am trying to address is that of devices who
> haven't recently been connected (refreshed) i.e. can't know about the
> server fqdn and/or server certificate change...
>
> It seems these end up in the mismatch scenario and a 'zac retr' is
> required to re-establish trust.
>
> Is this correct?
>
> Thanks
> David
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
djbrightman1 Absent Member.

Re: Additional DNS Names...

Hi Craig

Is there anything from the client we can use to see these additional names?
I mean something like a zac command or perhaps (though probably encoded) a cached config file?

I can see reference in the zmd-messages under
[DEBUG] [07/10/2013 16:59:39.453] [1140] [ZenworksWindowsService] [5] [] [LocationConfigBasedService] [] [GetCertsForServersBehindL4: No L4 switches present.] [] []
[DEBUG] [07/10/2013 16:59:39.640] [1140] [ZenworksWindowsService] [5] [] [CasaConfigurator] [] [ConfigureCASAForL4 called with L4 server cert map L4 SERVERS CERT MAP


As per other thread I am interested to know what we need to do with the "Additional DNS Names" entry on Primary once the server has joined the Domain and the actual FQDN of the server matches what we previously entered?

Presumably we can remove that entry?
However, do we need to add the 'old' fqdn into that list?

Cheers
David
Micro Focus Expert

Re: Additional DNS Names...

It's in the logs, but not the L4 section.
Make sure you have debugging enabled.

Can't recall what to look for off the top of my head, but it really
jumps out. Just search your log for the DNS names in question.

On 8/9/2013 9:06 AM, djbrightman wrote:
>
> Hi Craig
>
> Is there anything from the client we can use to see these additional
> names?
> I mean something like a zac command or perhaps (though probably
> encoded) a cached config file?
>
> I can see reference in the zmd-messages under
> [DEBUG] [07/10/2013 16:59:39.453] [1140] [ZenworksWindowsService] [5]
> [] [LocationConfigBasedService] [] [GetCertsForServersBehindL4: No L4
> switches present.] [] []
> [DEBUG] [07/10/2013 16:59:39.640] [1140] [ZenworksWindowsService] [5]
> [] [CasaConfigurator] [] [ConfigureCASAForL4 called with L4 server cert
> map L4 SERVERS CERT MAP
>
> As per other thread I am interested to know what we need to do with the
> "Additional DNS Names" entry on Primary once the server has joined the
> Domain and the actual FQDN of the server matches what we previously
> entered?
>
> Presumably we can remove that entry?
> However, do we need to add the 'old' fqdn into that list?
>
> Cheers
> David
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
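
Searching a debug-level zmd-messages log for the DNS names in question, as suggested in the reply above (an added example, not part of the original thread and not Novell tooling). The field layout is inferred from the log lines quoted in the thread; the host names and the `ExampleComponent` entries are constructed, and treating the seventh field as the component is an assumption.

```python
import re

# An entry starts "[LEVEL] [MM/DD/YYYY HH:MM:SS.mmm] ", as in the lines quoted above.
ENTRY_START = re.compile(r"^\[(\w+)\] \[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\] ")
# A field closes at a "]" followed by " [" or the end of the entry, so a
# message may contain brackets or span several physical lines.
FIELD = re.compile(r"\[(.*?)\](?= \[|\s*$)", re.S)

# Constructed sample: the first line is from the thread, the rest are made up.
SAMPLE_LOG = """\
[DEBUG] [07/10/2013 16:59:39.453] [1140] [ZenworksWindowsService] [5] [] [LocationConfigBasedService] [] [GetCertsForServersBehindL4: No L4 switches present.] [] []
[DEBUG] [07/10/2013 16:59:40.100] [1140] [ZenworksWindowsService] [5] [] [ExampleComponent] [] [constructed: server names received:
zcm01.corp.example.test
oldzcm01.example.test] [] []
[DEBUG] [07/10/2013 16:59:41.000] [1140] [ZenworksWindowsService] [5] [] [ExampleComponent] [] [constructed: connecting to ZCM01.example.test.] [] []
""".splitlines()

def iter_entries(lines):
    """Join physical lines into entries; a line that does not open a new
    entry is a continuation of the previous message."""
    current = None
    for line in lines:
        line = line.rstrip("\r\n")
        if ENTRY_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None and line.strip():
            current += "\n" + line
    if current is not None:
        yield current

def find_name_mentions(lines, dns_names):
    """Return (timestamp, component, name, entry) for each entry naming a host.
    Matching is case-insensitive and on whole host names only, so a short
    name does not match inside a longer one."""
    patterns = {n: re.compile(r"(?<![\w.-])" + re.escape(n) + r"(?![\w-]|\.\w)", re.I)
                for n in dns_names}
    hits = []
    for entry in iter_entries(lines):
        timestamp = ENTRY_START.match(entry).group(2)
        fields = FIELD.findall(entry)
        component = fields[6] if len(fields) > 6 else ""  # assumed position
        hits += [(timestamp, component, name, entry)
                 for name, pat in patterns.items() if pat.search(entry)]
    return hits

if __name__ == "__main__":
    names = ["zcm01.example.test", "zcm01.corp.example.test"]
    for ts, comp, name, _ in find_name_mentions(SAMPLE_LOG, names):
        print(ts, comp, name)
```

To run it against a real agent log, pass the open file object in place of `SAMPLE_LOG`.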
djbrightman1 Absent Member.

Re: Additional DNS Names...

Ah ha....
Actually, once the DNS entries actually resolve to the IP address the settings are very visible.... See them in agent->status->servers and other places in the log.
The L4 stuff seems relevant because this is where the certificate map pings get listed ( L4 SERVERS CERT MAP)

My issue was that I couldn't pre-create the DNS records (I don't have permissions! 😉) and the ZCM agent marks them as bad if the name doesn't resolve. I rushed through a special change request and all looks good now. One more round of testing, then we're off into production...!

Cheers

David