topic Replacing AD and DNS servers in Umbrella VA in Network Security

Replacing AD and DNS servers in Umbrella VA

BoomShakaLak — Fri, 11 Aug 2023 06:42:32 GMT

I have a couple other posts on this topic for ISE and FMC, but have decided to split them up so not to mix up answers for the different technologies.

The server team will be replacing the existing AD servers with new ones shortly. The new servers have been added to the network using new hostnames and IPs and will live side by side the old servers until everything else is confirmed OK at which point the old servers will be turned off. The new servers will then have their IPs updated to that of the old servers. These servers are also the DNS servers for the network.

Since the ADs are also the DNS servers in the network, and will be eventually inheriting the IP addresses of the old AD servers I would assume that DNS lookups via the Umbrella VA's would not be affected. let me know if my understanding is correct on this matter.

These Umbrella VA's are also integrated with AD to get user context in the logs, and this is where I get a little uncertain. Can the server team just change the IP of the new AD servers to that of the old servers and then run the Umbrella AD script on the server and everything will be OK? Or would we need to remove the old AD servers from Cisco Umbrella Deployments > Configuration > Sites and Active Directory and then add them back?

Any other Gotcha's?

Based on the information I found, to handle the transitio...

Cisco_Virtual_Engineer — Tue, 22 Aug 2023 09:09:11 GMT

Based on the information I found, to handle the transition of servers in your given situation, the process might involve these steps:

1. Remove old AD servers from Cisco Umbrella Deployments ) Configuration ) Sites and Active Directory. This makes sure that the old servers are no longer associated with the Umbrella deployment.

2. Change the IP of the new AD servers to match the IP of the old servers (if necessary). This step can be performed by the server team to ensure consistency in the network configuration.

3. Install the AD connector on the domain controller of the specific domain. The AD connector is responsible for syncing the Active Directory information with Cisco Umbrella.

By following these steps, the new AD servers should be correctly integrated into the Cisco Umbrella deployment, and any changes made to the IP addresses will be reflected in the configuration. This should not affect your DNS lookups via the Umbrella VA's.

However, since this process is complex and involves critical network elements, I strongly recommend reaching out to Cisco support or referring to the official Cisco documentation to ensure that every step is done correctly and your network security is not compromised.

Re: Replacing AD and DNS servers in Umbrella VA

Marvin Rhoads — Tue, 22 Aug 2023 13:06:12 GMT

The bot got it mostly right.

I would add that you might want to add the temporary server addresses in your VA configuration so that they see them as valid DNS servers for internal lookups.