It’s a common question: “We just want to gain visibility and control over our existing Microsoft DNS infrastructure, but aren’t quite ready to move to a full enterprise DNS solution. Does BlueCat offer an ‘overlay’ which would allow us to separately manage our core Microsoft DNS?”
The answer is not as simple as it might seem. Having been down this road many times during our twenty years in the business, BlueCat has a hard-won perspective on this which deserves a more detailed explanation.
The overlay temptation
There is a clear pattern when it comes to decentralized models for DNS management. It goes something like this:
- Server teams or Active Directory admins start with Microsoft DNS as the default solution because it meets basic needs.
- The network scales and grows more complex. Mergers, acquisitions, cloud migration, automation initiatives, IPv6 transition, new security and compliance initiatives increase the pressure on back-end DNS management. Patches and custom fixes proliferate.
- The network reaches a breaking point. The torrent of network outages, DNS help desk tickets, complex routing rules, and security challenges becomes untenable.
- IT executives and managers start looking for ways to rationalize and future-proof their DNS infrastructure.
Many network administrators who have been through this cycle believe they can solve the underlying problem of compounding complexity in their DNS by continuing to adjust around the margins. This is what an overlay represents - an attempt to keep the tangle of Microsoft DNS patches and fixes underneath a new UI.
So why isn’t this the ideal solution?
Delaying the inevitable
Overlay solutions fail to address the underlying issue of how the network is architected and managed. They are essentially a Band-Aid which pushes out the necessary decision to abandon a decentralized approach to core DNS services.
How do we know this? First-hand experience.
BlueCat used to offer an overlay system which allowed customers to manage parts of their Microsoft infrastructure as completely independent operating units. Our thought was that network administrators needed a half step toward the ultimate goal of a true enterprise DNS solution. If they could prove out the concept with a limited deployment, the full solution would be an inevitable next step.
We quickly discovered that only a true enterprise approach to DNS can offer the consolidated DNS architecture which large networks need over the long term. As long as there are separately managed fiefdoms of DNS, DHCP, or IPAM, the enterprise won’t benefit from a single source of truth.
Any network which has outgrown Microsoft DNS will soon outgrow an overlay solution as well. Overlay solutions may provide slightly better functionality and convenience than standard Microsoft DNS, but they are not a substitute for true enterprise DNS. Only a system which offers a true single source of truth for DDI resources will support automation and the other higher-level functionality which most large, complex networks require.
To be clear, the problem isn’t Microsoft DNS in and of itself. Microsoft DNS can perform well in the proper context of small, simple networks. The problem arises when administrators try to scale that decentralized approach across a large, complex enterprise - a use case which Microsoft DNS was never designed to support.
It’s also necessary to distinguish between interoperability and overlays. Interoperability - orchestrating DNS across platforms and environments - is a necessary component of any DNS architecture. Interoperability creates visibility and resilience across the enterprise, and allows administrators to control the DNS resource implications of disparate applications. This is why BlueCat supports interoperability with Microsoft DNS, Active Directory, BIND, Route 53, and other third party services.
Overlays, on the other hand, attempt to straddle separate DNS management systems. In this situation, the roles and responsibilities for DNS management overlap, creating confusion about which system is truly “in charge”. Overlays defy orchestration - there’s a fundamental conflict over which system operates as the source of truth.
Enterprise DNS is the solution
Given the time, investment, and inherent risk involved in any core services migration, it makes more sense for networks to make a single leap from decentralized DNS to enterprise DNS. Incremental approaches simply drag out the pain of trying to manage disparate resources at scale.
For this reason, BlueCat made the strategic decision to move away from overlay solutions. We are fully committed to the vision of enterprise DNS.
Migrating to an enterprise solution opens up a whole new world - one that simply isn’t available for users of overlay solutions. Rationalizing DNS infrastructure dramatically simplifies network operations, reduces the amount of time and effort devoted to DNS maintenance, and paves the way for higher level functionality.
We know that some network administrators still aren’t ready to make that leap to full enterprise DNS. They think they can continue to patch around a rotting network foundation. Some industry analysts still believe that overlay solutions work, and point to “deployment flexibility” as a reason to prefer vendors who offer this option.
We respectfully disagree. There’s no such thing as partial centralization. Either your DNS is fully centralized, or it isn’t. You either have one source of truth for DDI, or you have multiple sources. Overlay solutions aren’t a long-term fix. In the end, they create more problems than they solve.