Create a user account for a managed DNS Server in the AD domain controller and edit the user account properties as required.
To create an AD user account:
1. In Windows Server 2008 R2, start the Server Manager and add a user account with the following information:
   - User name—DNS Server name (for example, dns1)
   - Hostname of the DNS master—<dns server name>.example.com
   - Password—password for the account
   - Kerberos realm—EXAMPLE.COM. You will need to use this realm name when adding the Kerberos Realm in Address Manager. Attention: The Kerberos realm name must be in all capital letters.
   - User logon name—the service principal name. You will need to use the same name when configuring the Kerberos Service Principal in Address Manager.
2. When setting the user password, select the following two options:
   - User can't change password
   - Password never expires
3. Run the following command with administrator privileges:
   ktpass -princ DNS/<dns_server_name>.example.com@EXAMPLE.COM -mapuser <dns_server_name>@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -kvno 3 -pass <password> -mapOp set -out adonis.keytab
4. Verify the value specified in the -kvno option:
   - Go to Start > Run and run adsiedit.msc.
   - Navigate to CN=Users/CN=<user name> in the left panel.
   - Right-click and select Properties. The list of properties for the user object opens.
   - Find msDS-KeyVersionNumber. This value is the KVNO; it is incremented every time the user changes the password or the ktpass utility is executed.
   - Make a note of the KVNO value. You will need it when defining the service principal.
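The same procedure scripted in PowerShell, as an added example that is not BlueCat's own code: it creates the account with the two password options, builds the keytab with ktpass, then reads msDS-KeyVersionNumber from AD and compares it with the -kvno value written into the keytab. It assumes the ActiveDirectory module and ktpass.exe are available, the session has domain administrator rights, and the placeholder values dns1, example.com and EXAMPLE.COM.

```powershell
# Added example, not part of the original guide. Assumes RSAT ActiveDirectory
# module and ktpass.exe are installed and the session runs as a domain admin.
# Assumed placeholder values: dns1, example.com, EXAMPLE.COM.
param(
    [string]$DnsServerName = 'dns1',
    [string]$DnsDomain     = 'example.com',
    [string]$Realm         = 'EXAMPLE.COM',   # must be all capital letters
    [int]   $Kvno          = 3,
    [string]$KeytabPath    = "$PWD\adonis.keytab"
)
Import-Module ActiveDirectory

$fqdn = "$DnsServerName.$DnsDomain"
$spn  = "DNS/$fqdn"
# Prompt for the account password instead of hard-coding it in the script.
$secret = Read-Host -AsSecureString "Password for $DnsServerName"

# Steps 1 and 2: the service account with "User can't change password"
# and "Password never expires" set, and the SPN as its logon name.
New-ADUser -Name $DnsServerName -SamAccountName $DnsServerName `
    -UserPrincipalName "$spn@$Realm" `
    -ServicePrincipalNames $spn `
    -AccountPassword $secret -Enabled $true `
    -CannotChangePassword $true -PasswordNeverExpires $true

# Step 3: generate the keytab. ktpass needs the clear-text password,
# so it is unwrapped only for this call and cleared afterwards.
$plain = [System.Net.NetworkCredential]::new('', $secret).Password
& ktpass.exe -princ "$spn@$Realm" -mapuser "$DnsServerName@$Realm" `
    -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -kvno $Kvno `
    -pass $plain -mapOp set -out $KeytabPath
$plain = $null

# Step 4: the KVNO baked into the keytab must match the one AD reports,
# otherwise the DNS server's GSS-TSIG key will be rejected.
$adUser = Get-ADUser $DnsServerName -Properties 'msDS-KeyVersionNumber'
$adKvno = $adUser.'msDS-KeyVersionNumber'
if ($adKvno -ne $Kvno) {
    Write-Warning "Keytab carries kvno $Kvno but AD reports $adKvno; rerun ktpass with -kvno $adKvno."
} else {
    Write-Host "KVNO $adKvno confirmed for $spn; use it for the Address Manager service principal."
}
```

The keytab file holds the account's AES key, so restrict its ACL to administrators before copying it to the DNS server; rerunning ktpass or changing the password increments the KVNO in AD and invalidates the earlier keytab.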