Creating an AD user account for the dynamic update role on the Domain Controller - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Product name: BlueCat Integrity

Create a user account for a managed DNS Server in the AD domain controller and edit the user account properties as required.

To create an AD user account:

  1. In Windows Server 2008 R2, start the Server Manager and add a user account with the following information:
    • User name—DNS Server name (for example, dns1)
    • Hostname of the DNS master—<dns server name>
    • Password—password for the account
    • Kerberos realm—EXAMPLE.COM. You will need to use this realm name when adding the Kerberos Realm in Address Manager.
      Attention: The Kerberos realm name must be in all capital letters.
    • User logon name—the service principal name. You will need to use the same name when configuring the Kerberos Service Principal in Address Manager.
  2. When setting a user password, select the following two options:
    • User can't change password
    • Password never expires
  3. Run the following command with administrator privilege:
    ktpass -princ DNS/<dns_server_name> -mapuser <dns_server_name>@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -kvno 3 -pass <password> -mapOp set -out adonis.keytab
  4. Verify the value specified in the -kvno option:
    1. Go to Start > Run and run adsiedit.msc.
    2. Navigate to CN=Users/CN=<user name> in the left panel.
    3. Right-click the user object and select Properties. The list of properties for the user object opens.
    4. Find msDS-KeyVersionNumber. Its value is the KVNO; it is incremented every time the user's password is changed or the ktpass utility is run against the account.
  5. Make note of the KVNO value. You will need the value when defining a service principal.
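After step 5 a practitioner wants to confirm that the KVNO stored inside adonis.keytab is the same number that AD now reports in msDS-KeyVersionNumber, because a mismatch makes the DNS server's Kerberos authentication fail. The Python script below is an added example, not part of the BlueCat documentation or product: it parses a version-2 MIT-format keytab (the layout ktpass emits) and compares every entry's kvno with the value read from AD; the embedded sample keytab is constructed here with an all-zero dummy key and the dns1 name from step 1.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962); 18 is what "-crypto AES256-SHA1" produces.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data: bytes) -> list:
    """Parse a version-2 (0x0502) MIT-format keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted entry (hole)
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                       # realm first, then the principal's name components
        for _ in range(ncomp + 1):
            (slen,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + slen].decode())
            pos += 2 + slen
        name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                   # skip the key material itself
        vno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit field when non-zero
            vno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "name_type": name_type,
                        "kvno": vno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def kvno_matches_ad(keytab: bytes, ad_kvno: int) -> bool:
    """True only if every keytab entry carries the msDS-KeyVersionNumber read from AD."""
    entries = parse_keytab(keytab)
    return bool(entries) and all(e["kvno"] == ad_kvno for e in entries)

def build_keytab_entry(principal: str, name_type: int, vno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one entry in the same layout; used here only to construct the sample below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, 0, vno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", vno)         # the optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body

# Constructed sample: the entry the ktpass command above would write, with an all-zero dummy key.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry("DNS/dns1@EXAMPLE.COM", 1, 3, 18, bytes(32))
```

To check the real file, pass open("adonis.keytab", "rb").read() and the KVNO noted in step 5 to kvno_matches_ad; a False result means the -kvno value given to ktpass no longer matches AD.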