- Configure the server principal name for the host or service in the Active
Directory Domain Services (AD DS).
- On the Windows server, start the Server Manager.
- Create an AD user account.
- Configure the Service Principal Name (SPN) for the domain account by
running the ktpass command. For more information, refer
Example usage: To configure the SPN for the domain account of the DDNS service, run the following command:
ktpass -out ddns.keytab -princ DNS/ddns-service.otherzone.net@OTHERZONE.NET -mapuser ddns-service@OTHERZONE.NET -pass P@ssword456 -crypto RC4-HMAC-NT -kvno 1 -ptype KRB5_NT_PRINCIPAL
Example usage: To configure the SPN for the domain account of the client host, run the following command:
ktpass -out ddns-client.keytab -princ host/ddns-client.otherzone.net@OTHERZONE.NET -mapuser ddns-client@OTHERZONE.NET -pass P@ssword123456 -crypto RC4-HMAC-NT -kvno 1 -ptype KRB5_NT_PRINCIPAL
In this case, the client host needs the ddns-client.keytab file to be able to send GSS-TSIG updates using the nsupdate command.
- Configure the Active Directory server to send DDNS updates for its own resource records.
- Ensure that "Active Directory Domain Controller Updates" permissions are added and allowed on the Distributed DDNS workflow for the domain managed by Active Directory.
- Ensure that the Active Directory domain name appears in the allowed list of Manage Domain Controllers.
- Ensure that "Security Client Updates" permissions are added and allowed on the Distributed DDNS workflow for the domain managed by Active Directory and the network (reverse zone) of Active Directory.
- Ensure that the IP address of the Primary DNS server is configured to the network adapter of the Active Directory server.
- To test whether the Active Directory server sends updates for its DNS records, run the following commands:
  - To verify that Active Directory sends host record and PTR record updates:
  - To verify that Active Directory sends its other DNS records, restart the Netlogon service:
    net stop netlogon
    net start netlogon
- The Distributed DDNS Service Node must be added to the Service Node tab.
- Ensure that DDNS service is running.
- If you are using Anycast, ensure that Anycast service is configured and running.
- Use nsupdate to send DDNS updates. For more information, refer to https://linux.die.net/man/8/nsupdate.
- Ensure that the krb5-user package is installed on the host machine. If it is not installed, you can install it using the following command:
apt-get install krb5-user
- Configure KDC for every domain that clients will send updates to.
- Ensure that the domain account for the client has been created on the Active Directory server and that the SPN is configured for that account.
- Transfer the client keytab file to the client machine.
- Run the following command to obtain a Kerberos ticket from the KDC before sending updates:
kinit -kt client.keytab <client_spn>
For example:
kinit -kt ddns-client.keytab host/ddns-client.otherzone.net@OTHERZONE.NET
Use nsupdate -g to send DDNS updates.
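As an added example (not from the original documentation), the script below ties the last two steps together: it obtains a ticket from the client keytab and pipes a generated nsupdate transcript that replaces a host's A record and its PTR record into nsupdate -g. The keytab, SPN and DDNS server names are assumed placeholders taken from the page's sample values; the forward and reverse updates are sent as two batches because one nsupdate "send" applies to a single zone.

```shell
# Added example, not part of the original page. Placeholder values are taken
# from the page's samples and can be overridden through the environment.
set -eu

KEYTAB=${KEYTAB:-ddns-client.keytab}
CLIENT_SPN=${CLIENT_SPN:-host/ddns-client.otherzone.net@OTHERZONE.NET}
DDNS_SERVER=${DDNS_SERVER:-ddns-service.otherzone.net}

# Build the in-addr.arpa owner name for an IPv4 address (octets reversed).
reverse_ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Emit the nsupdate transcript for one host: delete any stale A/PTR records,
# add the current ones, and commit each zone's batch with its own "send".
# Arguments: fully qualified host name, IPv4 address, optional TTL (default 300).
build_update() {
    host=$1; ip=$2; ttl=${3:-300}
    ptr=$(reverse_ptr_name "$ip")
    printf 'server %s\n' "$DDNS_SERVER"
    printf 'update delete %s A\n' "$host"
    printf 'update add %s %s A %s\n' "$host" "$ttl" "$ip"
    printf 'send\n'
    printf 'update delete %s PTR\n' "$ptr"
    printf 'update add %s %s PTR %s\n' "$ptr" "$ttl" "$host"
    printf 'send\n'
}

# Get the ticket non-interactively from the keytab, then sign the update
# with GSS-TSIG (-g). nsupdate reads the transcript from stdin.
send_update() {
    kinit -kt "$KEYTAB" "$CLIENT_SPN"
    build_update "$@" | nsupdate -g
}

# Usage: send_update ddns-client.otherzone.net. 10.20.30.40
```

Run build_update on its own first to inspect the transcript before sending it; nothing leaves the host until send_update is called.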