Reference: Active Directory service configuration - Adaptive Applications - BlueCat Gateway - 21.2

BlueCat Distributed DDNS Administration Guide

Before proceeding to configure the Service Principal Name field, ensure that you have configured the following on your Active Directory server:
  • Configure the server principal name for the host or service in the Active Directory Domain Services (AD DS).
    1. On the Windows server, start the Server Manager.
    2. Create an AD user account.
    3. Configure the Service Principal Name (SPN) for the domain account by running the ktpass command. For more information, refer to https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass.

      Example usage

      To configure the SPN for the domain account of the DDNS service, run the following command:
      ktpass -out ddns.keytab -princ DNS/ddns-service.otherzone.net@OTHERZONE.NET -mapuser ddns-service@OTHERZONE.NET -pass P@ssword456 -crypto RC4-HMAC-NT -kvno 1 -ptype KRB5_NT_PRINCIPAL

      Example usage

      To configure the SPN for the domain account of the client host, run the following command:
      ktpass -out ddns-client.keytab -princ host/ddns-client.otherzone.net@OTHERZONE.NET -mapuser ddns-client@OTHERZONE.NET -pass P@ssword123456 -crypto RC4-HMAC-NT -kvno 1 -ptype KRB5_NT_PRINCIPAL

      In this case, a client host needs the ddns-client.keytab file to send GSS-TSIG updates using the nsupdate command.

  • Configure the Active Directory server to send DDNS for its own resource records.
    1. Ensure that "Active Directory Domain Controller Updates" permissions are added and allowed on the Distributed DDNS workflow for the domain managed by Active Directory.
    2. Ensure that the Active Directory domain name appears in the allowed list of Manage Domain Controllers.
    3. Ensure that "Security Client Updates" permissions are added and allowed on the Distributed DDNS workflow for the domain managed by Active Directory and the network (reverse zone) of Active Directory.
    4. Ensure that the IP address of the Primary DNS server is configured on the network adapter of the Active Directory server.
    5. To test if the Active Directory server sends updates for its DNS records, run the following commands:
      • To verify that Active Directory sends host record and PTR record updates:
        ipconfig /registerdns
      • To verify that Active Directory sends other DNS updates:
        net stop netlogon
        net start netlogon
To successfully send DDNS updates to a Distributed DDNS Service Node with Active Directory, ensure that you have configured the following:
  • The Distributed DDNS Service Node must be added to the Service Node tab.
  • Ensure that the DDNS service is running.
  • If you are using Anycast, ensure that the Anycast service is configured and running.
  • Use nsupdate to send DDNS updates. For more information, refer to https://linux.die.net/man/8/nsupdate.
To successfully send GSS-TSIG updates to a Distributed DDNS Service Node, ensure that you have configured the following:
  • Ensure that the krb5-user package is installed on the BDDS. If it is not installed, you can install it using the following command:
    apt-get install krb5-user
  • Configure a KDC for every domain that clients will send updates to.
  • Manually add the Kerberos Realm configuration to the /etc/krb5.conf file on the BDDS. The following section must be updated:
    [realms]
        <REALM_NAME> = {
            kdc = <kdc_address>
            admin_server = <kdc_address>
            default_domain = <domain_name>
        }
    [domain_realm]
        .<domain_name> = <REALM_NAME>
        <domain_name> = <REALM_NAME>
    The section should look as follows:
    [realms]
        EXAMPLE.COM = {
            kdc = 192.168.56.101
            admin_server = 192.168.56.101
            default_domain = example.com
        }
    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
  • Ensure that the domain account for the client has been created on the Active Directory server and that the SPN is configured for that account.
  • Transfer the client keytab file to the client machine.
  • Run the following command to get the Kerberos ticket from the KDC before sending updates:
    kinit -kt client.keytab <client_spn>
    For example:
    kinit -kt ddns-client.keytab host/ddns-client.otherzone.net@OTHERZONE.NET
  • Use nsupdate -g to send DDNS updates.
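
The client-side steps above (transfer the keytab, kinit, nsupdate -g) combined into one script that refuses to use a keytab other users can read. This is an added example, not BlueCat code: the helper names keytab_private, build_update and send_gss_update are hypothetical, and the server name, zone, record name, address and 3600-second TTL are assumptions.

```shell
#!/bin/sh
# Added example (not BlueCat code). Assumed values, not from the page:
# server name, zone, record name, IPv4 address and the 3600-second TTL.
# Usage (constructed values):
#   ./gss-update.sh ddns-client.keytab host/ddns-client.otherzone.net@OTHERZONE.NET \
#       ddns-service.otherzone.net otherzone.net ddns-client.otherzone.net 192.0.2.10

# A keytab holds the account's long-term key, so only its owner may read it.
keytab_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -r[w-]-------*) return 0 ;;   # mode 0600 or 0400
        *) return 1 ;;
    esac
}

# Emit the nsupdate batch that replaces the A record of one host.
build_update() {  # build_update <server> <zone> <fqdn> <ipv4>
    printf 'server %s\nzone %s\n' "$1" "$2"
    printf 'update delete %s A\n' "$3"
    printf 'update add %s 3600 A %s\n' "$3" "$4"
    printf 'send\n'
}

send_gss_update() {  # send_gss_update <keytab> <spn> <server> <zone> <fqdn> <ipv4>
    keytab_private "$1" || {
        echo "refusing: $1 is missing or readable by other users" >&2
        return 1
    }
    # Use a private ticket cache so the ticket is discarded after this update.
    KRB5CCNAME="FILE:$(mktemp)" || return 1
    export KRB5CCNAME
    kinit -kt "$1" "$2" || return 1
    build_update "$3" "$4" "$5" "$6" | nsupdate -g
    rc=$?
    kdestroy
    return "$rc"
}

# Run only when all six arguments are supplied.
if [ "$#" -eq 6 ]; then
    send_gss_update "$@"
fi
```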