Before proceeding to configure the Service Principal Name field,
ensure that you have configured the following on your Active Directory server:
- Configure the service principal name for the host or service in Active Directory Domain Services (AD DS).
- On the Windows server, start the Server Manager.
- Create an AD user account.
- Configure the Service Principal Name (SPN) for the domain account by running the ktpass command. For more information, refer to https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass.
  Example usage
  To configure the SPN for the domain account of the DDNS service, run the following command:
    ktpass -out ddns.keytab -princ DNS/ddns-service.otherzone.net@OTHERZONE.NET -mapuser ddns-service@OTHERZONE.NET -pass P@ssword456 -crypto RC4-HMAC-NT -kvno 1 -ptype KRB5_NT_PRINCIPAL
  Example usage
  To configure the SPN for the domain account of the client host, run the following command:
    ktpass -out ddns-client.keytab -princ host/ddns-client.otherzone.net@OTHERZONE.NET -mapuser ddns-client@OTHERZONE.NET -pass P@ssword123456 -crypto RC4-HMAC-NT -kvno 1 -ptype KRB5_NT_PRINCIPAL
  In this case, the client host needs the ddns-client.keytab file to be able to send GSS-TSIG updates using the nsupdate command.
- Configure the Active Directory server to send DDNS updates for its own resource records.
- Ensure that "Active Directory Domain Controller Updates" permissions are added and allowed on the Distributed DDNS workflow for the domain managed by Active Directory.
- Ensure that the Active Directory domain name appears in the allowed list of Manage Domain Controllers.
- Ensure that "Security Client Updates" permissions are added and allowed on the Distributed DDNS workflow for the domain managed by Active Directory and the network (reverse zone) of Active Directory.
- Ensure that the IP address of the Primary DNS server is configured to the network adapter of the Active Directory server.
- To test whether the Active Directory server sends updates for its DNS records, run the following commands:
  - To verify that Active Directory sends host record and PTR record updates:
    ipconfig /registerdns
  - To verify that Active Directory sends other DNS updates:
    net stop netlogon
    net start netlogon
To successfully send DDNS updates to a Distributed DDNS Service Node with Active
Directory, ensure that you have configured the following:
- The Distributed DDNS Service Node must be added to the Service Node tab.
- Ensure that DDNS service is running.
- If you are using Anycast, ensure that Anycast service is configured and running.
- Use nsupdate to send DDNS updates. For more information, refer to https://linux.die.net/man/8/nsupdate.
To successfully send GSS-TSIG updates to a Distributed DDNS Service Node, ensure that you
have configured the following:
- Ensure that the krb5-user package is installed on the BDDS. If it is not installed, you can install it using the following command:
    apt-get install krb5-user
- Configure KDC for every domain that clients will send updates to.
- Manually add the Kerberos realm configuration to the /etc/krb5.conf file on the BDDS. The following section must be updated:
    [realms]
    <REALM_NAME> = {
        kdc = <kdc_address>
        admin_server = <kdc_address>
        default_domain = <domain_name>
    }
    [domain_realm]
    .<domain_name> = <REALM_NAME>
    <domain_name> = <REALM_NAME>
  The section should look as follows:
    [realms]
    EXAMPLE.COM = {
        kdc = 192.168.56.101
        admin_server = 192.168.56.101
        default_domain = example.com
    }
    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
- Ensure that the domain account for the client has been created on the Active Directory server and that the SPN is configured for that account.
- Transfer the client keytab file to the client machine.
- Run the following command to get the Kerberos ticket from the KDC before sending updates:
    kinit -kt client.keytab <client_spn>
  For example:
    kinit -kt ddns-client.keytab host/ddns-client.otherzone.net@OTHERZONE.NET
- Use nsupdate -g to send DDNS updates.
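The client-side procedure above (check the transferred keytab, kinit with the client SPN, then nsupdate -g) as one script. This is an added example and not part of the product documentation; the DDNS Service Node address 192.168.56.50, the host ddns-client.otherzone.net and its address 192.168.56.20 are constructed sample values, and the keytab path and SPN default to the ones used in the examples above.

```shell
#!/bin/sh
# Added example, not part of the product documentation: obtain a Kerberos
# ticket from the client keytab, build an nsupdate script that adds an A
# record and its matching PTR record, and send it with GSS-TSIG (nsupdate -g).
# All host names, addresses and file names below are constructed sample values.

KEYTAB="${KEYTAB:-ddns-client.keytab}"
CLIENT_SPN="${CLIENT_SPN:-host/ddns-client.otherzone.net@OTHERZONE.NET}"
DDNS_SERVER="${DDNS_SERVER:-192.168.56.50}"   # constructed Distributed DDNS Service Node address

# Check that the keytab actually carries the SPN about to be used, so a wrong
# or stale keytab is caught here rather than as an opaque nsupdate failure.
check_keytab() {
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB not readable" >&2; return 1; }
    klist -k "$KEYTAB" | grep -qF "$CLIENT_SPN" || {
        echo "SPN $CLIENT_SPN not found in $KEYTAB" >&2; return 1; }
}

# Turn a dotted IPv4 address into its in-addr.arpa PTR owner name.
reverse_name() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# Print the nsupdate script for one host. Arguments: forward_zone fqdn ipv4 [ttl].
# The reverse zone is derived by dropping the first label of the PTR owner
# name, which assumes a /24 reverse zone (adjust for other sizes).
# Records are deleted before being added so a re-run replaces stale data.
build_update_script() {
    zone=$1; fqdn=$2; ip=$3; ttl=${4:-3600}
    ptr=$(reverse_name "$ip")
    rzone=${ptr#*.}
    printf 'server %s\n' "$DDNS_SERVER"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s. A\n' "$fqdn"
    printf 'update add %s. %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
    printf 'zone %s\n' "$rzone"
    printf 'update delete %s. PTR\n' "$ptr"
    printf 'update add %s. %s PTR %s.\n' "$ptr" "$ttl" "$fqdn"
    printf 'send\n'
}

# Full procedure: verify the keytab, get the ticket, send the GSS-TSIG update.
send_update() {
    check_keytab || return 1
    kinit -kt "$KEYTAB" "$CLIENT_SPN" || return 1
    build_update_script "$@" | nsupdate -g
}

# Usage: sh gss_update.sh otherzone.net ddns-client.otherzone.net 192.168.56.20
if [ $# -ge 3 ]; then
    send_update "$@"
fi
```

Running build_update_script on its own prints the update script without sending it, which is a convenient way to review exactly what will be signed and sent before the node's permissions are in place; the `update delete` lines keep the run idempotent when an address changes.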