Secure Dynamic DNS updates using machine account.

[Uri Simchoni]

On 06/08/2016 02:06 AM, Hemanth Thummala wrote:
> Hi Everyone,
> 
> We have a need to update the dns (register new IP or unregister an existing IP) using machine account. Currently net ads register command seems to be working only with Administrator credentials. -P option works only when we set the domain updates to secure and Non-secure. I.e Secure updates not working using machine account.
> 
> We have tried considering adding the machine account to DNS update proxy security group. But this is still not helping. Adding the machine account to “DNSAdmin” group works but we do not want to add the account to any administrator groups.
> 
> Has anyone tried using –P option for dns register command with minimum set of permissions?
> 
> Thanks,
> Hemanth.
> 
We've always (since samba 3.2.x) used secure dns update only with -P,
with the record having whatever permissions set by the join (haven't
checked whether the initial dns update during net ads join is using
machine account or admin account).

I just ran a quick check using samba-4-3-9-based firmware and it still
worked. One issue I seem to remember, particularly in test envs, is that
we don't delete the record when leaving, and therefore when we join
again, the record exists and modifying it with the (new) machine account
doesn't work.

There are also replication aspects - when running my quick check now I
noticed that it takes longer for DNS updates to replicate than the
account (or more precisely - after modifying the IP address and updating
DNS on one DC, it takes 2-3 minutes for the change to show in the GUI
DNS management of another DC, all on the same site)

HTH,
Uri.