Secure Dynamic DNS updates using machine account.

Andrew Bartlett abartlet at
Fri Jun 10 08:06:48 UTC 2016

On Tue, 2016-06-07 at 23:06 +0000, Hemanth Thummala wrote:
> Hi Everyone,
> We have a need to update the DNS (register new IP or unregister an
> existing IP) using machine account. Currently net ads register
> command seems to be working only with Administrator credentials. -P
> option works only when we set the domain updates to secure and
> Non-secure. I.e., secure updates are not working using machine account.
> We have tried considering adding the machine account to DNS update
> proxy security group. But this is still not helping. Adding the
> machine account to “DNSAdmin” group works but we do not want to add
> the account to any administrator groups.
> Has anyone tried using -P option for dns register command with
> minimum set of permissions?

Is the join DNS update happening as administrator?  That would then own
the record, and prevent the machine from updating its own record.  The
DNS update should be done as the machine.  If that is the issue, we may
need to patch Samba in that regard.

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
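
Added example, not part of the original message and not Samba code: the reply's hypothesis can be checked by reading the security descriptor of the record's dnsNode object and seeing who owns it and whether the machine account has a write ACE. This sketch assumes the descriptor is already available as an SDDL string; the SIDs and SDDL strings are constructed, and `record_access` is a hypothetical helper that looks only at ACEs naming the SID directly (no group expansion, no deny or conditional ACEs).

```python
import re

# Rights that allow modifying the record: generic all, generic write, write property.
WRITE_CODES = {"GA", "GW", "WP"}
WRITE_BITS = 0x10000000 | 0x40000000 | 0x00000020  # the same rights as mask bits

def parse_sddl(sddl):
    """Return (owner, aces); each ACE is its list of ';'-separated fields."""
    owner = re.search(r"O:(.+?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", dacl.group(1))] if dacl else []
    return (owner.group(1) if owner else None), aces

def grants_write(rights):
    """True if an ACE rights field (two-letter codes or a hex mask) includes a write right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    return bool(WRITE_CODES & set(re.findall("..", rights)))

def record_access(sddl, sid):
    """Report the record owner and whether an allow ACE gives `sid` a write right."""
    owner, aces = parse_sddl(sddl)
    write_ace = any(
        len(ace) >= 6 and ace[0] in ("A", "OA") and ace[5] == sid and grants_write(ace[2])
        for ace in aces
    )
    return {"owner": owner, "is_owner": owner == sid, "write_ace": write_ace}

# Constructed sample SIDs: a domain administrator and the joined machine account.
ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-500"
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed descriptor for a record registered with administrator credentials.
ADMIN_CREATED = f"O:{ADMIN}G:DUD:(A;;GA;;;{ADMIN})(A;;RPLCLORC;;;AU)(A;;GA;;;SY)"
# Constructed descriptor for a record registered by the machine account itself.
MACHINE_CREATED = (
    f"O:{MACHINE}G:DUD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{MACHINE})(A;;RPLCLORC;;;AU)"
)

if __name__ == "__main__":
    for name, sddl in (("admin-created", ADMIN_CREATED), ("machine-created", MACHINE_CREATED)):
        print(name, record_access(sddl, MACHINE))
```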

More information about the samba-technical mailing list