[Samba] Reverse zones fail with secure updates

L.P.H. van Belle belle at bazuin.nl
Wed Nov 23 12:36:34 UTC 2016


Hai James, 

> 
> I'm aware of the .local use. Unfortunately when I initially setup the
> domain it was suggested as appropriate. I'm unable to pass option 81
> from our routers. I'm OK with using GPO's for this. My understanding is
> TLS is enabled by default but I went ahead and created a self signed
> certificate anyhow. I'll point out that this behavior is exhibited
> through my test environment as well as production environment.

Perfect, now read:
https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx
and publish the root CA of your DC to the clients.
Now the key here is where you put the GPO for the CA.

If you have more certificates to publish, I suggest you create a new policy.
Now link it to the top of your AD (domain.local), or use the Default Domain Policy.
(You need Authenticated Users as the security setting) (and reboot 2x)
After the second reboot check if the PTR record is updated.


> I'm still unable to get secure PTR records in the zone. Only A records
> will update when using secure. I'm also skeptical the Win 7 workstations
> are even requesting that PTR records be added or updated. The Wireshark
> trace doesn't appear to show any request for PTR updates (I could be
> wrong).
I forgot to ask, did you create the reverse zone in the DNS?


> Are you able to confirm secure PTR updates work when using the
> internal DNS server?
Ah.. there's the difference, I'm using bind_dlz.
I can't tell anything about the internal DNS, I never used it.

> This is for clients requesting the update and not
> via the DHCP server? Thanks.
Both should work, static or DHCP IP.

> 
> --
> - James


Greetz, 

Louis
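The two checks the reply above keeps coming back to (does the reverse zone exist on the DC, and does a secure update against it land) as an added shell example that is not part of the thread. It assumes a DC named dc1.domain.local, a client ws01.domain.local at 10.20.30.40 in a /24 network, and a BIND9_DLZ backend with "secure only" updates; all of those names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Samba list thread. Helpers to check the two
# things a secure PTR update needs: the right in-addr.arpa zone on the DC and a
# GSS-TSIG update against it. Assumed (not from the post): DC dc1.domain.local,
# client ws01.domain.local at 10.20.30.40 in a /24 network.

# Reverse zone for a /8, /16 or /24 network: 10.20.30.0/24 -> 30.20.10.in-addr.arpa
reverse_zone() {
    net=${1%/*}; bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    case $bits in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "unsupported prefix /$bits (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# Owner name of the PTR record: 10.20.30.40 -> 40.30.20.10.in-addr.arpa
ptr_name() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo "$4.$3.$2.$1.in-addr.arpa"
}

# nsupdate input for a secure PTR update (assumes a /24 reverse zone).
# "nsupdate -g" signs the request with the caller's Kerberos ticket, which is
# what "secure only" updates on the DC require; run kinit as the host first.
ptr_update_script() {   # $1 = DC, $2 = client IP, $3 = client FQDN
    zone=$(reverse_zone "$(printf '%s' "$2" | cut -d. -f1-3).0/24")
    printf 'server %s\nzone %s\nupdate delete %s PTR\nupdate add %s 3600 PTR %s.\nsend\n' \
        "$1" "$zone" "$(ptr_name "$2")" "$(ptr_name "$2")" "$3"
}

if [ "$1" = run ]; then       # only talks to the DC when invoked as: sh ptrcheck.sh run
    DC=dc1.domain.local; IP=10.20.30.40; FQDN=ws01.domain.local   # assumed values
    ZONE=$(reverse_zone 10.20.30.0/24)
    # 1. The reverse zone must exist before any client can register a PTR record.
    samba-tool dns zonelist "$DC" --reverse -U administrator | grep -q "$ZONE" \
        || samba-tool dns zonecreate "$DC" "$ZONE" -U administrator
    # 2. Secure update, then
    # 3. confirm the DC now answers the reverse lookup.
    ptr_update_script "$DC" "$IP" "$FQDN" | nsupdate -g
    dig +short -x "$IP" @"$DC"
fi
```

If step 3 returns nothing while the A record updates fine, the zone name printed by reverse_zone is the first thing to compare against what samba-tool dns zonelist shows.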