[Samba] AD DC DynDns update problem

L.P.H. van Belle belle at bazuin.nl
Fri Jun 25 07:56:33 UTC 2021


 

> -----Oorspronkelijk bericht-----
> Van: me at tdiehl.org [mailto:me at tdiehl.org] 
> Verzonden: donderdag 24 juni 2021 18:42
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] AD DC DynDns update problem
> 
> Hi Louis,
> 
> On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:
> 
> > Lookup how owns the DNS A record in the DNS.
> 
> OK, how do I do that?

Windows DNS Manager, goto the A record, (properties => Security Tab), 
There you can see/lookup the permission (ACL) on the A record. 

> 
> > And, did you add dhcp-user into the windows groups 
> DnsAdmins and DnsUpdateProxy for the servers running DHCP.
> 
> The dhcpduser is part of the DnsAdmins group but was not a 
> member of the DnsUpdateProxy.
> I added it to the DnsUpdateProxy group but no change.

> 
> >
> > This > >>>>>> exception - (5, 'WERR_ACCESS_DENIED')
> > Is just the message that, the user your using, doesnt have 
> rights on that A record.
> 
> I did not know there was an actual owner of a DNS record. Am 
> I not understanding something? 

I think your understand most parts as you should. 
But yes, even on DNS records there are ACL's. 
A powershell example. 
https://www.shellandco.net/update-acl-microsoft-dns-active-directory-record/

> 
> >
> >>>  Pre-authentication failed: Permission denied while getting
> > Did you enable "Delegate to all service (only kerberos)" on 
> the computer object running the DHCP
> 
> "Delegate to all service (only kerberos)" was enabled on the 
> DC which is where dhcpd is running. I think that is the default.
Hmm, i cant recall if thats default but on the AD-DC's it should be imo. 

Greetz,

Louis




More information about the samba mailing list