[Samba] AD DC DynDns update problem

me at tdiehl.org me at tdiehl.org
Sat Jun 26 00:04:11 UTC 2021


Hi Louis,

On Fri, 25 Jun 2021, L.P.H. van Belle via samba wrote:

>> -----Original message-----
>> From: me at tdiehl.org [mailto:me at tdiehl.org]
>> Sent: Thursday, 24 June 2021 18:42
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] AD DC DynDns update problem
>>
>> Hi Louis,
>>
>> On Thu, 24 Jun 2021, L.P.H. van Belle via samba wrote:
>>
>>> Look up who owns the DNS A record in the DNS.
>>
>> OK, how do I do that?
>
> Windows DNS Manager, go to the A record (Properties => Security tab),
> there you can see/look up the permissions (ACL) on the A record.

You hit the nail on the head!! I started comparing the permissions on the
problem domain with one that works and I found several inherited permissions
missing.

I ended up using adsiedit to compare permissions from a working domain to the
broken domain in both the DC=ForestDNSZones and DC=DomainDNSZones. After adding
the missing permissions the dyndns update script started working. Whoooooooo!! :-)

I am not sure why the permissions were missing but I suspect it has something
to do with the fact that this was once a windows domain.
If I had it to do over again, I do not think I would ever convert a Windows
domain to a Samba AD domain. It is just not worth the pain.

>
>>
>>> And, did you add dhcp-user into the Windows groups
>>> DnsAdmins and DnsUpdateProxy for the servers running DHCP.
>>
>> The dhcpduser is part of the DnsAdmins group but was not a
>> member of the DnsUpdateProxy.
>> I added it to the DnsUpdateProxy group but no change.
>
>>
>>>
>>> This
>>>>>> exception - (5, 'WERR_ACCESS_DENIED')
>>> is just the message that the user you're using doesn't have
>>> rights on that A record.
>>
>> I did not know there was an actual owner of a DNS record. Am
>> I not understanding something?
>
> I think you understand most parts as you should.
> But yes, even on DNS records there are ACLs.
> A powershell example.
> https://www.shellandco.net/update-acl-microsoft-dns-active-directory-record/
>
>>
>>>
>>>>>  Pre-authentication failed: Permission denied while getting
>>> Did you enable "Delegate to all service (only kerberos)" on
>>> the computer object running the DHCP
>>
>> "Delegate to all service (only kerberos)" was enabled on the
>> DC which is where dhcpd is running. I think that is the default.
> Hmm, I can't recall if that's the default, but on the AD DCs it should be IMO.

FWIW, I never knew about "Delegate to all service (only kerberos)" until
you asked about it. That is why I think it is the default. :-)

Thanks for getting me to think about this the correct way.

Regards,

-- 
Tom			me at tdiehl.org
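The permission comparison Tom did by hand in adsiedit (working domain versus broken domain, on the zone containers under DC=DomainDNSZones / DC=ForestDNSZones and on individual A records) can be scripted. The following is an added example, not code from this thread or from the Samba project. It reads the DACL of the same DNS object in both domains over plain LDAP with System.DirectoryServices, because the ActiveDirectory PowerShell module needs ADWS, which a Samba AD DC does not provide. The zone, domain and DC names are placeholders, and the DN layout assumes the standard AD-integrated DNS tree under CN=MicrosoftDNS.

```powershell
# Added example (not from the thread): list the ACEs present on a DNS object in
# a working domain that are missing on the same object in a broken domain.
# Runs as the logged-on user (Kerberos) over LDAP; works against Windows and
# Samba DCs alike. Zone/domain/server names below are placeholders.

function Get-DnsObjectDN {
    # DN of a zone container, or of one record (dnsNode) when -Record is given.
    # Assumed standard AD-integrated DNS layout:
    #   DC=<record>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDNSZones,<domain DN>
    param(
        [Parameter(Mandatory)] [string] $Zone,       # e.g. "good.example" (placeholder)
        [Parameter(Mandatory)] [string] $DomainDN,   # e.g. "DC=good,DC=example" (placeholder)
        [string] $Record,                            # omit to address the zone container itself
        [ValidateSet('DomainDNSZones', 'ForestDNSZones')] [string] $Partition = 'DomainDNSZones'
    )
    $zoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=$Partition,$DomainDN"
    if ($Record) { return "DC=$Record,$zoneDN" }
    return $zoneDN
}

function Get-DnsObjectAces {
    # Read the DACL of one object from one DC. SIDs are returned unresolved so a
    # principal from a domain this machine cannot resolve does not abort the read.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DistinguishedName")
    return $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

function Get-TrusteeName {
    # Resolve a SID to DOMAIN\name when possible, else keep the SID string. Only the
    # name part is kept so GOOD\DnsAdmins and BAD\DnsAdmins compare as the same group.
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    try { $n = $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $n = $Sid.Value }
    return ($n -split '\\')[-1]
}

function Get-AceKey {
    # Normalise an ACE into a comparable string (trustee, rights, allow/deny,
    # object/inherited-object GUIDs and inheritance flags).
    param([System.DirectoryServices.ActiveDirectoryAccessRule] $Ace)
    return '{0}|{1}|{2}|{3}|{4}|{5}' -f (Get-TrusteeName $Ace.IdentityReference), $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

function Compare-DnsObjectAcl {
    # Emit one row per ACE that exists on the working object but not on the broken
    # one. An ACE marked IsInherited is missing because a parent (zone container or
    # the DomainDNSZones/ForestDNSZones root) lacks it, so that is where to restore it.
    param(
        [Parameter(Mandatory)] [string] $WorkingServer,
        [Parameter(Mandatory)] [string] $WorkingDN,
        [Parameter(Mandatory)] [string] $BrokenServer,
        [Parameter(Mandatory)] [string] $BrokenDN
    )
    $good = Get-DnsObjectAces -Server $WorkingServer -DistinguishedName $WorkingDN
    $bad  = Get-DnsObjectAces -Server $BrokenServer  -DistinguishedName $BrokenDN
    $badKeys = @($bad | ForEach-Object { Get-AceKey $_ })
    foreach ($ace in $good) {
        if ($badKeys -contains (Get-AceKey $ace)) { continue }
        $fixAt = if ($ace.IsInherited) { 'parent container' } else { $BrokenDN }
        [pscustomobject]@{
            Trustee     = Get-TrusteeName $ace.IdentityReference
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inheritance = $ace.InheritanceType
            IsInherited = $ace.IsInherited
            FixAt       = $fixAt
        }
    }
}

# Usage with placeholder names: compare the zone containers first, since that is
# where the inherited permissions on the A records come from, then a single record.
$goodZone = Get-DnsObjectDN -Zone 'good.example' -DomainDN 'DC=good,DC=example'
$badZone  = Get-DnsObjectDN -Zone 'bad.example'  -DomainDN 'DC=bad,DC=example'
Compare-DnsObjectAcl -WorkingServer 'dc1.good.example' -WorkingDN $goodZone `
                     -BrokenServer  'dc1.bad.example'  -BrokenDN  $badZone | Format-Table -AutoSize

$goodHost = Get-DnsObjectDN -Zone 'good.example' -DomainDN 'DC=good,DC=example' -Record 'pc01'
$badHost  = Get-DnsObjectDN -Zone 'bad.example'  -DomainDN 'DC=bad,DC=example'  -Record 'pc01'
Compare-DnsObjectAcl -WorkingServer 'dc1.good.example' -WorkingDN $goodHost `
                     -BrokenServer  'dc1.bad.example'  -BrokenDN  $badHost | Format-Table -AutoSize
```

Run the zone-level comparison first and repeat it for the ForestDNSZones partition with `-Partition 'ForestDNSZones'`; rows whose `IsInherited` is true point at a container-level gap, which matches the missing inherited permissions found in this thread. The script only reports; adding the missing ACEs is still done in adsiedit or with `Set-Acl` once you have confirmed which trustee they belong to in the target domain.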
