I'm looking for a solution for using nsupdate from BIND utils with Kerberos in a Windows environment. On Linux I have the same utils compiled with GSSAPI support, but on Windows I unfortunately don't know how to recompile them. Can you please help me or suggest an alternative solution to update DNS records from a Windows environment using Kerberos? Big thanks.
-
Are you looking for something like dnscmd.exe? – Andy Oct 06 '15 at 01:06
-
Yes, dnscmd was the first thing to try, but I can't use dnscmd because it doesn't support any secure protocols, and the AD & DNS admins don't accept any compromises - Kerberos or nothing. – Pavel Mityushin Oct 07 '15 at 12:17
-
If you're using Linux, I think this might help you: https://serverfault.com/questions/1131671 – user3629081 May 22 '23 at 15:54
1 Answer
Your question is a bit confusing so I may miss something in my answer. I'm guessing you want to update AD-integrated DNS.
Nsupdate
Regarding recompiling nsupdate - where did you get stuck? "I don't know how" is a bit vague.
dnscmd.exe
I guarantee that dnscmd authenticates using AD Kerberos. You can verify this by running "klist" before and after running a successful dnscmd command (you will see a new service ticket against the relevant DC).
Network settings
In the advanced settings on your Windows hosts, you can select "Register this connection's addresses in DNS", along with some other relevant options. This can allow you to have hosts update their own DNS entry, secured by Kerberos. This obviously depends on your setup and won't help with non-A/PTR records.
PowerShell
Haven't verified how Kerberos fits, but here's an example command:
Add-DnsServerResourceRecordA -Name "host23" -ZoneName "contoso.com" -IPv4Address "172.18.99.23" -TimeToLive 01:00:00

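The klist check suggested in the answer can be scripted so the before/after ticket lists are compared automatically. This is an added example, not part of the original answer; the server, zone, node and address values are placeholders, and the parsing assumes English klist output with one "Server:" line per ticket.

```powershell
# Added example: list Kerberos service tickets acquired while dnscmd runs.
# All parameter defaults are placeholders; replace them with your own values.
param(
    [string]$DnsServer = 'dc01.example.test',   # placeholder DC / DNS server FQDN
    [string]$Zone      = 'example.test',        # placeholder zone
    [string]$Node      = 'host23',              # placeholder record name
    [string]$Ip        = '192.0.2.23'           # documentation-range address
)

function Get-TicketServer {
    # Returns the service principal of every ticket in the current logon session.
    # Assumes English klist output: "Server: <spn> @ <REALM>" on one line per ticket.
    klist | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') {
            '{0}@{1}' -f $Matches[1], $Matches[2]
        }
    } | Sort-Object -Unique
}

$before = @(Get-TicketServer)

# The update itself, run as the currently logged-on domain user.
dnscmd $DnsServer /RecordAdd $Zone $Node A $Ip
if ($LASTEXITCODE -ne 0) {
    Write-Warning "dnscmd exited with code $LASTEXITCODE; the comparison may not be meaningful."
}

$after = @(Get-TicketServer)

# Tickets present only in the second snapshot were requested during the update.
$new = @($after | Where-Object { $before -notcontains $_ })

if ($new.Count -eq 0) {
    # A ticket for the server may already have been cached before the first snapshot.
    Write-Output 'No new service tickets. Run "klist purge" and repeat to rule out a cached ticket.'
} else {
    Write-Output 'Service tickets acquired during the update:'
    $new | ForEach-Object { "  $_" }
    # -like is case-insensitive, so the SPN host part matches regardless of case.
    $forServer = @($new | Where-Object { $_ -like "*/$DnsServer@*" })
    if ($forServer.Count -eq 0) {
        Write-Warning "None of the new tickets names $DnsServer; check which host answered."
    }
}
```

A new ticket whose service principal names the DNS server indicates the call was authenticated with Kerberos; if nothing new appears even after purging the ticket cache, authentication may have fallen back to another mechanism.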