Active Directory reverse DNS not updating


02-Sep-2017 13:37

Note that to enable your Simple AD to respond to external DNS queries, the network access control list (ACL) for the VPC containing your Simple AD must be configured to allow traffic from outside the VPC. If you are not using Route 53 private hosted zones, your DNS requests will be forwarded to public DNS servers.

I've been unsuccessful at finding a guide on how to integrate just ISC DHCP into an AD DNS environment. The configuration file is below, but what I've noted when using ISC DHCP is that non-domain-joined clients will not have an A record registered for them in forward/reverse lookup zones.

If you're using custom DNS servers that are outside of your VPC and you want to use private DNS, you must reconfigure to use custom DNS servers on EC2 instances within your VPC. For more information, see Working with Private Hosted Zones.

The basic crux of the issue is that MS DNS uses Kerberos for authentication to update DNS records, while ISC DHCP, out of the box, supports TSIG [for BIND].

You should see log entries similar to:

    Mar 23 localhost dhcpd: execute_statement argv[0] = /etc/dhcp/ddnsupdate6
    Mar 23 localhost dhcpd: execute_statement argv[1] = add
    Mar 23 localhost dhcpd: execute_statement argv[2] = .56
    Mar 23 localhost dhcpd: execute_statement argv[3] = -h
    Mar 23 localhost dhcpd: execute_statement argv[4] = Host Name
    Mar 23 localhost dhcpd: execute_statement argv[5] = -m
    Mar 23 localhost dhcpd: execute_statement argv[6] =

This likely means the user specified in the keytab does not have rights to the DNS record, which can happen if that user did not create the record originally (e.g. you didn't use a proxy user to update DNS on behalf of DHCP). This should go away over time as DNS records expire, since domain-joined Windows clients automatically update their own records.

If you want your Simple AD to resolve names using both DNS servers within your VPC and private DNS servers outside of your VPC, you can do this using a DHCP options set. Note: DNS dynamic updates are not supported in Simple AD domains.

You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.

This is for a domain user who is a member of the DnsUpdateProxy group in Active Directory. You should be able to do this on Windows or Linux (but the keytab must be copied to the server running ISC DHCP).

I'm attempting to replace Windows Server DHCP with ISC DHCP.



Aug 13, 2016

Set DHCP to update everything, whether the clients can or cannot.
3. Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
4. Add the DHCP server's computer account to the Active Directory built-in DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT.

