Occasional Contributor
CentralM
Posts: 5
Registered: ‎11-29-2010
Message 1 of 3 (719 Views)

DNS Dynamic Update against Windows 2000/2003 AD Integrated DNS with Secure Only config

Hi all.

 

I have a request to make HP UX machines get registered in a Windows 2000 Active Directory integrated DNS configured to allow only Secure Connections. By my understanding this means that only machines registered in the Active Directory Domain can register/update their IP addresses in the DNS. At this point I already installed Kerberos V5 and Samba in the HP UX V11.3 server and finally have the HP UX server machine account displayed in the Windows Active Directory. Finally I tried to update the DNS entry with nsupdate and got a REFUSED error. When I change the security mode in the Windows DNS Zone to Nonsecure the nsupdate works fine. Checking the documentation I found that ADS works in secure mode with a security protocol called GSS-TSIG while the default for nsupdate is TSIG. I have installed BIND 9.3 that is supposed to support GSS-TSIG but I don't know what to do in order to get nsupdate to work with GSS-TSIG.

Has somebody done this configuration before? All I need to do to end this issue is dynamically register and update my HP UX server to a Windows 2000 DNS server integrated with the Active Directory and configured as Secure Only.

Thanks in advance

Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 3 (687 Views)

Re: DNS Dynamic Update against Windows 2000/2003 AD Integrated DNS with Secure Only config

Shalom,

 

Full ADS integration is probably required.

 

Do the systems have CIFS/9000 installed?

 

swlist -l product | grep -i cifs.

 

The software is available from http://software.hp.com

 

The client requires a reboot.

 

Once installed a net join is required to join the system into the domain.

 

net join prompts you for an administrative user's password on the ADS domain, which will have to be provided by your Windows Systems Administrators.

 

Additional software/integration may be required.

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do%3FproductNumber%3DJ4269AA

 

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02549991/c02549991.pdf

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02249195/c02249195.pdf

 

These links are giving me trouble.

 

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Occasional Visitor
Christian Espinoza
Posts: 2
Registered: ‎01-06-2007
Message 3 of 3 (682 Views)

Re: DNS Dynamic Update against Windows 2000/2003 AD Integrated DNS with Secure Only config

Hi Steven

 

Thanks for your comments.

 

The server has CIFS installed and is already joined to Windows Domain as a member server in the ADS. At this point we need to move forward with the secure dns update using nsupdate, but this has to be done with the option nsupdate -g -o and is not available in this version of BIND (9.3.2). The fact is that DNS Secure updates support the security protocol GSS-TSIG and nsupdate works with TSIG. We are trying to compile an Open version of BIND (GSS is supported from 9.5 version) but no results at this time. The server is HP UX 11.31 and Itanium.
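
The update the thread is working toward, as an added example that is not part of any of the posts above: obtain a Kerberos ticket for the machine account, then send the change with `nsupdate -g` (plus `-o` for a Windows 2000 server). It assumes an nsupdate from BIND 9.5 or later built with GSS-TSIG support and a `kinit` that accepts `-k -t`; the keytab path, principal, zone and host names in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example: every name, address and path here is a constructed placeholder.

# Print the nsupdate command file that replaces a host's A record.
# Args: dns_server zone fqdn ipv4 [ttl]   (names without a trailing dot)
build_update() {
    server=$1; zone=$2; fqdn=$3; ip=$4; ttl=${5:-3600}
    # nsupdate reads one command per line, so refuse any value that could
    # carry whitespace or a newline and smuggle in an extra command.
    for name in "$server" "$zone" "$fqdn"; do
        case $name in
            ''|*[!A-Za-z0-9.-]*) echo "bad name: $name" >&2; return 1 ;;
        esac
    done
    case $ip in
        ''|*[!0-9.]*) echo "bad IPv4 address: $ip" >&2; return 1 ;;
    esac
    case $ttl in
        ''|*[!0-9]*) echo "bad TTL: $ttl" >&2; return 1 ;;
    esac
    printf 'server %s\nzone %s\n' "$server" "$zone"
    printf 'update delete %s. A\n' "$fqdn"
    printf 'update add %s. %s A %s\nsend\n' "$fqdn" "$ttl" "$ip"
}

# Authenticate as the machine account and send the update over GSS-TSIG.
# Args: principal keytab dns_server zone fqdn ipv4 [ttl]
secure_update() {
    principal=$1; keytab=$2; shift 2
    cmds=$(build_update "$@") || return 1
    # The keytab holds the machine account key: keep it readable by root only.
    kinit -k -t "$keytab" "$principal" || return 1
    # -g selects GSS-TSIG; set NSUPDATE_W2K=1 to add -o, the Windows 2000
    # variant (both flags are the ones named in the thread).
    printf '%s\n' "$cmds" | nsupdate -g ${NSUPDATE_W2K:+-o}
}

# Hypothetical invocation (assumed principal form and keytab location):
#   NSUPDATE_W2K=1 secure_update 'HPUX1$@EXAMPLE.TEST' /etc/krb5.keytab \
#       dc1.example.test example.test hpux1.example.test 192.0.2.10
```

A REFUSED answer with this in place usually means the ticket or the record's ownership in AD is the problem rather than the transport, so check `klist` output before retrying.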

 

 
