Updating records in Windows DNS Server from Linux/Windows based TSO/BAO server

Version 7

    This write-up guides you through updating DNS entries on a Windows DNS Server from a Windows or Linux BAO server, in both secure and non-secure mode.

     

    1. Non-Secure DNS entries:

     

         1.1 Linux BAO Server to Windows DNS Server: No special configuration is required. Once the BIND libraries are installed on the Linux server (if they are not available by default), the DNS Actor Adapter can be used to run DNS updates.

     

         1.2 Windows BAO Server to Windows DNS Server: If the Windows DNS Server is not set to accept secure updates only, the DNS update works from the command line with nsupdate.exe (part of the BIND libraries, which must be installed manually on the Windows BAO server), using the steps below:

     

    nsupdate

    > server 10.x.x.x

    > update add newhost.testing.com 86400 A 192.x.x.x

    > send

    > quit

     

    where 10.x.x.x is the DNS server

    newhost.testing.com is the Host we are trying to add

    192.x.x.x is the IP address of the Host

     

    The OOTB DNS Actor Adapter won't work on a Windows BAO server because it internally runs nsupdate with the "-g" flag to update DNS, and the BIND library does not support "nsupdate -g" on Windows machines.

    The updates can instead be performed through the command line adapter. The above commands can also be placed in a file, and nsupdate can be run against that file from the command line.
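
    One way to build that command file from automation inputs, as an added example that is not part of the original article or of the BAO product: each value is validated before it is written, so a host name or address passed in by a workflow cannot carry extra nsupdate commands into the file. The function names and the sample server, host and address are hypothetical; it is written in POSIX shell as it would run on a Linux BAO server, and the file it produces holds the same commands as the interactive session above.

```shell
#!/bin/sh
# Added example: emit an nsupdate command file only from validated values.
# Function names and sample values are hypothetical, not from the article.

valid_ipv4() {   # dotted quad, each octet 0-255
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
}

valid_fqdn() {   # letters, digits, hyphen; labels 1-63 chars; at least two labels
  _n=${1%.}
  [ ${#_n} -ge 3 ] && [ ${#_n} -le 253 ] || return 1
  case $_n in
    *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) ;;
    *) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $_n; IFS=$_ifs
  for _l in "$@"; do
    [ ${#_l} -le 63 ] || return 1
  done
}

valid_ttl() {    # decimal seconds, at most 9 digits
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le 9 ]
}

# Print the command file on stdout; print nothing and return 1 on bad input.
# A value containing a space or newline fails validation, so it cannot add a
# second "update" line to the file.
build_nsupdate_file() {
  valid_ipv4 "$1" || { echo "rejected server: not IPv4" >&2; return 1; }
  valid_fqdn "$2" || { echo "rejected host name" >&2; return 1; }
  valid_ttl  "$3" || { echo "rejected TTL" >&2; return 1; }
  valid_ipv4 "$4" || { echo "rejected address: not IPv4" >&2; return 1; }
  printf 'server %s\nupdate add %s %s A %s\nsend\nquit\n' "$1" "$2" "$3" "$4"
}

# Usage: build_nsupdate_file 10.0.0.53 newhost.testing.com 86400 192.0.2.10 > update.txt
#        nsupdate update.txt
```

    Restricting the server argument to an IPv4 address is a choice made for this example; nsupdate itself also accepts a server name.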

     

    2. Secure DNS entries:

     

         2.1 Linux BAO Server to DNS Server: https://confluence.bmc.com/pages/viewpage.action?pageId=231858821

     

         2.2 Windows BAO Server to Windows DNS Server:

     

              2.2.1 Through nsupdate: If the DNS server is set to accept secure updates only, the above command will fail. To make this work, nsupdate has to run with the "-g" flag, which uses a keytab file in combination with kinit. This means that the DNS updates happen through Kerberos authentication.

     

    The BIND library available at 'https://www.isc.org/bind/' does not support GSSAPI on Windows-based BAO servers, and thus "nsupdate -g" fails to run. Below is the Confluence link to a document provided by BMC support. It contains the recompiled BIND library with GSSAPI support for Windows machines, and the steps to generate the keytab file, to make DNS updates work end to end from a Windows BAO server to a secure Windows DNS Server.

     

    https://confluence.bmc.com/download/attachments/231858821/Secure%20DNS%20update%20from%20AO%20%28Windows%29%20to%20DNS%2…

     

    Once "nsupdate -g" starts working (after following the steps provided in the above link), the automation can use the DNS Actor Adapter too.

     

              2.2.2 Through PowerShell: As an alternative to the approach above, when an environment restricts downloading the BIND libraries onto the Windows BAO server, the DNS updates can be achieved through a PowerShell script, but there are a few prerequisites to be followed to enable running the PowerShell-based DNS updates. Attaching the prerequisite document and PowerShell script. I developed these while working on a Windows 2012 based BAO server and Windows 2012 DNS servers. The DNS cmdlets, and the methods available under the DNS cmdlets, might vary between server versions.