Posted on 09-28-2018 06:28 AM
Just wonder if anyone has had issues with registering a mac on a windows DNS server. currently when i put one online it gets its DHCP address but i get no DNS entry and cannot lookup or ping the system.
Heres a little rundown of how its setup.
Mac are bound to our domain
We use a user cert to authenticate to the network, Wired or wireless
i have used nsupdate -g to manually register a record but i wont be able to hard script that due to alot of users switching between wired/wireless or vpn connections
Our DNS server are windows based and use secure updates
Any ideas?
Posted on 05-15-2020 05:21 PM
It's been a good few years since your post, but as I'm looking at a similar-ish issue and had a partial answer to your question I thought it might be worth sharing the fruits of my evening re-acquainting myself with DNS OSX and Kerberos.
Macs with windows DNS should start registering dynamic DNS updates once they are bound. You can, and likely should use something like dsconfigad --restrictDDNS to specific which interface/s you wish to register their IPs against the machines hostname, but under "normal" circumstances it should just work.
My current issue is that I have some Macs which are sometimes seemingly stopping updating their A records, which leads to scavenging deleting them, which is very annoying. Although this is not quite as dramatically terrible as your issue where things are not working at all.
One thing that its likely worth checking in a scenation you have described is the ACLs on the AD DNS zone/s.
AD DNS defaults (IIRC) to only allowing authenticated updates, which should be fine for an AD bound Mac, and it sounds like authenticated DNS updates are working when you use the -g flag on nsupdate. I presume when you do this you are using whatever principal you have authenticated into your credential cache when you run the command.
In my testing this only worked to update an existing record when this was an administrative user, specifically one with the permission allowing it to make a DNS update, my standard user account didn't have this permission and as expected the update failed. creating a new record will likely work for any authenticated user, but it will need to be that suer or an admin who updates that record afterwards.
Under normal operation when a computer updates it's record it is authentication as its own hostname$ AD computer account, this is as a result of the zone having a ACL on it allowing authenticated users to create child items (not having delete permission should be preventing anyone overwriting or deleting anything that they didn't create).
If your DNS admin has changed the ACLs on the zone, you may well find that an admin user can make records but computer accounts can't, or computers in a certain group can or any number of possible approaches.
If you can get access ot the AD DNS snap in it likely worth investigating and using the effective permission tool to verify that the computer account for your AD bound Macs do indeed have the ability to create A records in the zone.
In any case, if you want to try forcing a DNS update in a manner that is not dependent on having hardwired passwords I came up with a hack that you can trigger of cron or suchlike, and also run at the cli to test if the registration work when you are driving them rather than waiting for MacOS.
I've borrowed heavily form a couple of other scripts on JAMFnation which I'll link after the script.
#!/bin/sh
# hacky ddns update script
# uses the computers own kerberos credentials from the keytab to authenticate a DNS update
# for this reason it will need to run as _root_ to be able to read /etc/krb5.keytab
# V 1.0 May 15th 2020 Stephen Buckley.
# get some information (we're assuming the interface we want to register is en0)
# the record TTL is set in seconds 3600 is 1 hour, 1800 half and hour etc...
interface="en0"
recordTTL="1800"
computernm=`scutil --get ComputerName`
ipaddr=`/sbin/ifconfig $interface | awk '/inet / {print$2}'`
adcomputernm="$computernm$"
# make double sure that temp file isn't there
rm -rfv $TMPDIR/nsupdate
# compose nsupdate command
# uncomment the first line to specify a DNS server otherwise the machines default will be used.
#echo server specificDNSserver.ourdomain.net >> $TMPDIR/nsupdate
echo "update delete $computernm.ourdomain.net A" >> $TMPDIR/nsupdate
echo "update add $computernm.ourdomain.net $recordTTL A $ipaddr" >> $TMPDIR/nsupdate
echo send >> $TMPDIR/nsupdate
echo quit >> $TMPDIR/nsupdate
# Authenticate kerberos and run nsupdate using kerberos authentication and our command file.
# By running the command via kinit the credentials cache created by kinit is destroyed after
# the command has run cleaning things up. This leaves any existing Kerbcredentials untouched.
#
kinit -k -t /etc/krb5.keytab $adcomputernm nsupdate -g $TMPDIR/nsupdate
# cleanup
#
rm -rfv $TMPDIR/nsupdate
I haven't included any logic to figure out which interface you want to pull the IP from, but you can put any logic you like in to generate $interface.
The first of the two scripts I used as reference had some nice logic to check if it was on a domain or not, and that might help if you are trying to avoid registrations when you are off network.
This script is heavily based on the two I found here:
https://www.jamf.com/jamf-nation/discussions/4067/dns-registration-parallel-to-windows-registration
and here:
https://www.jamf.com/jamf-nation/discussions/34532/jamf-remote-global-protect-dns-registry
In any case, I hope this may be of help to someone in the future trying to figure out OSX dynamic DNS and/or how to use kinit or authenticate commands against the Macs AD computer$ account.
Posted on 10-14-2020 07:30 AM
Thanks for the script. I'm trying to test out using nsupdate, but the server is refusing the update:
; TSIG error with server: tsig verify failure
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 36480
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
I'm able to acquire the kerberos ticket fine. Any idea what might be up?
Posted on 10-14-2020 08:43 PM
I remember dealing with this around 2012. I think there is a checkbox to allow non Windows OS clients to update their DNS record. It was either that or you had to lower the security of some setting on Windows Server to get it to work.
Posted on 03-16-2021 08:32 AM
Today I found out that Mac OS 11.x (until 11.2.3 - the actual one) is not updating the Forward DNS registry and de Reverse DNS registry in internal DNS Servers.
The problem is that if you have a Scavenge Age defined to scavenge old dns entries, it will delete the Big Sur workstations DNS entries for the workstations and they will not appear anymore, because they don't automaticaly register again...
Until Mac OS 10.15.7 this was working fine and in Windows machines also.
I have a script that can force this update using the nsupdate terminal command but this registration should happen automatically.
This behaviour is the same when you use DHCP Server IP distribution or Fixed IP assignment for the differets workstations.
Does anyone knows what can be done to solve this? I was waiting for the different Big Sur updates released until now to see if it was patched, but it is not...
Any help would be highly appreciated!
Thanks.
Ricardo
Posted on 04-08-2021 01:19 PM
@user-kEEivOurTr I am seeing this exact same thing on a 11.2.3 Mac mini M1 on my work network . I am going to try to enroll a test system I have on Big Sur into the beta profile and see if maybe a newer beta address this
Posted on 05-24-2021 07:40 AM
I came across this post while troubleshooting macOS DNS registration with a Windows DNS server. I was setting up IPv6 and need to get this working. IPv6 without DNS is a nightmare.
I have a mix of 10.11 - 11.3 machines. The lack of documentation on how dynamic registration works in macOS is frustrating to say the least. In any event, after a few days most of the machines have registered with the DNS server. I have at least one 10.15.7 machine however that refuses to register after several restarts, host name changes, DHCP renewals, etc. From what I can gather mDNSResponder is responsible for triggering nsupdate. Searching the log with the following command is somewhat helpful.
log show --predicate 'process=="mDNSResponder" && eventMessage contains "nsupdate"' --last 1d
This reveals that no nsupdate commands have been issued for quite some time.
Just wanted to add to the discussion. I'd love to hear if anyone has made any progress on getting this working.