Windows DNS Secure Dynamic Updates with Linux – How?

There are already some good write-ups on the internet explaining how to join Linux machines to your Active Directory domain using realmd, sssd and kerberos. But how do you make the Linux machines dynamically registering in Windows DNS with Secure Updates enabled?

In a modern AD domain you would want DNS Secure Dynamic Updates enabled. When enabled, you will be able to successfully authenticate a Linux server or client to AD, but no dynamic DNS updates are likely to happen.

Why? The reason for this is that the Linux machine’s hostname must be set to a fully qualified domain name (FQDN). The easiest way to correct this if you’ve already authenticated the Linux machine to AD, is to:

  1. Remove the old sssd.conf file and restart sssd service:
rm sssd.conf
sudo service sssd restart

2. Set your hostname to the FQDN and verify your new hostname:

sudo hostnamectl set-hostname
My hostname is ‘ubox’ joining ‘’ domain.

3. Fetch a new kerberos ticket using kinit. Note that you don’t type the FQDN here when specifying user-principal, just the hostname. Also note upper-cases:

sudo kinit administrator@YOURDOMAIN.COM
Password for administrator@YOURDOMAIN.COM: ****

sudo realm --verbose join --user-principal=HOSTNAME/administrator@YOURDOMAIN.COM

4. Your Linux box should now be performing it’s own DNS updates with Secure Dynamic Updates enabled:

‘ubox’ is dynamically updating its DNS record with secure updates.

Information is taken from this Microsoft Technet article. It’s a good write-up to read if you want to dig deeper into this topic.
Also, I found this blog post to be very good and straight-forward on how to join Ubuntu/Debian systems to Windows AD.

Leave a Reply

Your email address will not be published. Required fields are marked *