Seems like this is pretty widespread.
https://forum.zentyal.org/index.php?topic=30747.0
https://forum.zentyal.org/index.php/topic,30864.0.html
I did some testing and figured out a few things.
For my initial error, "Error output: Password has expired", I found that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputed
These two attributes had values set that made it sure seem like the password HAD expired. This user account (that is automatically generated during install) also doesn't have the "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password so it didn't need to be changed.
This seemed to remove the "Error output: Password has expired" error, but now started to show the problem that other members are having. That being:
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/[randomfile] failed.
Error output: update failed: REFUSED
And any attempt I make to resolve this error using recommendations here in the linked threads or following the Samba wiki results in either STILL getting the REFUSED error or;
Error output: dns_tkey_negotiategss: TKEY is unacceptable
I even went as far as to follow THESE INSTRUCTIONS on the Samba Wiki where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ. It still failed.
This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs where nsupdate fails to run). The logs seem to show that all my Windows PCs are still able to securely update DNS records though.
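
Added example, not part of the original post: a small Python decoder for the two computed attributes named above, so the raw numbers shown in Attribute Editor can be read as "expired", "locked out" or neither. The function names and sample values are constructed for illustration; the flag bits are the standard userAccountControl definitions and the expiry attribute is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).

```python
from datetime import datetime, timedelta, timezone

# Bits reported in msDS-User-Account-Control-Computed.
UF_LOCKOUT = 0x00000010
UF_PASSWORD_EXPIRED = 0x00800000
# Bit in the stored userAccountControl attribute ("Password never expires").
UF_DONT_EXPIRE_PASSWD = 0x00010000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # reported when the password does not expire


def filetime_to_utc(value):
    """Convert a FILETIME to a UTC datetime; None for the 0 / never sentinels."""
    if value in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def utc_to_filetime(dt):
    """Inverse helper (hypothetical name), used to build constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def diagnose(uac, uac_computed, expiry_filetime, now):
    """Return human-readable findings for one account's raw attribute values."""
    findings = []
    if uac_computed & UF_LOCKOUT:
        findings.append("locked out")
    if uac_computed & UF_PASSWORD_EXPIRED:
        findings.append("password expired")
    expires = filetime_to_utc(expiry_filetime)
    if expiry_filetime == 0:
        findings.append("password must change at next logon")
    elif expires is not None and expires <= now:
        findings.append("expiry time %s is in the past" % expires.isoformat())
    if not uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("'Password never expires' not set")
    return findings


if __name__ == "__main__":
    # Constructed sample: a normal account (0x200) whose password expired a month ago.
    now = datetime(2017, 1, 1, tzinfo=timezone.utc)
    past = utc_to_filetime(datetime(2016, 12, 1, tzinfo=timezone.utc))
    for line in diagnose(0x200, UF_PASSWORD_EXPIRED, past, now):
        print(line)
```

An empty result for the service account means neither computed attribute explains a failure, which points the investigation at the keytab or DNS update permissions instead.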