Author Topic: DNS Updates stopped working after Upgrade from 4.2 to 5.0  (Read 6201 times)

jgould

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #15 on: June 14, 2017, 04:02:40 pm »
I'm going to post something I had put in a different thread.

I've gone through many Zentyal version upgrades on this server and am having the DNS issue.

My initial error message was
Code: [Select]
2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .

What I found was that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
Code: [Select]
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputer
These two attributes had values set that made it sure seem like the password HAD expired. This user account (that is automatically generated during install) also doesn't have the "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password so it didn't need to be changed.

This seemed to remove the Error output: Password has expired error, but now started to show the problem that other members here are having.

Code: [Select]
2017/06/14 00:15:38 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 00:15:39 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 00:15:41 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2017/06/14 00:15:41 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2

I've tried multiple ways to resolve this error using recommendations here and the Samba wiki, but nothing has really worked and I STILL end up with the REFUSED error or the other error mentioned.

Code: [Select]
2017/06/14 01:55:23 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 01:55:24 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 01:55:25 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/Ym0eh3Z4y8.cmd 2> /var/lib/zentyal/tmp/stderr', 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8', 256, 'ARRAY(0x8ae78a0)', 'ARRAY(0x435f558)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/DNS.pm line 923
EBox::DNS::_postServiceHook('EBox::DNS=HASH(0x8997970)', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 941
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0x8997970)', 'restart', 1, 'restartModules', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 960
eval {...} at /usr/share/perl5/EBox/Module/Service.pm line 959
EBox::Module::Service::restartService('EBox::DNS=HASH(0x8997970)', 'restartModules', 1) called at /usr/share/perl5/EBox/Util/Init.pm line 121
eval {...} at /usr/share/perl5/EBox/Util/Init.pm line 119
EBox::Util::Init::moduleAction('dns', 'restartService', 'start') called at /usr/share/perl5/EBox/Util/Init.pm line 87
EBox::Util::Init::start at /usr/bin/zs line 35
main::main at /usr/bin/zs line 82
2017/06/14 01:55:25 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1
2017/06/14 01:55:25 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

I even followed THESE INSTRUCTIONS on the Samba Wiki where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ to reprovision the user account and dns.keytab file from scratch. It still failed.

This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs where nsupdate fails to run). The logs seem to show that all my Windows PCs are still able to securely update DNS records though.


I will say that a fresh install of Zentyal isn't giving me this issue NOW, but who knows if it will after a certain amount of time. I'd also say that removing and reinstalling the DNS module also appeared to solve the issue for me. However that is REALLY NOT IDEAL. If you have to remove the DNS module you also have to remove the Domain Controller and File Sharing module. That means you'd remove all your domain joined computers, users, GPO, and so on. So the only other option I can think of right now would be a transfer of FSMO roles to a new Samba4 server.

jgould

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #16 on: June 14, 2017, 04:11:34 pm »
Good Morning!,
I've found this link searching for the same error, and I've solved it by doing these few steps:

Code: [Select]
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
sudo rm /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=DNS/server.domain.local /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-ZENTYAL@DOMAIN.LOCAL /var/lib/samba/private/dns.keytab
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-ZENTYAL

If you still get errors with the last command, review the Zentyal DNS user name

Cheers!

This seemed promising but didn't work for me, and I know I had the right user and the right information in the keytab file.

One thing to note is that this approach does not generate a dns.keytab file exactly like the original. It doesn't include the aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96 enctypes. See HERE. There is discussion on this in the samba mailing list I was reading. I couldn't get the solutions to add them to work for me but I didn't spend a ton of time on it as you can regenerate the dns.keytab and user by deleting everything and running samba_upgradedns --dns-backend=BIND9_DLZ as mentioned in my above post.

Example of what I mean;

New keytab file generated with your steps;
Code: [Select]
root@zentyal:~$ sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14

Old keytab that you are replacing;
Code: [Select]
root@zentyal:~$ sudo ktutil -v -k /var/lib/samba/private/dns.keytab.old list
/var/lib/samba/private/dns.keytab.old:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14
  1  aes128-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes128-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
  1  aes256-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes256-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
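
The comparison of the two listings above, automated as an added example that is not part of the original post: it diffs the enctypes held per principal and flags principals left with only the legacy DES/RC4 key types. The function names are hypothetical and both listings are constructed from the `ktutil` output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): compare enctypes between two keytab listings.
# Both listings are constructed from the `ktutil ... list` output quoted in the post.

NEW_LISTING='/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14'

# The original keytab holds the same six keys plus four AES keys.
OLD_LISTING="$NEW_LISTING
  1  aes128-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes128-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
  1  aes256-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes256-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14"

# Read a listing on stdin, print unique "principal enctype" pairs.
# Only rows whose first field is a key version number are key entries.
keytab_pairs() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $3, $2 }' | LC_ALL=C sort -u
}

# missing_pairs OLD NEW: print pairs present in OLD but absent from NEW.
missing_pairs() {
    new_pairs=$(printf '%s\n' "$2" | keytab_pairs)
    printf '%s\n' "$1" | keytab_pairs | while IFS= read -r pair; do
        printf '%s\n' "$new_pairs" | grep -qxF -- "$pair" || printf '%s\n' "$pair"
    done
}

# Read a listing on stdin; fail and name every principal that has no AES key,
# i.e. one that is left with only DES and RC4 (arcfour) key types.
has_aes_for_all() {
    keytab_pairs | awk '
        { seen[$1] = 1 }
        $2 ~ /^aes(128|256)-cts-hmac-sha1-96$/ { aes[$1] = 1 }
        END {
            for (p in seen) if (!(p in aes)) { bad = 1; print "no AES key: " p }
            exit bad + 0
        }'
}

echo "Keys in the old keytab that the regenerated one lacks:"
missing_pairs "$OLD_LISTING" "$NEW_LISTING"
```

On a live server the two arguments would be the captured output of the `ktutil -v -k <file> list` commands shown in the post.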

jgould

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #17 on: June 14, 2017, 05:21:59 pm »
SOOOO, I managed to get mine working now!

All I had to do was solve the initial "Error output: Password has expired" error as I described earlier;
  • Using AD User and Computers, open properties for dns-[servername]
  • Go to "Account" tab
  • Check "Unlock account" & "Password never expires"
  • Apply and OK

Which got me to where most of you were with the Error output: update failed: REFUSED error.

Then, I had to add the dns-[servername] user to the DNSAdmins Group;
  • Using AD User and Computers, open properties for dns-[servername]
  • Go to "Member Of" tab
  • Click "Add..."
  • Type "DnsAdmins" & click "Check Names"
  • Click OK
  • Click Apply & Ok

Pretty standard steps for anyone familiar with AD.

Anyway, after adding the user account to the DnsAdmins group the DNS module restarts through the GUI without any errors and everything looks to be working as it should.

I found this issue by comparing to a freshly installed and untouched Zentyal 5 installation that was working. I did NOT remove the user from this group. The user WAS a member of Domain Users which obviously doesn't have enough permissions. DnsAdmins is what is granted permissions (through windows security tab) when I was looking in the RSAT DNS tool for the domain.

Also, I should note that even in Zentyal 5 the dns-[servername] user account password is not set to never expire, but as I saw in my initial error it sure looks like it did expire at some point.

I have a sneaking suspicion this is also why when I followed the Samba Wiki I linked above to completely delete the dns.keytab file, dns-[servername] user, and recreate everything using samba_upgradedns --dns-backend=BIND9_DLZ it STILL wasn't working. Because the user account wasn't added to the DnsAdmins group (I can't verify that at this point though, but highly likely).
« Last Edit: June 14, 2017, 05:32:04 pm by jgould »

ivan.m

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #18 on: June 15, 2017, 05:22:21 am »
I'm having similar issues since the upgrade to 5.

Essentially, now, I can't even 'add a dns' record via DNS module in the web min without throwing an error.

It appears that I'm getting the 'password expired' error others are getting, but I see no way to correct it (I'm not an experienced LDAP/AD admin, especially from nix point of view).

It looks to me that the previous post solves the issue, but his fix mentions go here do that from 'Active Directory users and Groups'. But I have no Windows machine running active directory users and groups from which to make these changes.

Any help would be appreciated on how I can correctly replicate the steps to restore functionality to the dns-pdc user, or fix the dns issue.

Cheers



Quote
2017/06/14 19:25:32 INFO> GlobalImpl.pm:625 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: firewall dns dhcp
2017/06/14 19:25:32 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: firewall
2017/06/14 19:25:33 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host pdc.somedomain.com with IP 10.5.0.2 is not going to be added $
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host jira.somedomain.com with IP 10.5.0.41 is not going to be adde$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host jenkins.somedomain.com with IP 10.5.0.44 is not going to be a$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host fileserver.somedomain.com with IP 10.5.0.45 is not going to b$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host git.somedomain.com with IP 10.5.0.40 is not going to be added$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host unitycache.somedomain.com with IP 10.5.0.39 is not going to b$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 176.68.184 is already mapped to domain dev.somedomain.com. The host vpn.somedomain.com with IP 184.68.176.202 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host maas.somedomain.com with IP 10.5.0.144 is not going to be add$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host igg-srv-001.somedomain.com with IP 10.5.0.220 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host igg-srv-005.somedomain.com with IP 10.5.0.242 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host igg-srv-007.somedomain.com with IP 10.5.0.232 is not going to$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host potato.somedomain.com with IP 10.5.0.62 is not going to be ad$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host kube-master.somedomain.com with IP 10.5.0.34 is not going to $
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host bigdata-database.somedomain.com with IP 10.5.0.35 is not goin$
2017/06/14 19:25:35 WARN> DNS.pm:838 EBox::DNS::_reverseData - Inconsistent DNS configuration detected. IP group 0.5.10 is already mapped to domain dev.somedomain.com. The host docker-node-a.somedomain.com with IP 10.5.0.37 is not going t$
2017/06/14 19:25:36 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 19:25:37 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.
Error output: Password has expired
 dns-pdc@somedomain.COM's Password:

Command output: .
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-pdc failed.
Error output: Password has expired
 dns-pdc@somedomain.COM's Password:


Will these tools help, I wonder? About to try it anyway.

https://www.microsoft.com/en-ca/download/details.aspx?id=45520
« Last Edit: June 15, 2017, 05:25:14 am by ivan.m »

ivan.m

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #19 on: June 15, 2017, 05:32:38 am »
Update: indeed, I was able to use the Microsoft Tools to get further, however, there are no DNS-related groups at all in the active directory group membership. I added to Domain Admins, set that as the primary group, and removed Domain Users as the secondary membership for that dns-pdc user.

jgould

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #20 on: June 15, 2017, 11:05:51 pm »
ivan.m

The Active Directory Users and Computers is provided through Windows RSAT (remote server administrative tools), which you will find referenced as the simplest way to manage a Samba 4 Active Directory.

Simply search Google for Windows RSAT for whatever Windows OS you can get (Windows 7, 8, 10) or if you have a Windows Server you can add these through adding Roles.

Once you have them installed you must have the Windows machine added to the domain or it won't be able to access the Samba4/Zentyal server to manage it.

Once you have that set up you can launch the Active Directory Users and Computers (and others like DNS, Group Policy Management, etc) provided by RSAT and manage your domain. The whole collection of tools is in "Administrative Tools" in Windows (just search for it).



And here you will see my dns-vdc01 user (vdc01 being the name of my server) and DnsAdmins group in my Active Directory under the "Users" folder.



And here you will see the dns-vdc01 user account properties where I've added the account to the DnsAdmins group.



« Last Edit: June 15, 2017, 11:08:05 pm by jgould »

jgould

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #21 on: June 16, 2017, 03:13:38 pm »
Here is why it matters. Using the DNS Manager of Windows RSAT you can check the security permissions on the various parts of DNS;

DNS server (vdc01 in my case)


Forward Lookup Zone for your Domain


All DNS records (kerberos record as example)


As you can see, all records list the AD Group DnsAdmins. So it stands to reason that if the dns user account needs to update DNS records it will need to be a part of the DnsAdmins group (the dns user account doesn't have permissions otherwise).

When you restart the DNS module (through the web GUI or CLI) it updates some of the DNS records by running;
Code: [Select]
nsupdate -g -t 10 /var/lib/zentyal/tmp/[somerandomfile]
but it can't if the dns user doesn't have those necessary permissions. Same goes for changing any of the settings in the DNS module (like adding a record). Should also note that using Windows RSAT DNS tool I was still able to add records and change settings. I suspect because I was connected as a "Domain Admin" which DID have permissions while the Web GUI runs under the dns-vdc01 user account on the localhost (127.0.0.1).

The domain-joined PCs are able to update their own DNS records because, if you look in their security properties, you will find that the PC has permissions to update its OWN DNS records only.

PS: I'm almost 100% certain that the dns user account should be set to "password never expires" but even in the current Zentyal download this setting is not checked. Which means that the password will eventually expire and will stop working.
« Last Edit: June 16, 2017, 04:04:01 pm by jgould »

jgould

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #22 on: June 16, 2017, 03:35:44 pm »
Sorry for the multiple posts but I figure I should get all the information I can into this thread for others to benefit from.

If you don't have access to a Windows PC to join to the domain and install RSAT, you can accomplish all of this through the CLI.

Check if Account Flags has an "L" in it meaning the account is locked;
Code: [Select]
pdbedit -Lvu username
Unlock the account if necessary;
Code: [Select]
pdbedit -c='[]' --user=username
Set the user account to never expire;
Code: [Select]
samba-tool user setexpiry username --noexpiry
Check members of DnsAdmins group;
Code: [Select]
samba-tool group listmembers "DnsAdmins"
Add user to DnsAdmins group;
Code: [Select]
samba-tool group addmembers DnsAdmins username
I didn't do it this way but those SHOULD work.
« Last Edit: June 16, 2017, 04:04:50 pm by jgould »
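
The read-only checks from the post above, combined into one report, as an added example that is not part of the original post. `check_dns_account` is a hypothetical helper; the sample `pdbedit -Lv` and `samba-tool group listmembers` outputs are constructed, and the meaning of the `L` and `X` account flags is taken from pdbedit(8).

```shell
#!/bin/sh
# Added example (not from the thread): report why the dns-[servername] account
# may fail kinit / nsupdate. It only reads command output; it changes nothing.

# Constructed sample: trimmed `pdbedit -Lvu dns-vdc01` output for a locked account.
SAMPLE_PDB_BROKEN='Unix username:        dns-vdc01
Account Flags:        [UL         ]
Password must change: Wed, 26 Jul 2017 12:10:25 UTC'

# Constructed sample: the same account unlocked and set to never expire.
SAMPLE_PDB_FIXED='Unix username:        dns-vdc01
Account Flags:        [UX         ]
Password must change: never'

# Constructed samples: `samba-tool group listmembers "DnsAdmins"` prints one name per line.
SAMPLE_MEMBERS_BROKEN='Administrator'
SAMPLE_MEMBERS_FIXED='Administrator
dns-vdc01'

# check_dns_account USER PDBEDIT_OUTPUT GROUP_MEMBERS
# Prints one finding per line and nothing when all three checks pass.
check_dns_account() {
    user=$1
    pdb=$2
    members=$3

    # Pull the letters out of "Account Flags: [UL   ]" and drop the padding.
    flags=$(printf '%s\n' "$pdb" |
        sed -n 's/^Account Flags:[[:space:]]*\[\(.*\)\].*$/\1/p' | tr -d ' ')

    # L = account locked (the check described in the post).
    case $flags in
        *L*) echo "locked: Account Flags [$flags] contains L" ;;
    esac

    # X = password does not expire, per pdbedit(8).
    case $flags in
        *X*) ;;
        *) echo "expiry: Account Flags [$flags] has no X, the password can expire" ;;
    esac

    # Account names are case-insensitive, so compare whole lines ignoring case.
    printf '%s\n' "$members" | grep -qixF -- "$user" ||
        echo "group: $user is not listed in DnsAdmins"
}

# Live use, as root on the server (commands as given in the post):
#   check_dns_account dns-vdc01 "$(pdbedit -Lvu dns-vdc01)" \
#       "$(samba-tool group listmembers DnsAdmins)"
check_dns_account dns-vdc01 "$SAMPLE_PDB_BROKEN" "$SAMPLE_MEMBERS_BROKEN"
```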

ap1821

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #23 on: August 18, 2017, 02:02:39 pm »
Same problem. Very similar solution.
Upgrade from 4.2 to 5.0 went surprisingly well, some minor changes had to be made to the configuration only.
Had the same problem with DNS, wasn't able to add DNS entries anymore. Only problem was that I didn't have that DnsAdmins group. Luckily Domain Admins group worked just fine instead.
Now DNS updates again and works normally.

desperados

Re: DNS Updates stopped working after Upgrade from 4.2 to 5.0
« Reply #24 on: April 17, 2019, 10:39:04 am »
I've the same problem and it seems I've fixed it, thanks to jgould.

Pay attention to the fact that if pdbedit results show "Password must change: never" it's NOT ok, it must show something like "Password must change: Tue, 19 Jan 2038 04:14:07 CET"