Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

NIOS DNS DHCP IPAM

Reply

Windows Server 2019 Datacenter not updating DDNS records (GSS-TSIG) after applying CIS Benchmarks.

New Member
Posts: 2
4123     0

We have GSS-TSIG enabled in Infoblox and version is 8.4.4.

 

Newly provisioned Vm Guests running Windows 2019 Datacenter with the CIS benchmarks applied.

 

When these new serves are joined to our domain, the DNS records (A, PTR or Host) are not being created in Infoblox.

 

Spoke to support who mentioned something in the CIS benchmark template is causing the GSS-TSIG Tkey to not communicate with the Infoblox DNS server from the client.

 

I have tried changing the local GPO on the new servers (Local computer policy>Admin templates>Network>DNS client>Update Security level>only Secure) and then running ipconfig /registerdns but still unable  to see the DNS records being created.

 

CIS benchmark is here:

https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_Server_2019_RTM_Release_1809_Benchmark...

 

Anyone know which setting needs to be changed here ?

 

Thanks!

 

Re: Windows Server 2019 Datacenter not updating DDNS records (GSS-TSIG) after applying CIS Benchmark

New Member
Posts: 2
4124     0

No worries, I resolved it.

 

CIS hardening enabled the following setting:

 

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos

AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types

 

I unchecked all three encryption types and rebooted the server and saw a successfull key auth message in Infoblox syslog:
client @xxxxxxxxxx 10.x.x.x.#xxxx/key xxxxx\$.xxxxxxxx signer "xxxxxxxx\$.xxxxxxxx" approved

Showing results for 
Search instead for 
Did you mean: 

Recommended for You