Windows Server 2019 Datacenter not updating DDNS records (GSS-TSIG) after applying CIS Benchmarks.
03-05-2020 12:09 PM
We have GSS-TSIG enabled in Infoblox and version is 8.4.4.
Newly provisioned VM guests running Windows 2019 Datacenter with the CIS benchmarks applied.
When these new servers are joined to our domain, the DNS records (A, PTR or Host) are not being created in Infoblox.
Spoke to support, who mentioned that something in the CIS benchmark template is causing the GSS-TSIG TKEY to not communicate with the Infoblox DNS server from the client.
I have tried changing the local GPO on the new servers (Local computer policy>Admin templates>Network>DNS client>Update Security level>only Secure) and then running ipconfig /registerdns but still unable to see the DNS records being created.
CIS benchmark is here:
Anyone know which setting needs to be changed here ?
Thanks!
Re: Windows Server 2019 Datacenter not updating DDNS records (GSS-TSIG) after applying CIS Benchmark
03-05-2020 03:23 PM
No worries, I resolved it.
CIS hardening enabled the following setting:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos
AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
I unchecked all three encryption types and rebooted the server and saw a successful key auth message in Infoblox syslog:
client @xxxxxxxxxx 10.x.x.x.#xxxx/key xxxxx\$.xxxxxxxx signer "xxxxxxxx\$.xxxxxxxx" approved
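As an added example (not code from the thread, Infoblox or CIS), here is a PowerShell audit script for the two client-side policies this thread touches: the Kerberos encryption-type restriction from the answer and the DNS client "Update Security Level" setting the question mentions. It reads the registry values those GPOs write (the paths and the bit layout of SupportedEncryptionTypes are standard Windows locations, assumed here rather than taken from the thread) and decodes them into the names shown in the GPO editor, so you can confirm what a hardened build actually has before you go looking at the Infoblox syslog. The numeric sample value 2147483640 is assumed to be what "AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types" writes; the function names are the example's own.

```powershell
# Bit layout of the Kerberos SupportedEncryptionTypes DWORD (assumed well-known
# Windows values). "Future encryption types" is every bit above the five named ones.
$script:KerbEncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function ConvertFrom-KerbEncTypeMask {
    # Turn the raw DWORD into the list of encryption types the policy allows.
    param([Parameter(Mandatory)][uint32]$Mask)
    $script:KerbEncTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-KerbEncTypePolicy {
    # GPO: Security Options > "Network security: Configure encryption types allowed for Kerberos"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $raw) {
        # No value means the policy is not defined; the OS default set applies.
        return [pscustomobject]@{ Configured = $false; Mask = $null; Allowed = @() }
    }
    # Registry DWORDs come back as Int32; mask to 32 bits before the unsigned cast.
    $mask = [uint32]([int64]$raw -band 0xFFFFFFFF)
    [pscustomobject]@{
        Configured = $true
        Mask       = $mask
        Allowed    = @(ConvertFrom-KerbEncTypeMask -Mask $mask)
    }
}

function Get-DnsClientUpdateSecurityPolicy {
    # GPO: Administrative Templates > Network > DNS Client > "Update Security Level"
    # (assumed registry location and values: 0 = unsecure then secure, 16 = only unsecure, 256 = only secure)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $raw = (Get-ItemProperty -Path $key -Name UpdateSecurityLevel -ErrorAction SilentlyContinue).UpdateSecurityLevel
    $names = @{ 0 = 'Unsecure followed by secure'; 16 = 'Only unsecure'; 256 = 'Only secure' }
    if ($null -eq $raw) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Level = 'Not configured (client default)' }
    }
    $level = if ($names.ContainsKey([int]$raw)) { $names[[int]$raw] } else { "Unknown ($raw)" }
    [pscustomobject]@{ Configured = $true; Value = [int]$raw; Level = $level }
}

function Test-GssTsigClientPolicy {
    # Summarise both settings and flag the state the thread reports as breaking GSS-TSIG updates.
    $kerb = Get-KerbEncTypePolicy
    $dns  = Get-DnsClientUpdateSecurityPolicy
    $findings = @()

    if ($kerb.Configured) {
        $excluded = $script:KerbEncTypeBits.Keys | Where-Object { $kerb.Allowed -notcontains $_ }
        if ($excluded.Count -gt 0) {
            $findings += "Kerberos encryption types are restricted by policy (mask 0x{0:X8}); excluded: {1}. " -f $kerb.Mask, ($excluded -join ', ')
            $findings += "The thread reports secure dynamic updates to Infoblox resumed only after this policy was cleared."
        }
    }
    if ($dns.Configured -and $dns.Value -eq 16) {
        $findings += 'DNS client is set to "Only unsecure" updates; a GSS-TSIG zone will reject these.'
    }

    [pscustomobject]@{
        KerberosPolicy = $kerb
        DnsClientPolicy = $dns
        Findings        = $findings
    }
}

# Offline check of the decoder with a constructed value (assumed to be what the
# CIS-recommended "AES128, AES256, Future" selection writes): expect those three names.
ConvertFrom-KerbEncTypeMask -Mask 2147483640

# Live audit of this host (run elevated on the Windows server being diagnosed).
Test-GssTsigClientPolicy | Format-List
```

Run it on the hardened server after `gpupdate /force` so the registry reflects the applied GPO, then compare the `Findings` against the Infoblox syslog: a TKEY line ending in `approved`, like the one the answer quotes, is the server-side confirmation that the client's Kerberos negotiation succeeded.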