Show Table of Contents
2.3. Enabling Dynamic DNS Updates
AD allows its clients to refresh their DNS records automatically. AD also actively maintains DNS records to make sure they are updated, including timing out (aging) and removing (scavenging) inactive records. DNS scavenging is not enabled by default on the AD side.
SSSD allows the Linux system to imitate a Windows client by refreshing its DNS record, which also prevents its record from being marked inactive and removed from the DNS record. When dynamic DNS updates are enabled, the client's DNS record is refreshed:
- when the identity provider comes online (always)
- when the Linux system reboots (always)
- at a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hoursYou can set this behavior to the same interval as the DHCP lease. In this case, the Linux client is renewed after the lease is renewed.
DNS updates are sent to the AD server using Kerberos/GSSAPI for DNS (GSS-TSIG). This means that only secure connections need to be enabled.
The dynamic DNS configuration is set for each domain. For example:
[domain/ad.example.com] id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad ldap_schema = addyndns_update = truedyndns_refresh_interval = 43200dyndns_update_ptr = truedyndns_ttl = 3600
For details on these options, see the sssd-ad(5) man page.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.