2 files changed, 11 insertions, 2 deletions

diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index b7af98c30d..9c1a6b4d5a 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -436,10 +436,19 @@ if __name__ == '__main__':
                     "DNSNAME" : dnsname }
                            )
 
+            res = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT,
+                                  expression='(sAMAccountName=dns-%s)' % (hostname),
+                                  attrs=["msDS-KeyVersionNumber"])
+            if "msDS-KeyVersionNumber" in res[0]:
+                dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
+            else:
+                dns_key_version_number = None
+
             secretsdb_setup_dns(ldbs.secrets, names,
                                 paths.private_dir, realm=names.realm,
                                 dnsdomain=names.dnsdomain,
-                                dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+                                dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
+                                key_version_number=dns_key_version_number)
         else:
             logger.info("dns-%s account already exists" % hostname)
 
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
index 67fd66b057..192c06d286 100644
--- a/source4/setup/secrets_dns.ldif
+++ b/source4/setup/secrets_dns.ldif
@@ -5,7 +5,7 @@ objectClass: secret
 objectClass: kerberosSecret
 realm: ${REALM}
 servicePrincipalName: DNS/${DNSNAME}
-msDS-KeyVersionNumber: 1
+msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}
 samAccountName: dns-${HOSTNAME}