AD DNS issues

iXen (Cadet, joined Sep 28, 2023, 2 messages)
Hey all,

I’m new to TrueNAS SCALE. We’re trying to add the link to our Active Directory network, but I’m getting the following issue:

_kerberos._tcp.dc1.domain.local.: Nameserver 192.168.0.104 (dns server from ipconfig) failed to resolve SRV. This may indicate a DNS misconfiguration of the TrueNAS server.

Both servers can ping each other fine and TrueNAS can resolve the DNS server within shell.

I’m really lost and unsure if it’s an issue with my domain controller or TrueNAS.

Sorry if it’s in the wrong section, but I would appreciate some assistance :)
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> Hey all,
>
> I’m new to TrueNAS SCALE. We’re trying to add the link to our Active Directory network, but I’m getting the following issue:
>
> _kerberos._tcp.dc1.domain.local.: Nameserver 192.168.0.104 (dns server from ipconfig) failed to resolve SRV. This may indicate a DNS misconfiguration of the TrueNAS server.
>
> Both servers can ping each other fine and TrueNAS can resolve the DNS server within shell.
>
> I’m really lost and unsure if it’s an issue with my domain controller or TrueNAS.
>
> Sorry if it’s in the wrong section, but I would appreciate some assistance :)

This indicates that SRV lookups for Kerberos are failing. Perhaps the above nameserver is not your AD domain controller.
 

iXen (Cadet, joined Sep 28, 2023, 2 messages)
> This indicates that SRV lookups for Kerberos are failing. Perhaps the above nameserver is not your AD domain controller.

This is what I thought, I'm going to do some more digging. I had a feeling it was nothing to do with TrueNAS but wanted to double check to see if there was something I'm missing.

I'll update on the way to see if it ends up being something else.
 

rodpas (Cadet, joined Jul 17, 2022, 3 messages)
I happened to upgrade to Cobia last Friday and I've been burning my brains all weekend over why the AD was not working even when everything seemed to be right. Even the "host -t srv ..." command can see the _kerberos._tcp and the _ldap._tcp services (in the command line). Finally, analyzing the message thoroughly when trying to enable AD, we discovered it always told us the 2nd DNS server was the one not "seeing" the services. We have set up TrueNAS with 2 fixed DNS servers (nameserver1 and nameserver2). Specifically, it was always telling us that nameserver2 was the one failing, which is absolutely true, since nameserver1 routes towards the PDC but nameserver2 does not.

As soon as we "ELIMINATED" nameserver 2, the AD started working like a champ.

This was working fine on version 22.x but started failing as soon as we upgraded to 23. I don't know what you guys think, but this sounds like a bug to me.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> I happened to upgrade to Cobia last Friday and I've been burning my brains all weekend over why the AD was not working even when everything seemed to be right. Even the "host -t srv ..." command can see the _kerberos._tcp and the _ldap._tcp services (in the command line). Finally, analyzing the message thoroughly when trying to enable AD, we discovered it always told us the 2nd DNS server was the one not "seeing" the services. We have set up TrueNAS with 2 fixed DNS servers (nameserver1 and nameserver2). Specifically, it was always telling us that nameserver2 was the one failing, which is absolutely true, since nameserver1 routes towards the PDC but nameserver2 does not.
>
> As soon as we "ELIMINATED" nameserver 2, the AD started working like a champ.
>
> This was working fine on version 22.x but started failing as soon as we upgraded to 23. I don't know what you guys think, but this sounds like a bug to me.

Not a bug. We improved validation. How do you expect AD to work if nameserver1 goes down or we round-robin to nameserver2? We have had many users knock themselves out of production by not configuring their nameservers on the NAS correctly (having non-AD ones present).
 

rodpas (Cadet, joined Jul 17, 2022, 3 messages)
> Not a bug. We improved validation. How do you expect AD to work if nameserver1 goes down or we round-robin to nameserver2? We have had many users knock themselves out of production by not configuring their nameservers on the NAS correctly (having non-AD ones present).

Let me see if I follow you: I am supposed to use DC servers only as nameservers (our 2nd DNS server is just a proxy to one outside in the DMZ, so it is not a DC)? Excuse my ignorance.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
> Let me see if I follow you: I am supposed to use DC servers only as nameservers (our 2nd DNS server is just a proxy to one outside in the DMZ, so it is not a DC)? Excuse my ignorance.

Typically an Active Directory domain will have multiple domain controllers, each with a DNS server running. You can configure them as the TrueNAS nameservers and have AD DNS forward external requests to other nameservers as appropriate. You can also take some other topology as needed. The main point is that ideally you want all nameservers configured on the NAS to be able to resolve queries (A, AAAA, SRV, etc.) for the AD domain; otherwise you are introducing a point of failure in your NAS configuration.
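What the validation described above boils down to, as an added example (not TrueNAS code and not from the thread): a POSIX shell check that queries every nameserver in resolv.conf for the _kerberos._tcp and _ldap._tcp SRV records of the AD domain, so a resolver that cannot answer for the domain (what the OP's error reports for 192.168.0.104, and what rodpas saw for nameserver2) is reported as FAIL before the join is attempted. It assumes `dig` is installed; DOMAIN, RESOLV_CONF and CHECK_AD_DNS_RUN are names chosen for this example.

```shell
#!/bin/sh
# Added example, not TrueNAS code: verify that every configured nameserver
# can answer the AD SRV lookups that the AD join validates. Assumes `dig`.

DOMAIN="${DOMAIN:-dc1.domain.local}"          # domain name from the OP's error
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Print the nameserver addresses found in resolv.conf-style text on stdin.
nameservers_from_resolv() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed (exit 0) when $1, the text returned by `dig +short ... SRV`,
# contains at least one SRV answer: "priority weight port target".
has_srv_answer() {
    printf '%s\n' "$1" | awk '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Query one nameserver ($1) for one SRV name ($2); report and return 0/1.
check_srv() {
    answer=$(dig +short +time=2 +tries=1 @"$1" SRV "$2" 2>/dev/null)
    if has_srv_answer "$answer"; then
        echo "OK   $1 answers $2"
        return 0
    fi
    echo "FAIL $1 returned no SRV for $2 (this nameserver would fail AD validation)"
    return 1
}

# Check every nameserver for both records; return the number of failures.
check_all() {
    fails=0
    for ns in $(nameservers_from_resolv < "$RESOLV_CONF"); do
        for name in "_kerberos._tcp.$DOMAIN" "_ldap._tcp.$DOMAIN"; do
            check_srv "$ns" "$name" || fails=$((fails + 1))
        done
    done
    return "$fails"
}

# Network queries only run when explicitly requested, e.g.
#   CHECK_AD_DNS_RUN=1 DOMAIN=corp.example sh check_ad_dns.sh
if [ "${CHECK_AD_DNS_RUN:-0}" = 1 ]; then
    check_all
fi
```

A non-zero exit status means at least one configured nameserver could not answer for the domain, which is exactly the case the NAS validation rejects.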
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
> Let me see if I follow you: I am supposed to use DC servers only as nameservers

Yes. Most resolver libraries simply round-robin their configured recursive name servers, and if the query for the A or AAAA of "$DOMAIN" does not answer with the IP addresses of the DCs, AD breaks. Additionally there's all the glue in SRV and TXT records that Microsoft throws in there. DNS is part of the Active Directory. Without DNS, no AD. Complete and consistent DNS, that is.

Really this is rather well documented and a fundamental requirement of running AD. All clients must use AD name servers only.

Now how to get around that requirement - a bit :wink:

A non-AD name server, frequently the firewall or some other infrastructure related system, can use three approaches:
  • Unconditionally forward all requests to the AD DCs. Begs the question why use that extra name server at all? But possibly it's e.g. in a branch office so requests are cached locally while all DCs are in the main office. Breaks if the VPN between the two offices goes away, because unconditionally ...
  • Configure a forward zone for "$DOMAIN" that forwards queries to the DCs but resolves anything else on its own starting with the root hints.
  • Configure a secondary zone for "$DOMAIN" pulling from the DCs. Regardless of whether the name server itself is in any way interested in those AD-specific records, it is completely sufficient that all the domain's contents are present to be served to clients.
I prefer and frequently use the third approach.

HTH,
Patrick
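The three approaches above, as an added BIND 9 named.conf sketch that is not from Patrick's post (assumed placeholders: AD domain "domain.local", DCs at 192.168.0.104 and 192.168.0.105; only the secondary-zone blocks are active, approaches 1 and 2 are shown commented out so the file stays valid):

```conf
// Added example (not from the thread): named.conf fragment for a non-AD
// resolver such as a firewall. Assumed: AD domain "domain.local", DCs at
// 192.168.0.104 and 192.168.0.105 (placeholders).

options {
    directory "/var/cache/bind";
    recursion yes;
    // Approach 1: forward everything to the DCs. Simplest, but this resolver
    // answers nothing at all while the link to the DCs is down.
    // forwarders { 192.168.0.104; 192.168.0.105; };
    // forward only;
};

// Approach 2: forward only the AD domain to the DCs; everything else is
// resolved locally from the root hints.
// zone "domain.local" {
//     type forward;
//     forward only;
//     forwarders { 192.168.0.104; 192.168.0.105; };
// };

// Approach 3 (Patrick's preference): carry a full copy of the AD zone.
// The DCs must permit zone transfers (AXFR/IXFR) to this server; changes
// from AD's dynamic updates arrive via NOTIFY and the SOA refresh timer.
zone "domain.local" {
    type secondary;                                 // "type slave" before BIND 9.16
    primaries { 192.168.0.104; 192.168.0.105; };    // "masters" before BIND 9.16
    file "domain.local.db";
};

// The DC locator records live under _msdcs, which AD usually keeps as its
// own zone delegated from the domain zone; pulling it too avoids depending
// on that delegation being followed.
zone "_msdcs.domain.local" {
    type secondary;
    primaries { 192.168.0.104; 192.168.0.105; };
    file "_msdcs.domain.local.db";
};
```

Whichever approach is chosen, re-run an SRV lookup for _kerberos._tcp and _ldap._tcp against this server afterwards, because that is the query the NAS validation performs against every configured nameserver.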
 