Domain Controller Service

short-stack

short-stack

Explorer
Joined
Feb 28, 2017
Messages
80
Has anyone successfully gotten the Domain Controller Service configured/started?

I've gone through the Samba how to that is linked in the official doc: https://wiki.samba.org/index.php/Se...troller#Provisioning_a_Samba_Active_Directory but no matter what when I start the service it just says 'Domain Controller service failed to start', there isn't much other output to go on so I'm not even sure where to start debugging and looking for what's not configured right. Normally I google it and find a how-to or thread of how people worked through the issues, but there is not a single one that I could find of running FreeNAS as a Samba Domain Controller.

This is the only output in the logs:
Code:
Oct  6 16:49:42 FreeNAS DomainController: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Oct  6 16:49:44 FreeNAS DomainController: /usr/sbin/service ix-kerberos quietstart
Oct  6 16:49:45 FreeNAS DomainController: /usr/sbin/service ix-resolv quietstart
Oct  6 16:49:47 FreeNAS DomainController: /usr/sbin/service ix-nsswitch quietstart
Oct  6 16:49:47 FreeNAS DomainController: /usr/sbin/service ix-pam quietstart
Oct  6 16:49:48 FreeNAS DomainController: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Oct  6 16:49:51 FreeNAS root: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I just verified that a regression was introduced in 11.2-U6 regarding provisioning new AD domains. That said, the DC role for FreeNAS is scheduled to be discontinued in FreeNAS 11.3, so it's probably better to look for an alternative.
 
short-stack

short-stack

Explorer
Joined
Feb 28, 2017
Messages
80
anodos said:
I just verified that a regression was introduced in 11.2-U6 regarding provisioning new AD domains. That said, the DC role for FreeNAS is scheduled to be discontinued in FreeNAS 11.3, so it's probably better to look for an alternative.
Click to expand...
I've seen you quote the Samba doc in a few threads that recommend against running the DC on the same box as a file share, but a different user (https://www.ixsystems.com/community...-primary-domain-controller.41530/#post-268946) got an official response that both TrueNAS and FreeNAS were a-ok to run the DC service on the same box as a file share.

Does this deprecation mean that it's once again not ok to run them both? I'm assuming the alternative is to run it in a jail which could introduce race conditions?
 
Last edited:
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
short-stack said:
I've seen you quote the Samba doc in a few threads that recommend against running the DC on the same box as a file share, but a different user (https://www.ixsystems.com/community...-primary-domain-controller.41530/#post-268946) got an official response that both TrueNAS and FreeNAS were a-ok to run the DC service on the same box as a file share.

Does this deprecation mean that it's once again not ok to run them both? I'm assuming the alternative is to run it in a jail which could introduce race conditions?
Click to expand...
Well, my presence on the forums pre-dates working for iX, so postings that are more than a year or so old should not be taken as representative of what iX may or may not recommend. I do not believe that sharing files from a DC is best practice (regardless of whether there are bugs preventing you from doing this).

You can review MS security best practices for AD environments here:
https://docs.microsoft.com/en-us/wi.../best-practices-for-securing-active-directory

The Samba team also advises against using a DC as a file server:
https://wiki.samba.org/index.php/Se...#Using_the_Domain_Controller_as_a_File_Server

Jailed DCs will not currently work on FreeBSD because I have yet to fix provisioning on ZFS-backed sysvol shares past Samba 4.9 (and these fixes - the 4.9 ones - are not present in the FreeBSD port).
 
short-stack

short-stack

Explorer
Joined
Feb 28, 2017
Messages
80
anodos said:
Well, my presence on the forums pre-dates working for iX, so postings that are more than a year or so old should not be taken as representative of what iX may or may not recommend. I do not believe that sharing files from a DC is best practice (regardless of whether there are bugs preventing you from doing this).

You can review MS security best practices for AD environments here:
https://docs.microsoft.com/en-us/wi.../best-practices-for-securing-active-directory

The Samba team also advises against using a DC as a file server:
https://wiki.samba.org/index.php/Se...#Using_the_Domain_Controller_as_a_File_Server

Jailed DCs will not currently work on FreeBSD because I have yet to fix provisioning on ZFS-backed sysvol shares past Samba 4.9 (and these fixes - the 4.9 ones - are not present in the FreeBSD port).
Click to expand...

thanks for the responses, I wasn't insinuating that your old posts were representative of iX. I was saying that iX had allegedly said that running this service on the same box was acceptable - https://www.ixsystems.com/community...-primary-domain-controller.41530/#post-268946

It's unfortunate that it's being taken away in 11.3, is it a silent deprecation? I only see feature enhancements on the roadmap here https://redmine.ixsystems.com/versions/445

I have a cousin who has a small business office, where he doesn't need a full stand alone server to run a DC, just need need something to provide central management of users, and I hope that this would do the trick... off to find another solution I guess.
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
short-stack said:
thanks for the responses, I wasn't insinuating that your old posts were representative of iX. I was saying that iX had allegedly said that running this service on the same box was acceptable - https://www.ixsystems.com/community...-primary-domain-controller.41530/#post-268946

It's unfortunate that it's being taken away in 11.3, is it a silent deprecation? I only see feature enhancements on the roadmap here https://redmine.ixsystems.com/versions/445

I have a cousin who has a small business office, where he doesn't need a full stand alone server to run a DC, just need need something to provide central management of users, and I hope that this would do the trick... off to find another solution I guess.
Click to expand...

Sure. The key thing to remember is to separate out our fileservers from your domain controllers (and follow the relevant best-practices guides). They don't have to be physical appliances, but they should be at a minimum separate VMs.
 
You must log in or register to reply here.

Important Announcement for the TrueNAS Community.

The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums.

Related topics on forums.truenas.com for thread: "Domain Controller Service"

Similar threads

B
  • Locked
Domain Controller service will not start
Replies
9
Views
5K
jstam
J
D
  • Locked
AD connection flapping after upgrade to U5
Replies
1
Views
1K
deafen
D
Quiltface
SOLVED Active Directory Failed to load after reinstall
Replies
3
Views
3K
Quiltface
Quiltface
A
  • Locked
SOLVED Join to Active Directory manually
Replies
4
Views
3K
aklyuk
A
E
  • Locked
FreeNAS-8.3.0-BETA3-x64 and Windows Server 2012 AD?
Replies
2
Views
4K
snaketek
S
Top