Drops domain after a couple of minutes:

Status
Not open for further replies.

JohnL7

Dabbler
Joined
May 7, 2018
Messages
17
First post, I apologize if I don't have all the information needed, but please feel free to let me know what else I might need to provide to troubleshoot.

I am running: FreeNAS-11.1-U4

I demoted a domain controller on Friday and then started getting reports of network drive access issues. I have limited experience with FreeNAS as it was set up before my time, but here are the /var/log/messages entries that appear:

Code:
May  7 09:39:09 freenas ActiveDirectory: activedirectory_start: skipping join, already joined
May  7 09:39:09 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory status
May  7 09:39:10 freenas ActiveDirectory: activedirectory_status: checking status
May  7 09:39:10 freenas ActiveDirectory: AD_status_domain: net -k ads status DOMAIN
May  7 09:39:11 freenas ActiveDirectory: AD_status_domain: Okay
May  7 09:39:11 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
May  7 09:39:12 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
May  7 09:39:15 freenas ActiveDirectory: /usr/sbin/service ix-pam quietstart
May  7 09:39:17 freenas ActiveDirectory: /usr/sbin/service ix-cache quietstart &
May  7 09:39:20 freenas ActiveDirectory: kerberos_status: klist -t
May  7 09:39:20 freenas ActiveDirectory: kerberos_status: Successful
May  7 09:39:21 freenas ActiveDirectory: activedirectory_status: checking status
May  7 09:39:21 freenas ActiveDirectory: AD_status_domain: net -k ads status DOMAIN
May  7 09:39:22 freenas ActiveDirectory: AD_status_domain: Okay
May  7 09:39:53 freenas ActiveDirectory: kerberos_status: klist -t
May  7 09:39:53 freenas ActiveDirectory: kerberos_status: Successful
May  7 09:39:53 freenas ActiveDirectory: activedirectory_status: checking status
May  7 09:39:53 freenas ActiveDirectory: AD_status_domain: net -k ads status DOMAIN
May  7 09:39:54 freenas ActiveDirectory: AD_status_domain: Okay
May  7 09:39:55 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
May  7 09:39:56 freenas ActiveDirectory: /usr/sbin/service ix-kerberos quietstop
May  7 09:39:56 freenas ActiveDirectory: /usr/sbin/service ix-nsswitch quietstop
May  7 09:39:56 freenas ActiveDirectory: /usr/sbin/service ix-pam quietstop
May  7 09:39:58 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory forcestop
May  7 09:40:01 freenas ActiveDirectory: activedirectory_stop: leaving domain
May  7 09:40:01 freenas ActiveDirectory: /usr/sbin/service ix-cache quietstop &
May  7 09:40:04 freenas ActiveDirectory: /usr/sbin/service samba_server forcestop
May  7 09:40:04 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
May  7 09:40:07 freenas ActiveDirectory: /usr/sbin/service ix-kinit forcestop
May  7 09:40:07 freenas ActiveDirectory: /usr/sbin/service ix-hostname quietstart


The system appears to join the domain no problem but maybe 2-3 minutes later it just drops the domain and then the system check attempts to rejoin.


I have checked the Network configuration to make sure that the old domain controller is no longer listed as a Name Server. I have tried various changes to the settings in the Directory Service > Active Directory tab with no solid results. Where should I be looking for more information?
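An added example, not part of the original post: a small Python parser that reads ActiveDirectory lines from /var/log/messages and reports how long after the last healthy `AD_status_domain: Okay` check the box logged `leaving domain`. The sample lines are a constructed subset of the log quoted above, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the /var/log/messages lines quoted in the post.
SAMPLE_LOG = """\
May  7 09:39:09 freenas ActiveDirectory: activedirectory_start: skipping join, already joined
May  7 09:39:11 freenas ActiveDirectory: AD_status_domain: Okay
May  7 09:39:22 freenas ActiveDirectory: AD_status_domain: Okay
May  7 09:39:54 freenas ActiveDirectory: AD_status_domain: Okay
May  7 09:39:55 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
May  7 09:40:01 freenas ActiveDirectory: activedirectory_stop: leaving domain
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ActiveDirectory: (.*)$")
OK_MSG = "AD_status_domain: Okay"
LEAVE_MSG = "activedirectory_stop: leaving domain"

def find_domain_drops(log_text, year=2018):
    """Return one dict per leave event: last healthy check, leave time, gap in seconds."""
    drops, last_ok = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one (assumed 2018 here).
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        msg = m.group(2).strip()
        if msg == OK_MSG:
            last_ok = ts
        elif msg == LEAVE_MSG:
            gap = (ts - last_ok).total_seconds() if last_ok else None
            drops.append({"last_ok": last_ok, "left_at": ts, "gap_seconds": gap})
            last_ok = None  # a later leave must be paired with a later healthy check
    return drops

if __name__ == "__main__":
    for d in find_domain_drops(SAMPLE_LOG):
        print(f"left domain at {d['left_at']}, {d['gap_seconds']}s after last OK status")
```

Run over a full day of logs, the list of gaps shows whether the drops follow a regular interval or occur at random, which helps separate a periodic health check from an intermittent lookup failure.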
 

JohnL7

Dabbler
Joined
May 7, 2018
Messages
17
So I wanted to update this with some additional information that I managed to wrestle out of the system.

First, I want to share that the two most likely causes of problems with AD, as told to me, are time and DNS issues. I verified time was not an issue several times over the course of working through this issue. That left DNS, and it ended up causing the problem. There was a stale record that pointed to the now demoted DC with DNS removed from its roles. My best guess is that it was load balancing the requests between the working and non-working DNS server entries, and this caused it to time out or fail on the follow-up check for DNS, removing it from the domain for some reason. On fixing this, I have been connected to AD now overnight without any signs of dropping or needing to rejoin the domain.
 

Grimm Spector

Explorer
Joined
Jan 28, 2018
Messages
50
I'm having similar issues, single domain controller. Everything seems fine, but for some reason it just won't behave. It connects, everything seems fine for a bit, and then all of a sudden it starts making reconnection attempts and fails. Sometimes I can get it to rebuild the cache and show me users and groups even, but then it disconnects again. It has its DNS and everything, so I'm really at a loss here. Some help would be super, it's a problem to try to use SMB with my clients without this working properly.
 

JohnL7

Dabbler
Joined
May 7, 2018
Messages
17
I'm having similar issues, single domain controller. Everything seems fine, but for some reason it just won't behave. It connects, everything seems fine for a bit, and then all of a sudden it starts making reconnection attempts and fails. Sometimes I can get it to rebuild the cache and show me users and groups even, but then it disconnects again. It has its DNS and everything, so I'm really at a loss here. Some help would be super, it's a problem to try to use SMB with my clients without this working properly.

Grimm,

Are you using version 11 by chance? When you look at the messages log, what are you finding there?
 

Grimm Spector

Explorer
Joined
Jan 28, 2018
Messages
50
Grimm,

Are you using version 11 by chance? When you look at the messages log, what are you finding there?

Yes. 11U4. The log says it failed to find domain controller, indicates the retry number. This occurs after it successfully bonds to the domain during boot. Very odd.
 

Grimm Spector

Explorer
Joined
Jan 28, 2018
Messages
50
If it failed to find the DC then it's DNS causing the problem.

In theory I’d agree. Though I cannot nail it down. DNS seems to be running fine. Hostnames are resolving without issue. The join is fine but then it drops without any failure to resolve or timeout messages.
 

JohnL7

Dabbler
Joined
May 7, 2018
Messages
17
In theory I’d agree. Though I cannot nail it down. DNS seems to be running fine. Hostnames are resolving without issue. The join is fine but then it drops without any failure to resolve or timeout messages.

Look at the thread I started. I had the same scenario of the join working properly, and it ended up being a bad entry in DNS that was causing the problem. In my case, it was an entry of essentially two IPs listed for the same server, with the second IP pointing to a server that was being decommissioned and had the DNS role removed. Once it joined and it attempted to do DNS resolution again, it would sometimes hit that "second DNS" and time out, so it would fail the health check and drop out of the domain. I would closely review your DNS and verify that everything is correct. It took a second set of eyes looking at everything to find this and correct it on my side.
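An added example, not part of the original posts: one way to look for the stale record described here and in the earlier update, by resolving every address DNS returns for a domain controller name and probing each one on the DNS, Kerberos and LDAP TCP ports. The hostname, the 192.0.2.x addresses and the fake resolver data are constructed so the check runs offline; the port list is an assumption about which services a healthy DC should answer on.

```python
import socket

def resolve_all(hostname, port):
    """Every distinct address the system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def tcp_probe(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_dc_records(hostname, ports=(53, 88, 389), resolver=resolve_all, probe=tcp_probe):
    """Map each address behind hostname to the ports that did not answer."""
    report = {}
    for ip in resolver(hostname, ports[0]):
        report[ip] = [p for p in ports if not probe(ip, p)]
    return report

def stale_addresses(report):
    """Addresses with at least one dead port: candidates for a stale DNS record."""
    return sorted(ip for ip, dead in report.items() if dead)

# Constructed stand-ins (RFC 5737 documentation addresses): two A records for
# one DC name, where the second points at a decommissioned server.
FAKE_RECORDS = {"dc1.example.test": ["192.0.2.10", "192.0.2.20"]}
FAKE_OPEN = {("192.0.2.10", 53), ("192.0.2.10", 88), ("192.0.2.10", 389)}

def demo():
    return audit_dc_records(
        "dc1.example.test",
        resolver=lambda host, port: FAKE_RECORDS[host],
        probe=lambda ip, port: (ip, port) in FAKE_OPEN,
    )

if __name__ == "__main__":
    for ip, dead in demo().items():
        print(ip, "OK" if not dead else f"no answer on ports {dead}")
```

With the default `resolver` and `probe`, run it on the NAS itself so the lookup goes through the same name servers the AD health check uses.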
 

Grimm Spector

Explorer
Joined
Jan 28, 2018
Messages
50
Haven't found any DNS errors thus far, but who knows. I disabled it checking for the domain and it stays connected most of the time now at least.
 

deafen

Explorer
Joined
Jan 11, 2014
Messages
71
I've just started experiencing this problem myself after upgrading to 11.1-U5. For unimportant reasons, I did the upgrade "backwards" - saved the U4 config, did a clean U5 install, then uploaded the U4 config. In the process, it disabled CIFS and AD join. When I turned AD join back on, it would work for up to 10 minutes, then clients would start getting authz errors.

I haven't tried completely unconfiguring and starting over yet - plan to do that today. But first I wanted to check if there were any known issues. Has there been any other progress on the issues in this post?
 

Grimm Spector

Explorer
Joined
Jan 28, 2018
Messages
50
I suggest clearing your AD configs and doing that portion over again. I still haven't found any reason for this, in DNS or any other setting anywhere on the network.
 

deafen

Explorer
Joined
Jan 11, 2014
Messages
71
Did that and it seemed to work fine when I had verbose logging turned on, but as soon as I turned that off it started flapping again. I'll open a new thread.
 