The domain join fails with an error, or users frequently cannot log in.
User logon works for a while and then fails suddenly. Different users are affected, and the set of affected users changes over time. When trying to log in through Windows they get “No Authentication Server available”.
Check your DNS settings.
Verify that the computer to be joined can resolve the domain controller DNS entries:
root@master:~# host gc._msdcs.$(ucr get domainname) 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

gc._msdcs.multi.ucs has address 10.250.200.101
gc._msdcs.multi.ucs has address 10.250.200.102
gc._msdcs.multi.ucs has address 10.250.200.100
Check for legacy DNS zones.
root@ucs:~# univention-s4search DC=_msdcs --cross-ncs dn
# record 1
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs

# record 2
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs
There should NOT be an entry in the “System” container (CN=System).
Verify the existence of additional zones reported by the DNS service in
Mar 12 13:26:20 slave named: samba_dlz: Ignoring duplicate zone 'multi.ucs' from 'DC=@,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs'
Mar 12 13:26:20 slave named: samba_dlz: Ignoring dnsZone _msdcs.multi.ucs
By default the S4 connector synchronizes DNS entries from OpenLDAP to the current location in the Microsoft DNS tree (DC=DomainDnsZones). Previously (in Windows 2000) the DNS zones were stored at a different location (CN=System). Verify that the S4 connector does not use the legacy zones; if the variable is set, the connector is still writing into the legacy location:
ucr get connector/s4/mapping/dns/position
There is a duplicate zone in the legacy tree under “CN=System”, which is loaded first by the named service. But since the S4 connector by default does not sync into the legacy tree, this zone is very likely outdated.
On the master (or the @school slave) migrate the existing zone information to the new location with the script migrate_legacy_dns_zones.sh.
Now make sure the S4 connector does not sync to the legacy branch:
ucr unset connector/s4/mapping/dns/position
systemctl restart univention-s4-connector
Remove the duplicate entry and restart the DNS service:
ldbdel -H /var/lib/samba/private/sam.ldb DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs
systemctl restart bind9
Now the join should be possible again and users should not notice any issues during logins.
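The checks above, combined into a small read-only diagnostic script. This is an added example, not part of the original article and not a UCS or Univention tool. It parses the output of univention-s4search for DNS objects under the legacy CN=System container, parses the named log for "samba_dlz: Ignoring duplicate zone" messages, shows the value of connector/s4/mapping/dns/position when ucr is available, and prints a verdict; it changes nothing on the system. The embedded sample listings are constructed from the article's output (domain multi.ucs) so that the parsing functions can be exercised on a machine without UCS; on a UCS host the live tool output is used instead.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the Univention article or
# the UCS project). It evaluates the indicators the article describes:
#   1. a DNS zone object under the legacy CN=System container in sam.ldb,
#   2. "samba_dlz: Ignoring duplicate zone" messages from named,
#   3. the UCR variable connector/s4/mapping/dns/position being set.
# The parsing functions read tool output from stdin, so they work on captured
# output as well as on a live system. Nothing here modifies the system.

# Constructed sample output modelled on the article's listings (assumption:
# real output differs only in domain name, hostnames and timestamps).
SAMPLE_S4SEARCH='# record 1
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs

# record 2
dn: DC=_msdcs,DC=multi.ucs,CN=MicrosoftDNS,CN=System,DC=multi,DC=ucs'

SAMPLE_SYSLOG="Mar 12 13:26:20 slave named: samba_dlz: Ignoring duplicate zone 'multi.ucs' from 'DC=@,DC=multi.ucs,CN=MicrosoftDNS,DC=DomainDnsZones,DC=multi,DC=ucs'
Mar 12 13:26:20 slave named: samba_dlz: Ignoring dnsZone _msdcs.multi.ucs
Mar 12 13:26:21 slave named: zone multi.ucs/NONE: loaded serial 42"

# Print the DN of every DNS object stored in the legacy CN=System container.
# Input (stdin): output of `univention-s4search DC=_msdcs --cross-ncs dn`.
legacy_zone_dns() {
    grep -i '^dn: .*,CN=MicrosoftDNS,CN=System,' | sed 's/^dn: //'
}

# Print each zone name that named's samba_dlz backend refused as a duplicate.
# Input (stdin): syslog lines.
ignored_duplicate_zones() {
    sed -n "s/.*samba_dlz: Ignoring duplicate zone '\([^']*\)'.*/\1/p" | sort -u
}

# Exit status 0 when the legacy-zone condition is present in the given
# captures, 1 otherwise. Arguments: s4search output text, syslog text.
has_legacy_zone_problem() {
    n_legacy=$(printf '%s\n' "$1" | legacy_zone_dns | wc -l | tr -d ' ')
    n_dup=$(printf '%s\n' "$2" | ignored_duplicate_zones | wc -l | tr -d ' ')
    [ "$n_legacy" -gt 0 ] || [ "$n_dup" -gt 0 ]
}

# Use live tool output on a UCS host, otherwise the constructed samples.
collect_s4search() {
    if command -v univention-s4search >/dev/null 2>&1; then
        univention-s4search DC=_msdcs --cross-ncs dn
    else
        printf '%s\n' "$SAMPLE_S4SEARCH"
    fi
}
collect_syslog() {
    if command -v univention-s4search >/dev/null 2>&1 && [ -r /var/log/syslog ]; then
        grep 'samba_dlz' /var/log/syslog 2>/dev/null || true
    else
        printf '%s\n' "$SAMPLE_SYSLOG"
    fi
}

# Print the findings; the verdict line tells whether the article's
# migration steps apply. Use has_legacy_zone_problem for scripting.
report() {
    s4=$(collect_s4search)
    log=$(collect_syslog)
    echo "DNS objects in the legacy CN=System container:"
    printf '%s\n' "$s4" | legacy_zone_dns | sed 's/^/  /'
    echo "Zones ignored by named as duplicates:"
    printf '%s\n' "$log" | ignored_duplicate_zones | sed 's/^/  /'
    if command -v ucr >/dev/null 2>&1; then
        echo "connector/s4/mapping/dns/position = '$(ucr get connector/s4/mapping/dns/position)'"
    fi
    if has_legacy_zone_problem "$s4" "$log"; then
        echo "RESULT: legacy DNS zone detected; migrate the zone, unset the UCR variable and remove the CN=System object as described above."
    else
        echo "RESULT: no legacy DNS zone found."
    fi
}

report
```

Run the report once before the migration to record the affected DNs, and once more after restarting bind9 to confirm that the CN=System object is gone and named no longer logs duplicate zones.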