Windows 7 Pro x64 clients will not join UCS 4.x domain

I am running UCS 4.x (“free for personal use” version). The server is 4.0-1 errata142. After I installed the server, I joined a Windows 8.1 PC to the domain with no problems. I was able to join an XP PC to the domain today.

However, Win7 Pro PCs will not join. This is the troubleshooting info I see:

An Active Directory Domain Controller (AD DC) for the domain “mydomain.private” could not be contacted.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain “mydomain.private”

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.private

The following domain controllers were identified by the query:
server1.mydomain.private

However no domain controllers could be contacted.

Thanks for any assistance.

I am not aware of any specialties which would allow Win8.1 and XP to join the UCS master but block Win7 systems.
I would check the dns settings at the client - you can take a look at the following SDB article for further reference:
Troubleshooting domain joins of Windows clients

I am able to join one of my test Win7 clients to an MS AD domain. I believe this error is on the UCS server, not on the client side. The UCS DNS server seems to be missing something that a client needs in order to join the domain.

When testing, my clients always point to the DC of the domain we wish to join as the only DNS server.

In the absence of any helpful troubleshooting information, it does not appear that we can proceed with UCS testing.

Thank you.

Hello!

After a successful default installation of a UCS system (here 4.0-1) with Samba 4, all needed things should already be present for joining Windows clients - especially all relevant SRV records.
Did I get you right that Windows 8.1 clients and Windows XP clients can be joined and only Windows 7 doesn’t work? Is it one special client that you are testing, or several machines? Just to clarify my intention in asking: I am aware of many Windows 7 clients in several customer environments that are successfully joined and working in UCS 4 domains.

I am sorry to hear that the Troubleshooting domain joins of Windows clients article in our support knowledge database wasn’t able to help you.
Did you get the chance to test these things?
Could you please show me the outputs so that I am able to help you?

[code]# At your UCS master
host -al $(dnsdomainname) | grep " SRV "

# At your Windows 7 client
ipconfig /registerdns[/code]
Is the system time correct at the client? This is mandatory for Kerberos/Samba 4 to authenticate properly.

As a last step, as mentioned in the troubleshooting article, I would raise samba debug and analyse the log files:

[code]ucr set samba/debug/level=4
/etc/init.d/samba restart
less /var/log/samba/log.samba[/code]

Kind regards,
Tim Petersen

[code]host -al $(dnsdomainname) | grep " SRV "[/code] [returns no output]

From the client:
“ipconfig /registerdns” returns only the generic message that the update has been initiated, but I see no related messages in Event Viewer.

After setting the Samba log level to 4 as recommended, I see this message frequently in the log:

[code]Runtime Error: kinit for SRV1$@DOMAIN.PRIVATE failed (Cannot contact any KDC for requested realm)[/code]

. . . SRV1 and DOMAIN.PRIVATE being placeholders for my real server and domain name.

When this UCS server was installed about two months ago, I was able to join clients regardless of OS. I was able to join an XP client earlier this week, but three Win7 desktops cannot join. My only Win8x test PC is already joined and sees domain resources, but I would guess that another 8x client could not join now.

Thank you.

Hi,

from your first post:

[quote]The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.private

The following domain controllers were identified by the query:
server1.mydomain.private

However no domain controllers could be contacted.
[/quote]

from your last post:

I would guess that there is a mismatch between the DNS-settings of the client(s) and the server. In addition the hostname of the server should be checked against the existing SRV-records for your domain.

Best Regards,
Dirk Ahrnke

Thanks. Where would I find documentation for what DNS records might need to be recreated, and does either the server or management console have any tools to troubleshoot DNS?

Roland

Hi,

for a starting point which DNS records are needed you may have a look at DNS Records that are required for proper functionality of Active Directory.

In general, DNS records can be fixed in UCS by using the Univention Management Console.

I would start troubleshooting at the server. The “host -al…” command which does not bring up a result in your case may be one of the key points.

[code]dnsdomainname[/code]

This should report the correct domain, e.g. “domain.private” which has to match the domain in all other components.

Best Regards,
Dirk Ahrnke

Same problem here - fresh install, not able to join a Win7 Pro workstation into the domain. I followed that link sdb.univention.de/1263 - which didn’t help me.
The Samba logfile didn’t deliver any clues…

Without looking at the logs and exact steps that have been tried we don’t have a clue either.

It’s a test server on an ESX host. As I mentioned before, it’s an installation from scratch, using the latest ISO image. At the installer, I only chose “active directory compatible domain controller”.
I suppose, as soon as the setup assistant got all the asked information and the installation is complete, one can join a Windows 7 or 8 client? At least I didn’t find any more steps so far to go for AD services in the official documentation.
Which errors can I make at these few basic steps?

Thanks for any help in advance!

edit:

[code]root@srv01:/usr/bin# samba-tool domain info 10.0.0.60
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
finddcs: searching for a DC by IP 10.0.0.60
finddcs: performing CLDAP query on 10.0.0.60
finddcs: Found matching DC 10.0.0.60 with server_type=0x000003fd
Forest           : XXX.intranet
Domain           : XXX.intranet
Netbios domain   : XXXXXXXXXX
DC name          : srv01.XXXXX.intranet
DC netbios name  : SRV01
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
root@srv01:/usr/bin#[/code]

So the samba service seems to be configured but the Win 8.1 client says that either the domain is not available or there is no connection…

In general the same things can go wrong during the attempt to join a Windows-based AD as with UCS/Samba4.
From my point of view there is no need (anymore) to describe the join-process for Windows-Clients in an extra documentation.

Basically most of these issues are related to IP-configuration, DNS and Time/NTP problems on the client side.
As a rule of thumb and to make things easier I would configure DHCP on the server to make sure that clients can get correct routing and DNS-informations.

If these steps are not successful it would help if you could describe some more details.

I have often wondered in my earlier days in this business why some bugs I had filed were closed as “WORKSFORME”. The reason was simply that I did not describe the scenario, the steps and of course the results I expected in a way that the people reading my problem were able to understand it. (“it doesn’t work” is not an error description)

just noted that you updated your post:

I’d really check the client configuration at this point.

Thanks for the quick reply.

I checked my configuration on Win7+8:
IP configuration seems to be OK - I can ping the server, nslookup works

[code]C:\Users\schau>nslookup heise.de
Server: srv01.XXXXXXXXX.intranet
Address: 10.0.0.60

Non-authoritative answer:
Name: heise.de
Addresses: 2a02:2e0:3fe:1001:302::
193.99.144.80[/code]

Resolving external hosts is unrelated to the join issue but your test proves:

  • the client is using 10.0.0.60 as DNS-server (which is your DC according to your previous post)
  • name services on the UCS are operational

You should be able to resolve “srv01.XXXXX.intranet” too.
Checking the necessary SRV records (see SDB 1263) in Windows is a bit complicated. Let’s assume the client gets them if you have checked this on the server as mentioned in the SDB article.

The next step should be to verify that time on client and server do not differ. Take care of different timezones.

I would first try to join by using the domain, see output of “samba-tool domain info”. Netbios domain should work too, but it is not the preferred method anymore (AFAIR).

If it still doesn’t work you may try to get more information from the event log of the client.

cheers,
Dirk

The clients can both resolve “srv01” and “srv01.domain.intranet” and I tried a domain join with both “domain” and the FQDN.
Time settings also seem to be correct.

I really believe that something in the UCS installation went wrong or is missing:

[code]root@srv01:/var/log/samba# host -al $ digit-all.intranet | grep " SRV "
root@srv01:/var/log/samba#[/code]
-> no entries

I’m not sure - but when I installed Samba 4 (several alpha and RC releases) on an Ubuntu server, I also used bind9 for DNS.
But:
[code]root@srv01:/var/log/samba# ps fax | grep bind9
10055 pts/1 S+ 0:00 _ grep bind9
root@srv01:/var/log/samba#[/code]

-> returns no running bind server.
I already tried several test installations in the last few hours. There also was a “full-on” installation and I do believe that I noticed a running bind server…?
Does the Univention configuration use the Samba-internal DNS or bind?

#####edit#####
Sorry, my fault:
[code]root@srv01:/var/log/samba# ps fax | grep bind
2468 ? Ss 0:00 /sbin/rpcbind -w
2902 ? Ss 0:00 _ runsv univention-bind-samba4
9838 ? Sl 0:00 | _ /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
2903 ? Ss 0:00 _ runsv univention-bind
2905 ? Ss 0:00 _ runsv univention-bind-proxy
10442 pts/1 S+ 0:00 _ grep bind
7664 ? Ss 0:00 | _ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
7667 ? S 0:00 | _ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
8710 ? S 0:00 | _ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root@srv01:/var/log/samba#[/code]

The server had my home router preconfigured as external DNS. I removed that entry and tried again to ping heise.de - but now without success, although the nameserver seems to be up and running?

There should be some. Without them a join is not possible.
example from a local test VM:

[code]root@master:~# host -al $(dnsdomainname) | grep " SRV "
_ldap._tcp.gc._msdcs.showcase.it25.de. 900 IN SRV 0 100 3268 master.showcase.it25.de.
_ldap._tcp.dc._msdcs.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_ldap._tcp.pdc._msdcs.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_kerberos._tcp.dc._msdcs.showcase.it25.de. 900 IN SRV 0 100 88 master.showcase.it25.de.
_ldap._tcp.ForestDnsZones.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_ldap._tcp.DomainDnsZones.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_domaincontroller_master._tcp.showcase.it25.de. 900 IN SRV 0 0 0 master.showcase.it25.de.
_gc._tcp.Default-First-Site-Name._sites.showcase.it25.de. 900 IN SRV 0 100 3268 master.showcase.it25.de.
_ldap._tcp.Default-First-Site-Name._sites.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_kerberos._tcp.Default-First-Site-Name._sites.showcase.it25.de. 900 IN SRV 0 100 88 master.showcase.it25.de.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.showcase.it25.de. 900 IN SRV 0 100 3268 master.showcase.it25.de.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.showcase.it25.de. 900 IN SRV 0 100 88 master.showcase.it25.de.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.showcase.it25.de. 900 IN SRV 0 100 389 master.showcase.it25.de.[/code]

Either:

  • SRV records have not been created during the installation
  • $(dnsdomainname) is not your AD domain for any reason (you can prove this with “echo $(dnsdomainname)”)

“bind9” is “named” here. But I’d expect that it works as you got a response for heise.de and your clients could not resolve the server.

[code]root@master:~# netstat -tulpen | grep :53
tcp   0 0 192.168.133.50:53 0.0.0.0:* LISTEN 0 11806 2450/named
tcp   0 0 127.0.0.1:53      0.0.0.0:* LISTEN 0 11804 2450/named
tcp6  0 0 :::53             :::*      LISTEN 0 11799 2450/named
udp   0 0 192.168.133.50:53 0.0.0.0:*        0 11805 2450/named
udp   0 0 127.0.0.1:53      0.0.0.0:*        0 11803 2450/named
udp6  0 0 :::53             :::*             0 11798 2450/named[/code]
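The SRV check Dirk describes above, turned into a script. This is an added example for this thread, not code from the Univention forum, UCS or Samba. It reads the output of `host -al <domain>` taken on the UCS master, verifies that the four SRV records a Windows client needs to find a DC and a KDC (`_ldap._tcp.dc._msdcs`, `_kerberos._tcp.dc._msdcs`, `_ldap._tcp.pdc._msdcs`, `_ldap._tcp.gc._msdcs`, with the ports shown in the listing above) are present, and that each one targets the DC's own FQDN, which is the hostname-versus-SRV mismatch mentioned earlier. The domain `mydomain.private`, the DC `server1.mydomain.private` and the sample zone listing are constructed for the demo; the function and file names are my own.

```sh
#!/bin/sh
# Added example; not code from the Univention forum, UCS or Samba.
# Usage on the UCS master:  sh check_srv.sh mydomain.private server1.mydomain.private
# With no arguments it runs against a constructed sample zone listing.

# name:port pairs, relative to the domain; names and ports as in the listing on this page.
REQUIRED_SRV="_ldap._tcp.dc._msdcs:389 _kerberos._tcp.dc._msdcs:88 _ldap._tcp.pdc._msdcs:389 _ldap._tcp.gc._msdcs:3268"

# check_srv_records DOMAIN DC_FQDN FILE
# FILE holds `host -al DOMAIN` output, i.e. lines of the form
#   <name>. <ttl> IN SRV <prio> <weight> <port> <target>.
# Prints one status line per required record. Returns 1 if any record is
# missing, carries the wrong port, or does not target DC_FQDN (several DCs
# per name are fine as long as one of them is ours). Other lines are ignored.
check_srv_records() {
    csr_domain=$1; csr_dc=$2; csr_file=$3; csr_rc=0
    for csr_entry in $REQUIRED_SRV; do
        csr_name="${csr_entry%%:*}.$csr_domain."
        csr_port=${csr_entry##*:}
        # every port:target pair published for this SRV name
        csr_targets=$(awk -v n="$csr_name" '$1 == n && $4 == "SRV" { print $7 ":" $8 }' "$csr_file")
        if [ -z "$csr_targets" ]; then
            echo "MISSING   $csr_name"; csr_rc=1
            continue
        fi
        csr_flat=" $(echo "$csr_targets" | tr '\n' ' ')"
        case "$csr_flat" in
            *" $csr_port:$csr_dc. "*) echo "ok        $csr_name -> $csr_dc. port $csr_port" ;;
            *) echo "MISMATCH  $csr_name has$csr_flat(expected $csr_port:$csr_dc.)"; csr_rc=1 ;;
        esac
    done
    return $csr_rc
}

# write_sample_zone FILE: constructed `host -al mydomain.private` output (not real data),
# shaped like the listing from the test VM above, including the non-record header lines.
write_sample_zone() {
    cat > "$1" <<'EOF'
Trying "mydomain.private"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
mydomain.private. 900 IN SOA server1.mydomain.private. root.mydomain.private. 1 28800 7200 604800 900
server1.mydomain.private. 900 IN A 192.0.2.10
_ldap._tcp.gc._msdcs.mydomain.private. 900 IN SRV 0 100 3268 server1.mydomain.private.
_ldap._tcp.dc._msdcs.mydomain.private. 900 IN SRV 0 100 389 server1.mydomain.private.
_ldap._tcp.pdc._msdcs.mydomain.private. 900 IN SRV 0 100 389 server1.mydomain.private.
_kerberos._tcp.dc._msdcs.mydomain.private. 900 IN SRV 0 100 88 server1.mydomain.private.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.private. 900 IN SRV 0 100 389 server1.mydomain.private.
EOF
}

if [ $# -ge 2 ]; then
    # live mode: zone transfer from the master's own DNS, then check it
    zone=$(mktemp)
    host -al "$1" > "$zone" 2>&1
    check_srv_records "$1" "$2" "$zone"; rc=$?
    rm -f "$zone"
    exit $rc
else
    # demo mode against the constructed listing
    zone=$(mktemp)
    write_sample_zone "$zone"
    check_srv_records mydomain.private server1.mydomain.private "$zone"
    rm -f "$zone"
fi
```

If a line comes back MISSING the client cannot locate a DC (or, for the `_kerberos` record, a KDC) at all; if it comes back MISMATCH the records exist but name a host other than the one you are running on, which is exactly what the "no domain controllers could be contacted" dialog looks like from the Windows side. Run it on the master itself, since `host -al` needs a zone transfer and the master's bind accepts that from localhost.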

I don’t know why it works now - I didn’t change anything (for real), but

[code]host -al $(dnsdomainname) | grep " SRV "[/code]
delivers the entries now and a domain join works.

The only thing to do for me was: patience…

Anyways: thanks a lot for your help!

Update:
It worked when I deactivated IPv6 on the clients. I generally don’t use IPv6 in my network, although some components have it activated. Perhaps there’s some misconfiguration, which I should have a closer look into…

Dear god. I’ve been troubleshooting the problem for two days straight, on 4 different Microsoft AD replacement solutions. It’s been the same across all of them. But WHY must ipv6 be disabled? How can this be fixed so that this setting can be re-enabled now that I’ve joined the domain?
