I am running UCS 4.x (“free for personal use” version). The server is 4.0-1 errata142. After I installed the server, I joined a Windows 8.1 PC to the domain with no problems. I was able to join an XP PC to the domain today.
However, Win7 Pro PCs will not join. This is the troubleshooting info I see:
An Active Directory Domain Controller (AD DC) for the domain “mydomain.private” could not be contacted.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain “mydomain.private”
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.private
The following domain controllers were identified by the query:
server1.mydomain.private
I am not aware of any specialties which would allow win8.1 and xp to join the UCS master but block win7 systems.
I would check the dns settings at the client - you can take a look at the following SDB article for further reference: Troubleshooting domain joins of Windows clients
I am able to join one of my test Win7 clients to an MS AD domain. I believe this error is on the UCS server, not on the client side. The UCS DNS server seems to be missing something that a client needs in order to join the domain.
When testing, my clients always point to the DC of the domain we wish to join as the only DNS server.
In the absence of any helpful troubleshooting information, it does not appear that we can proceed with UCS testing.
After a successful default installation of a UCS system (here 4.0-1) with samba 4, all needed things should already be present for joining windows clients - especially all relevant SRV records.
Did I get you right that Windows 8.1 clients and Windows XP clients can be joined and only Windows 7 doesn’t work? Is it one special client that you are testing, or several machines? Just to clarify my intention of asking: I am aware of many windows 7 clients in several customer environments that are successfully joined and working in UCS 4 domains.
I am sorry to hear that the Troubleshooting domain joins of Windows clients article in our support knowledge database wasn’t able to help you.
Did you get the chance to test these things?
Could you please show me the outputs so that I am able to help you?
[code]# At your UCS master
host -al $(dnsdomainname) | grep " SRV "
# At your Windows 7 client
ipconfig /registerdns[/code]
Is the system time correct at the client? This is mandatory for kerberos/samba4 to properly authenticate.
As a last step, as mentioned in the troubleshooting article, I would raise samba debug and analyse the log files:
ucr set samba/debug/level=4
/etc/init.d/samba restart
less /var/log/samba/log.samba
From the client:
“ipconfig /registerdns” returns only the generic message that the update has been initiated, but I see no related messages in Event Viewer.
After setting the Samba log level to 4 as recommended, I see this message frequently in the log:
Runtime Error: kinit for SRV1$DOMAIN.PRIVATE failed (Cannot contact any KDC for requested realm)
. . . SRV1 and DOMAIN.PRIVATE being placeholders for my real server and domain name.
When this UCS server was installed about two months ago, I was able to join clients regardless of OS. I was able to join an XP client earlier this week, but three Win7 desktops cannot join. My only Win8x test PC is already joined and sees domain resources, but I would guess that another 8x client could not join now.
[quote]The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.private
The following domain controllers were identified by the query:
server1.mydomain.private
However no domain controllers could be contacted.
[/quote]
from your last post:
I would guess that there is a mismatch between the DNS-settings of the client(s) and the server. In addition the hostname of the server should be checked against the existing SRV-records for your domain.
Thanks. Where would I find documentation for what DNS records might need to be recreated, and does either the server or management console have any tools to troubleshoot DNS?
same problem here - fresh install, not able to join a win7 pro workstation into the domain. i followed that link sdb.univention.de/1263 - which didn’t help me.
the samba logfile didn’t deliver any clues…
it's a test server on an esx host. as i mentioned before, it's an installation from scratch, using the latest iso image. at the installer, i only chose “active directory compatible domain controller”.
i suppose, as soon as the setup assistant got all the asked information and the installation is complete, one can join a windows 7 or 8 client? at least i didn’t find any more steps so far to go for AD-services in the official documentation.
which errors can i do at these few basic steps?
thanks for any help in advance!
edit:
root@srv01:/usr/bin# samba-tool domain info 10.0.0.60
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
added interface eth0 ip=10.0.0.60 bcast=10.255.255.255 netmask=255.0.0.0
finddcs: searching for a DC by IP 10.0.0.60
finddcs: performing CLDAP query on 10.0.0.60
finddcs: Found matching DC 10.0.0.60 with server_type=0x000003fd
Forest : XXX.intranet
Domain : XXX.intranet
Netbios domain : XXXXXXXXXX
DC name : srv01.XXXXX.intranet
DC netbios name : SRV01
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
root@srv01:/usr/bin#
So the samba service seems to be configured but the Win 8.1 client says that either the domain is not available or there is no connection…
In general the same things can go wrong during the attempt to join a Windows-based AD as with UCS/Samba4.
From my point of view there is no need (anymore) to describe the join-process for Windows-Clients in an extra documentation.
Basically most of these issues are related to IP-configuration, DNS and Time/NTP problems on the client side.
As a rule of thumb and to make things easier I would configure DHCP on the server to make sure that clients can get correct routing and DNS information.
If these steps are not successful it would help if you could describe some more details.
I have often wondered in my earlier days in this business that some bugs I have filed have been closed as “WORKSFORME”. The reason was simply that I did not describe the scenario, the steps and of course the results I expected in a way that the people reading my problem are able to understand it. (“it doesn't work” is not an error description)
Resolving external hosts is unrelated to the join issue but your test proves:
the client is using 10.0.0.60 as DNS-server (which is your DC according to your previous post)
name services on the UCS are operational
You should be able to resolve “srv01.XXXXX.intranet” too.
Checking the necessary SRV records (see SDB 1263) in Windows is a bit complicated. Let's assume the client gets them if you have checked this on the server as mentioned in the SDB article.
The next step should be to verify that time on client and server do not differ. Take care of different timezones.
I would first try to join by using the domain, see output of “samba-tool domain info”. Netbios domain should work too, but it is not the preferred method anymore (AFAIR).
If it still doesn't work you may try to get more information from the event log of the client.
the clients can both resolve “srv01” and “srv01.domain.intranet” and i both tried a domain join with “domain” and fqdn.
time settings also seem to be correct.
i really believe, that something at the ucs installation went wrong or is missing:
i’m not sure - but when i installed samba 4 (several alpha and rc releases) on a ubuntu server, i used also bind9 for dns.
but:
root@srv01:/var/log/samba# ps fax | grep bind9
10055 pts/1 S+ 0:00 _ grep bind9
root@srv01:/var/log/samba#
-> returns no running bind server.
I already tried several test installations the last few hours. there also was a “full-on” installation and i do believe that i noticed a running bind server…?
does the univention configuration use the samba-internal dns or bind?
#####edit#####
sorry, my fault:
root@srv01:/var/log/samba# ps fax | grep bind
2468 ? Ss 0:00 /sbin/rpcbind -w
2902 ? Ss 0:00 _ runsv univention-bind-samba4
9838 ? Sl 0:00 | _ /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0
2903 ? Ss 0:00 _ runsv univention-bind
2905 ? Ss 0:00 _ runsv univention-bind-proxy
10442 pts/1 S+ 0:00 _ grep bind
7664 ? Ss 0:00 | _ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
7667 ? S 0:00 | _ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
8710 ? S 0:00 | _ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root@srv01:/var/log/samba#
the server had preconfigured my home-router as external dns. i removed that entry and tried again to ping heise.de - but now without success. although the nameserver seems to be up and running?
Update:
It worked when I deactivated IPv6 on the clients. I generally don’t use IPv6 in my network, although some components have it activated. Perhaps there’s some misconfig, which I should have a closer look into…
Dear god. I’ve been troubleshooting the problem for two days straight, on 4 different Microsoft AD replacement solutions. It’s been the same across all of them. But WHY must ipv6 be disabled? How can this be fixed so that this setting can be re-enabled now that I’ve joined the domain?
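An added example, not part of the thread and not Univention's code: a Python check over a saved zone listing (the kind of output the `host -al $(dnsdomainname)` command suggested above produces) that reports missing domain controller SRV records, SRV targets without an A record, and SRV targets that also publish an AAAA record, since the join in this thread only succeeded once IPv6 was disabled on the clients. The list of expected SRV names, the function name and the sample zone (documentation addresses) are assumptions of this example.

```python
import re

# Assumption of this example: SRV owner names (relative to the domain) that an
# AD-compatible DC normally registers and that clients use to locate it.
REQUIRED_SRV = ["_ldap._tcp.dc._msdcs", "_ldap._tcp", "_kerberos._tcp",
                "_kerberos._udp", "_kpasswd._tcp"]

# owner  TTL  IN  TYPE  RDATA   (whitespace may be tabs or spaces)
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(SRV|A|AAAA)\s+(.+)$")

# Constructed sample listing, not taken from the thread.
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.mydomain.private. 900 IN SRV 0 100 389 server1.mydomain.private.
_ldap._tcp.mydomain.private. 900 IN SRV 0 100 389 server1.mydomain.private.
_kerberos._tcp.mydomain.private. 900 IN SRV 0 100 88 server1.mydomain.private.
_kpasswd._tcp.mydomain.private. 900 IN SRV 0 100 464 server1.mydomain.private.
server1.mydomain.private. 900 IN A 192.0.2.10
server1.mydomain.private. 900 IN AAAA 2001:db8::10
"""

def check_dc_records(zone_text, domain):
    """Return missing SRV names and address-record findings for SRV targets."""
    domain = domain.rstrip(".").lower()
    srv, addrs = {}, {}
    for line in zone_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # SOA, NS, comments and blank lines are ignored
        owner = m.group(1).rstrip(".").lower()
        rtype, rdata = m.group(2), m.group(3).split()
        if rtype == "SRV" and len(rdata) == 4:  # priority weight port target
            srv.setdefault(owner, []).append(rdata[3].rstrip(".").lower())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rtype)
    targets = sorted({t for recs in srv.values() for t in recs})
    return {
        "missing_srv": [n for n in REQUIRED_SRV if f"{n}.{domain}" not in srv],
        # A target with no A record cannot be reached by an IPv4-only client.
        "targets_without_a": [t for t in targets if "A" not in addrs.get(t, set())],
        # A target with AAAA may be tried over IPv6 first by a dual-stack client;
        # verify that address is actually reachable from the client.
        "targets_with_aaaa": [t for t in targets if "AAAA" in addrs.get(t, set())],
    }

if __name__ == "__main__":
    for key, value in check_dc_records(SAMPLE_ZONE, "mydomain.private").items():
        print(f"{key}: {value}")
```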