
Feature #27584

Get DC/GC SRV records from the default site if DNS is broken in local site

Added by Emanuel Klein over 1 year ago. Updated 5 months ago.

Status:
Done
Priority:
No priority
Assignee:
Andrew Walker
Category:
Services
Target version:
Estimated time:
Severity:
Low Medium
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Description

Assuming two Active Directory Sites. Domain Controller in Site A. FreeNAS in Site B.
Assuming a working DNS infrastructure with properly set resolver/forwarder on FreeNAS.

Current behaviour
Upon joining a domain using basic settings
1) The script properly resolves the site in which FreeNAS currently resides. -> SiteB
2) The script tries to contact a DC in its current site. -> no DC available
<service>.<SiteB>._sites.dc._msdcs.<domain>
3) The join process fails

Upon joining a domain using advanced settings,
1) "hardcoding" SiteA - where an active DC resides.
2) The script properly resolves services in the hardcoded SiteA.
<service>.<SiteA>._sites.dc._msdcs.<domain>
3) The join process succeeds

The drawback of this variant is lost resiliency when SiteA is not reachable but other DCs are potentially available in other Sites.

Expected behaviour -> Standard Windows Client behaviour
1) The script fails to contact a DC in its local site
<service>.<SiteB>._sites.dc._msdcs.<domain>
2) The script performs a fallback lookup to find non-site-specific services.
<service>.dc._msdcs.<domain>

This will also fix the drawback mentioned when "hardcoding" the site.
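The fallback the report describes, as an added example (not FreeNAS code): it builds the DC locator SRV names, queries the site-specific name first and falls back to the domain-wide name, run here against a constructed zone (example.test, dc1, SiteA/SiteB are assumed names) in which the only DC is in SiteA. Ordering by weight is simplified to a sort rather than RFC 2782's weighted random pick.

```python
# Added example (not FreeNAS code): DC locator SRV lookup with the fallback
# the ticket asks for. Site-specific name first, then the domain-wide name.
# The resolver is injected so the logic runs offline against a constructed
# zone; in production pass a function backed by a real DNS library.
from typing import Callable, Dict, List, Optional, Tuple

# One SRV answer as (priority, weight, port, target).
SrvRecord = Tuple[int, int, int, str]
Resolver = Callable[[str], List[SrvRecord]]


class NoRecords(Exception):
    """Raised when a name has no SRV records (NXDOMAIN or empty answer)."""


def srv_names(service: str, kind: str, domain: str, site: Optional[str] = None) -> List[str]:
    """Lookup names in fallback order. kind is 'dc' (domain controller) or 'gc' (global catalog)."""
    names = []
    if site:
        names.append(f"_{service}._tcp.{site}._sites.{kind}._msdcs.{domain}")
    names.append(f"_{service}._tcp.{kind}._msdcs.{domain}")
    return names


def locate(resolve: Resolver, service: str, kind: str, domain: str,
           site: Optional[str] = None) -> Tuple[str, List[SrvRecord]]:
    """Return (name that answered, records ordered by RFC 2782 priority/weight)."""
    for name in srv_names(service, kind, domain, site):
        try:
            records = resolve(name)
        except NoRecords:
            continue  # fall through to the next, less specific name
        if records:
            # Lowest priority first; within a priority, higher weight first.
            return name, sorted(records, key=lambda r: (r[0], -r[1]))
    raise NoRecords(f"no {kind} offering {service} found for {domain}")


# Constructed zone for the ticket's scenario: the only DC is in SiteA, so the
# SiteB-specific names do not exist while the domain-wide names do.
FAKE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.SiteA._sites.dc._msdcs.example.test": [(0, 100, 389, "dc1.example.test.")],
    "_ldap._tcp.dc._msdcs.example.test": [(0, 100, 389, "dc1.example.test.")],
    "_kerberos._tcp.dc._msdcs.example.test": [(0, 100, 88, "dc1.example.test.")],
}


def fake_resolve(name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query, answering only from FAKE_ZONE."""
    if name not in FAKE_ZONE:
        raise NoRecords(name)
    return FAKE_ZONE[name]
```

Calling `locate(fake_resolve, "ldap", "dc", "example.test", site="SiteB")` returns the domain-wide name and dc1, which is exactly the second lookup the report expects a Windows client to make.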

History

#1 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Release Council to John Hixson
  • Target version set to 11.3
  • Seen in changed from TrueNAS 11.1-U1 to 11.1

#2 Updated by John Hixson over 1 year ago

  • Status changed from Unscreened to Screened

#3 Updated by Kris Moore over 1 year ago

  • Status changed from Screened to Not Started

#4 Updated by John Hixson over 1 year ago

  • Assignee changed from John Hixson to Timur Bakeyev

#5 Updated by Timur Bakeyev over 1 year ago

  • Severity set to Low Medium

#6 Updated by Ben Gadd over 1 year ago

  • Target version changed from 11.3 to Backlog

#7 Updated by Timur Bakeyev about 1 year ago

  • Tracker changed from Bug to Feature
  • Category changed from OS to Services
  • Status changed from Not Started to Screened
  • Seen in deleted (11.1)
  • ChangeLog Required deleted (No)

#8 Updated by Timur Bakeyev about 1 year ago

  • Target version changed from Backlog to 11.3
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

That sounds like a reasonable idea, but we need to make sure that there are no drawbacks of such a change.

#9 Updated by Dru Lavigne 12 months ago

  • Assignee changed from Timur Bakeyev to John Hixson

#10 Updated by Dru Lavigne 10 months ago

  • Assignee changed from John Hixson to William Grzybowski

#11 Updated by William Grzybowski 10 months ago

  • Status changed from Screened to Unscreened
  • Assignee changed from William Grzybowski to Andrew Walker
  • Target version changed from 11.3 to Backlog

#12 Updated by Andrew Walker 10 months ago

The situation is now different in 11.1-U6. The proper procedure in the circumstances laid out above is to hardcode Site A.

This site will be used for operations where we rebuild the directory service cache, and we will try to use it to regenerate the smb4.conf file; however, if the site is unavailable we now leave the smb4.conf file configured and samba running. This means that services should not be interrupted while the winbind connection manager transitions to the next available DC.

The key manual configuration step (apart from hardcoding the site) is to also add multiple servers (space delimited list) in the advanced settings for your kerberos realm. The list should be in order of preference.

Eventually, the issue in the ticket will need to be resolved by reworking how some of our ancillary directory service code works, but the reported issue can now be worked around.

#13 Updated by Andrew Walker 10 months ago

  • Status changed from Unscreened to Screened

#17 Updated by Bug Clerk 9 months ago

  • Status changed from Screened to In Progress

#18 Updated by Bug Clerk 9 months ago

  • Status changed from In Progress to Ready for Testing

#19 Updated by Bug Clerk 9 months ago

  • Target version changed from Backlog to 11.3

#20 Updated by Dru Lavigne 9 months ago

  • Subject changed from AD join fails with no Domain Controller in local site to Get DC/GC SRV records from the default site if DNS is broken in local site

#21 Updated by Dru Lavigne 7 months ago

  • Target version changed from 11.3 to 11.3-BETA1

#24 Updated by Dru Lavigne 5 months ago

  • Status changed from Ready for Testing to Done
  • Needs QA changed from Yes to No

#26 Updated by Dru Lavigne 5 months ago

  • Target version changed from 11.3-BETA1 to 11.3-ALPHA1
