AD Service not working - AD Directory Services Control missing from webgui after GUI upgrade
After GUI upgrade from 8.3.2 to 126.96.36.199 Active Directory connection is not working, and no "Services → Control Services → Directory Services" entry exists, see attached screenshot...
Prior to the update everything worked as expected.
AD running on multiple Windows 2012 R2 Update 1 instances in Windows 2003 mode.
DCs and DNS servers can be reached from FreeNAS server.
The FreeNAS server has 4 network interfaces bundled as 2xLACP groups connected to different IPv4 LANs (one using a tagged VLAN).
#3 Updated by Josh Paetzel about 6 years ago
Ok. There's a post on the forums about how to troubleshoot AD. I don't have the link to it handy, but I'll attach the link next time I'm at my computer.
There are also troubleshooting steps in the documentation.
We'll need to go through that and get some logs to determine exactly what the problem is.
#4 Updated by Peter NESWAL about 6 years ago
Looks like somehow during the upgrade process the AD config got messed up - the smb4.conf in /etc/local now shows under security = user instead of ADS. And with all the settings for the Active Directory present, FreeNAS seems to think it's already connected to an AD and doesn't allow a rejoin. Maybe there is a way to directly modify the FreeNAS database settings?
#6 Updated by John Hixson about 6 years ago
There is a post there by me describing the steps to troubleshoot AD. Follow them and report back here what you find.
#7 Updated by Peter NESWAL about 6 years ago
sqlite3 /data/freenas-v1.db "update services_services set srv_enable = 1 where srv_service = 'directoryservice'"
service ix-kerberos start
service ix-kinit start
service ix-kinit status
echo $? # this should be 0
service ix-kerberos status
returns "ix-kerberos is not running"
#8 Updated by Peter NESWAL about 6 years ago
Unfortunately a few combined things created the trouble:
1.) activation of active directory services finally worked (System -> General -> Directory Service). At first I didn't realize this new config option there.
2.) still no success - kerberos failed. After some testing:
We have two IPv4 addresses per domain controller - seems that samba didn't like that, and messed things up between DNS and RPC retrieved info. Worked after removing the second IPv4 address from the master domain controller and updating DNS data.
3.) Now kerberos and AD join worked but the "net -k ads status [DOMAIN]" call failed. Probably because the contacted DC is running as a VM. Increasing "AD and DNS timeout" to 120 finally worked (60 still failed).
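
A pre-join check for the two conditions reported in this thread (smb4.conf left at security = user, and a domain controller published under two IPv4 addresses), added here as an example and not code from the posters or the FreeNAS project. The function names, the "hostname address" input format and all sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; all hostnames, addresses and config lines are constructed.

# Print the effective "security" value from [global] in a Samba config file,
# lower-cased. Lines starting with # or ; are comments. If the key appears
# more than once the last one is reported (assumed to be the one in effect).
smb_security_mode() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = tolower($0); gsub(/[ \t\r]/, "", sec)
            in_global = (sec == "[global]"); next
        }
        in_global {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key == "security") {
                mode = tolower(substr($0, eq + 1))
                gsub(/^[ \t]+|[ \t\r]+$/, "", mode)
            }
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Read "hostname ipv4-address" pairs on stdin (for example, collected from DNS
# lookups of each domain controller) and print, sorted, every hostname that
# has more than one distinct address.
multi_homed_dcs() {
    awk '
        NF >= 2 {
            host = tolower($1)
            if (!((host, $2) in seen)) { seen[host, $2] = 1; count[host]++ }
        }
        END { for (h in count) if (count[h] > 1) print h }
    ' | sort
}

# Demo on constructed input: a config left at "security = user" and a DC
# published under two addresses.
conf=$(mktemp)
printf '%s\n' '[global]' '    workgroup = EXAMPLE' '    security = user' > "$conf"
echo "security mode: $(smb_security_mode "$conf")"
rm -f "$conf"
printf '%s\n' 'dc1.example.test 192.0.2.10' 'dc1.example.test 192.0.2.11' \
    'dc2.example.test 192.0.2.20' | multi_homed_dcs
```

Anything other than "ads" from the first function, or any hostname printed by the second, matches a condition described in the comments above and is worth resolving before attempting the join.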