Active Directory Issues

[taylordude4493]

New to TRUENAS but loving it so far. Trying to join my domain by following the literature. After entering domain and credentials nothing happens, shows no pending task, no errors no nothing and obviously its not working. I have verified DNS and I can ping the domain via TNAS Shell. When I run "midclt call activedirectory.get_state" for a status I get the response "disabled". So obviously I am missing something? Any help would be great.. Thanks in advance..

 

[Kris Moore]

@taylordude4493

Glad you're enjoying TrueNAS! Just to check first, on the AD page did you check the Enable checkbox and click save?

 

[taylordude4493]

That seems to be it, thank you. One last question I now get a Clock Skew error of 3 minutes which makes the process fail. Times look correct to me on both NAS and Domain servers.. Any idea what would be causing that?

 

[Kris Moore]

Both NAS and Domain server should be syncing from the same NTP server to ensure that there is no skew.

 

[taylordude4493]

Thanks for the reply, but I had already set my NTP (FreeNas Server) to my Domain Controller and still get this error..

[EFAULT] activedirectory_update: Failed to validate domain configuration: [EFAULT] Clockskew between XXXXX.XXXXXXX.local and NAS exceeds 3 minutes: 4:58:06.002716

I muted out the actual domain name but it was my domain..

Messed with it for two hours yesterday, shouldn't be this difficult...

 

[Kris Moore]

Yea, clearly something isn't quite right here then. Can you run the "date" command on the TrueNAS and also on your DC to confirm you are seeing the time skew?

 

[taylordude4493]

Yea date command is giving me something different.. Ugh..

# date
Wed Jan 20 04:02:28 EST 2021

My DC/NTP Server has the correct time and do my domain machines..

I have set
System>NTP is set to my domain DC/NTP
System>General is set to New York EST and displays correct time?

 

[anodos]

It might be an issue with timezones as well. I've had issues before in the past where my TrueNAS was on EST and the DC was on PST with clock off by 3 hours. Time looked same on superficial examination, but was 3 hours off (which breaks kerberos entirely).

 

[taylordude4493]

Primary DC is set to UTC - (05:00) Eastern Time (US Canada) and displayed time is correct. 09:11 AM

 

[anodos]

You can manually correct time on the NAS by running the command date 202101200921 year, month, date, hour, minute.

 

[taylordude4493]

Okay changed time manually as you suggested and now I was able to save AD with no clockskew errors, appears to have worked. What is the best method for verifying it did join the Domain?

 

[taylordude4493]

Looks like joining the domain failed, going down a rabbit hole, seems like this might be a bit to much to manage if something this simple is so difficult..

 

[anodos]

Looks like joining the domain failed, going down a rabbit hole, seems like this might be a bit to much to manage if something this simple is so difficult..

There is a task manager on the top-right of the screen that will show where it failed at. Having clock off by 5 hours is a significant error condition in an AD environment.

 

[taylordude4493]

I understand but my NTP server is setup correctly, I have 22 machines that use it everyday and a number of software suites. Group Policies are correct and I have had zero issues with NTP on my domain. Why FREENAS is polling something different no idea but just doing a quick search I am not the only one struggling with this issue. I appreciate the help, thank you.