TrueNAS loses connectivity to AD server after full shutdown.

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
Hello All,

This concerns TrueNAS instances in general; observed in both VM and bare-metal instances.

Domain joined, domain firewall on the DC is off. Naming convention as per the AD connectivity guide.

Problem: after a full environment shutdown/reboot (DC, FW and TrueNAS), the file server loses connectivity with the DC.

Meaning any shares issued to an AD member will no longer be valid, because the user ID cannot find an associated username.

Via the user and group drop-down I can still see and select users and groups available to be assigned; however, the operation errors out. I will post a screenshot later tonight.

As it stands right now, I will have to create the users as local users in TN instead of leveraging the power of AD.

Any ideas on what could be wrong?
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
Do both the AD machine and the TrueNAS server have fixed IP addresses? What manages IP addresses on your LAN? The AD machine's DHCP server or one on your router? Is the TrueNAS server defined in the DNS settings on the AD machine as well as in the forest?

My AD machine is a VM on my Proxmox cluster and all my Windows machines log in to the domain using that VM. They all get static IP addresses. My router allocates addresses on my LAN. Both TrueNAS and the AD machine are set up with static IP addresses which the router knows about and won't change. Keeping responsibilities well separated works for me and after a power down, TrueNAS Core finds the AD machine and reconnects without problems.
 

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
Their static IPs are not set via network settings, but in a router static DHCP lease. In pfSense, I have my DNS resolver point to my AD controller for any domain inquiries, so it's always resolving. I don't have any issues with AD-joined Windows machines. If I rebuild the storage server in WS 2019 or 2022, it works fine, but TN falls off.
 


unseen

Contributor
Joined
Aug 25, 2017
Messages
103
Time to start digging into the TrueNAS and Windows logs. The only difference compared to my configuration would seem to be DNS.

I have my TrueNAS server set to use the AD as the primary DNS and my router as the secondary DNS. Both TrueNAS and the AD have static IP addresses which are reserved in the router so that it knows about their DNS names. All addresses I set as static are set on the machine in question and fall in a range which the DHCP server on my router won't give out to any other machine.
All the machines which connect to the AD are defined in the AD forest and the DNS settings on the AD.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
> Time to start digging into the TrueNAS and Windows logs. The only difference compared to my configuration would seem to be DNS.
>
> I have my TrueNAS server set to use the AD as the primary DNS and my router as the secondary DNS. Both TrueNAS and the AD have static IP addresses which are reserved in the router so that it knows about their DNS names. All addresses I set as static are set on the machine in question and fall in a range which the DHCP server on my router won't give out to any other machine.
> All the machines which connect to the AD are defined in the AD forest and the DNS settings on the AD.

Router DNS probably isn't populated with AD SRV records. You should only use DCs for nameservers when possible.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
If DNS is configured correctly, you're running latest release, and don't have weird circular dependencies (like having your nameservers hosted on the NAS itself), then feel free to PM me a debug (with a link pointing back to this ticket) and I'll see if there's an underlying issue.
 

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
My pfSense router doesn't have any AD records.
It also acts as a nameserver and, TBH, it works wonders as-is, minus this mishap.
Meaning that FQDNs populate and are remembered as the router learns them.

IDK, I straight up think that I am missing something and for the life of me I can't figure it out.
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
I think anodos put his finger on the problem. The AD's DNS serves records which your router won't have and won't support, even if you configure the pfSense DNS to query the AD server. So, for TrueNAS to find and properly connect to the AD machine, the primary DNS must be satisfied by the DNS server on the AD machine, and you need to define the AD machine with static addresses and not provide the address to the AD machine via DHCP on the router.
 

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
hmm, definition of hitting the nail on the head.

Would you both be willing to stick it out with me till the end? I will recreate a dummy domain and set it up as you guys have described and report back.

Thank you both for your in-depth input!
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
Good luck!
 

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
Update:

Remade the domain as per the advice; same result. TrueNAS shares become unusable due to being "unable to find a username for this user ID". This is observed immediately after a shutdown or a reboot.

Checked domain connectivity and it lost access to the domain somehow. In GPO, the domain firewall is disabled. In TrueNAS, I manually added the IP of the DC as nameserver.

Which way to go now?
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
All I can do to help you here is to show you exactly how my TrueNAS and domain controller are configured, so here comes a lot of screen shots...

First off, here's how my networking is configured on TrueNAS

tn.png


My Domain Controller has the static IP address 192.168.1.200, my router is 192.168.1.1 and as you can see, my domain is camelot.lan.
IPV6 is disabled and is not used in my network.
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
Next, on the domain controller, here is how the DNS Manager is configured:

DNS1.png


My TrueNAS server is called 'freenas' and has the static IP address 192.168.1.12. This is assigned on the TrueNAS server and there is a corresponding entry as a permanent lease in my router.

The forward lookup zone 'camelot.lan' was added by me manually and that's where I've also defined all the machines that the domain needs to talk to. The domain controller itself is called DC01 and is defined here as well. The domain controller has the static IP address 192.168.1.200 and that is defined in the domain controller's network configuration as well as here.

Server Manager->Local Server shows the following:

DC01.png
 

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
I'm not sure what else I can show you. If I reboot either the domain controller or the TrueNAS server, then once both of them are up and running again, the connection between TrueNAS and the domain controller is automatically reestablished.
Of course, during the time that the domain controller is down, domain users will have problems, even though TrueNAS is up and running.

To set all this up, I followed the TrueNAS documentation at: https://www.truenas.com/docs/core/coretutorials/directoryservices/activedirectory/
I think I may have also found some other information regarding configuring the Windows side of this, but I don't appear to have saved a bookmark to it.

To be able to help you further, more information is needed about exactly how you have configured things.
 

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
Thank you for your continued support in trying to resolve this issue, or to at least understand it.

Here is my setup as well, similar to yours. The only difference is that TrueNAS receives its IP via pfSense, which has a static lease for it; I did not manually set a static IP in TrueNAS settings.

Currently my domain controller is a physical machine which is also acting as a file server. but the preference and goal is to virtualize both.
 

Attachments:

  • AD-Connectivity problem.PNG
  • DNS-INFO.PNG
  • truenas-domain credentials page.PNG
  • truenas-network info.PNG
  • users and Computers.PNG

unseen

Contributor
Joined
Aug 25, 2017
Messages
103
You don't seem to have a forward lookup zone for the domain and I think that's a requirement. Also, the domain controller must be the TrueNAS server's primary DNS server and should be what both TrueNAS and the domain controller consider to be the authoritative DNS for the network.

I'm far from an expert in configuring Windows Active Directory, so I'm out of further ideas. Hopefully someone more experienced might be able to comment.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
For AD to work the AD domain controllers must be the only name servers configured for all systems joined to the domain. Unless you have set up secondaries manually or some such. Also if you configure more than one nameserver in e.g. TrueNAS there is no priority. All are used in random fashion.
 
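One way to verify the point anodos and Patrick make above (every nameserver a joined host might use must answer for the AD SRV records, because TrueNAS picks among its configured nameservers without priority): the following is an added example, not code from this thread or from TrueNAS. Using only the Python standard library, it builds a raw DNS SRV query for _ldap._tcp.dc._msdcs.<domain>, sends it to each nameserver listed in a resolv.conf, and reports which ones return records. The domain camelot.lan, the DC address 192.168.1.200 and the router 192.168.1.1 are taken from unseen's posts; the sample reply bytes are constructed so the parser can be exercised offline.

```python
"""Check that every nameserver a domain-joined host may use answers the AD
SRV query.  Added example, not code from the thread or from TrueNAS.
Assumptions: domain camelot.lan, DC 192.168.1.200, router 192.168.1.1 (from
unseen's posts); the sample reply bytes below are constructed, not captured."""
import random
import socket
import struct
import sys

DOMAIN = "camelot.lan"
SRV_NAME = f"_ldap._tcp.dc._msdcs.{DOMAIN}"   # record every DC must publish
QTYPE_SRV, QCLASS_IN = 33, 1


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SRV, txid=None):
    """Return (txid, packet) for a recursion-desired query of `name`."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def read_name(data, offset):
    """Decode a name at `offset`, following compression pointers; return (name, end)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if jumped else offset


def parse_srv_response(data, expected_txid=None):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode, records, offset = flags & 0x000F, [], 12
    for _ in range(qdcount):                             # skip the echoed question
        _, offset = read_name(data, offset)
        offset += 4
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack(">HHH", data[offset:offset + 6])
            target, _ = read_name(data, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return rcode, records


def query_srv(nameserver, name=SRV_NAME, timeout=2.0):
    """Send the SRV query over UDP and parse the answer."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data, txid)


def nameservers_from_resolv_conf(text):
    """Every 'nameserver' line counts: TrueNAS uses them without priority."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def check_resolvers(resolv_text, name=SRV_NAME):
    """Map each resolver to its SRV answer (or an error string)."""
    results = {}
    for ns in nameservers_from_resolv_conf(resolv_text):
        try:
            results[ns] = query_srv(ns, name)
        except (OSError, ValueError) as exc:
            results[ns] = f"error: {exc}"
    return results


def sample_response(txid=0x1234, nxdomain=False):
    """Constructed reply: what a DC answers (or NXDOMAIN from a router resolver)."""
    question = encode_name(SRV_NAME) + struct.pack(">HH", QTYPE_SRV, QCLASS_IN)
    if nxdomain:
        return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    rdata = struct.pack(">HHH", 0, 100, 389) + encode_name(f"dc01.{DOMAIN}")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_SRV, QCLASS_IN, 600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Offline demonstration on the constructed replies, then the live check
    # against /etc/resolv.conf when run with --live on the NAS itself.
    print("DC-style reply  :", parse_srv_response(sample_response(), 0x1234))
    print("router-style    :", parse_srv_response(sample_response(nxdomain=True), 0x1234))
    if "--live" in sys.argv:
        with open("/etc/resolv.conf") as fh:
            for ns, result in check_resolvers(fh.read()).items():
                print(ns, "->", result)
```

Run it with --live on the NAS: a resolver that answers rcode 3 (NXDOMAIN) or returns no SRV records for the _msdcs name is one that does not carry the AD zone. If that resolver appears in the TrueNAS nameserver list at all, it will be chosen for some lookups, and the join will intermittently behave as if the DC had disappeared, which matches the symptom after a reboot.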

vtheman93

Cadet
Joined
Oct 6, 2023
Messages
8
> You don't seem to have a forward lookup zone for the domain and I think that's a requirement. Also, the domain controller must be the TrueNAS server's primary DNS server and should be what both TrueNAS and the domain controller consider to be the authoritative DNS for the network.
>
> I'm far from an expert in configuring Windows Active Directory, so I'm out of further ideas. Hopefully someone more experienced might be able to comment.

The photo of my DNS is the forward lookup zone.

> For AD to work the AD domain controllers must be the only name servers configured for all systems joined to the domain. Unless you have set up secondaries manually or some such. Also if you configure more than one nameserver in e.g. TrueNAS there is no priority. All are used in random fashion.

It is the only name server configured.
 
