I’ve recently upgraded to 25.10.0 - Goldeye and I’ve had a couple of problems with Active Directory. It appeared to be to do with the clocks going out of sync between the two AD servers, but the problems did not go away once the time was synchronised.
I had some warnings to say:
• Stored machine account secret is invalid. This may indicate that the machine account password was reset in Active Directory without corresponding changes being made to the TrueNAS server configuration.
and then another one to say it was fixed again…
I tried to fix Active Directory in TrueNAS by disabling the setting in Directory Settings, but I was unable to since the status is shown as FAULTED. I've then tried various commands and tricks to try and remove the server from Active Directory but have been unable to.
I've now deleted the computer from Active Directory and also all references to the NAS within DNS on both Windows directory controllers.
Is there a way to forcefully remove the Active Directory configuration from TrueNAS so that I can rejoin (or not)? I really don’t want to destroy the server and start again…
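Before forcing anything, it helps to know whether the stored machine account secret is actually rejected by the DC and whether clock skew is still in play. The following is an added example for this thread, not code from the original post or from TrueNAS: read-only checks typed into the TrueNAS shell. It assumes the Samba tools (`net`, `wbinfo`, `klist`) are in PATH, as they are on TrueNAS SCALE, and the `net ads info` sample it parses is constructed for testing the parser. Nothing in it changes state.

```shell
#!/bin/sh
# Added example (not from the thread or TrueNAS): read-only checks for an AD
# join from the TrueNAS shell. Assumes the Samba tools (net, wbinfo, klist)
# are in PATH, as on TrueNAS SCALE. Nothing here changes state.

KRB_MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# Constructed sample of `net ads info` output, used only to test the parser.
SAMPLE_NET_ADS_INFO='LDAP server: 192.0.2.10
LDAP server name: dc1.corp.example
Workgroup: CORP
Realm: CORP.EXAMPLE
Server time: Tue, 04 Nov 2025 09:12:31 UTC
KDC server: 192.0.2.10
Server time offset: 2'

# Extract the "Server time offset" value (seconds) from `net ads info` output.
# Prints nothing if the line is absent (e.g. the command failed).
parse_time_offset() {
    printf '%s\n' "$1" | awk -F': *' '/^Server time offset:/ { print $2; exit }'
}

# Return 0 if |offset| is within the limit (default KRB_MAX_SKEW), else 1.
skew_within_limit() {
    off=$1; limit=${2:-$KRB_MAX_SKEW}
    case $off in -*) off=${off#-} ;; esac   # absolute value; skew can be negative
    [ -n "$off" ] && [ "$off" -le "$limit" ]
}

# Live checks, each read-only. Run with: sh ad_health.sh --run
run_checks() {
    rc=0
    echo "== DC time offset =="
    info=$(net ads info 2>&1) || { echo "net ads info failed: $info"; rc=1; }
    off=$(parse_time_offset "$info")
    if skew_within_limit "$off"; then
        echo "clock skew ${off}s is within ${KRB_MAX_SKEW}s"
    else
        echo "clock skew ${off:-unknown}s exceeds ${KRB_MAX_SKEW}s: Kerberos will fail"; rc=1
    fi
    echo "== machine account / trust secret =="
    wbinfo -t || rc=1           # checks the stored machine account password against the DC
    echo "== join status =="
    net ads testjoin || rc=1    # confirms the computer object still exists and is usable
    echo "== kerberos tickets =="
    klist 2>&1 || true          # informational: the middleware may use its own credential cache
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

A failing `wbinfo -t` with a passing `net ads testjoin` is the combination the warning in the original post describes: the computer object exists, but the password TrueNAS holds for it no longer matches the DC. If the computer object has already been deleted from AD, expect both to fail; the skew check still tells you whether time is part of the problem.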
I found this post from 2023 by NugentS about what sounds exactly like your issue; hope this helps:
*”I had the same issue. My DC connection shat itself (with possibly a major contributing factor from me, maybe a bit (say 100%)) and I couldn’t remove the NAS from the domain to reset the connection.
“When you joined AD with the wrong name it would have clobbered the machine account password and DNS entries for the other server. If you want to clear this stuff out, disable the AD plugin, clear its fields, remove kerberos realm and kerberos principal from old domain. You will also need to go into services->SMB and reset the workgroup to “WORKGROUP” or set it to the correct value for your new domain.”
This is what I was told. I was using the dropdowns and it just didn’t allow the removal operation. If you empty the fields then you can remove the connection which then allows you to reset the connection.”*
My only comment is, why do you only have one AD Domain Controller? You should have at least two, and where possible not on the same hardware, as minimum best practice for an AD environment. But anyway, hopefully that guide helps.
Thanks for your help. Unfortunately it didn’t solve my problem. Many of the settings it suggests changing are locked out due to the service being faulted!
Since I did this out-of-hours, I was able to restore backups for the domain controllers and then load a previous configuration for the TrueNAS box. The restore meant that the NAS is still part of Active Directory (I take backups of both DCs every 6 hours because I'm paranoid, so the backup was literally a couple of hours old). It's taught me that backups are my saviour and I now need to find a way of automating the TrueNAS config backups, even if that's just a repeating appointment in Outlook.
TL;DR: You can't (currently) manually remove Active Directory from a TrueNAS box without resetting the configuration. In my case I was able to restore from a backup from when it was working and then I have the option to leave the domain.
Thanks for that. I found a similar script (probably based on Joe's) that saves a backup to a path on the server. I then set up a replication task to send it to my Google Drive! Probably not the most elegant solution, but the crucial part is that I understand each part.
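For anyone setting up the same thing, here is an added example of such a backup script; it is not the script referred to above, not Joe's, and not TrueNAS's own code. It assumes the TrueNAS SCALE layout where the configuration database is `/data/freenas-v1.db` and the credential-encryption seed is `/data/pwenc_secret` (check both on your version), and it takes the source and destination directories as arguments so it can be run from a Cron Job against a dataset that a replication or cloud sync task then picks up. The point a practitioner should not miss: `pwenc_secret` decrypts every credential stored in the database, including the AD machine account secret this thread is about, so the archive must leave the box only with restrictive permissions and, ideally, encrypted.

```shell
#!/bin/sh
# Added example (not from the thread or TrueNAS): archive the TrueNAS config
# database and its encryption seed to a dataset, for pickup by a replication
# or cloud sync task. File names are assumptions for TrueNAS SCALE; check them
# on your version. Run with: sh config_backup.sh /data /mnt/tank/config-backups

# The config DB alone is not enough to restore: pwenc_secret decrypts every
# credential stored in it (AD machine account, LDAP bind, cloud credentials),
# which also makes the archive as sensitive as the root password.
CONFIG_DB=freenas-v1.db
SECRET_SEED=pwenc_secret
KEEP_DAYS=${KEEP_DAYS:-30}          # prune archives older than this

# backup_truenas_config SRC_DIR DEST_DIR
# Prints the path of the archive it created; returns non-zero on any failure.
backup_truenas_config() {
    src=$1; dest=$2
    for f in "$CONFIG_DB" "$SECRET_SEED"; do
        [ -r "$src/$f" ] || { echo "missing or unreadable: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/truenas-config-$(hostname)-$stamp.tar.gz"
    # Subshell so the restrictive umask (file mode 0600) does not leak to the caller.
    ( umask 077 && tar -czf "$archive" -C "$src" "$CONFIG_DB" "$SECRET_SEED" ) || return 1
    # Verify the archive reads back before trusting it; drop it if it does not.
    tar -tzf "$archive" >/dev/null || { rm -f "$archive"; return 1; }
    # Optional: encrypt to a GPG recipient before the file leaves the box.
    if [ -n "${GPG_RECIPIENT:-}" ]; then
        ( umask 077 && gpg --batch --yes -r "$GPG_RECIPIENT" -o "$archive.gpg" --encrypt "$archive" ) || return 1
        rm -f "$archive"
        archive="$archive.gpg"
    fi
    # Keep the dataset bounded.
    find "$dest" -maxdepth 1 -type f -name 'truenas-config-*' -mtime +"$KEEP_DAYS" -exec rm -f {} +
    echo "$archive"
}

if [ $# -eq 2 ]; then
    backup_truenas_config "$1" "$2"
fi
```

Set `GPG_RECIPIENT` in the Cron Job's environment if the destination is cloud storage; without it, the replication target holds a plaintext copy of every password the NAS knows. A restore is just extracting both files back into place (or uploading the database through the UI's config restore together with the seed), which is why the script refuses to run if either file is missing rather than producing an archive that only looks complete.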
This happens to me on every single reboot, either of the TN box or of my DC. And every time it happened, the issue fixed itself after about ten minutes.
Seems to be a bug, as I had never experienced this before 25.10.
Jira tickets are automatically marked private if a debug is publicly attached instead of via our private upload service, to protect user data from public access, which is what happened with that one.
It appears that the devs are still investigating and attempting to reproduce/determine a cause for it
Appreciate the info. It should be easy to reproduce: it happens on all my TrueNAS servers that authenticate against an AD DC. As the issue gets sorted out automatically after 10 minutes, I’ve learned to live with it for the moment.