Cannot join an Active Directory domain

Greetings, I’m unable to join my TrueNAS 25.10.2.1 system to a FreeBSD-hosted Samba 4 Active Directory domain due to the following error:

directoryservices.update.configuration.domain: DOMAINREDACTED: Failed to discover Active Directory Domain Controller for domain. This may indicate a DNS misconfiguration.

I’ve successfully joined a Windows 11 client to the domain. The FreeBSD host is running BIND 9 and has all the proper SRV, NS, and A records defined for the Active Directory. From my TrueNAS I can query all the SRV records using ‘host -t srv’ without any issue. As I’ve mentioned, a Windows 11 host on the same subnet as my NAS was successfully joined to the Active Directory domain and is using the user accounts there. Only TrueNAS 25.10.2.1 is having an issue discovering the domain controller. Does TrueNAS require a unique SRV record? The logs on the NAS don’t give much helpful info.

Still fails to join. My FreeBSD host clock is synced using NTP. My TrueNAS host clock is synced using NTP. My TrueNAS host’s primary DNS server is the FreeBSD Active Directory host that is serving the BIND 9 DNS configuration. Here is my DNS configuration:

dc1 IN A IP_REDACTED
dc1 IN AAAA IP_REDACTED
_kerberos-adm._tcp IN SRV 0 0 749 dc1
_kerberos-adm._udp IN SRV 0 0 749 dc1
_kerberos._tcp IN SRV 0 0 88 dc1
_kerberos._udp IN SRV 0 0 88 dc1
_kpasswd._tcp IN SRV 0 0 464 dc1
_kpasswd._udp IN SRV 0 0 464 dc1
_ldap._tcp IN SRV 0 0 389 dc1
_ldap._udp IN SRV 0 0 389 dc1
_ldap._tcp.pdc._msdcs IN SRV 0 0 389 dc1
_ldap._tcp.gc._msdcs IN SRV 0 0 389 dc1
_ldap._tcp.dc._msdcs IN SRV 0 0 389 dc1
gc._msdcs IN A IP_REDACTED

Windows has no problem joining this Active Directory domain but TrueNAS refuses and says my DNS may be misconfigured. Does anyone see any issues in my DNS configuration? As far as I know, the SRV records above are all that’s required by TrueNAS to join my AD.

Well, I’m convinced it’s not a DNS issue now. I was looking at /usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/activedirectory_join_mixin.py and I see they’re using the Samba libads library to get the Active Directory configuration. I think under the hood this SMBcmd.Net call is using ‘net ads info’, which fails because it doesn’t know the Kerberos realm. I edited my /etc/smb4.conf and added ‘realm = MY_AD_DOMAIN’, and now ‘net ads info’ works and I get past the original error looking up the domain controller. I’m also now able to ‘kinit’ on the NAS to get a Kerberos ticket from the domain controller. But now, both the TrueNAS GUI and the ‘net ads join’ CLI command fail, complaining that I can only join from the domain PDC. Of course, restarting SMB on the NAS wipes out my manual additions to smb4.conf.

Is anyone able to join TrueNAS SCALE to an Active Directory domain? I’m no expert at this and am not familiar with this Samba libads, but it seems to me there is some chicken-and-egg kind of problem with this join process. However, I’m not ruling out that I’m doing something stupid 🙂


Well, it actually was a DNS error, my bad. Cockpit error, I left out the domain root A record 🙂 Anyway, all is good now.


How did you do that? A DC creates these automatically. You are using AD-integrated DNS and all systems use the Windows DCs as their DNS servers, right? 🙂

No, I’m using Samba 4 Active Directory with a BIND 9 server, no Windows DC.


AD join issues on TrueNAS are almost always DNS related. The TrueNAS box needs to resolve the AD domain name to your domain controller IPs. Check these things: (1) set your DNS server to point to your domain controller IP (not a public DNS), (2) make sure nslookup yourdomain.local returns the correct DC IP from the TrueNAS shell, (3) verify that the SRV records resolve with nslookup -type=srv _ldap._tcp.yourdomain.local. If any of those fail, the AD join will fail with cryptic errors. Also check that the time on your TrueNAS box is within 5 minutes of the DC - Kerberos authentication requires time sync.
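The checks in the post above are run against the live resolver with nslookup. As an added example (not code from the thread, TrueNAS or Samba), the script below does the complementary offline check: it lints a BIND zone fragment like the one posted earlier for the records the thread discusses plus the domain apex address record that turned out to be missing. It assumes Python 3, uses constructed example addresses, and its REQUIRED_SRV table deliberately covers only the records named in this thread; it is not the full set that samba_dnsupdate provisions on a Samba DC. It does not query DNS, so it cannot replace nslookup/host against the DC, but it catches the "every SRV is there, the zone root itself is not" mistake before the join is attempted.

```python
"""Offline lint of a BIND zone fragment for the DNS records an AD client
uses to find a domain controller (added example; not TrueNAS/Samba code)."""
from collections import defaultdict

# Records discussed in the thread, mapped to the port the SRV should carry
# (None = don't check the port). Assumption: this is NOT the complete list
# samba_dnsupdate provisions; it is the subset relevant to this thread.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kpasswd._tcp": 464,
    "_ldap._tcp.dc._msdcs": None,
    "_ldap._tcp.pdc._msdcs": None,
    "_ldap._tcp.gc._msdcs": None,
}


def normalise(name, origin):
    """Owner/target name -> lower-case name relative to origin ('' = apex).
    Absolute names outside the zone keep their trailing dot."""
    name = name.lower()
    if name == "@":
        return ""
    if name.endswith("."):
        fqdn = name.rstrip(".")
        if fqdn == origin:
            return ""
        if fqdn.endswith("." + origin):
            return fqdn[: -len(origin) - 1]
        return fqdn + "."
    return name


def parse_zone(text, origin):
    """Parse 'owner [ttl] [class] type rdata...' lines into
    {(owner, TYPE): [rdata_tokens, ...]}. Handles ';' comments, $-directives
    (skipped), and a blank owner field meaning 'same owner as previous line'.
    No $INCLUDE or multi-line parentheses support (assumption: not needed)."""
    origin = origin.rstrip(".").lower()
    records = defaultdict(list)
    last_owner = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        if line[0].isspace():                 # blank owner: reuse previous
            owner, rest = last_owner, line.split()
        else:
            owner, *rest = line.split()
            owner = normalise(owner, origin)
        last_owner = owner
        if rest and rest[0].isdigit():        # optional TTL
            rest.pop(0)
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest.pop(0)
        if not rest:
            continue
        records[(owner, rest[0].upper())].append(rest[1:])
    return records


def lint_zone(text, origin):
    """Return a list of human-readable findings; empty list means the fragment
    has the apex address record and every required SRV with a resolvable target."""
    origin = origin.rstrip(".").lower()
    rec = parse_zone(text, origin)
    findings = []

    def has_addr(owner):
        return (owner, "A") in rec or (owner, "AAAA") in rec

    # The mistake from the thread: SRV records present, zone root unresolvable.
    if not has_addr(""):
        findings.append(f"missing apex address record: '{origin}' has no A/AAAA")

    for svc, port in REQUIRED_SRV.items():
        srvs = rec.get((svc, "SRV"))
        if not srvs:
            findings.append(f"missing SRV {svc}.{origin}")
            continue
        for rdata in srvs:
            if len(rdata) != 4 or not rdata[2].isdigit():
                findings.append(f"malformed SRV {svc}: {' '.join(rdata)}")
                continue
            _prio, _weight, p, target = rdata
            if port is not None and int(p) != port:
                findings.append(f"SRV {svc} uses port {p}, expected {port}")
            target = normalise(target, origin)
            if target.endswith("."):
                findings.append(f"SRV {svc} target {target} is outside the zone; not checked")
            elif not has_addr(target):
                findings.append(f"SRV {svc} target '{target}' has no A/AAAA record")
    return findings


# Constructed sample: the fragment from the thread with documentation-range
# addresses (RFC 5737 / RFC 3849) substituted for the redacted ones.
ZONE_POSTED = """\
dc1 IN A 192.0.2.10
dc1 IN AAAA 2001:db8::10
_kerberos-adm._tcp IN SRV 0 0 749 dc1
_kerberos-adm._udp IN SRV 0 0 749 dc1
_kerberos._tcp IN SRV 0 0 88 dc1
_kerberos._udp IN SRV 0 0 88 dc1
_kpasswd._tcp IN SRV 0 0 464 dc1
_kpasswd._udp IN SRV 0 0 464 dc1
_ldap._tcp IN SRV 0 0 389 dc1
_ldap._udp IN SRV 0 0 389 dc1
_ldap._tcp.pdc._msdcs IN SRV 0 0 389 dc1
_ldap._tcp.gc._msdcs IN SRV 0 0 389 dc1
_ldap._tcp.dc._msdcs IN SRV 0 0 389 dc1
gc._msdcs IN A 192.0.2.10
"""
# The fix reported in the thread: an address record for the zone apex.
ZONE_FIXED = "@ IN A 192.0.2.10   ; domain root record\n" + ZONE_POSTED

if __name__ == "__main__":
    for label, zone in (("posted", ZONE_POSTED), ("fixed", ZONE_FIXED)):
        print(label, lint_zone(zone, "ad.example.test") or ["ok"])
```

Run it with the zone as posted and the only finding is the missing apex A/AAAA record; prepend the `@ IN A` line and the lint is clean, which matches the resolution reported in the thread. Feed it your own zone text (or the output of `dig AXFR` against the DC, if zone transfers are permitted) and adjust REQUIRED_SRV to whatever your DC actually publishes.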