[SOLVED] Active Directory issues with setting "Allow DNS Updates" after upgrade from Bluefin to Cobia

nightcore500 (Dabbler, joined Apr 1, 2022, 10 messages)
Greetings,
I updated my TrueNAS Scale instance from Bluefin to Cobia today. The instance was previously running on version 22.12.0 (Bluefin). I first updated from 22.12.0 to the latest Bluefin version 22.12.4.2. The update went through without any problems. After this update I switched to the latest Cobia Release Train version 23.10.1.3. After the instance booted again I got the following alert:
"Attempt to connect to netlogon share failed with error: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration.."

The status of the Active Directory service suddenly changed to "FAULTED".

I then tried a rejoin. This failed with this message:
"No server IP addresses passed DNS validation. This may indicate an improperly configured reverse zone. Review middleware log files for details regarding errors encountered."

The middlewared.log contains the following:
"[2024/02/09 16:04:06] (WARNING) ActiveDirectoryService.ipaddresses_to_register():105 - No nameservers configured to handle reverse pointer for 10.30.2.101. Omitting from list of addresses to use for Active Directory purposes."

After unchecking the Active Directory setting "Allow DNS Updates", the connection to the AD was suddenly possible again and the status was HEALTHY again.

The nameservers are 2 interconnected Windows AD servers which both provide a DNS server. No changes were made to these servers.
I also have a second TrueNAS Scale instance which I only use as a replication server. This is currently still on the old Bluefin version and has no problems with the AD.

Is this a bug in the current Cobia Release Train?

nightcore500 (Dabbler, joined Apr 1, 2022, 10 messages)
The problem has just been solved. I just went through the messages again and realized that some time ago, when setting up the AD structure, no reverse lookup zone was configured for the network ID and a static A entry was created for the truenas without PTR. This was apparently not a problem for the older version of TrueNAS.

Korvenwin (Cadet, joined Mar 4, 2022, 8 messages)

> The problem has just been solved. I just went through the messages again and realized that some time ago, when setting up the AD structure, no reverse lookup zone was configured for the network ID and a static A entry was created for the truenas without PTR. This was apparently not a problem for the older version of TrueNAS.

I'm having same issue.

Could you detail a little more how you solved it? I'm not an Active Directory "guru".

Thank you very much.

nightcore500 (Dabbler, joined Apr 1, 2022, 10 messages)

> I'm having same issue.
>
> Could you detail a little more how you solved it? I'm not an Active Directory "guru".
>
> Thank you very much.

If your middlewared.log shows the same log entries, the following should help.

Assume your TrueNAS server with the hostname "truenas" has the IP 10.5.0.50 in the subnet 10.5.0.0/24 where your AD server is located and your domain is ad.example.net.
The following settings are required in the DNS Manager:

Add a new zone under "Reverse Lookup Zones". Configure this as "Primary zone". For replication, I have selected "To all DNS servers running on domain controllers in this domain: ad.example.net".
Then select "IPv4 Reverse Lookup Zone". Now enter "10.5.0" as the network ID. Then select "Allow only secure dynamic updates". You should then see the name "0.5.10.in-addr.arpa" as the result.

Then I added a new static host as an A record under "Forward Lookup Zones" for my domain "ad.example.net". I used the hostname "truenas" and entered its IP address "10.5.0.50" and checked the box "Create associated pointer (PTR) record".
The fully qualified domain name should then be "truenas.ad.example.net".

After that, it is only necessary to add the AD again under TrueNAS, which previously failed.
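The same fix done from PowerShell on a domain controller instead of clicking through DNS Manager, as an added example that is not part of the original post or of TrueNAS. It uses the post's values (host "truenas", 10.5.0.50 in 10.5.0.0/24, domain ad.example.net); the DC name dc1.ad.example.net is an assumption, and the script needs the DnsServer module (RSAT or a DC) and the DnsClient module for the verification step.

```powershell
# Added example (not from the original post): create the reverse zone, add the A+PTR
# pair, then prove forward and reverse resolution agree before re-enabling
# "Allow DNS Updates" in TrueNAS. Values below follow the post; $Dc is assumed.
$Domain   = 'ad.example.net'
$HostName = 'truenas'
$IPv4     = '10.5.0.50'
$Network  = '10.5.0.0/24'          # DNS Manager shows this as 0.5.10.in-addr.arpa
$RevZone  = '0.5.10.in-addr.arpa'
$Dc       = 'dc1.ad.example.net'   # assumed DC name; omit -ComputerName when run on the DC

# 1. Reverse lookup zone: AD-integrated primary zone, replicated to all DNS servers on
#    DCs in this domain, accepting only secure (Kerberos-authenticated) dynamic updates.
#    This matches the GUI choices "Primary zone" / "To all DNS servers running on domain
#    controllers in this domain" / "Allow only secure dynamic updates".
if (-not (Get-DnsServerZone -ComputerName $Dc -Name $RevZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $Dc -NetworkId $Network `
        -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 2. Static A record plus its PTR (-CreatePtr is the GUI's "Create associated pointer
#    (PTR) record" checkbox). Delete any old PTR-less A record first if one exists,
#    otherwise the cmdlet reports that the record already exists.
Add-DnsServerResourceRecordA -ComputerName $Dc -ZoneName $Domain -Name $HostName `
    -IPv4Address $IPv4 -CreatePtr

# 3. Verify against the same DC the TrueNAS middleware will ask: the A answer must be
#    10.5.0.50 and the PTR answer must be truenas.ad.example.net, or the join will fail
#    again with "No server IP addresses passed DNS validation".
$fqdn = "$HostName.$Domain"
$fwd  = Resolve-DnsName -Server $Dc -Name $fqdn -Type A
$rev  = Resolve-DnsName -Server $Dc -Name $IPv4 -Type PTR
if ($fwd.IP4Address -ne $IPv4 -or ($rev.NameHost -replace '\.$','') -ne $fqdn) {
    throw "Forward/reverse mismatch: A=$($fwd.IP4Address) PTR=$($rev.NameHost)"
}
"OK: $fqdn <-> $IPv4 (reverse zone $RevZone)"
```

After the script succeeds on one DC, give AD replication a moment so the second DC answers the PTR query too, since the middleware rejects any configured nameserver that cannot handle the reverse pointer. From the TrueNAS shell the same check is `dig -x 10.5.0.50 @<dc-ip>` against each nameserver listed in Network > Global Configuration; only then re-enable "Allow DNS Updates" and rejoin.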