SOLVED FreeNAS 9.10 - Successfully Joined 2012 R2 AD - after days of struggle!

Status
Not open for further replies.

Tom Murphy

Cadet
Joined
Jun 18, 2016
Messages
6
Hi all, just thought I would post because I have spent many days pulling my hair out trying to AD-join FreeNAS to Windows 2012 R2 running at the 2012 R2 Domain Functional Level. I followed lots of guides and all failed.
Here is what I had to do; I hope it helps others.

On the Windows 2012 R2 Domain Controller, I forced the server to accept SMB 1 connections (you should do this on any file servers also in the domain). To do this you have to edit the registry at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService

and set the following values:

SamSS
Srv
Srv2

Next, restart the Server service. After the restart, if you click Dependencies on the Server service you will see that SMB 1 is active.

Next, in ADUC, create a computer account for the FreeNAS server.
Then:
  • add a static DNS entry in the forward lookup zone in Windows DNS and create a pointer record (I hope you have reverse DNS set up)
  • ensure that in Sites and Services you have the right subnets for your domain in the right sites, and make a note of the site name that the FreeNAS server will reside in. That's the Windows side of things done.
Now move to your FreeNAS server.

  • At the console or in the GUI, set a static IP address, subnet mask, default route and DNS/name servers.
  • In the GUI, under SYSTEM, INFORMATION, set the hostname and use a FQDN.
  • Under SYSTEM, GENERAL, select the NTP servers, remove the 3 servers and add your Domain Controller(s) IPs if they are the NTP servers on your domain (they are in mine).
  • Under SYSTEM, GENERAL, ensure your time zone matches your region of the world.
  • Create your Storage Pool, then your Dataset, and select Windows file share permissions.
  • Select NETWORK and ensure the hostname matches the server name you created in ADUC and DNS in Windows; ensure the domain is the FQDN.
  • Next click Services, go to CIFS and edit; ensure the NetBIOS name matches the DNS name and computer name you created in Windows ADUC and DNS.
  • Ensure the WORKGROUP matches the pre-Windows 2000 name for your domain and is capitalized.
  • Set Server maximum protocol to SMB2.
  • Turn off UNIX extensions.
At this point I would restart the FreeNAS server, not sure if it is needed but I do it anyway.

After the reboot, log back into the GUI:
  • Click on Directory, then Active Directory.
  • Click on Advanced mode.
  • Ensure Domain Name (DNS/Realm-Name) is set, capitalized and a FQDN.
  • Domain Account Name: I used my administrator account.
  • Turn off UNIX extensions.
  • Ensure Site Name matches the site name the FreeNAS server sits in, in AD Sites and Services.
  • Domain Controller: enter the FQDN of the domain controller, in capitals.
  • Global Catalog: enter the FQDN of the domain controller, in capitals.
  • Idmap backend: rid
  • SASL wrapping: sign
  • NetBIOS name: ensure it matches the DNS name and is capitalized.
  • Enter your Domain account password.
  • Save, and you will see "Active Directory successfully updated" at the top of the screen.
  • Now click Basic mode, check the Enabled box and save. This will join it to the domain after 30 to 60 seconds, and again you will see the green success notification; if it says "failed to restart services", recheck the above.
You can now open a shell and type

wbinfo -u
or
wbinfo -g
and you should get a list of AD users and Groups and can now assign them to shares on FreeNAS!

Hope this helps!

Tom
 

Tom Murphy

Cadet
Joined
Jun 18, 2016
Messages
6
Just to give an update, this is still working 2 months later without any problems!
 

eliohann

Cadet
Joined
Oct 21, 2014
Messages
7
awesome !
I've been trying to get it to work for months ... with your post's instructions it's up and running.

Thank you.

By the way, I didn't have to limit the SMB protocol.
 

jharm73

Cadet
Joined
Oct 30, 2015
Messages
6
I just posted a new thread related to this too. I didn't have to do all of this for it to work. But my issue is that I don't want to have to use a Domain Admin account as the service account (AUDITORS, need I say more?). Anyway, I tried delegating control to the service account I am using to add computer objects etc., but it's not working until I add them back to the Domain Admins group. Anyone know what permissions are needed?
 

eliohann

Cadet
Joined
Oct 21, 2014
Messages
7
I created a standard service account (normal account with service name), and gave full control over the computer account corresponding to the FreeNAS computer under the Security tab of the computer account properties.
 

jharm73

Cadet
Joined
Oct 30, 2015
Messages
6
I created a standard service account (normal account with service name), and gave full control over the computer account corresponding to the FreeNAS computer under the Security tab of the computer account properties.

This worked! Thanks!!!
 

JeroenvdBerg

Dabbler
Joined
Aug 27, 2016
Messages
11
You sir, are a hero.
Did not have to set "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService".
And I have successfully set the account to a FreeNAS service account; just make sure you set 'Full Control' on the FreeNAS computer object.
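As an added example (not code from the thread or from FreeNAS), this PowerShell script does the Windows-side preparation Tom describes (pre-staged computer object, A record plus PTR) together with the least-privilege delegation eliohann and JeroenvdBerg used instead of a Domain Admin account, then checks that the names and records agree. The computer name, FQDN, IP, zone, OU and service account name are assumed placeholders; the SMB 1 registry step is left out because later replies in the thread (confirmed by anodos) found it unnecessary.

```powershell
# Added example, not from the thread. Run on a DC (or with RSAT) as an account
# allowed to create computer objects and DNS records. All names below are assumed.
Import-Module ActiveDirectory
Import-Module DnsServer

$ComputerName = 'FREENAS'                        # NetBIOS name: uppercase, max 15 chars
$Fqdn         = 'freenas.corp.example'           # must match the FreeNAS hostname
$Ipv4         = '192.0.2.25'                     # static IP set on FreeNAS
$Zone         = 'corp.example'
$ServiceUser  = 'svc-freenas'                    # plain user, NOT a Domain Admin
$TargetOu     = 'OU=Servers,DC=corp,DC=example'

# Pre-stage the computer object; FreeNAS sets the machine password when it joins.
if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'")) {
    New-ADComputer -Name $ComputerName -SAMAccountName $ComputerName `
        -DNSHostName $Fqdn -Path $TargetOu -Enabled $true
}
$computer = Get-ADComputer -Identity $ComputerName

# Forward (A) record plus the PTR the thread asks for; the reverse zone must exist.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Fqdn.Split('.')[0] `
    -IPv4Address $Ipv4 -CreatePtr

# Delegate Full Control on this single computer object to the service account
# (what eliohann and JeroenvdBerg did in the GUI) instead of using Domain Admins.
$svc  = Get-ADUser -Identity $ServiceUser
$path = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Consistency checks: the failures in this thread mostly trace back to a hostname,
# computer object and DNS record that do not agree with each other.
$fwd = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
$rev = Resolve-DnsName -Name $Ipv4 -ErrorAction Stop
if (@($fwd.IPAddress) -notcontains $Ipv4 -or @($rev.NameHost) -notcontains $Fqdn) {
    throw "DNS A/PTR mismatch for $Fqdn / $Ipv4"
}
if ($computer.DNSHostName -ne $Fqdn) {
    throw "Computer object DNSHostName '$($computer.DNSHostName)' does not match $Fqdn"
}
# Show the delegated ACE so it can be reviewed (and audited) after the change.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceUser" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Once this has run, use $ServiceUser as the Domain Account Name in the FreeNAS Active Directory settings; the account needs no group membership beyond Domain Users.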
 

PD_ANZ

Cadet
Joined
Aug 16, 2017
Messages
8
I imagine there's no problem. Forest / Domain Functional level is only really an issue if you're trying to integrate a Samba DC.
anodos you were spot on. I can confirm following these instructions did indeed get my FreeNAS 11 U3 box joined to a 2016 domain controller and domain.

I also left out the steps

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService

set the following.

SamSS
Srv
Srv2

which don't seem to be required.

Awesome stuff!!! Thanks Tom Murphy
 

PD_ANZ

Cadet
Joined
Aug 16, 2017
Messages
8
EDIT: Sorry to be the bearer of bad news, but after getting the box connected and successfully running
"wbinfo -u"
one time, I now have an error.

Code:
[root@freenas ~]# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users


Time to google.

EDIT: back working again..... strange. Might just take a little while to sync up properly. Carry on :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
anodos you were spot on. I can confirm following these instructions did indeed get my FreeNAS 11 U3 box joined to a 2016 domain controller and domain.

I also left out the steps



which don't seem to be required.

Awesome stuff!!! Thanks Tom Murphy
You're correct. Those steps aren't required.
 

PD_ANZ

Cadet
Joined
Aug 16, 2017
Messages
8
So after having this running fine for a day I continue to get the flashing yellow warning light on my FreeNAS box.

The error is:
Code:
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 2 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 1 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 6 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 3 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - tried 10 attempts to recover service activedirectory


The share and the AD integration work fine. It's just annoying to see a warning sign.

Any ideas on why the warning?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
So after having this running fine for a day I continue to get the flashing yellow warning light on my FreeNAS box.

The error is:
Code:
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 2 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 1 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 6 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - attempt 3 to recover service activedirectory
  • WARNING: Sept. 13, 2017, 11:15 a.m. - tried 10 attempts to recover service activedirectory


The share and the AD integration work fine. It's just annoying to see a warning sign.

Any ideas on why the warning?
Did you check the box 'enable monitoring' under Directory Services -> Active Directory? If so, perhaps uncheck it.
 

Paze

Cadet
Joined
Nov 6, 2017
Messages
3
Hi Guys,

I just tried the above settings with my FN 11.1 Stable install, but still get the error "Failed to reload Active Directory".
Anything more I can try?
Working with a 2012 R2 Domain Controller, just basic things, nothing special.
 

Quest

Cadet
Joined
Jan 24, 2016
Messages
1
I did exactly, step by step, what you did but I get an error: "Invalid Host/Port: operation timed out". But when I try to ping the DC it all works, 0 packets lost. freenas.domain.xyz and dc1.domain.xyz DNS records created, computer account created as well.
 