TrueNAS fails to connect to Active Directory

[jlinyamato]

Hi,

I am new to the TrueNAS community and I just got my TrueNAS-mini with version TrueNAS-12.0.U8.

I try to connect TrueNAS to my AD but an error popup.

Code:

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 367, in run
    await self.future
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 403, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 690, in start
    await self._net_ads_join()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1023, in _net_ads_join
    await self._parse_join_err(netads.stdout.decode().split(':', 1))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1006, in _parse_join_err
    raise CallError(msg[1])
middlewared.service_exception.CallError: [EFAULT] Failed to join domain: failed to lookup DC info for domain 'YTCUSA02.COM' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.

Does anyone have the same issue and know how to fix it?

 

[anodos]

Do you have DNS configured so that it's using your DC as nameserver1?

 

[jhiga]

Hello, Thank you for getting back to us.
We setup 2 nameservers. We setup nameserver 1 which is on the east coast (eastern time zone) and nameserver 2 on the west coast (western time zone).

 

[anodos]

Hello, Thank you for getting back to us.
We setup 2 nameservers. We setup nameserver 1 which is on the east coast (eastern time zone) and nameserver 2 on the west coast (western time zone).

What version of Windows server? Is TN located in same datacenter as DCs? Is this over a WAN link?

 

[jhiga]

Hello,
Our domain controllers are windows server 2012 R2, one in each west and east datacenters and we are connected via a WAN link from our branch office.
The TN is located in our LA branch office and not at the datacenters.

 

[anodos]

You can check from the shell "net ads -S <domain name> lookup" and see if you have timeouts there. It might be the operations for joining AD are either being blocked or simply timing out. If these requests are borderline timing out you may wish to consider setting up at least an RODC on-premises so that you have better usability and reliability.

 

[jhiga]

It looks like we don't get a timeout error. Below is the output of the command. I have removed our information of domain etc. w/ xxxx

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: c8c797c6-8ea8-41bb-80e1-3b61643ae832
Flags:
Is a PDC: no
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: no
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Runs Active Directory Web Services: yes
Runs on Windows 2012 or later: yes
Forest: xxx.com
Domain: xxx.com
Domain Controller: xxxx.xxx.com
Pre-Win2k Domain: xxxxx
Pre-Win2k Hostname: xxxx
Server Site Name: xxxx
Client Site Name: xxxx
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

 

[jhiga]

Hello,

Can you provide link or documents on how we may add the user on AD to access the NAS.

Best regards,
Jeff