Univention Bugzilla – Bug 35870
AD Member Mode fails if dynamic DNS updates are disabled on Windows DC
Last modified: 2015-01-29 11:43:00 CET
If (for some reason) dynamic DNS updates are disabled on the Windows Domaincontroller, the Active Directory Connection Wizard (member mode) fails.

UMC:
> An unexpected error occurred: failed to add SRV record to 10.200.30.201

management-console-module-adconnector.log:
> [...]
> 10.09.14 12:59:26.778 MODULE ( PROCESS ) : Create _domaincontroller_master SRV record on 10.200.30.201
> 10.09.14 12:59:26.872 MODULE ( PROCESS ) :
> 10.09.14 12:59:26.872 MODULE ( ERROR ) : ['kinit', '--password-file=/etc/machine.secret', 'ucs\\$', 'nsupdate', '-v', '-g', '/tmp/tmpiV5u5H'] failed with 2 (; TSIG error with server: tsig verify failure
> update failed: NOTIMP
> )
> 10.09.14 12:59:26.872 MODULE ( ERROR ) : Join process failed [failedToAddServiceRecordToAD]: failed to add SRV record to 10.200.30.201
> 10.09.14 12:59:26.874 MODULE ( ERROR ) : Traceback:
> Traceback (most recent call last):
> File "/usr/lib/pymodules/python2.6/univention/management/console/modules/adconnector/__init__.py", line 482, in admember_join
> admember.add_domaincontroller_srv_record_in_ad(ad_server_ip)
> File "/usr/lib/pymodules/python2.6/univention/lib/admember.py", line 643, in add_domaincontroller_srv_record_in_ad
> raise failedToAddServiceRecordToAD("failed to add SRV record to %s" % ad_ip)
> failedToAddServiceRecordToAD: failed to add SRV record to 10.200.30.201
>
> 10.09.14 12:59:26.874 MODULE ( PROCESS ) : The domain join completed with errors.
> 10.09.14 12:59:27.075 MODULE ( PROCESS ) : Revert UCR settings
> [...]

The complete log file is attached.

Since adding the SRV record to the AD DNS can't work (because the functionality is disabled in the AD DNS), we should catch this error and show a more helpful message or at least add a hint in the documentation.
How to reproduce:
- Install Windows Server with AD DC Services and DNS
- Disable dynamic Updates (DNS -> Settings of Lookupzone -> General -> Dynamic Updates -> None) & probably restart DNS service
- Install UCS 3.2-3 and start AD Connection (member mode)
Created attachment 6105: full log file
This error also occurred in an environment where "only secure" Updates are allowed.

context: [Ticket#2014111021000654]
(In reply to Dirk Ahrnke from comment #2)
> This error also occured in an environment where "only secure" Updates are
> allowed.
>
> context: [Ticket#2014111021000654]

Please ignore this comment; though the same error "failedToAddServiceRecordToAD" occurs, the source of the problem in the context of the ticket is most likely different.
Another option would be to

1. Check if the DC(AD) already can resolve _domaincontroller_master._tcp (to allow partners/customers to manually pre-create the record as a workaround): If it's there and points to us then simply continue.

2. Attempt to create the record directly in the AD. We chose the DNS update method because we didn't have to bother with AD-DNS-backend details, but technically it's possible to do that. We only need to find out where the DNS-Zone is located in AD (probably below DC=DomainDnsZones but maybe also in CN=MicrosoftDNS,CN=System), create the object and finally check if it's resolvable via DNS.

3. If both these strategies fail, we could continue the setup nonetheless and just finally show a bold warning to the user saying that this record needs to be created in AD before attempting to join other UCS Systems. AFAIK the SRV record is only required for other UCS systems to join ("somebody" should check..).
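A worked example of the check in point 1 above (an added illustration, not the univention-lib implementation that was later shipped): ask the AD DNS server for the `_domaincontroller_master._tcp.<domain>` SRV record and classify the answer as "ok" (exists and targets this host), "foreign" (exists but targets another host) or "missing" (NXDOMAIN or no SRV answers). It is Python 3 and uses only the standard library, so it carries its own minimal DNS query builder and SRV response parser instead of dnspython. The domain, the master FQDN, the priority/weight/port values and the sample reply bytes are constructed for this example; `query_ad_dns()` is the only part that talks to a real server.

```python
"""Check whether the AD DNS already serves _domaincontroller_master._tcp and
whether it points at us.  Added example, not code from univention-lib.
Python 3, standard library only; the sample reply below is constructed."""
import socket
import struct

SRV_TYPE = 33
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """One-question SRV query with the RD flag set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def decode_name(data, offset, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it).
    max_hops bounds pointer chasing so a malicious reply cannot loop us."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = offset + 2
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def parse_srv_response(data):
    """Return (rcode, [(priority, weight, port, target), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, offset, records = flags & 0x0F, 12, []
    for _ in range(qd):                       # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4                           # QTYPE + QCLASS
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE and rclass == IN_CLASS:
            prio, weight, port = struct.unpack("!HHH", data[offset:offset + 6])
            target, _ = decode_name(data, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlength
    return rcode, records


def master_record_status(response_bytes, our_fqdn):
    """'ok' if the SRV record targets us, 'foreign' if it targets another
    host, 'missing' on NXDOMAIN / empty answer (then nsupdate is needed)."""
    rcode, records = parse_srv_response(response_bytes)
    if rcode != 0 or not records:
        return "missing"
    wanted = our_fqdn.lower().rstrip(".")
    return "ok" if any(t == wanted for _, _, _, t in records) else "foreign"


def query_ad_dns(ad_ip, name, timeout=3.0):
    """Send the query over UDP to the AD DNS server (live use only)."""
    query = build_srv_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (ad_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return data


def build_sample_response(domain="ad.example.com", master="ucs-master.ad.example.com",
                          exists=True, txid=0x1234):
    """Constructed reply such as an AD DNS server would send (uses a
    compression pointer, 0xC00C, back to the question name)."""
    qname = "_domaincontroller_master._tcp." + domain
    question = encode_name(qname) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    if not exists:                            # NXDOMAIN, no answers
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    rdata = struct.pack("!HHH", 0, 0, 0) + encode_name(master)  # values assumed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    # Offline demo; for a real DC replace the sample with
    # query_ad_dns("10.200.30.201", "_domaincontroller_master._tcp.ad.example.com")
    print(master_record_status(build_sample_response(), "ucs-master.ad.example.com"))
```

Only "missing" should fall through to the kinit/nsupdate path from the log above; "foreign" deserves its own message, because overwriting a record that points at a different master is the wrong fix.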
Point one of the above three options has been implemented now for errata4.0-0.

Advisory: 2014-12-09-univention-lib.yaml
(In reply to Arvid Requate from comment #4)
> 3. If both these strategies fail, we could continue the setup none the less
> and just finally show a bold warning to the user saying that this record
> needs to be created in AD before attempting to join other UCS Systems. AFAIK
> the SRV record is only required for other UCS systems to join ("somebody"
> should check..).

Yes, it is only required for the join.

(In reply to Arvid Requate from comment #5)
> Point one of the above three options has been implemented now for
> errata4.0-0.
>
> Advisory: 2014-12-09-univention-lib.yaml

YAML: OK (small adjustment r57407)

Tests: Fail

System setup shows a message that the setup failed: "failed to add SRV record to 10.201.65.1". I don't know what to do next. Maybe we could change it in the following way:
- Don't show a setup failure in this case
- Show a notification at the first UMC login that the SRV record is missing
- Link to the SDB article which describes the creation of this SRV record
Ok, adjusted UMC module in univention-ad-connector to show a message.
I guess we can handle this with the same Bug.

Advisory: 2014-12-09-univention-ad-connector.yaml
Dependency: 2014-12-09-univention-lib.yaml
(In reply to Arvid Requate from comment #7)
> Ok, adjusted UMC module in univention-ad-connector to show a message.
> I guess we can handle this with the same Bug.
>
> Advisory: 2014-12-09-univention-ad-connector.yaml
> Dependency: 2014-12-09-univention-lib.yaml

Yes, that looks good. But I think we need a specific SDB article for exactly this case: no domaincontroller_master SRV record, and how to create it in the AD DNS.
Ok, here we go: http://sdb.univention.de/1299

Package re-built with adjusted URL.
(In reply to Arvid Requate from comment #9)
> Ok, here we go: http://sdb.univention.de/1299
> Package re-built with adjusted URL.

Very good. I've published the SDB article.
<http://errata.univention.de/ucs/4.0/55.html>
<http://errata.univention.de/ucs/4.0/56.html>