Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2387868.1
Update Date: 2018-05-01
Keywords:

Solution Type  Problem Resolution Sure

Solution  2387868.1 :   Oracle ZFS Storage Appliance: Active Directory - Join Domain (CLI) configuration services ad domain> commit errors  


Related Items
  • Sun ZFS Storage 7420
  • Oracle ZFS Storage ZS5-2
  • Oracle ZFS Storage ZS3-2
  • Sun Storage 7110 Unified Storage System
  • Oracle ZFS Storage ZS4-4
  • Sun Storage 7210 Unified Storage System
  • Oracle ZFS Storage ZS5-4
  • Sun Storage 7410 Unified Storage System
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7120
  • Sun Storage 7310 Unified Storage System
  • Sun ZFS Storage 7320
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: ZS




In this Document
Symptoms
Cause
Solution
References


Created from <SR 3-17106938471>

Applies to:

Oracle ZFS Storage ZS4-4 - Version All Versions and later
Oracle ZFS Storage ZS3-2 - Version All Versions and later
Sun Storage 7410 Unified Storage System - Version All Versions and later
Sun ZFS Storage 7420 - Version All Versions and later
Oracle ZFS Storage ZS5-2 - Version All Versions and later
7000 Appliance OS (Fishworks)

Symptoms

Error messages when joining an Active Directory domain:

1. zfssa:configuration services ad domain> commit
   error: The attempt to join the Active Directory domain failed for unknown reasons. Check that all properties are
           correct and try again. If the problem persists, contact your service provider.

a.  Message in debug.sys: smbd[4819]: [ID 702911 daemon.error] smbd: failed locating domain controller for my.domain.com

b.  Message in debug.sys: smbd[22038]: [ID 702911 daemon.error] unable to join computer.my.domain.com to my.domain.com (DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED)

c.  Message in debug.sys: smbd[5245]: [ID 702911 daemon.error] smbns_krb: getting initial credentials (Clock skew too great: 'Administrator@MY.DOMAIN.COM' requesting ticket 'krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM' from KDC 'unknown' (29/03/2018 10:07). Skew is 179m)

 

2. zfssa:configuration services ad domain> commit

   error: The specified user does not have the appropriate permissions to create a computer account in Active Directory.

Messages in debug.sys:

smbd[22038]: [ID 801593 daemon.notice] GBZFS2$: Workstation trust account creation failed
smbd[22038]: [ID 702911 daemon.error] unable to join computer.my.domain.com to my.domain.com (ACCESS_DENIED)

 

Cause

1.a  DNS error - Ensure that the DNS server responds with the list of Domain Controllers for the target domain

         Missing SRV record in DNS, or wrong DNS server, for my.domain.com:
         _kerberos._tcp.dc._msdcs.my.domain.com      service = 0 100 88 dc1.my.domain.com.


1.b  The user has exceeded the number of computers that the user can join to the domain (domain attribute: ms-DS-MachineAccountQuota = 10 by default)

1.c  Time skew between the computer and the Domain Controller is greater than 5 min; the NTP service configuration is incorrect

 

2.  The specified user does not have the appropriate permissions to create a computer account in Active Directory.

 

Solution

1.a    The administrator must create the requested SRV records on the DNS server:  _kerberos._tcp.dc._msdcs.my.domain.com      service = 0 100 88 dc1.my.domain.com

  • or change DNS servers on ZFS Storage Appliance
    • zfssa:configuration services dns > set servers=new_IP1,new_IP2
       
  • Review Document ID 1402003.1 - Sun Storage 7000 Unified Storage System: DNS server settings required for integration of the ZFS Storage Appliance with Active Directory

Test before resolving the issue:

From traffic capture between ZFS SA and DNS server when domain join was committed:

ZFS SA: > configuration services ad domain > commit
151   0.00006 computer.my.domain.com -> DNS1.my.domain.com DNS C _kerberos-master._tcp.MY.DOMAIN.COM. Internet Unknown (33) ?
152   0.00066 DNS1.my.domain.com -> computer.my.domain.com DNS R  Error: 3(Name Error)

... or from nslookup

# nslookup

> set type=SRV
> _kerberos._tcp.dc._msdcs.my.domain.com
Server:         10.145.x.y
Address:        10.145.x.y#53
*** Can't find _kerberos._tcp.dc._msdcs.my.domain.com: No answer

 

Test after changing the DNS server or adding the SRV record to the DNS server:

> _kerberos._tcp.dc._msdcs.my.domain.com
Server:         goodDNS.my.domain.com
Address:        10.145.a.b#53

_kerberos._tcp.dc._msdcs.my.domain.com      service = 0 100 88 DC1.my.domain.com.
_kerberos._tcp.dc._msdcs.my.domain.com      service = 0 100 88 DC2.my.domain.com.

 

1.b  Document ID 1402173.1 - Sun Storage 7000 Unified Storage System: Admin user privileges required to join the ZFSSA to an Active Directory Domain

 

1.c  Correct the NTP service configuration - the recommended NTP server is the PDC for domain my.domain.com

       zfssa:configuration services ntp> set servers=PDC_IP

       Review Document ID 1402353.1 - Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues

 

2.  Document ID 1402173.1 - Sun Storage 7000 Unified Storage System: Admin user privileges required to join the ZFSSA to an Active Directory Domain
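
The symptom-to-cause mapping above can be applied mechanically to a debug.sys extract. The following is an added example, not Oracle's code: the function names are hypothetical, and the sample log lines are constructed from the messages quoted in the Symptoms section.

```python
import re

# Constructed sample, modelled on the debug.sys messages quoted in Symptoms.
SAMPLE_LOG = """\
smbd[4819]: [ID 702911 daemon.error] smbd: failed locating domain controller for my.domain.com
smbd[22038]: [ID 702911 daemon.error] unable to join computer.my.domain.com to my.domain.com (DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED)
smbd[5245]: [ID 702911 daemon.error] smbns_krb: getting initial credentials (Clock skew too great: 'Administrator@MY.DOMAIN.COM' requesting ticket 'krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM' from KDC 'unknown' (29/03/2018 10:07). Skew is 179m)
smbd[22038]: [ID 801593 daemon.notice] GBZFS2$: Workstation trust account creation failed
smbd[22038]: [ID 702911 daemon.error] unable to join computer.my.domain.com to my.domain.com (ACCESS_DENIED)
smbd[100]: [ID 702911 daemon.error] unrelated message
"""

# (case label from this document, pattern, advice taken from the Solution section)
RULES = [
    ("1.a", re.compile(r"failed locating domain controller for (?P<domain>\S+)"),
     "verify SRV record _kerberos._tcp.dc._msdcs.{domain} or change DNS servers"),
    ("1.b", re.compile(r"\(DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED\)"),
     "machine account quota exceeded; see Document ID 1402173.1"),
    ("1.c", re.compile(r"Clock skew too great.*Skew is (?P<skew>\d+)m"),
     "clock skew {skew} min exceeds 5 min; set NTP servers to the PDC"),
    ("2", re.compile(r"\(ACCESS_DENIED\)"),
     "join user lacks permission to create computer accounts; see Document ID 1402173.1"),
]


def classify(line):
    """Return (case, advice) for one smbd log line, or None if no rule matches."""
    if "smbd[" not in line:
        return None
    for case, pattern, advice in RULES:
        match = pattern.search(line)
        if match:
            return case, advice.format(**match.groupdict())
    return None


def triage(log_text):
    """Return the distinct findings in a log extract, in order of first appearance."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit not in findings:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for case, advice in triage(SAMPLE_LOG):
        print(f"case {case}: {advice}")
```
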

 

References

<NOTE:1402173.1> - Sun Storage 7000 Unified Storage System: Admin user privileges required to join the ZFSSA to an Active Directory Domain
<NOTE:1395461.1> - Sun Storage 7000 Unified Storage System: Best Practice Recommendations for Network Configuration
<NOTE:1402248.1> - Sun Storage 7000 Unified Storage System: system log messages for Active Directory issues
<NOTE:1402353.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues

  Copyright © 2018 Oracle, Inc.  All rights reserved.