
Problem

This article is intended to help users who are trying to join BrickStor with Active Directory for the first time and are having trouble.

Solution

Perform a simple check to make sure all of the items pass when running the following helper utility:

# adutil check <domain>
Example with RackTop Labs:
# adutil check racktoplabs.com
Starting checks (could take > 5 minutes if many errors encountered)            
PASS domain_membership Results: DomainMember: %!s(bool=false)                            
FAIL domain Results: Local domain does not match target domain.
PASS adservers Results: {[{dc-02.racktoplabs.com. [10.1.14.2]} {dc-01.racktoplabs.com. [10.1.14.1]}] _ldap._tcp.dc._msdcs.racktoplabs.com.}
PASS adping_dc-02.racktoplabs.com. Results: {10.1.18.2 607.557µs}
PASS adping_dc-01.racktoplabs.com. Results: {10.1.18.1 635.886µs}
FAIL time_dc-02.racktoplabs.com. Results: Time delta between dc-02.racktoplabs.com. and localhost is greater than 5 minutes.
FAIL ntp Results: Ntp service is in disabled state.

What it means:

Starting checks (could take > 5 minutes if many errors encountered)
PASS domain_membership Results: DomainMember: %!s(bool=false)
    Good: Not currently a member of a Domain
FAIL domain Results: Local domain does not match target domain.
    Bad: Domain not set in /etc/resolv.conf
PASS adservers Results: {[{dc-02.racktoplabs.com. [10.1.14.2]} {dc-01.racktoplabs.com. [10.1.14.1]}] _ldap._tcp.dc._msdcs.racktoplabs.com.}
    Good: It can find the Domain since DNS is set correctly
PASS adping_dc-02.racktoplabs.com. Results: {10.1.18.2 607.557µs}
    Good: You can ping AD
PASS adping_dc-01.racktoplabs.com. Results: {10.1.18.1 635.886µs}
    Good: You can ping the second AD server
FAIL time_dc-02.racktoplabs.com. Results: Time delta between dc-02.racktoplabs.com. and localhost is greater than 5 minutes.
    Bad: You are too out of sync with time in AD
FAIL ntp Results: Ntp service is in disabled state.
    Bad: NTP service is disabled

From this check we see several issues that need to be solved.

  1. We need to set the proper domain and name servers in /etc/resolv.conf (this resolves the second result line, FAIL domain). DNS is already configured on this BrickStor.
  2. We need to sync time with Active Directory. This can be done with the following command:

    This BrickStor is joined to Racktoplabs.com
    # ntpdate <Timesource>
    Example:
    # ntpdate dc-02.racktoplabs.com
  3. Now that the time is in sync with AD, we must enable the ntp service:

    # svcadm enable ntp
  4. Now rerun adutil check <domain>:

    # adutil check racktoplabs.com
  5. If all the checks pass, you should be able to run the Active Directory (AD) join command. The Administrator account must be a Domain Administrator or it will not work.

    # smbadm join -y -u Administrator YOURDOMAIN.com
  6. There are instances where the join doesn't work the first time, so it is worth re-running the command if it fails. If you are still unable to join, it is likely that your account doesn't have domain admin privileges.
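
The check, fix and rerun loop above, as an added example (not RackTop's own tooling): a shell function that reads adutil check output, lists each failed check with the fix this article gives for it, and returns non-zero so the join is not attempted until everything passes. It assumes every result line has the form shown in the sample output; the function name adcheck_summary is hypothetical.

```shell
#!/bin/sh
# Added example, not RackTop code. Assumption: each result line looks like
# "PASS|FAIL <check> Results: <detail>", as in the sample output in this article.

# Reads `adutil check` output on stdin, prints "<check>: <fix>" for every FAIL,
# and returns 0 only if results were seen and none of them failed.
adcheck_summary() {
    awk '
        $1 == "PASS" || $1 == "FAIL" { seen++ }
        $1 == "FAIL" {
            failed++
            if ($2 == "domain")     fix = "set the domain and name servers in /etc/resolv.conf"
            else if ($2 ~ /^time_/) fix = "sync the clock with ntpdate <Timesource>"
            else if ($2 == "ntp")   fix = "svcadm enable ntp"
            else                    fix = "not covered by this article"
            printf "%s: %s\n", $2, fix
        }
        END { if (seen == 0 || failed > 0) exit 1 }
    '
}

# The sample output from this article, embedded so the script runs offline.
SAMPLE_OUTPUT='Starting checks (could take > 5 minutes if many errors encountered)
PASS domain_membership Results: DomainMember: %!s(bool=false)
FAIL domain Results: Local domain does not match target domain.
PASS adservers Results: {[{dc-02.racktoplabs.com. [10.1.14.2]} {dc-01.racktoplabs.com. [10.1.14.1]}] _ldap._tcp.dc._msdcs.racktoplabs.com.}
PASS adping_dc-02.racktoplabs.com. Results: {10.1.18.2 607.557µs}
PASS adping_dc-01.racktoplabs.com. Results: {10.1.18.1 635.886µs}
FAIL time_dc-02.racktoplabs.com. Results: Time delta between dc-02.racktoplabs.com. and localhost is greater than 5 minutes.
FAIL ntp Results: Ntp service is in disabled state.'

# On a BrickStor: adutil check racktoplabs.com | adcheck_summary
if printf '%s\n' "$SAMPLE_OUTPUT" | adcheck_summary; then
    echo "All checks passed: ready for smbadm join"
else
    echo "Fix the items above, then rerun adutil check"
fi
```

Empty input also returns non-zero, so a check that produced no results is never treated as a pass.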

To view the Domain You Are Connected To

This BrickStor is joined to Racktoplabs.com
# smbadm list
[*] [RACKTOPLABS]
[*] [racktoplabs.com]
        [+dc-01.racktoplabs.com] [10.1.14.1]
[.] [BSR-FDB711E2] [S-1-5-21-1813420391-1883027364-384222262]
[*] [RACKTOPLABS] [S-1-5-21-2103861846-1878089256-5222290406]

 

 
