
Astaro SG “Joining domain failed”

I just spent the last 2 business days working on trying to get my Astaro SG 120 v7.507 to re-join the domain, after I deleted the “computer” entry from our Windows 2003 SBS AD. After deleting the computer entry, I rebooted the Astaro box and attempted to join it to the domain (with the same flawless effort I experienced during the initial setup). No luck.

I ran across several Astaro User Forum posts telling people the same things over and over about what to check, and none of it was helping.

I’ll run through some of the error messages that appear in the Fallback error log, and what you should do to fix each one. If you have more, leave them in the comments below, and I’ll add them.

ads_get_dnshostname: No dNSHostName attribute!

  • Make sure a Host Name in FQDN style is specified on the Management > System Settings > Hostname tab.

ads_keytab_add_entry: unable to determine machine account’s dns name in AD

  • Make sure your Astaro box doesn’t show up as a Computer anywhere computers are listed in Active Directory. Then make sure there is a DNS Host (A) entry for your hostname, and reboot your Active Directory and/or DNS server. (For me, they were the same Windows SBS Box, but a reboot fixed this error message.)

»clock skew too great«

  • You need to make sure the Time & Date on both the Astaro box and the Active Directory server are no more than 5 minutes apart.

»pre-authentication failed«

  • Make sure the Username/Password you're using to join the domain are correct. They should look like the image above.

Below is the fix that finally worked for me, but I never saw anything in the User Forums (or anywhere else, for that matter) related to these error codes and the Astaro box (only to Samba and Linux Servers).

 

libsmb/clientgen.c:cli_receive_smb

rpc_client/cli_pipe.c:rpc_api_pipe

pipe \lsarpc fnum

  • This means that the Intrusion Prevention System is preventing the Active Directory server from approving the Active Directory join. You need to create an Exception: go to Network Security > Intrusion Prevention > Exceptions, create a new Exception that skips "Intrusion Prevention", and list the Active Directory Server in the Source Network area.
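
To triage a saved copy of the Fallback log against the signatures above, here is an added example (not from the original post and not Astaro code). The helper name `triage` and the sample log layout are assumptions; only the error strings and fixes come from this page.

```python
# Signatures and fixes come from this post. Matching is by substring because
# the exact layout of a Fallback log line is an assumption.
SINGLE = [
    ("No dNSHostName attribute",
     "Set an FQDN under Management > System Settings > Hostname"),
    ("unable to determine machine account",
     "Remove the stale AD computer entry, add a DNS Host (A) record, "
     "reboot the AD/DNS server"),
    ("clock skew too great",
     "Bring the Astaro and AD server clocks within 5 minutes"),
    ("pre-authentication failed",
     "Re-check the username/password used for the join"),
]
# The IPS case appears as three lines together, so require all of them.
IPS_MARKERS = ("cli_receive_smb", "rpc_api_pipe", r"pipe \lsarpc")
IPS_FIX = ("Network Security > Intrusion Prevention > Exceptions: skip "
           "Intrusion Prevention with the AD server as Source Network")


def triage(log_text):
    """Return [(first_line_no, signature, fix)] ordered by first appearance."""
    first_seen = {}
    markers = [s for s, _ in SINGLE] + list(IPS_MARKERS)
    for no, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        for marker in markers:
            if marker.lower() in low:
                first_seen.setdefault(marker, no)
    findings = [(first_seen[s], s, fix) for s, fix in SINGLE if s in first_seen]
    if all(m in first_seen for m in IPS_MARKERS):
        findings.append((min(first_seen[m] for m in IPS_MARKERS),
                         "lsarpc pipe failure (IPS)", IPS_FIX))
    return sorted(findings)


# Constructed sample lines, not a real capture from an Astaro box.
SAMPLE = r"""
[constructed] kinit failed: Clock skew too great
[constructed] libsmb/clientgen.c:cli_receive_smb receive error
[constructed] rpc_client/cli_pipe.c:rpc_api_pipe failed
[constructed] pipe \lsarpc fnum returned critical error
[constructed] libsmb/clientgen.c:cli_receive_smb receive error
"""

if __name__ == "__main__":
    for no, sig, fix in triage(SAMPLE):
        print(f"line {no}: {sig}\n    fix: {fix}")
```

A lone `cli_receive_smb` line is not reported as the IPS case; all three markers have to be present in the log.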

I’m sure there are probably more items in the Fallback error logs that folks have encountered. Surprisingly, I didn’t even come across this PDF document detailing a lot of them during my searches until I was researching the error codes for this post. Check that document out and see if your answer is in there.

 

The main rebuttals to most of the “suggestions” you’ll find on the User Forums are:

  1. You don’t need to create a Pre-Win2000 Computer in Active Directory for this to work.
  2. You can’t have an existing computer entry in Active Directory for the hostname you’ve given your Astaro box.
  3. You should create a DNS Host (A) entry for the Astaro box, if you run a DNS server outside of the Astaro box.
  4. The Time & Date on both the Server and Astaro Box need to be within 5 minutes of each other.
  5. You don’t have to be able to ping the Astaro box from the server for this to work.
  6. You do have to be able to ping the Active Directory server from the Astaro box’s Support > Tools area.
  7. Domains ending in .local will work.
  8. You don’t have to use all CAPS when filling in the hostname & domain name, but it’s suggested by the Astaro people. It won’t make a difference to DNS – CAPS or lowercase both resolve the same.

As I mentioned above, if you have any other error messages or tips or suggestions, etc., related to getting the Astaro box on the domain, please post them in the comments. Too many people have spent too long trying to get things to work simply because the information wasn’t out there when they were searching.

By [[Neo]]

I am a web programmer, system integrator, and photographer. I have been writing code since high school, when I had only a TI-83 calculator. I enjoy getting different systems to talk to each other, coming up with ways to mimic human processes using technology, and explaining how complicated things work.

Of my many blogs, this one is purely about the technology projects, ideas, and solutions that I have come across in my internet travels. It's also the place for technical updates related to my other sites that are part of The-Spot.Network.
