Nethserver in AWS EC2 Centos Instance - AD Problem

Hi

I am trying to move a Windows SBS2011 user into the IaaS model. The customer’s current infrastructure is quite modest at about 20 Win10 clients and one SBS2011 server.

I have built a couple of Windows clients and a CentOS server with Nethserver using AWS EC2 Instances. They all exist within one VPC and subnet. There is just one Security Group (which, in AWS land, defines which TCP/UDP etc ports are open/closed both internally and to the outside World). My build of CentOS does not seem to have Firewalld installed. Nethserver has had only minimal configurations per the attached screenshots. My AD Domain name is h-s-m.local (I don’t have an external domain name reg’d at present).

Although my Windows clients can do a successful nslookup for my Nethserver DC, they cannot join the domain. The failure message generated when I try to move them from Workgroup to h-s-m.local is as follows:


DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain “h-s-m.local”:
The query was for the SRV record for _ldap._tcp.dc._msdcs.h-s-m.local
The following domain controllers were identified by the query:
nsdc-ip-1713262.h-s-m.local
However no domain controllers could be contacted.
Common causes of this error include:

  • Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
  • Domain controllers registered in DNS are not connected to the network or are not running.

I have the following ports open in my Security Group:

All ICMP - IPv4
TCP 22
TCP 53
TCP 88
TCP 443
TCP 445
TCP 464
TCP 3389
TCP 9090
TCP 135 - 139
TCP 3268 - 3269
UDP 53
UDP 88
UDP 389
UDP 445
UDP 464
UDP 135 - 139
UDP 3268 - 3269

Can anyone point me in the right direction as to why my Windows clients will not join the domain please?

Screenshot 2022-10-22 at 21.13.43

Ah… as a new user I can only upload one file at a time… here are the others…

Screenshot 2022-10-22 at 21.11.39
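The security-group list above is worth checking against what a Windows domain join actually needs to reach on a DC, because the error shown is "no domain controllers could be contacted", not a DNS failure. The following is an added example, not code from the thread or from NethServer: it transcribes the posted rules as constructed input and compares them with the port table from Microsoft's published AD port requirements (DNS, Kerberos, NTP, RPC endpoint mapper and dynamic range, LDAP, SMB, kpasswd). It only looks at ports; it does not check rule sources, and in AWS a rule must name a source (the client's CIDR or the group itself) before two instances in the same group can talk at all.

```python
"""Compare an EC2 security group's inbound rules with the ports a Windows
domain join needs on an AD domain controller.

Added example; not from the NethServer thread. POSTED_RULES is transcribed
from the security group the original poster listed. DOMAIN_JOIN_PORTS is the
client-to-DC subset of Microsoft's AD port requirements.
"""

# (protocol, first_port, last_port) exactly as listed in the post
POSTED_RULES = [
    ("tcp", 22, 22), ("tcp", 53, 53), ("tcp", 88, 88), ("tcp", 443, 443),
    ("tcp", 445, 445), ("tcp", 464, 464), ("tcp", 3389, 3389),
    ("tcp", 9090, 9090), ("tcp", 135, 139), ("tcp", 3268, 3269),
    ("udp", 53, 53), ("udp", 88, 88), ("udp", 389, 389), ("udp", 445, 445),
    ("udp", 464, 464), ("udp", 135, 139), ("udp", 3268, 3269),
]

# What a client must reach on a DC to locate it, authenticate and join.
DOMAIN_JOIN_PORTS = {
    "DNS": [("tcp", 53, 53), ("udp", 53, 53)],
    "Kerberos": [("tcp", 88, 88), ("udp", 88, 88)],
    "NTP (Kerberos clock skew)": [("udp", 123, 123)],
    "RPC endpoint mapper": [("tcp", 135, 135)],
    "LDAP": [("tcp", 389, 389), ("udp", 389, 389)],
    "SMB (netlogon, SYSVOL)": [("tcp", 445, 445)],
    "Kerberos password change": [("tcp", 464, 464), ("udp", 464, 464)],
    "RPC dynamic range (Windows 2008+)": [("tcp", 49152, 65535)],
}


def allowed_ports(rules):
    """Expand rules into {protocol: set(ports)} so range checks are exact."""
    table = {}
    for proto, lo, hi in rules:
        table.setdefault(proto, set()).update(range(lo, hi + 1))
    return table


def missing_ports(rules, required=DOMAIN_JOIN_PORTS):
    """Return [(service, proto, lo, hi)] for every required range the rules
    do not fully cover. A range is reported once even if only part of it is
    blocked, because a partially open RPC dynamic range still breaks joins."""
    table = allowed_ports(rules)
    gaps = []
    for service, ranges in required.items():
        for proto, lo, hi in ranges:
            open_ports = table.get(proto, set())
            if any(p not in open_ports for p in range(lo, hi + 1)):
                gaps.append((service, proto, lo, hi))
    return gaps


if __name__ == "__main__":
    for service, proto, lo, hi in missing_ports(POSTED_RULES):
        span = f"{lo}" if lo == hi else f"{lo}-{hi}"
        print(f"missing: {service:35} {proto.upper()} {span}")
```

Run against the posted rules it reports UDP 123, TCP 389 and TCP 49152-65535 as missing. TCP 389 is the port the `_ldap._tcp.dc._msdcs` SRV record advertises, so the client's LDAP ping to the DC has nowhere to go even when the name resolves.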

Hi @gray_em

Still using a .local as an AD Domain? Even though Microsoft themselves strongly suggest using a subdomain of a real, existing domain? And for more than 12 years now!

As .local is a “fantasy” domain, you also probably didn’t bother creating DNS records for your AD server.

Microsoft AD is DNS based, it needs working DNS resolution to work!

Without a correct DNS, you also don’t have the option to use a verified LetsEncrypt SSL cert for your AD. This is of great use, if you intend to use PHP or JAVA based Apps with your AD - JAVA and PHP are very fussy about correct SSL certs, and won’t work without SSL, therefore also won’t work using just an IP or a .local domain.

Note:
A valid, correct SSL cert is NOT critical to join a Windows workstation to your AD, but working DNS is!

I'd strongly suggest you change your AD DNS name, before the AD gets too large to do so.
NethServer will not allow a configured AD AccountProvider to change name, so you’ll have to remove your AD for this, and set up a new AD.
I’d also suggest using a subdomain name for your AD, see my examples below.

For me at home, and also for my ca. 30 clients, I generally use:

NethServer Hostname: XXXX-NethServer
NethServer FQDN: XXXX-nethserver.domain.tld
NethServer AD: ad.domain.tld

The 4 X (XXXX-) are an individual Shortcode I assign to each client.
The first two XX represent Initials or Shortform of Company / Institution, the last two XX represent the site (Town, City).

I create at least two DNS entries, one for NethServer and one for the AD, both using the correct, internal IPs.

My 2 cents
Andy

Hi Andre

Thanks for such an astonishingly quick reply and great tips! :o)

Just to explain a little further, I’m only evaluating Nethserver at the moment (hence my lack of a ‘real’ domain name) added to which I’m trying to get my head around AWS’ networking constructs. I’m not looking at any external access to this ‘test’ domain other than Nethserver’s web admin. Once evaluated I’ll be setting it all up afresh.

In terms of DNS entries, my Nethserver is both my AD and DNS server. I have an entry in Nethserver DNS pointing h-s-m.local to the Nethserver IP Address with a wildcard… I have manually configured my windows clients’ DNS entries as the IP address of the Nethserver too. However, from what you say, my DNS config is insufficient? Can you suggest further entries?

Thanks

Hi @gray_em

Like Windows, NethServer actually creates two separate names. One in DNS format for AD, eg: ad.domain.tld, the other in the older NetBIOS format without any separators. The Cockpit of NethServer doesn’t actually show this name correctly, but the older Server-Manager (can be installed from Software Center parallel to Cockpit, both can run on the same server) does.

These entries should cover most requirements…

My 2 cents
Andy

Hi

I think the problem I have is that there are no SRV records. Because my test domain does not have a FQDN parent in the real world and thus no SRV records and there are no SRV records in DNS on the Nethserver, the windows clients can’t find the services they need to join the domain.

If I recall from a long (very long) time ago, SBS sets up AD SRV records auto-magically in its DNS server. I have looked around about how to add these records in CentOS/Nethserver with dnsmasq.conf and templates (?) but I have now gone a little snow-blind. Can anyone lead me through this please?

Hi @gray_em

If you recreate your Testdomain with a real domain, NethServer will create the correct DNS entries needed.
→ They won’t show up in NethServers DNS Web-GUI…
and it should not affect any real, existing domains if you add in an ad up front: eg:
domain.tld → ad.domain.tld…

My 2 cents
Andy

Excellent… I shall give that a go… thanks Andy

And as always, especially when doing something for the first time: Good Luck!

My 2 cents
Andy

Hi

I’ve rebuilt my AD using an FQDN i.e.

h-s-m.grptest.co.uk

My server has an IP of 172.31.70.43 and I’ve given my AD an IP of 172.31.70.100 in Nethserver

On my windows client, nslookup can now resolve the AD domain name;

C:\Users\Administrator> nslookup h-s-m.grptest.co.uk
Server: ip-172-31-70-43.ec2.internal
Address: 172.31.70.43

Name: h-s-m.grptest.co.uk
Address: 172.31.70.100

And it can also resolve an _ldap record. However no details (weight, priority, port etc) are returned?

C:\Users\Administrator>nslookup
Default Server: ip-172-31-70-43.ec2.internal
Address: 172.31.70.43

set type=all
_ldap._tcp.dc._msdcs.h-s-m.grptest.co.uk
Server: ip-172-31-70-43.ec2.internal
Address: 172.31.70.43

_ldap._tcp.dc._msdcs.h-s-m.grptest.co.uk internet address = 172.31.70.100

I am getting there little by little… Should Nethserver have created the required AD SRV records auto-magically for me locally? Or do I have to put the SRV records up in my real world FQDN DNS settings?

cheers

Hi @gray_em

Generally, Windows workstations (Maybe excepting Win11 22H2…) have no problems finding, joining and connecting to NethServer shares. The only issue is NethServer doesn’t show up in the network on Win10/11, but connecting is no problem.

Remote clients (eg Home connections via VPN) will need to use your NethServer as DNS for AD to work.

Other entries are not needed…

My 2 cents
Andy

TIP: To handle AD directly, install the PHPLDAPAdmin from here:
https://wiki.nethserver.org/doku.php?id=modules

This can read out / modify almost any detail of AD. Also good to remove retired PCs from AD…

Hi

My windows client still cannot join my AD… every attempt fails with:

The query was for the SRV record for _ldap._tcp.dc._msdcs.h-s-m.grptest.co.uk
The following domain controllers were identified by the query:
nsdc-ip-1713262.h-s-m.grptest.co.uk
However no domain controllers could be contacted.

My current setup looks like this…

Server hostname: ip-172-31-70-43.ec2.internal Note: as built by EC2 provisioning
Server IP Address: 172.31.70.43

FQDN: grptest.co.uk
AD Name: h-s-m.grptest.co.uk
AD IP Address: 172.31.64.100

Neth DNS Entry 1: ip-172-31-70-43.ec2.internal to 172.31.70.43
Neth DNS Entry 2: nsdc-ip-1713262.h-s-m.grptest.co.uk to 172.31.70.43
Neth DNS Entry 3: ip-172-31-65-13.ec2.internal to 172.31.65.13

Windows Client Hostname: ip-172-31-65-13.ec2.internal
Windows Client IP Address: 172.31.65.13

I have SRV records setup - e.g.

SRV Record:

nslookup -q=srv _ldap._tcp.dc._msdcs.h-s-m.grptest.co.uk
Server: ip-172-31-70-43.ec2.internal
Address: 172.31.70.43

_ldap._tcp.dc._msdcs.h-s-m.grptest.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = nsdc-ip-1713262.h-s-m.grptest.co.uk
_msdcs.h-s-m.grptest.co.uk
primary name server = nsdc-ip-1713262.h-s-m.grptest.co.uk
responsible mail addr = hostmaster.h-s-m.grptest.co.uk
serial = 1
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

My Windows client can successfully ping my Nethserver as per the following:
i) nsdc-ip-1713262.h-s-m.grptest.co.uk returning 172.31.70.43
ii) ip-172-31-70-43.ec2.internal returning 172.31.70.43
iii) 172.31.70.43

It CANNOT ping 172.31.64.100 (AD IP Addr)

My Nethserver can successfully ping my Windows as per the following:
i) ip-172-31-65-13.ec2.internal returning 172.31.65.13
ii) 172.31.65.13

There are no firewalls between the Nethserver and the Windows client.

I’m at a complete loss as to why the Window Domain Join cannot find the Domain Controller? Any ideas please?
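The nslookup output above shows the SRV record is fine: it advertises nsdc-ip-1713262.h-s-m.grptest.co.uk on port 389, and that name resolves (to the host's own 172.31.70.43, per the manual DNS entry) while the separate AD address is not even pingable. The join wizard's "could not be contacted" is the result of a failed connection to that advertised host and port, so the useful check is to separate resolution from reachability. The following is an added example, not code from the thread or from NethServer; SAMPLE_NSLOOKUP is the `nslookup -q=srv` output transcribed from the post, and the probe is a plain TCP connect, which can be run from the Windows client with any Python install.

```python
"""Separate 'the DC name is advertised' from 'the DC can be contacted'.

Added example, not from the thread. SAMPLE_NSLOOKUP is the Windows
`nslookup -q=srv _ldap._tcp.dc._msdcs.<domain>` output transcribed from the
post. probe() does what the join wizard does implicitly: resolve the SRV
target, then open a TCP connection to the advertised port.
"""
import re
import socket

SAMPLE_NSLOOKUP = """\
_ldap._tcp.dc._msdcs.h-s-m.grptest.co.uk SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = nsdc-ip-1713262.h-s-m.grptest.co.uk
"""


def parse_srv(text):
    """Return [(priority, weight, port, target)] from Windows nslookup output,
    lowest priority first, which is the order a client tries them."""
    records, block = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        block[key] = value
        if key == "svr hostname":  # last field of one SRV answer
            records.append((int(block["priority"]), int(block["weight"]),
                            int(block["port"]), value.rstrip(".")))
            block = {}
    return sorted(records)


def probe(host, port, timeout=2.0):
    """Return (resolved_ip, reachable). resolved_ip is None when the target
    has no A record; reachable is False on refusal, timeout or unroutable."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        return None, False
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return ip, True
    except OSError:
        return ip, False


def check_domain(nslookup_text, resolver=probe):
    """Probe every DC the SRV answer advertises; resolver is injectable so the
    logic can be exercised without a real DC."""
    results = []
    for _prio, _weight, port, target in parse_srv(nslookup_text):
        ip, ok = resolver(target, port)
        results.append({"target": target, "port": port, "ip": ip, "reachable": ok})
    return results


def listen_locally():
    """Open a listener on 127.0.0.1 for a self-check; returns (socket, port)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    for r in check_domain(SAMPLE_NSLOOKUP):
        state = ("reachable" if r["reachable"]
                 else "no A record" if r["ip"] is None else "not reachable")
        print(f'{r["target"]}:{r["port"]} -> {r["ip"]} {state}')
```

A "not reachable" result against a resolved address is the same condition the wizard reports; if the address it resolves is the host's primary IP rather than the AD container's, the record is pointing the client at a port nothing is listening on.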

Hi @gray_em

The issue with NethServer AD is with a lot of providers offering VMs or some form of virtualization.
Most of these do NOT allow for “promiscuous” mode for networking.

Nethserver uses a form of Jail for the AD, also a sort of virtualization, the reason being RedHat does not distribute an AD capable Samba with RHEL7 / Centos7. So the jail contains a different samba which CAN do Samba-AD (This has to do with Heimdal Kerberos…). As such, NethServer creates a Bridge and allows the AD to use the Bridge with a different MAC address…

If you’re eg on VMWare, you need to activate the promiscuous mode on the NIC assigned to NethServer.
Proxmox provides this out of the box.

I’d say you’ve run into this issue, and I can’t really help with Amazon's AWS… They do use massive virtualization, but it may be possible, or ask them…

Good Luck!

My 2 cents
Andy

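The bridge-plus-own-MAC design Andy describes is exactly what an EC2 VPC refuses to serve: AWS does not support promiscuous mode, and the VPC only delivers frames whose destination MAC is the instance's ENI MAC and whose destination IP is one of the private IPs registered on that ENI. A container with its own MAC and an unregistered IP never sees the client's SYN, which matches the "cannot ping the AD IP" symptom. The following is an added example, not NethServer or AWS code: it encodes that delivery rule as a check over a constructed, abridged `aws ec2 describe-network-interfaces` record and a constructed list of (IP, MAC) pairs as the host would see them on its bridge. The ENI id and MACs are placeholders.

```python
"""Will the VPC deliver a packet to this IP/MAC pair at all?

Added example; not NethServer or AWS code. ENI is a constructed, abridged
copy of one entry from `aws ec2 describe-network-interfaces`; BRIDGE_ENDPOINTS
is a constructed list of (ip, mac) pairs as the host would show them. The AD
container's MAC is assumed, since the thread does not list it.
"""

ENI = {
    "NetworkInterfaceId": "eni-0000000000000000",   # placeholder id
    "MacAddress": "0a:11:22:33:44:55",              # placeholder ENI MAC
    "SourceDestCheck": True,
    "PrivateIpAddresses": [
        {"PrivateIpAddress": "172.31.70.43", "Primary": True},
    ],
}

BRIDGE_ENDPOINTS = [
    ("172.31.70.43", "0a:11:22:33:44:55"),   # the host itself, on the bridge
    ("172.31.64.100", "0a:66:77:88:99:aa"),  # AD container, own MAC (assumed)
]


def eni_ips(eni):
    """All private IPs the VPC will route to this ENI, primary and secondary."""
    return {e["PrivateIpAddress"] for e in eni["PrivateIpAddresses"]}


def undeliverable(eni, endpoints):
    """Return {ip: [reasons]} for endpoints the VPC will not deliver to.

    Two independent conditions must both hold for a frame to arrive:
    the destination IP is registered on the ENI, and the destination MAC
    is the ENI's MAC. Promiscuous mode on the guest changes neither."""
    problems = {}
    ips = eni_ips(eni)
    for ip, mac in endpoints:
        reasons = []
        if ip not in ips:
            reasons.append("IP is not registered on the ENI; assign it as a "
                           "secondary private IP")
        if mac.lower() != eni["MacAddress"].lower():
            reasons.append("MAC is not the ENI MAC; the VPC will not switch "
                           "frames to it, so the host must forward or NAT to "
                           "the container instead of bridging it")
        if reasons:
            problems[ip] = reasons
    return problems


def with_secondary_ip(eni, ip):
    """The ENI as it looks after
    `aws ec2 assign-private-ip-addresses --network-interface-id <id>
     --private-ip-addresses <ip>` (a real CLI command; the id is assumed)."""
    new = dict(eni)
    new["PrivateIpAddresses"] = eni["PrivateIpAddresses"] + [
        {"PrivateIpAddress": ip, "Primary": False}]
    return new


if __name__ == "__main__":
    for ip, reasons in undeliverable(ENI, BRIDGE_ENDPOINTS).items():
        for r in reasons:
            print(f"{ip}: {r}")
```

Registering the AD address as a secondary private IP removes only the first reason; the frames still arrive carrying the ENI's MAC, so the second reason stays until the host itself terminates or translates them rather than relying on the bridge to hand them to a foreign MAC.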

Hi Andy

I think you may well be correct. Even though I’ve switched promiscuous mode on for the [virtual] NIC on the Nethserver host I still cannot join the domain and a telnet to the AD IP on port 389 fails. I suspect that the AWS virtual network filters all packets destined for the AD IP long before they hit the Nethserver host NIC.

Shame… it looks a great product and I was looking forward to using it… I shall have to find another solution (even the dreaded Windows Server!).

Thanks for all your assistance.

Cheers!
Grahame