On January 11, 2010 11:55:08 AM -0800 Jordan Brown <[email protected]>
wrote:
Frank Cusack wrote:
I do notice that in the XYZ.COM/Computers container that the machine
account has a "DNS name" field of "fs1.XYZ.COM" instead of
"fs1.loc.XYZ.COM". The hostname of the machine itself is fully
qualified and is the full name fs1.loc.XYZ.COM. It doesn't matter
if I join the domain with
smbadm join -u frank.cusack loc.XYZ.COM
or
smbadm join -u frank.cusack XYZ.COM
Both cases yield the same result, with the machine account having
the incorrect DNS name field. That field is not editable in
the Windows GUI.
I believe that could indeed cause the kind of problems you're seeing.
Could you describe your actual domain topology? Feel free to anonymize,
but retain the domain-subdomain structure. In particular, I need to know
where this Solaris system is, where the Active Directory domain
controller is, and how the Active Directory domain relates to the two of
them. "klist -k" as root would also be useful.
The topology is quite simple. There is a single domain controller,
in a single domain in a single forest. The domain is XYZ.COM but the
hostname of the domain controller is dc1.loc.XYZ.COM. I do notice
now that the computers (desktops) in the domain all are missing the
.loc part of the hostname. These are all client PCs, all obtain IPs
via DHCP and no hostname is assigned. So they must pick a name that
is just PC-NAME.DOMAIN.NAME.
klist -k does indeed show all the keys as being fs1.XYZ.COM without
the .loc part.
I did change the hostname of the Solaris server to remove the .loc part
and even rebooted, and still no worky.
One other thing, fs1 in DNS resolves to fs1.loc.XYZ.COM. I can see how
that is a problem.
Crap. What is the recommended practice here? I will have a second AD
site but did not want a second domain. Should I just change the domain
name to be LOC.XYZ.COM, as unappealing as that is? I'd much rather do
that than expose my internal names or have to do a split DNS. The reason
I chose XYZ.COM as the domain name is I don't want machines at my
other site (loc2) to have a hostname in loc.xyz.com, but I do want
them to be in the same domain (I don't want more than 1 domain in
the forest). I've chosen site names that match the ".loc" part of the
fqdn; is there a way to convince Windows to assign names which include
the site as part of the name? I haven't defined subnets to go along
with sites, should that help? Should I just create AD subdomains that
match the dns subdomains?
I do have to note again, that when I join the domain with samba, using
the net command, the fqdn does get populated correctly, and inspection
of the secrets.tdb file seems to show a keytab with the correct fqdn.
I believe there are issues when the DC is not itself a member of the
domain. I know there are such issues with kclient, see 6899608.
I didn't know the DC had to be a member of the domain, or even could be.
How do I do that?
-frank
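Added example, not part of the thread: a small POSIX shell check for the mismatch Frank describes, where every principal in the keytab carries fs1.XYZ.COM while the host's real FQDN is fs1.loc.XYZ.COM. It parses a constructed `klist -k` listing (the sample principals below are made up in the MIT/Solaris keytab format; the only name taken from the thread is fs1.XYZ.COM) and reports each service principal whose host part does not match the FQDN you expect. On a live system you would pipe the real `klist -k` into `keytab_mismatches`; the assumption that `hostname` returns the fully qualified name holds only if the host was configured that way, as Frank's was.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenSolaris): check that the
# host part of each service principal in a keytab matches the host's real FQDN.

# Constructed sample of `klist -k` output in MIT/Solaris format. Invented for
# this example; the fs1.XYZ.COM host name mirrors what the thread reports.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fs1.XYZ.COM@XYZ.COM
   3 cifs/fs1.XYZ.COM@XYZ.COM
   3 FS1$@XYZ.COM'

# keytab_mismatches EXPECTED_FQDN  (reads a klist -k listing on stdin)
# Prints every service principal of the form svc/host@REALM whose host part
# differs, case-insensitively, from EXPECTED_FQDN. Prints nothing if all match.
# Account principals without a "/" (e.g. FS1$@XYZ.COM) carry no host name and
# are skipped.
keytab_mismatches() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$expected" '
        # Keytab rows start with a numeric KVNO; only svc/host@REALM rows matter.
        $1 ~ /^[0-9]+$/ && $2 ~ /\/.*@/ {
            split($2, parts, "[/@]")   # parts[1]=svc parts[2]=host parts[3]=REALM
            host = tolower(parts[2])
            if (host != want) print $2
        }'
}

# count_keytab_mismatches EXPECTED_FQDN
# Runs the check over the constructed sample and returns the number of
# principals whose host part does not match EXPECTED_FQDN.
count_keytab_mismatches() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_mismatches "$1" | wc -l | tr -d ' '
}

# Usage against the constructed sample: the FQDN from the thread's DNS
# (fs1.loc.XYZ.COM) does not match the two service principals, so both are
# printed; the name the keytab was built with (fs1.XYZ.COM) matches cleanly.
printf '%s\n' "$SAMPLE_KLIST" | keytab_mismatches fs1.loc.XYZ.COM
printf '%s\n' "$SAMPLE_KLIST" | keytab_mismatches fs1.XYZ.COM

# On a real Solaris host (assumes hostname is configured fully qualified):
#   klist -k | keytab_mismatches "$(hostname)"
```

Any principal the check prints is one the KDC will issue tickets for under a name that differs from what clients resolve for the host, which is exactly the situation where SMB/Kerberos authentication to the server fails even though the join itself succeeded. Running the same check after a re-join (with `net ads join` from Samba, as Frank notes, or after fixing the machine account's DNS name) should print nothing.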
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss