Synology DS ignores second AD DC server.

Unread post by ascheucher » Wed May 02, 2018 12:13 pm

Scenario:
Two disk stations DS1817 and DS413j both on DSM 6.1.6-15266 Update 1
Two Samba 4 Active Directory Domain Controller DC01 and DC02.

The two DS have joined the domain and are working as expected. Domain users can log in and read, write... I know replication between the two domain controllers works. A user created in one of them shows up in the other immediately.

When DC01 is shut down, DC02 should work as a fallback, but the disk stations are losing the connection to the domains. Users can't log in anymore.

Is this by design, or should DSM be able to use the fallback AD DC?

Thanks for your response.

Unread post by Shadow771 » Thu May 03, 2018 10:49 am

Is DC02 missing FSMO roles?
Synology DS216+II <--> Synology RT1900AC <--> <site-to-site VPN tunnel> <--> Synology RT1900AC <--> Synology DS118

Unread post by ascheucher » Mon May 07, 2018 4:55 pm

Hi Shadow771,
thanks for your reply!
Sorry to say, I am a real rookie in this area. I checked the roles with: samba-tool fsmo show
I got the same seven roles as the response on both nodes. Hence, I guess this is fine.

Unread post by Shadow771 » Sat May 12, 2018 12:03 pm

Then maybe it's a DNS problem.

On a domain-joined Windows machine I would run this command to see if both DCs show up in the list. Do they in your case?

Code:

nltest /dclist:yourdomainname

Unread post by ascheucher » Mon May 14, 2018 12:39 pm

Shadow771, thanks for your further input!

I tried to test this:

Code:

nltest /dclist:aaa.bbbb.cc
Get list of DCs in domain 'aaa.bbbb.cc' from '\\dc01.aaa.bbbb.cc'.
Cannot call DsGetDomainControllerInfoW to aaa.bbbb.cc (\\dc01.aaa.bbbb.cc).Status = 50 0x32 ERROR_NOT_SUPPORTED

Seems Samba 4 does not support this. But if I omit the domain name, I get the following:

Code:

nltest /dclist:
Get list of DCs in domain '' from '\\dc01.aaa.bbbb.cc'.
Cannot call DsGetDomainControllerInfoW to  (\\dc01.aaa.bbbb.cc).Status = 50 0x32 ERROR_NOT_SUPPORTED
List of DCs in Domain
    \\DC01 (PDC)
The command completed successfully

Here only DC01 is listed.

I was looking for an alternative to "dclist"; some Google-fu led me to this page: https://wiki.samba.org/index.php/Active_Directory_Sites

On dc01 I did a DNS update: samba_dnsupdate --verbose, which gave me a long list of entries and the final message "No DNS update needed". Also, the DNS lookups for ldap and kerberos look fine:

Code:

asw002:~ andi$ host -t SRV _ldap._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc.
_ldap._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 389 dc01.aaa.bbbb.cc.
_ldap._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 389 dc02.aaa.bbbb.cc.
asw002:~ andi$ host -t SRV _kerberos._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc.
_kerberos._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 88 dc01.aaa.bbbb.cc.
_kerberos._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 88 dc02.aaa.bbbb.cc.
asw002:~ andi$

What could be interesting: the logon server is \\DC02:

Code:

echo %LogonServer%
\\DC02

But the request for the DC delivers \\DC01:

Code:

nltest /dsgetdc:aaa.bbbb.cc
           DC: \\dc01.aaa.bbbb.cc
      Address: \\10.0.0.25
     Dom Guid: d4ee72f7-86a6-490c-a03e-d327f89469a5
     Dom Name: aaa.bbbb.cc
  Forest Name: aaa.bbbb.cc
 Dc Site Name: Maiffredygasse-Site
Our Site Name: Maiffredygasse-Site
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET
The command completed successfully

Do you have any other suggestion? Greets, Andreas
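
The SRV check from the post above, as an added example that is not part of the original thread: a shell helper that reads `host -t SRV` output and reports which expected DCs have no record for a given service. The function names and the sample output (the post's records with the dc02 Kerberos line left out to show a failure) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample: `host -t SRV`
# output in the format shown in the post, with the dc02 Kerberos record
# deliberately left out so the check has something to report.
sample_srv_output() {
cat <<'EOF'
_ldap._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 389 dc01.aaa.bbbb.cc.
_ldap._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 389 dc02.aaa.bbbb.cc.
_kerberos._tcp.Maiffredygasse-Site._sites.dc._msdcs.aaa.bbbb.cc has SRV record 0 100 88 dc01.aaa.bbbb.cc.
EOF
}

# srv_targets SERVICE
# Reads `host -t SRV` output on stdin and prints the target host of every
# SRV record whose owner name starts with SERVICE (for example _ldap._tcp).
srv_targets() {
    awk -v svc="$1" '
        $2 == "has" && $3 == "SRV" && $4 == "record" && index($1, svc ".") == 1 {
            t = tolower($NF)      # last field is the SRV target
            sub(/\.$/, "", t)     # drop the trailing root dot
            print t
        }' | sort -u
}

# missing_dcs SERVICE DC...
# Reads `host -t SRV` output on stdin and prints each expected DC that has
# no SRV record for SERVICE. Empty output means every DC is advertised.
missing_dcs() {
    svc=$1; shift
    found=$(srv_targets "$svc")
    for dc in "$@"; do
        printf '%s\n' "$found" | grep -qixF "$dc" || printf '%s\n' "$dc"
    done
}

# Demo on the constructed sample. Against live DNS, pipe the output of
# `host -t SRV <record name>` into missing_dcs instead.
for service in _ldap._tcp _kerberos._tcp; do
    sample_srv_output | missing_dcs "$service" dc01.aaa.bbbb.cc dc02.aaa.bbbb.cc |
        sed "s/^/$service missing: /"
done
```
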

Unread post by Shadow771 » Tue May 15, 2018 7:53 pm

ascheucher wrote:
Mon May 14, 2018 12:39 pm
Seems Samba 4 does not support this. But if I omit the domain name, I get the following:

Code:

nltest /dclist:
Get list of DCs in domain '' from '\\dc01.aaa.bbbb.cc'.
Cannot call DsGetDomainControllerInfoW to  (\\dc01.aaa.bbbb.cc).Status = 50 0x32 ERROR_NOT_SUPPORTED
List of DCs in Domain
    \\DC01 (PDC)
The command completed successfully

Here only DC01 is listed.

And there is the problem. DC02 should also be in that list, but for some reason it is not. I mentioned a possible DNS problem because I thought maybe there are some SRV records missing. But you already verified that's not the case. At the moment I'm not sure where to look next.

When it comes to Active Directory I'm more advanced with Windows servers than Synology servers unfortunately. So I'll join the rookie club. :(

Unread post by dognose » Mon Jun 11, 2018 2:50 pm

What Windows version are your DCs?

Unread post by ascheucher » Mon Jun 11, 2018 3:23 pm

Hi dognose,

it's not a Windows DC, it's Ubuntu 16.04 LTS with Samba 4...
