0002767: Endian Firewall 2.3 Failed to join domain when connecting to Active Directory (NTLM) Server 2008 - MantisBT
View Issue Details
ID: 0002767
Project: Endian Firewall
Category: Installation
View Status: public
Date Submitted: 2010-03-12 12:55
Last Update: 2010-11-22 12:08
Reporter: bertusfloor
Assigned To: simon-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.3
Fixed in Version: 2.4.1
Summary: 0002767: Endian Firewall 2.3 Failed to join domain when connecting to Active Directory (NTLM) Server 2008
Description:
I have tried connecting to Active Directory on a client Endian Firewall 2.3 and also at our office on a fresh install of Endian Firewall 2.3. We have never been able to connect.

Tried various things; this is how it is now:

Proxy\http\authentication - selected windows active directory (ntlm)
then authentication realm = wit.local, under domainname = wit.local, PDC = SBS2008, PDC ip = 10.0.0.2,

Clicked Join, entered admin username + password, then I get the error: Failed to join domain.
Added host and hostname under network\edit hosts\add a host
Made sure the timeserver is matching domain time
No tags attached.
Attached Files
- Authentication.jpg (159,125 bytes), 2010-03-14 12:58: https://bugs.endian.com/file_download.php?file_id=364&type=bug
- AD Join.jpg (141,731 bytes), 2010-03-14 12:58: https://bugs.endian.com/file_download.php?file_id=365&type=bug
- Group policy setting.jpg (195,718 bytes), 2010-03-14 13:00: https://bugs.endian.com/file_download.php?file_id=366&type=bug
- dns.jpg (45,773 bytes), 2010-03-15 07:45: https://bugs.endian.com/file_download.php?file_id=368&type=bug
- Working DNS.jpg (144,280 bytes), 2010-03-15 16:42: https://bugs.endian.com/file_download.php?file_id=369&type=bug
- Custom DNS.jpg (153,292 bytes), 2010-03-15 21:56: https://bugs.endian.com/file_download.php?file_id=370&type=bug
- running-services.jpg (149,005 bytes), 2010-03-16 07:42: https://bugs.endian.com/file_download.php?file_id=371&type=bug
- My services.jpg (158,312 bytes), 2010-03-16 08:33: https://bugs.endian.com/file_download.php?file_id=372&type=bug
- fix.jpg (76,867 bytes), 2010-03-16 09:31: https://bugs.endian.com/file_download.php?file_id=373&type=bug
Issue History
2010-03-12 12:55 | bertusfloor | New Issue
2010-03-12 14:43 | ra-endian | Assigned To => simon-endian
2010-03-12 14:43 | ra-endian | Status: new => acknowledged
2010-03-12 17:22 | baldy | Note Added: 0004028
2010-03-12 17:26 | baldy | Note Edited: 0004028
2010-03-14 12:58 | baldy | File Added: Authentication.jpg
2010-03-14 12:58 | baldy | File Added: AD Join.jpg
2010-03-14 13:00 | baldy | File Added: Group policy setting.jpg
2010-03-14 13:01 | baldy | Note Added: 0004030
2010-03-15 07:43 | bertusfloor | Note Added: 0004031
2010-03-15 07:45 | bertusfloor | File Added: dns.jpg
2010-03-15 16:42 | baldy | File Added: Working DNS.jpg
2010-03-15 16:44 | baldy | Note Added: 0004034
2010-03-15 21:56 | baldy | Note Added: 0004035
2010-03-15 21:56 | baldy | File Added: Custom DNS.jpg
2010-03-16 07:16 | bertusfloor | Note Added: 0004036
2010-03-16 07:42 | bertusfloor | File Added: running-services.jpg
2010-03-16 07:42 | bertusfloor | Note Added: 0004037
2010-03-16 08:33 | baldy | File Added: My services.jpg
2010-03-16 08:43 | baldy | Note Added: 0004038
2010-03-16 09:31 | bertusfloor | File Added: fix.jpg
2010-03-16 09:33 | bertusfloor | Note Added: 0004040
2010-03-16 09:37 | simon-endian | Note Added: 0004041
2010-03-16 09:51 | bertusfloor | Note Added: 0004042
2010-03-16 09:52 | bertusfloor | Status: acknowledged => resolved
2010-03-16 09:52 | bertusfloor | Resolution: open => fixed
2010-11-22 12:08 | peter-endian | Fixed in Version => 2.4.1
2010-11-22 12:08 | peter-endian | Status: resolved => closed

Notes
(0004028) baldy, 2010-03-12 17:22 (edited on: 2010-03-12 17:26)
Hi Bertus,

I have been able to successfully join Endian 2.3 to my SBS2008 server domain.

On your SBS server please check your Default Domain Policy.
Expand Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options.
Scroll down to Network Security: LAN Manager authentication level. Change it from Not Defined to Send LM & NTLM - use NTLMv2 session security if negotiated.

NTLM is disabled by default on 2008.

Also when joining the domain use only an account name without domain information. E.g. administrator and not domain.local\administrator, domain\administrator or administrator@domain.local.

Regards,

Klaas-Jan

(0004030) baldy, 2010-03-14 13:01
Added screen prints for clarification.

Regards,

Klaas-Jan

(0004031) bertusfloor, 2010-03-15 07:43
Hi Klaas-Jan,

Thank you very much for the information and the screenshots. I have configured my firewall exactly the same and changed the setting in the default domain policy. I have also restarted the server.

I still cannot connect to AD but now get a different error: Failed to join domain: failed to find DC for domain WIT.LOCAL

I have added the DC under network\dns as per attached file.

Do you have any ideas?

Regards,
Bertus

(0004034) baldy, 2010-03-15 16:44
Bertus,

Might be the all capitals in both server and domainname.

Regards,

Klaas-Jan

(0004035) baldy, 2010-03-15 21:56
Bertus,

You can also add a custom nameserver for your domain on the Endian.

That way, for your internal domain name you can point it to the SBS box.

I have added a screen print from where this has to be done.

It is also mentioned in the Endian KB: http://kb.endian.com/entry/49/

Regards,

Klaas-Jan

(0004036) bertusfloor, 2010-03-16 07:16
Thank you for your help, Klaas-Jan.

I changed all the names to lower-case and added a custom nameserver on the Endian Firewall. I have also synced the time. Both AD and the Endian Firewall have the exact same time and time zone.

I also ran through the network wizard and added our SBS 2008 server's IP address as DNS 1. I also pointed the IP address of our SBS 2008 server to its name under Network > Edit Hosts.

I am still getting this error: Failed to join domain: "failed to find DC for domain WIT.LOCAL"

(0004037) bertusfloor, 2010-03-16 07:42
I attached a screenprint of running services - is this right?

(0004038) baldy, 2010-03-16 08:43
Bertus,

I have added a screenprint of my services; the only, imho significant, difference is the DNS proxy.

DNS proxy is running on all Endian 2.3 installations I have done so far.

Those installations also have smtp proxy enabled, not sure whether those 2 are related.

I will try to setup a clean 2.3 system with no options enabled and check if that one can join the domain.

Btw, your error still says WIT.LOCAL (uppercase).

Regards,

Klaas-Jan

(0004040) bertusfloor, 2010-03-16 09:33
It's working!

I looked at the DNS proxy you suggested, and changed the server name to the IP as per the fix.jpg attached and could connect straight away.

Thanks Klaas-Jan!

(0004041) simon-endian, 2010-03-16 09:37
hi,

with 2.3 it is not required to make a dns proxy and host entry.

some questions for clarification:
- did you enable the http proxy before trying to join the domain? (toggle button at proxy > http > configuration)
- did you save & apply the settings at proxy > http > authentication, before trying to join (this is currently required)
- did you use the same value for authentication realm and domain name? in your case you should use WIT.LOCAL (uppercase at authentication realm and lowercase at domain name)
- what did you use for PDC and BDC hostname? this should be the computername of the windows server (there is a bug related to BDC hostname. so you should leave it empty)

Regards,
Simon

(0004042) bertusfloor, 2010-03-16 09:51
I did not enable the http proxy before joining the domain, only afterwards to troubleshoot.
I always saved the settings, restarted and made sure the settings applied before trying again.
Yes, I did use the same value for the authentication realm and domain name (first upper case and then later lower-case for both). -> I reverted back to my old settings and tested this. It did not work.
I left BDC empty and for PDC I entered the server name.

It connects as soon as I add the IP address instead of the host name under Proxy > DNS > DNS Routing.
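The "failed to find DC for domain WIT.LOCAL" error in the notes above comes from the DC-discovery step that precedes the join itself: Active Directory clients (Windows, and Samba in ADS mode) look up the SRV record _ldap._tcp.dc._msdcs.<realm>, which every domain controller registers in the domain's DNS zone. A resolver that forwards that query to a public DNS server instead of the SBS box answers NXDOMAIN for a private zone such as wit.local, which is what a DNS routing entry pointing the zone at the DC's IP address fixes. The script below is an added example, not code from Endian or from this thread: it sends that SRV query with the Python standard library only, decodes the answer, and embeds two constructed replies (a DC answer and an NXDOMAIN) so it can be exercised offline. The realm, host name and addresses are placeholders taken from the thread, and it is an assumption that Endian 2.3's own join path performs precisely this lookup.

```python
"""Check whether a resolver can hand out an AD domain controller for a realm.

Added example, not code from Endian or MantisBT. AD clients locate a DC with
a DNS SRV query for _ldap._tcp.dc._msdcs.<realm>; if the firewall's resolver
forwards that query to a public server instead of the DC, the answer is
NXDOMAIN and the join stops before any credentials are sent.
"""
import random
import socket
import struct

QTYPE_SRV = 33
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def dc_srv_name(realm: str) -> str:
    # DNS is case-insensitive; normalise so WIT.LOCAL and wit.local query the same name
    return "_ldap._tcp.dc._msdcs." + realm.strip(".").lower()


def encode_name(name: str) -> bytes:
    # Wire format: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg: bytes, txid: int):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    rcode, off, records = flags & 0x0F, 12, []
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return rcode, records


def find_dcs(realm: str, resolver: str, port: int = 53, timeout: float = 3.0):
    """Ask `resolver` for the DC SRV record of `realm` over UDP."""
    txid = random.randrange(0x10000)
    query = build_query(dc_srv_name(realm), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, port))
        reply, _ = sock.recvfrom(4096)
    return parse_srv_response(reply, txid)


def sample_reply(txid: int, found: bool) -> bytes:
    """Constructed replies for offline use: what the DC answers (found=True)
    versus the NXDOMAIN a public forwarder returns for a private zone."""
    question = encode_name("_ldap._tcp.dc._msdcs.wit.local") + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    if not found:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    # Offset of the "wit.local" suffix inside the question, reused as a compression pointer
    suffix_off = 12 + sum(1 + len(l) for l in "_ldap._tcp.dc._msdcs".split("."))
    target = bytes([7]) + b"sbs2008" + struct.pack("!H", 0xC000 | suffix_off)
    rdata = struct.pack("!HHH", 0, 100, 389) + target
    answer = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    import sys
    realm = sys.argv[1] if len(sys.argv) > 1 else "wit.local"  # placeholder realm from the thread
    resolver = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"  # assumed address of the DNS proxy
    rcode, dcs = find_dcs(realm, resolver)
    if rcode == RCODE_NXDOMAIN or not dcs:
        print(f"no DC SRV record for {realm} via {resolver}: route the zone to the DC's IP")
    for prio, weight, port, target in dcs:
        print(f"DC {target}:{port} (priority {prio}, weight {weight})")
```

Run it once against the firewall's own DNS proxy (assumed here to listen on 127.0.0.1) and once against the DC's address (10.0.0.2 in the thread); if the first query returns no SRV record while the second does, the proxy is forwarding the internal zone to the wrong place, which is the situation the DNS routing entry corrects. The constructed replies reuse a compression pointer for the zone suffix, so the parser is exercised on the same name compression a real DC answer carries.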