SRV Records

When attempting to join Macs to AD, the results are a little random. Sometimes it works, sometimes it doesn't. During the join process, I am always able to create a computer object, but am sometimes unable to set a password for it. Since the client attaches to domain servers at random, it could be a difference in config between them. Specifically, it could be that
  • Port 464 is not open on all firewalls
  • Not all server (SRV) records are in place

The error (on the client side) looks like this.


2009-11-19 08:02:21 EST - T[0x0000000101981000] - Active Directory: kadmEntry port is nil, will use default 464
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:       Password verify for gattis@OHIO.EDU succeeded - cache MEMORY:tVDot6R
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:          Secure BIND Session Success with server ad3.ohio.edu.:389 using cache MEMORY:tVDot6R user gattis@OHIO.EDU
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:    Looking for existing Record of oit-w87511euz64
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:      Doing DN search for account - oit-w87511euz64
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory: kadmEntry port is nil, will use default 464
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:          Secure BIND Session Success with server ad3.ohio.edu.:389 using cache MEMORY:tVDot6R user gattis@OHIO.EDU
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:    Attempting Add Record......
2009-11-19 08:02:22 EST - T[0x0000000101981000] - Active Directory:       Adding in OU = OU=Workstations,OU=OIT-SysOps,OU=OIT,OU=Ohio,DC=ohio,DC=edu
2009-11-19 08:02:23 EST - T[0x0000000101981000] - Active Directory:    Added record CN=oit-w87511euz64,OU=Workstations,OU=OIT-SysOps,OU=OIT,OU=Ohio,DC=ohio,DC=edu
2009-11-19 08:02:23 EST - T[0x0000000101981000] - Active Directory:    Setting Computer Password......
2009-11-19 08:02:40 EST - T[0x0000000101981000] - Active Directory:    Setting Computer Password FAILED Deleted Record......
2009-11-19 08:02:40 EST - T[0x0000000101981000] - Active Directory: Computer password change date is 2009-11-18 12:36:24 -0500
2009-11-19 08:02:40 EST - T[0x0000000101981000] - Active Directory: Scheduled computer password change every 1209600 seconds - starting 2009-11-19 08:02:40 -0500
2009-11-19 08:02:40 EST - T[0x0000000101981000] - Active Directory: Closing All Connections



Researching the error message on the web, I found this:

Ok, we have FINALLY resolved this issue. The problem in our case is that our DNS SRV records were not set up correctly. We needed to explicitly include all three DCs for each of the 6 SRVs. Once we published each of the three DCs in the SRV record, binding works without a problem. If anyone else is experiencing similar issues and needs help, feel free to contact me.

I looked up what should be there:


http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

_kerberos._tcp.DnsDomainName

Enables a client to locate a server that is running the Kerberos KDC service for the domain that is named in DnsDomainName. The server is not necessarily a domain controller. All Windows Server 2003–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.



Here is what I get when I try to resolve our Kerberos servers:

dhcp-062-091:~ ohio$ nslookup _kerberos._tcp.ohio.edu
Server: 132.235.64.1
Address: 132.235.64.1#53

Non-authoritative answer:
*** Can't find _kerberos._tcp.ohio.edu: No answer


dhcp-062-091:~ ohio$ nslookup _kpasswd._tcp.ohio.edu
Server: 132.235.64.1
Address: 132.235.64.1#53

Non-authoritative answer:
*** Can't find _kpasswd._tcp.ohio.edu: No answer
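Note that nslookup asks for A records unless given -type=SRV, so a "No answer" like the ones above does not by itself prove the SRV record is missing. The script below is an added example (not from the original post): it queries the standard SRV names with dig, warns when a DC published in one record is missing from another, and probes TCP 464 on every target; the SRV list and the use of dig and nc are assumptions, and the domain is passed on the command line.

```shell
# Added diagnostic (not from the original post). For each SRV name an AD bind
# relies on, list the published targets, warn about DCs that appear in some
# records but not others, and test whether kpasswd (TCP 464) answers.
# Assumptions: SRV_NAMES is the standard domain-wide set; dig and nc exist.
SRV_NAMES="_kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _ldap._tcp _gc._tcp"
# parse_srv: turn `dig +short SRV` lines ("prio weight port target.") into
# sorted "target port" lines with the trailing dot removed.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }' | sort
}
# hosts_only: keep just the target column, de-duplicated, for set comparison.
hosts_only() {
    awk 'NF { print $1 }' | sort -u
}
# missing_hosts: print each host in $1 that is absent from $2 (both are
# newline-separated lists); empty output means the record is complete.
missing_hosts() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } |
        awk '$0 == "--" { second = 1; next } !second { seen[$0] = 1; next } !seen[$0] && NF'
}
# check_kpasswd: succeed only if a TCP connection to port 464 opens within 3s.
check_kpasswd() {
    nc -z -w 3 "$1" 464 >/dev/null 2>&1
}
main() {
    domain="$1"; all=""
    # Pass 1: collect the union of every DC named in any SRV record.
    for name in $SRV_NAMES; do
        found="$(dig +short SRV "$name.$domain" | parse_srv | hosts_only)"
        [ -n "$found" ] || echo "WARN no SRV record published for $name.$domain"
        all="$(printf '%s\n%s\n' "$all" "$found" | hosts_only)"
    done
    # Pass 2: a DC present in the union but absent from a record is the
    # inconsistency the forum post above describes.
    for name in $SRV_NAMES; do
        found="$(dig +short SRV "$name.$domain" | parse_srv | hosts_only)"
        for h in $(missing_hosts "$all" "$found"); do
            echo "WARN $h is a DC in other records but missing from $name.$domain"
        done
    done
    # Pass 3: the password-set step needs kpasswd on whichever DC was chosen.
    for h in $all; do
        if check_kpasswd "$h"; then echo "OK   $h:464 reachable"
        else echo "FAIL $h:464 unreachable; setting the computer password via this DC will fail"; fi
    done
}
# Run only when a domain is given, e.g.: sh srvcheck.sh example.com
if [ -n "$1" ]; then main "$1"; fi
```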
