Topic: question about Zentyal replication and AD authentication

zippydan

question about Zentyal replication and AD authentication
« on: September 13, 2014, 02:50:11 am »
Here is my setup

Network1 is connected to Network2 by a VPN

Network1 has ZenServ1 and Network2 has ZenServ2

Important Edit: Both ZenServ1 and ZenServ2 are running Zentyal 3.5

ZenServ1 is the Primary Domain Controller, and I setup ZenServ2 to connect over the VPN as an Additional Domain Controller

On initial connection, I saw all the same users and groups and everything was great.

I also have two Synology boxes, we can call them NAS1 and NAS2, also located at Network1 and Network2 respectively.

NAS1 has already authenticated with ZenServ1 and can also see all the Domain users and groups: great.

NAS2 is new at Network2, so, after reading that Zentyal should do two-way replication, I created a new Domain Admin user for NAS2 on ZenServ2.  I then tried connecting NAS2 to the domain using ZenServ2's info as the Domain controller.  I was unsuccessful.

I then noticed that when browsing ZenServ1's Users and Groups, NAS2 did not appear in the list even though it was in the list on ZenServ2.

Question 1: How long does it take for a newly created user on an Additional Domain Controller to replicate to the Primary Domain Controller?
Question 1b: How long does it take for a newly created user on the Primary Domain Controller to replicate to Additional Domain Controllers?
Question 2: Is there a way to force replication of all servers?
Question 3: Does the lack of replication to the Primary Domain Controller explain why my NAS2 could not authenticate with ZenServ2?  It actually doesn't make sense that that would cause a problem since NAS2 DID in fact exist in the local list of Users and Groups.

Continuing: I decided to try a different approach.  I deleted NAS2 from ZenServ2 and created it again directly on ZenServ1 (the Primary Domain Controller).  I then directed NAS2 to connect to the domain, over the VPN, by using ZenServ1.  This time, everything worked great.  However, on an additional note, NAS2 has yet to show up as a user on ZenServ2.

Question 4: Why does NAS2 authenticate successfully with ZenServ1 but not ZenServ2?
Question 5: How can I get my NAS2 to authenticate to ZenServ2 which is on the same LAN, rather than to ZenServ1 which is on the sometimes-less-reliable VPN?  It seems silly to have an Additional Domain Controller if I can't use it to authenticate locally.
« Last Edit: September 13, 2014, 04:12:12 pm by zippydan »

zippydan

Re: question about Zentyal replication and AD authentication
« Reply #1 on: September 13, 2014, 04:21:20 pm »
Update:

The next day, it looks like the information from ZenServ1 has replicated to ZenServ2.  Meaning, after defining NAS2 on ZenServ1 yesterday, it now appears as a user on ZenServ2.

HOWEVER, when I try to authenticate NAS2 with ZenServ2, it is STILL failing.  Clearly this must be related to the original issue I had where creating the NAS2 user first on ZenServ2 did not allow me to authenticate with ZenServ2 either.  What is going on with ZenServ2's failure to authenticate?

zippydan

Re: question about Zentyal replication and AD authentication
« Reply #2 on: September 13, 2014, 10:02:55 pm »
Update 2:  NAS2 is now successfully connected to ZenServ2.  I made several changes at once, so I'm not sure which one fixed the problem.  I will go over them one by one in the hopes that it might help someone in the future:

1. My realm is something like local.domainname.com.  I actually own domainname.com on the interwebs, and I had forgotten that for that host's DNS records I had defined local.domainname.com with another IP (an A Record).  I'm not sure if that would make any difference as I was telling NAS2 to use ZenServ2 as its DNS server, and I would assume that ZenServ2's DNS would override any external DNS.  Anyway, I deleted the A Record on my internet name server.

2. On both ZenServ1 and ZenServ2 I defined the OTHER Domain Controller under the webadmin -> DNS -> Domains.  That includes adding the IP of the OTHER server, adding the Hostname of the OTHER server (and then the IP again), and finally adding the OTHER server again under Name Servers.  I can't find the page on the Internet anymore, but I did this because I remember following a guide for setting up two Zentyal Servers as PDC and ADC back in the 3.0 days and it instructed me to do this.  Once again, I'm not sure if this is necessary, pointless, or harmful in 3.5.

3. On my Gateway Servers, which we can call Gate1 and Gate2 for Network1 and Network2 respectively, and which were formerly my primary DNS servers as well, I made sure to define local.domainname.com as the IP for ZenServ1 (on Gate1) and ZenServ2 (on Gate2).  Again, I'm not sure why this would make a difference since I was telling NAS2 to use ZenServ2 as its DNS server; however, Gate2 had been its DNS server before.

4. I also rebooted NAS2 after making all changes.  Even after rebooting, it still wouldn't work (a new error now: it told me "Windows Domain cannot be found").  I had to load the Directory Service tab, then change to another tab, and then go back to the Directory Service tab again before it worked.  I actually just finished making a change to both ZenServ1 and ZenServ2 and it looks like NAS2 lost its connection to the domain.  I actually had to reboot it and then change tabs SEVERAL TIMES before it finally connected (same error about "Windows domain cannot be found").  Honestly, at this point I'm not sure if the changing of tabs was doing anything, or if I just had to wait a certain amount of time for "something"...
« Last Edit: September 13, 2014, 11:08:31 pm by zippydan »

zippydan

Re: question about Zentyal replication and AD authentication
« Reply #3 on: September 16, 2014, 11:55:31 pm »
I'm going to have to reopen this.  Sometimes my NAS2 will authenticate with my ZenServ2, and sometimes it won't.

I've been having some trouble with my VPN connection this day as well, so that will interrupt the communication between ZenServ2 and ZenServ1.  I'm wondering, can NAS2 not authenticate with ZenServ2 if ZenServ2 can't reach ZenServ1?  That seems retarded, since I always assumed that the purpose of an ADC was to be like a local cache of users for exactly those situations when remote connections are disrupted.

Another thing I have noticed: it doesn't seem like changes made to ZenServ2 are replicating to ZenServ1.  Only the other way around.  Is that how Zentyal is supposed to behave?  The documentation indicates that it is two-way replication.

jbahillo (Zentyal Staff)
Re: question about Zentyal replication and AD authentication
« Reply #4 on: September 17, 2014, 01:18:24 pm »
ADCs are not BDCs. Actually they work in a round robin fashion (so if you have a DC down, there is a chance that some user logins are rejected).

zippydan

Re: question about Zentyal replication and AD authentication
« Reply #5 on: September 17, 2014, 03:55:28 pm »
I think I need more clarification on this.  The computers and NAS2 on Network2 are only pointing to ZenServ2 as their domain name server.  ZenServ2 has itself listed first in the list of Domain controllers; would they not try to authorize with ZenServ2 first?

jbahillo (Zentyal Staff)
Re: question about Zentyal replication and AD authentication
« Reply #6 on: September 20, 2014, 06:36:43 pm »
Not really. It will check the DNS records for the domain name, and the DNS server will answer with every DC IP, ordered in RR.
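As an added illustration of that last reply (this is example code, not from the thread or from Zentyal): a small simulation of how a domain member chooses a DC from the `_ldap._tcp.dc._msdcs` SRV records the DNS server hands back, which is why a client on Network2 can just as easily land on the DC across the VPN. Host names and TTLs in the sample answer are constructed.

```python
"""Simulate how a domain member picks a DC from the _ldap._tcp.dc._msdcs SRV
records, choosing by priority and weight as RFC 2782 describes."""
import random
from collections import Counter

# Constructed sample (hypothetical names, TTLs): what a query such as
#   dig SRV _ldap._tcp.dc._msdcs.local.domainname.com
# could return from a DNS server that knows two DCs with equal priority/weight.
SAMPLE_SRV = """\
_ldap._tcp.dc._msdcs.local.domainname.com. 900 IN SRV 0 100 389 zenserv1.local.domainname.com.
_ldap._tcp.dc._msdcs.local.domainname.com. 900 IN SRV 0 100 389 zenserv2.local.domainname.com.
"""

def parse_srv(text):
    """Turn dig-style SRV answer lines into dicts; non-SRV lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "SRV":
            continue
        records.append({"priority": int(parts[4]), "weight": int(parts[5]),
                        "port": int(parts[6]), "target": parts[7].rstrip(".")})
    return records

def select_target(records, rng=random):
    """Lowest priority number wins; ties are broken by a weighted random draw,
    so two DCs with equal weight are each picked about half the time.
    (Simplified: zero-weight records only get a chance when all weights are 0.)"""
    if not records:
        return None
    lowest = min(r["priority"] for r in records)
    pool = [r for r in records if r["priority"] == lowest]
    total = sum(r["weight"] for r in pool)
    if total == 0:
        return rng.choice(pool)["target"]
    draw = rng.randrange(total)
    for r in pool:
        draw -= r["weight"]
        if draw < 0:
            return r["target"]

def selection_counts(records, trials=1000, seed=1):
    """Repeat the client's choice and count which DC it landed on."""
    rng = random.Random(seed)
    return Counter(select_target(records, rng) for _ in range(trials))

if __name__ == "__main__":
    print(selection_counts(parse_srv(SAMPLE_SRV)))
```

With both DCs advertised at the same priority and weight, the counts come out roughly even, so pointing a client's DNS at the local DC does not by itself make that DC the one it authenticates against.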