OD Master, PDC, Tiger 10.4.11, XP clients unable to locate domain controller
December 12, 2007 at 2:28 am #370776
fhmiv (Participant)
After a migration/upgrade from 10.3.9 to 10.4.11 Server, Windows XP clients are intermittently unable to log in to, or even bind to, the PDC running on that server.
I did a clean format and install from the 10.4 media, choosing the standalone server type, and applied all the Software Updates, I got forward and reverse DNS working for my zone, then I followed the instructions at https://www.afp548.com/article.php?story=20050615173039158 to move my OD from a working 10.3.9 server to 10.4.
This server goes against the usual recommendations, as it provides DNS, OD master, PDC and file services to 32 clients all in the same subnet, 20 running Windows XP SP2 and 12 running OS X Client 10.4.x or 10.5.x.
File services and various other users of the OD/LDAP, for example Wildfire Jabber/XMPP server and Apache2/LDAP running on a separate Linux server, are able to authenticate against the new 10.4.11 OD.
However, at this point the symptoms became intermittent: approx. 40% of the Windows XP clients were unable to log in with various domain accounts, yielding errors of the form “Unable to find domain FOO”. If I remove a client from the domain by joining it to WORKGROUP and rebooting, then try to join FOO again, I’ll get an error, “Unable to locate Domain Controller for FOO…”
The set-up:
My server’s FQDN is myserver.foo.example.com
The server’s DNS is authoritative for the 10.10.10.0/24, foo.example.com zone and I have the trailing dots in the right places, so ping myserver.foo.example.com, ping myserver, and ping 10.10.10.10 (server’s example IP from the foo.example.com zone) all work correctly.
The DHCP server for this VLAN is providing my DNS server to the clients, but is providing no NetBIOS server. The XP clients are all set to use the DHCP server setting, which, according to the TCP/IP Advanced Settings panel, means that they’ll revert to NetBIOS over TCP/IP since no WINS server is specified.
In Server Admin->Windows->General:
Role: Primary Domain Controller (PDC)
Description: FOO Domain at example.com
Computer Name: myserver
Domain: FOO
Server Admin->Windows->Access:
Allow Guest Access: Check
Client Connections: Unlimited
Authentication: NTLMv2 & Kerberos, NTLM, and LAN Manager: All check
Logging->Log Detail: High
Advanced->Code Page: Latin US
Services: Workgroup Master browser and Domain master browser: check
WINS Registration: Off
Homes: Enable virtual share points: check
Should my Windows service on 10.4.11 be providing WINS or not? If so, should the DHCP server be set to point the clients to it? If not, how do the XP clients reliably resolve the FOO domain?
Why did all these XP clients work fine with a 10.3.9 Windows PDC but don’t work with 10.4.11?
Another strange point: I can use the XP-side ‘net view’ command to poke around and things look reasonable, i.e. even the clients that aren’t joined to the domain and can’t locate the domain controller will return sane results for ‘net view /domain:FOO’.
December 12, 2007 at 11:03 pm #370790
mosx86 (Participant)
Just throwing two ideas out there…
1. If you have a workgroup that is named the same as the domain on the same network it will result in behavior very close to what you’re describing…
2. If your new PDC is using the same domain name as the previous one, your clients may be expecting to see the previous SID.
December 13, 2007 at 12:11 am #370791
mosx86 (Participant)
Quote by: mosx86
> Just throwing two ideas out there…
> 1. If you have a workgroup that is named the same as the domain on the same network it will result in behavior very close to what you’re describing…
> 2. If your new PDC is using the same domain name as the previous one, your clients may be expecting to see the previous SID.
This may be helpful as well: (while this is regarding 10.4=>10.5, the process should be the same from 10.3=>10.4).
http://lists.apple.com/archives/macos-x-server/2007/Nov/msg00607.html
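The SID mismatch in mosx86’s second idea can be checked before any client is re-joined. The shell snippet below is an added example, not code from this thread, from Apple or from the Samba project: it extracts the domain SID from the output of Samba’s `net getlocalsid` on the old and the new PDC and reports whether they agree. The two output lines are constructed samples modelled on that command’s output format, and the hostname in the comment is hypothetical.

```shell
#!/bin/sh
# Added example: compare the domain SID reported by Samba's `net getlocalsid`
# on the old and the new PDC. On real systems the two strings would come from
# the command itself, e.g.
#   OLD_OUT=$(ssh old-pdc net getlocalsid)   # hypothetical hostname
#   NEW_OUT=$(net getlocalsid)

# Pull the S-1-5-21-... domain SID out of one `net getlocalsid` output line.
# Prints nothing when no SID is present.
extract_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\).*/\1/p'
}

# Returns 0 when both outputs carry the same domain SID, 1 otherwise
# (including the case where a SID could not be found at all).
sid_matches() {
    old=$(extract_sid "$1")
    new=$(extract_sid "$2")
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Constructed sample outputs, following the "SID for domain X is: S-..." format.
OLD_OUT='SID for domain MYSERVER is: S-1-5-21-1111111111-2222222222-3333333333'
NEW_OUT='SID for domain MYSERVER is: S-1-5-21-4444444444-5555555555-6666666666'

if sid_matches "$OLD_OUT" "$NEW_OUT"; then
    echo "domain SID unchanged; existing workstation accounts stay valid"
else
    echo "domain SID differs: old=$(extract_sid "$OLD_OUT") new=$(extract_sid "$NEW_OUT")"
    echo "either carry the old SID over with 'net setlocalsid <old SID>' before clients join,"
    echo "or remove every workstation from the domain and re-join it"
fi
```

A differing SID means the machine accounts the XP clients hold are for a domain that no longer exists from their point of view, which is exactly the “can’t find domain” symptom; either the SID is carried over or every client is re-joined.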
December 14, 2007 at 4:42 pm #370807
fhmiv (Participant)
I appreciate the reply.
1) I don’t have any workgroups with the same name as the domain, but I agree, if I did, that I would experience problems with that set-up.
2) The new PDC does use the same domain name as the old PDC, and I agree with you that the SID mismatch is to blame. After I’d performed the upgrade and gotten the windows boxes all confused, I saw the advice on using samba’s net command to duplicate the old PDC’s SID to the new PDC. Maybe someday I’ll have the opportunity to try that.
I resorted to removing all the XP clients from the domain and re-joining them. The XP clients were still only able to contact the domain intermittently. I used various command-line tools on the XP side, including the built-in net command as well as some others I downloaded such as the quite useful http://www.joeware.net/freetools/tools/findpdc/index.htm, as well as the client-side error messages during the domain join attempts and the messages in the Event log, to determine that the clients couldn’t find the domain.
The XP client TCP/IP settings state that the clients will revert to using netbios if no WINS server is specified, but that clearly wasn’t working reliably, so I just enabled the WINS server on the PDC, told the DHCP server to hand out its address for the netbios-related options for that subnet, rebooted the PDC, waited a while for things to settle out, and now all the clients can reliably find the PDC.
I still have no idea why the WINS-less set-up worked in 10.3 server but didn’t work in 10.4 server, but believe me, I’ll remember it now!
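The fix fhmiv describes has two halves: turning WINS on in the PDC’s Windows service, and telling DHCP to hand the PDC’s address out as the NetBIOS name server. The snippet below is an added example, not from this thread and not fhmiv’s configuration: it shows the DHCP half as two constructed ISC dhcpd 3.x subnet declarations for the 10.10.10.0/24 subnet from the thread, the first without NetBIOS options (the original set-up) and the second pointing clients at WINS on 10.10.10.10, plus a small check that confirms the options are present before dhcpd is restarted. The address range and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: constructed dhcpd.conf subnet declarations and a check for
# the NetBIOS options that tell XP clients where WINS lives.

# Original set-up: DNS is handed out, no WINS server is offered.
BEFORE='subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.100 10.10.10.200;
    option domain-name "foo.example.com";
    option domain-name-servers 10.10.10.10;
}'

# Fixed set-up: the PDC (10.10.10.10, now also running WINS) is handed out as
# the NetBIOS name server, and node type 8 (h-node) makes clients query WINS
# first and only broadcast if that fails.
AFTER='subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.100 10.10.10.200;
    option domain-name "foo.example.com";
    option domain-name-servers 10.10.10.10;
    option netbios-name-servers 10.10.10.10;
    option netbios-node-type 8;
}'

# Returns 0 when the config names a WINS server and sets h-node,
# 1 when either option is missing.
check_wins_options() {
    printf '%s\n' "$1" | grep -q 'option netbios-name-servers[[:space:]]' || return 1
    printf '%s\n' "$1" | grep -q 'option netbios-node-type[[:space:]]*8;' || return 1
    return 0
}

# Print what a client on this subnet will do for NetBIOS name resolution.
report() {
    if check_wins_options "$2"; then
        echo "$1: NetBIOS options present, clients will ask WINS at the PDC first"
    else
        echo "$1: no NetBIOS options, XP clients fall back to broadcast name resolution"
    fi
}

report BEFORE "$BEFORE"
report AFTER "$AFTER"
```

Without the two netbios options an XP client with no WINS server configured is a b-node and locates the domain by broadcast only, which is what fhmiv saw working unreliably; with them it becomes an h-node and asks the PDC directly.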
December 14, 2007 at 4:43 pm #370808
fhmiv (Participant)
A follow-up question: should I be using WINS or should I add SRV entries for the PDC to my DNS?
I’m running Bind-9.2.2 and dhcp-3.0pl2 on an old Linux system. Can the 10.4 included Samba publish the SRV entries dynamically to the DNS or would I need to put them in by hand?
January 4, 2008 at 8:33 pm #370965
mosx86 (Participant)
Quote by: fhmiv
> A follow-up question: should I be using WINS or should I add SRV entries for the PDC to my DNS?
> I’m running Bind-9.2.2 and dhcp-3.0pl2 on an old Linux system. Can the 10.4 included Samba publish the SRV entries dynamically to the DNS or would I need to put them in by hand?
I’m not sure. We’ve set our PDC to register with our DNS server that is serving WINS.