[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
James
lingpanda101 at gmail.com
Fri Nov 27 14:30:04 UTC 2015
On 11/27/2015 9:16 AM, Rowland Penny wrote:
> On 27/11/15 13:23, James wrote:
>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>
>>>>> Then you re-run your test with only DC2 up and running.
>>>>> Note that DNS may need time to be updated if you are using other DNS
>>>>> servers between clients and AD DCs.
>>>> The SOA RR identifies a primary DNS name server for the zone as the
>>>> best source of information for the data within that zone and as an
>>>> entity processing the updates for the zone.
>>>>
>>>> The NS resource record is used to notate which DNS servers are
>>>> designated as authoritative for the zone. Listing a server in the
>>>> NS RR, it becomes known to others as an authoritative server for
>>>> the zone. This means that any server specified in the NS RR is to
>>>> be considered an authoritative source by others, and is able to
>>>> answer with certainty any queries made for names included in the zone.
>>>>
>>>> Much of the above was taken almost verbatim from online Microsoft
>>>> tech documents. I don't believe that DCs create NS records by
>>>> default.
>>>
>>> You mean Samba DCs or DCs in general?
>>>
>>> I am not sure I understand the above. Do you suggest creating
>>> another NS record for the Second_DC, or not?
>>>
>>> In the resolv.conf on my member servers both DCs are listed as DNS
>>> servers. I like to think that the member servers eventually ask the
>>> second DNS server, if the first won't respond. This seems to be
>>> reflected by ping taking more than 5 s for the first packet to arrive.
>>>
>>> BUT what does the second DNS server (Second_DC) reply? Which logon
>>> server does it announce?
>>>
>>>
>> DNS can be very confusing. You do not need to create an NS record for
>> your second DC if the zone is directory integrated. By default the DC
>> is authoritative for that zone.
>>
>
> Probably with windows it is, but not with Samba AD, you only get one
> NS and one SOA. The only authoritative Samba AD DC is the first one,
> when you join a second DC, it runs the same code that created the SOA
> during the first DC's provision and because the SOA already exists, it
> fails.
>
> Rowland
>
>
Yikes! Are you saying DCs with directory integrated zones are not
authoritative for them? That means an NS record needs to be created
manually for each DC added.
--
-James
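The claim in this thread is that a joined Samba DC advertises itself via SRV records but never gets an NS record in the zone. The script below is an added example (not from the thread or the Samba project) that checks exactly that: it compares the NS set of the zone against the DCs listed under _ldap._tcp.dc._msdcs. The zone name example.lan and hosts dc1/dc2 are constructed, as is the embedded dig-style output used so it runs offline; the commented live command uses dig against the real zone.

```sh
#!/bin/sh
# Constructed sample answers (hypothetical zone "example.lan"), in the
# presentation format that `dig +noall +answer` prints. Only dc1 has an
# NS record, but both DCs register as domain controllers via SRV.
NS_ANSWER='example.lan. 3600 IN NS dc1.example.lan.'
SRV_ANSWER='_ldap._tcp.dc._msdcs.example.lan. 900 IN SRV 0 100 389 dc1.example.lan.
_ldap._tcp.dc._msdcs.example.lan. 900 IN SRV 0 100 389 dc2.example.lan.'

# dcs_missing_ns NS_TEXT SRV_TEXT
# Prints one hostname per line for every DC that appears in the
# _ldap._tcp.dc._msdcs SRV set but not in the zone's NS set.
# NS answer columns:  name ttl IN NS target            -> target is $5
# SRV answer columns: name ttl IN SRV pri wgt port tgt -> target is $8
dcs_missing_ns() {
    ns_hosts=$(printf '%s\n' "$1" | awk '$4 == "NS" { print $5 }' | sort -u)
    srv_hosts=$(printf '%s\n' "$2" | awk '$4 == "SRV" { print $8 }' | sort -u)
    for host in $srv_hosts; do
        # -F: fixed string, -x: whole line, -q: no output, just the status
        printf '%s\n' "$ns_hosts" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Offline run against the constructed data: reports dc2.example.lan.
echo "DCs without an NS record:"
dcs_missing_ns "$NS_ANSWER" "$SRV_ANSWER"

# Live form (assumes dig is installed and ZONE is your AD DNS domain):
#   ZONE=example.lan
#   dcs_missing_ns "$(dig +noall +answer NS "$ZONE")" \
#                  "$(dig +noall +answer SRV "_ldap._tcp.dc._msdcs.$ZONE")"
```

An empty result means every advertised DC is also listed as an NS for the zone; any hostname printed is a DC that resolvers relying on NS delegation will never be referred to.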