[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland Penny rowlandpenny241155 at gmail.com
Wed Dec 2 10:57:59 UTC 2015


On 02/12/15 10:31, mj wrote:
>> I can find on the internet multiple instances of 'every DC running dns
>> should have a SOA record', but I cannot find any concrete examples of an
>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>> is there just one SOA record and the DC just claims to be the SOA, or is
>> there just one SOA record with an NS record for each DC. Samba would
>> seem to be the latter, but I am struggling with adding the NS record for
>> a new DC during the join, I think what happens is that the NS record
>> does get added, but is wiped out when replication kicks in. It is very
>> easy to add the NS record after the join with samba-tool.
>>
>> Rowland
>>
> Hi,
>
> I remember vaguely that someone once told me that MS DCs always 
> announce themselves as the soa if asked. If they always reply that, 
> perhaps there is no need for it to actually be in the database (so it 
> would perhaps not show up in an ldif)
>
> MJ
>

This is what I think happens, and if this is the case, then samba itself 
will have to do this. But I have added an NS record for the 2nd DC to 
the SOA record with samba-tool, and if I use nslookup I get this:

nslookup
 > set querytype=soa
 > samdom.example.com
Server:        192.168.0.5
Address:    192.168.0.5#53

samdom.example.com
     origin = dc1.samdom.example.com
     mail addr = hostmaster.samdom.example.com
     serial = 101
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600

If I then exit from nslookup and swap the nameservers in 
/etc/resolv.conf and rerun nslookup, I get this:

nslookup
 > set querytype=soa
 > samdom.example.com
Server:        192.168.0.6
Address:    192.168.0.6#53

samdom.example.com
     origin = dc2.samdom.example.com
     mail addr = hostmaster.samdom.example.com
     serial = 101
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600

Which, to me, says that both DCs are authoritative for the domain. If 
this is correct, I just need to find a way of adding the NS record 
during the join.

Rowland
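As an added example (not from the thread and not Samba's own code), the Python below parses SOA answers in the format nslookup printed above and checks the two things inferred from them: each DC names itself as the SOA origin, and all DCs report the same serial. The addresses and host names are the ones shown in the thread; the two captures embedded here and the mapping of server address to DC name are constructed from that output.

```python
import re
from dataclasses import dataclass

# Constructed sample captures, one per DC queried, modelled on the two
# nslookup sessions in the thread.
SAMPLE_RESPONSES = {
    "192.168.0.5": """\
Server:        192.168.0.5
Address:    192.168.0.5#53

samdom.example.com
     origin = dc1.samdom.example.com
     mail addr = hostmaster.samdom.example.com
     serial = 101
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600
""",
    "192.168.0.6": """\
Server:        192.168.0.6
Address:    192.168.0.6#53

samdom.example.com
     origin = dc2.samdom.example.com
     mail addr = hostmaster.samdom.example.com
     serial = 101
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600
""",
}

# Assumed mapping of DNS server address to DC FQDN, read off the origin
# fields above.
DC_HOSTS = {
    "192.168.0.5": "dc1.samdom.example.com",
    "192.168.0.6": "dc2.samdom.example.com",
}

SOA_FIELDS = ("origin", "mail addr", "serial", "refresh", "retry", "expire", "minimum")
_FIELD_RE = re.compile(
    r"^\s*(origin|mail addr|serial|refresh|retry|expire|minimum)\s*=\s*(\S+)\s*$"
)


@dataclass
class SoaRecord:
    zone: str
    origin: str
    mail_addr: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_nslookup_soa(text: str) -> SoaRecord:
    """Parse the SOA block nslookup prints after its Server/Address header."""
    fields = {}
    zone = None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        stripped = line.strip()
        # The bare zone name is the first line that is neither blank, a
        # header, nor an echoed '>' prompt.
        if stripped and zone is None and not stripped.startswith(("Server:", "Address:", ">")):
            zone = stripped
    missing = [f for f in SOA_FIELDS if f not in fields]
    if zone is None or missing:
        raise ValueError(f"incomplete SOA answer, missing: {missing or ['zone']}")
    return SoaRecord(
        zone=zone.rstrip("."),
        origin=fields["origin"].rstrip("."),
        mail_addr=fields["mail addr"].rstrip("."),
        serial=int(fields["serial"]),
        refresh=int(fields["refresh"]),
        retry=int(fields["retry"]),
        expire=int(fields["expire"]),
        minimum=int(fields["minimum"]),
    )


def check_dc_soa(responses: dict, dc_hosts: dict) -> dict:
    """Cross-check each DC's SOA answer: does it name itself as origin, and
    do all DCs agree on the serial? A serial that differs between DCs is the
    first hint that DNS replication between them is lagging."""
    records = {ip: parse_nslookup_soa(text) for ip, text in responses.items()}
    return {
        "self_origin": {ip: rec.origin == dc_hosts[ip].rstrip(".") for ip, rec in records.items()},
        "serials": {ip: rec.serial for ip, rec in records.items()},
        "serials_agree": len({rec.serial for rec in records.values()}) == 1,
    }
```

Run it with `check_dc_soa(SAMPLE_RESPONSES, DC_HOSTS)`; on the thread's two captures every DC names itself as origin and the serials agree. Feeding it a capture where one DC reports a different serial flags `serials_agree` as False, which is the case worth alerting on after a join.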


