[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

mathias dufresne infractory at gmail.com
Wed Dec 2 13:35:51 UTC 2015

2015-12-02 13:24 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 02/12/15 11:59, mathias dufresne wrote:
>> Rowland,
>> What did you request as DNS? Samba + Bind + DLZ ?
>> If yes, the fact your two DNS are replying "I am SOA" is a feature from
>> Bind9 or from DLZ patch.
> Yes, I use bind9 with the dlz backend.
>> That's important as a standard Samba AD designed without Bind is using
>> defined entry for SOA. Asking to the five Samba DC I have here who's SOA,
>> they all replied the same server, the one declared in SOA LDAP entry.
>> Of course all DC are declared as NS in that zone.
> Not sure if this is a bind9 feature, does your SOA record have the NS
> records for all the DCs, if not, then the first DC will be the only
> Authoritative server.

For me, I can be wrong, SOA is referencing one and only one DNS server. You
can haev several NS and only one SOA. That's why I said several that I
think MS DC reply "I am SOA" and I don't wrote that I think MS DCreply "I
am one SOA".

In Samba AD there is a LDAP entry for SOA record. This entry references
only one server. I have several NS declared, one per DC as all my DC (Samba
standard DC, no bind-dlz) are hosting the two DNS zones.

Now about if the fact your Bind DNS servers are behaving like MS DNS, as my
Samba DNS are not behaving like MS DNS, I expect this behavior change comes
from the fact we are not using the same DNS servers.
As when DNS request are sent from clients to DNS servers Samba is not
involved (your client ask directly to your Bind9-dlz servers) I think the
difference in our DNS SOA replies comes from the fact our DNS softwares are

This can be easily tested from your side: you have a Bind9-dlz
infrastructure, use it to create a new fake zone, build that zone
identically as the one used by Samba, perhaps just renaming your AD zone,
then you will be able to ask your own Bind9-dlz DNS server about SOA for
that new zone. Then you'll see if your Bind reply "I am SOA" or if they
reply "this one is SOA".

More information about the samba mailing list