[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Dec 10 14:00:20 UTC 2015

On 10.12.2015 at 14:38, Rowland penny wrote:
> On 10/12/15 13:25, Ole Traupe wrote:
>> Is it possible that kdc server is always the SOA, at least if 
>> derived from DNS and not specified *explicitly* in the krb5.conf?
>> In my DNS-Manager console I find that
>> _tcp.dc._msdcs.bpn.tu-berlin.de
>> contains only 1 "_kerberos" record, and that one points to my First_DC.
>> Ole
> Your problem doesn't seem to be a dns problem, you should have two 
> 'kerberos' records and no matter how good your dns is, it cannot 
> obtain something that isn't there :-)

That's basically what I just wrote...

> See Louis's earlier post for how to attempt to fix this, but before 
> you do anything, restart samba on the second DC and then check the 
> logs, samba_dnsupdate should add the records you are missing.
> Rowland

However, my 2nd DC is not that new, I restarted it many times, just 
again (samba service). No DNS records are created anywhere.

If I go through the DNS console, in each and every container there is 
some entry for the 1st DC, but none for the 2nd (except on the top 
levels: FQDN and _msdcs.FQDN).

Could this have to do with...
a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS 
entries via this script on the wiki?
b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with the 
same IP address)?
