[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Thu Dec 10 14:04:37 UTC 2015


OK, I'm using the RSAT tools, so here is how to get more info and fix this.

Start Active Directory Sites and Services.
Click on Sites, Default-First-Site-Name - Server.
You should see your second DC also; if not, you can add it manually.
I don't know the samba-tool commands for this one.

In the DNS admin:
Go to _msdcs.YOURDOMAIN.
Look at the aliases.
These are the names you need in Active Directory Sites and Services.
You should also see 2 (!) aliases; if you are seeing one, this must be fixed first.

And ! VERY IMPORTANT !!
Under the _msdcs.DOMAINS..
In pdc _tcp there should be ONLY THE PRIMARY DC !

Walk through the _msdcs for what you're missing.
I guess all the second DC entries.

Have a look also in zone YOURDOMAIN and look in the _XXX.
Here you should also have 1 entry per DC.

Louis




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Thursday 10 December 2015 14:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> On 10/12/15 13:40, Ole Traupe wrote:
> >
> >> You have problems, if you have two DCs, you should get something like
> >> this:
> >>
> >> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
> >> _ldap._tcp.samdom.example.com has SRV record 0 100 389
> >> dc2.samdom.example.com.
> >> _ldap._tcp.samdom.example.com has SRV record 0 100 389
> >> dc1.samdom.example.com.
> >> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
> >> _kerberos._udp.samdom.example.com has SRV record 0 100 88
> >> dc1.samdom.example.com.
> >> _kerberos._udp.samdom.example.com has SRV record 0 100 88
> >> dc2.samdom.example.com.
> >>
> >> Rowland
> >
> > Definitely, good! :)
> >
> > However, I have been there, done that:
> > https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
> >
> > This page says nothing about ldap or kerberos... why?!
> >
> > Ole
> >
> >
> >
> 
> Probably because either nobody has noticed the problem or the problem
> hasn't been reported before.
> 
> Rowland
> 
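
The checks described in this thread (one SRV entry per DC, and only the primary DC in the pdc record), as an added shell example that is not part of the original e-mails: it parses `host -t SRV` output and reports missing or unexpected DCs. The sample output is constructed, treating dc1 as the primary DC is an assumption, and `_ldap._tcp.pdc._msdcs` is the standard AD name of the pdc record mentioned above.

```shell
#!/bin/sh
# Added example; sample data is constructed, dc1 as primary DC is an assumption.

# Print the unique, lower-cased SRV targets found in `host -t SRV` output on stdin.
srv_targets() {
    awk '/has SRV record/ { t = tolower($NF); sub(/\.$/, "", t); print t }' | sort -u
}

# check_srv NAME MODE DC...  (reads `host -t SRV NAME` output on stdin; DCs in lower case)
#   MODE all : every listed DC must have an entry
#   MODE only: as above, and no other host may have one (the pdc record)
check_srv() {
    name=$1; mode=$2; shift 2
    found=$(srv_targets); rc=0
    for dc in "$@"; do
        printf '%s\n' "$found" | grep -qxF "$dc" || { echo "MISSING $name -> $dc"; rc=1; }
    done
    if [ "$mode" = only ]; then
        for t in $found; do
            case " $* " in
                *" $t "*) ;;
                *) echo "EXTRA   $name -> $t"; rc=1 ;;
            esac
        done
    fi
    [ "$rc" -eq 0 ] && echo "OK      $name"
    return "$rc"
}

# Constructed `host -t SRV` output: a record set with both DCs, and one with dc1 only.
sample_both() {
    cat <<'EOF'
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
EOF
}
sample_one() {
    cat <<'EOF'
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
EOF
}

DC1=dc1.samdom.example.com   # assumed primary DC
DC2=dc2.samdom.example.com
sample_both | check_srv _ldap._tcp all "$DC1" "$DC2" || true
sample_one  | check_srv _kerberos._udp all "$DC1" "$DC2" || true
sample_both | check_srv _ldap._tcp.pdc._msdcs only "$DC1" || true
# Live use: host -t SRV _ldap._tcp.samdom.example.com | check_srv _ldap._tcp all "$DC1" "$DC2"
```
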