[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 10 14:15:09 UTC 2015


On 10/12/15 14:00, Ole Traupe wrote:
>
>
> On 10.12.2015 at 14:38, Rowland penny wrote:
>> On 10/12/15 13:25, Ole Traupe wrote:
>>> Is it possible that the kdc server is always the SOA, at least if
>>> derived from DNS and not specified *explicitly* in the krb5.conf?
>>>
>>> In my DNS-Manager console I find that
>>>
>>> _tcp.dc._msdcs.bpn.tu-berlin.de
>>>
>>> contains only 1 "_kerberos" record, and that one points to my First_DC.
>>>
>>> Ole
>>>
>>>
>>>
>>
>> Your problem doesn't seem to be a dns problem, you should have two 
>> 'kerberos' records and no matter how good your dns is, it cannot 
>> obtain something that isn't there :-)
>
> That's basically what I just wrote...
>
>>
>> See Louis's earlier post for how to attempt to fix this, but before 
>> you do anything, restart samba on the second DC and then check the 
>> logs, samba_dnsupdate should add the records you are missing.
>>
>> Rowland
>>
>>
>
> However, my 2nd DC is not that new, I restarted it many times, just 
> again (samba service). No DNS records are created anywhere.
>
> If I go through the DNS console, in each and every container there is 
> some entry for the 1st DC, but none for the 2nd (except on the top 
> levels: FQDN and _msdcs.FQDN).
>
> Could this have to do with...
> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS 
> entries via this script on the wiki?
> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with 
> the same IP address)?
>
>
>

Possibly, but can you try this on your second DC: run
'samba_dnsupdate --verbose'

Rowland
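
The check discussed in this thread (does every DC appear as a target of the "_kerberos" SRV record under _tcp.dc._msdcs?) can be scripted as below. This is an added example, not part of the original message or of Samba; the hostnames dc1/dc2 and the sample answer are constructed, and the input is assumed to be in `dig +short SRV` format ("priority weight port target.").

```shell
#!/bin/sh
# Added example: list expected DCs that are NOT targets of an SRV record set.
# SRV answer lines are read from stdin in `dig +short SRV <name>` format:
#   "priority weight port target."

# missing_dcs "<dc1 dc2 ...>"
# Prints every expected DC hostname that is absent from the SRV targets.
# Returns 1 if at least one DC is missing, 0 otherwise.
missing_dcs() {
    expected=$1
    # Field 4 is the target; lowercase it and strip the trailing dot.
    targets=$(awk 'NF >= 4 { t = tolower($4); sub(/\.$/, "", t); print t }')
    rc=0
    for dc in $expected; do
        dc_lc=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$targets" | grep -qxF "$dc_lc"; then
            printf '%s\n' "$dc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample answer matching the situation in the thread:
# only the first DC is registered for Kerberos (port 88).
sample_answer() {
    printf '%s\n' '0 100 88 dc1.bpn.tu-berlin.de.'
}

# Hypothetical DC hostnames; replace with the real ones.
DCS="dc1.bpn.tu-berlin.de dc2.bpn.tu-berlin.de"

# Offline demonstration on the constructed sample.
echo "DCs without a _kerberos SRV record (sample data):"
sample_answer | missing_dcs "$DCS" || true

# Live use on a DC (needs dig and a reachable DNS server):
#   dig +short SRV _kerberos._tcp.dc._msdcs.bpn.tu-berlin.de | missing_dcs "$DCS"
```

Running the live form before and after 'samba_dnsupdate --verbose' shows whether the missing record was actually added.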


