[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Dec 17 15:13:56 UTC 2015


Can *anyone* report that he/she has a fail-safe domain in the sense that 
the first DC (FSMO role holder) can be offline and login still works on 
Windows clients AND Linux member servers?

Samba 4.2.5 (from source)
Internal DNS

Ole


On 17.12.2015 at 15:56, Ole Traupe wrote:
>
>
> On 17.12.2015 at 15:33, Rowland penny wrote:
>> On 17/12/15 13:54, Ole Traupe wrote:
>>> Rowland, thank you, but before we do that:
>>>
>>> - what now with the 'gc' record? 2nd DC yes or no?
>>
>> Which one ? I have these:
>>
>> dn: 
>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: 
>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: 
>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: 
>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> They all contain two dnsrecords, one from each DC
>>
>>> - if you say that the internal DNS is not compatible with a multi-DC 
>>> setting, then we can stop here, no?
>>>
>>
>> Please stop putting words in my mouth :-)
>>
>> All I said was that you will only get one NS record if you use the 
>> internal DNS server, 
>
> Ok. And do you *need* both?
>
>
>> everything else seems to work though, although I haven't tried 
>> turning the first DC off yet.
>
> Why? I mean, could you perhaps? Please?
>
>>
>> Rowland
>>
>>> Ole
>>>
>>>
>>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>>
>>>>> I somehow doubt that. Still it seems that no one here has an idea 
>>>>> of why log-on from member servers isn't working properly (for me). 
>>>>> However, in the meantime I have created all the necessary DNS 
>>>>> records. This can't be the issue anymore.
>>>>>
>>>>>
>>>>
>>>> If you are sure that you now have all the dns records for both DCs 
>>>> in AD, then I would agree that this is probably not the issue 
>>>> (there is just the 0.1% chance you are still missing something)
>>>>
>>>> Can your domain members find the DCs ?
>>>> Do your domain members have a FQDN ?
>>>> Are they joined to the domain ?
>>>> What have you got in smb.conf on the domain members ?
>>>>
>>>> You may have posted all or some of this before, but let's start again.
>>>>
>>>> Rowland
>>>>
>>>
>>>
>>
>>
>
>
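The check Rowland is asking for ("all the dns records for both DCs in AD") can be scripted. The following is an added example, not code from the thread or from the Samba project: it builds the list of DC-locator record names and verifies that every one of them lists every DC, reporting any DC that is missing from a record. The five `_gc`/`gc._msdcs` names are taken from the DN list quoted above; the `_ldap._tcp`, `_kerberos._tcp` and `dc._msdcs` names are the standard AD locator records every DC also registers and are an assumption of this example, not something the thread lists. The resolver is pluggable; the in-memory zone, the DC names and the 192.0.2.x addresses are constructed so the script runs offline.

```python
"""Verify that every AD DC-locator DNS record lists every domain controller.

Added example, not part of the Samba mailing-list thread. Record names beyond
the gc/_msdcs ones quoted in the thread are assumed standard AD names.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample domain with two DCs (names and addresses are made up).
DOMAIN = "samdom.example.com"
SITE = "Default-First-Site-Name"
DCS = {"dc1.samdom.example.com": "192.0.2.11",
       "dc2.samdom.example.com": "192.0.2.12"}

# A resolver takes (name, record type) and returns the answer targets
# (SRV target hostnames or A addresses). It raises LookupError on NXDOMAIN.
Resolver = Callable[[str, str], List[str]]


def expected_records(domain: str, site: str) -> Dict[str, str]:
    """Map each DC-locator record name to its record type.

    The first five names are the ones listed in the thread; the rest are the
    standard AD locator records (assumed here, not taken from the thread)."""
    return {
        f"_gc._tcp.{domain}": "SRV",
        f"_gc._tcp.{site}._sites.{domain}": "SRV",
        f"_ldap._tcp.gc._msdcs.{domain}": "SRV",
        f"_ldap._tcp.{site}._sites.gc._msdcs.{domain}": "SRV",
        f"gc._msdcs.{domain}": "A",
        f"_ldap._tcp.{domain}": "SRV",
        f"_kerberos._tcp.{domain}": "SRV",
        f"_ldap._tcp.dc._msdcs.{domain}": "SRV",
        f"_kerberos._tcp.dc._msdcs.{domain}": "SRV",
    }


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so DNS answers compare cleanly."""
    return name.lower().rstrip(".")


def check_records(domain: str, site: str, dcs: Dict[str, str],
                  resolver: Resolver) -> Dict[str, List[str]]:
    """Return {record name: [DCs missing from it]}; empty dict means all good.

    SRV records must name every DC host; the gc._msdcs A record must carry
    every DC address. A record that does not exist at all counts as missing
    every DC, which is exactly the failure that breaks logon once the other
    DC goes offline."""
    missing: Dict[str, List[str]] = {}
    for name, rtype in expected_records(domain, site).items():
        try:
            answers = {normalise(a) for a in resolver(name, rtype)}
        except LookupError:          # NXDOMAIN / no such record
            answers = set()
        if rtype == "SRV":
            wanted = {normalise(host): host for host in dcs}
        else:
            wanted = {ip: ip for ip in dcs.values()}
        gone = sorted(label for key, label in wanted.items() if key not in answers)
        if gone:
            missing[name] = gone
    return missing


def make_fake_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Constructed stand-in for real DNS: answers from an in-memory zone."""
    def resolve(name: str, rtype: str) -> List[str]:
        try:
            return zone[(normalise(name), rtype)]
        except KeyError:
            raise LookupError(f"no {rtype} record for {name}")
    return resolve


def build_fake_zone(domain: str, site: str, dcs: Dict[str, str],
                    drop=()) -> Dict[Tuple[str, str], List[str]]:
    """Constructed zone in which every record lists every DC, except for the
    (record name, DC host) pairs in `drop`, which simulate a DC that never
    registered some of its records."""
    zone: Dict[Tuple[str, str], List[str]] = {}
    for name, rtype in expected_records(domain, site).items():
        entries = []
        for host, ip in dcs.items():
            if (name, host) in drop:
                continue
            entries.append(host + "." if rtype == "SRV" else ip)
        zone[(normalise(name), rtype)] = entries
    return zone


def run_demo() -> Dict[str, List[str]]:
    """Scenario: dc2 is absent from its site-specific GC record and from the
    gc._msdcs A record; everything else is complete."""
    drop = {(f"_gc._tcp.{SITE}._sites.{DOMAIN}", "dc2.samdom.example.com"),
            (f"gc._msdcs.{DOMAIN}", "dc2.samdom.example.com")}
    zone = build_fake_zone(DOMAIN, SITE, DCS, drop)
    return check_records(DOMAIN, SITE, DCS, make_fake_resolver(zone))


if __name__ == "__main__":
    report = run_demo()
    if not report:
        print("OK: every locator record lists all DCs")
    for record, absent in report.items():
        print(f"MISSING in {record}: {', '.join(absent)}")
```

To run it against a live domain, replace the fake resolver with a function that queries the DCs' DNS, for example one built on dnspython's `dns.resolver.resolve(name, "SRV")` returning `[r.target.to_text() for r in answer]` (and the `address` attribute for A answers); that adaptor is assumed and not shown here. Querying each DC in turn, rather than whichever server `/etc/resolv.conf` lists first, tells you whether the second DC can answer the locator queries by itself, which is what matters when the first DC is down.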
