[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Thu Dec 17 15:20:59 UTC 2015


On 12/17/2015 9:56 AM, Ole Traupe wrote:
>
>
> On 17.12.2015 at 15:33, Rowland penny wrote:
>> On 17/12/15 13:54, Ole Traupe wrote:
>>> Rowland, thank you, but before we do that:
>>>
>>> - what now with the 'gc' record? 2nd DC yes or no?
>>
>> Which one ? I have these:
>>
>> dn: DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn: DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> They all contain two dnsrecords, one from each DC
>>
>>> - if you say that the internal DNS is not compatible with a multi-DC 
>>> setting, then we can stop here, no?
>>>
>>
>> Please stop putting words in my mouth :-)
>>
>> All I said was that you will only get one NS record if you use the 
>> internal DNS server, 
>
> Ok. And do you *need* both?
>
>
>> everything else seems to work though, although I haven't tried 
>> turning the first DC off yet.
>
> Why? I mean, could you perhaps? Please?
>
>>
>> Rowland
>>
>>> Ole
>>>
>>>
>>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>>
>>>>> I somehow doubt that. Still it seems that no one here has an idea 
>>>>> of why log-on from member servers isn't working properly (for me). 
>>>>> However, in the meantime I have created all the necessary DNS 
>>>>> records. This can't be the issue anymore.
>>>>>
>>>>>
>>>>
>>>> If you are sure that you now have all the dns records for both DCs 
>>>> in AD, then I would agree that this is probably not the issue 
>>>> (there is just the 0.1% chance you are still missing something)
>>>>
>>>> Can your domain members find the DCs ?
>>>> Do your domain members have a FQDN ?
>>>> Are they joined to the domain ?
>>>> What have you got in smb.conf on the domain members ?
>>>>
>>>> You may have posted all or some of this before, but let's start again.
>>>>
>>>> Rowland
>>>>
>>>
>>>
>>
>>
>
>
I just disabled my DC that is listed as SOA in a production 
environment. I'm using the internal DNS. I have 6 DCs in total across 
3 sites. Around 200+ users and 140+ workstations. Everything appears to 
be working as normal aside from my monitoring tools going crazy. No 
issues so far. I am not authenticating local users to my member server 
however. I will monitor for a while and see if anything creeps up or I 
start to get phone calls.

-- 
-James



