[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 17 15:48:50 UTC 2015


On 17/12/15 15:37, Ole Traupe wrote:
>
>
> Am 17.12.2015 um 16:10 schrieb Rowland penny:
>> On 17/12/15 14:56, Ole Traupe wrote:
>>>
>>>
>>> Am 17.12.2015 um 15:33 schrieb Rowland penny:
>>>> On 17/12/15 13:54, Ole Traupe wrote:
>>>>> Rowland, thank you, but before we do that:
>>>>>
>>>>> - what now with the 'gc' record? 2nd DC yes or no?
>>>>
>>>> Which one? I have these:
>>>>
>>>> dn: 
>>>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn: 
>>>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn: 
>>>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn: 
>>>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn: 
>>>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> They all contain two dnsrecords, one from each DC
>>>>
>>>>> - if you say that the internal DNS is not compatible with a 
>>>>> multi-DC setting, than we can stop here, no?
>>>>>
>>>>
>>>> Please stop putting words in my mouth :-)
>>>>
>>>> All I said was that you will only get one NS record if you use the 
>>>> internal DNS server, 
>>>
>>> Ok. And do you *need* both?
>>
>> Not sure, but Microsoft says you should have a SOA record for each 
>> DC that runs DNS.
>
> SOA or NS?
>
> NS I have, SOA seems not possible.

There is one SOA record in Samba AD, but it can hold the NS & A records 
for each DC (not sure about AAAA, I don't use IPv6). If you use the 
internal DNS server, you only get one NS record returned and this is for 
the first DC. If you use BIND9, you get a different NS record from each 
DC, i.e. each DC acts as if it is authoritative for the domain.


>
>>
>>>
>>>
>>>
>>>> everything else seems to work though, although I haven't tried 
>>>> turning the first DC off yet.
>>>
>>> Why? I mean, could you perhaps? Please?
>>>
>>
>> Probably, but not today, will do it as soon as possible.
>
> I would be more than happy about that!
>
>

Will try it asap

Rowland
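As an added worked example (not code from the mail, from Rowland, or from Samba), the script below does offline what an admin would want to check before switching the first DC off: it parses the MicrosoftDNS object DNs quoted in the thread back into partition, zone and FQDN, and then reports which of the expected DCs is missing from each record. The five DN strings are the ones quoted above; the DC names, the 192.0.2.x addresses and the record contents are constructed sample data standing in for what an LDAP search of the `CN=MicrosoftDNS` containers or `samba-tool dns query` would return. The sample deliberately mirrors the situation described in the thread: every GC/LDAP record lists both DCs, while the apex NS record lists only the first DC.

```python
"""Offline coverage check for the per-DC DNS registrations discussed in the thread.

Added example, not code from the mail or from Samba. The five DN strings are
the ones quoted in the thread; DC names, addresses and record contents are
constructed sample data.
"""

import re
from dataclasses import dataclass

# AD (and Samba AD) stores each DNS name as an LDAP object of the form
#   DC=<relative name>,DC=<zone>,CN=MicrosoftDNS,DC=<partition>,...
# so the FQDN and the hosting partition can be recovered from the DN alone.
DNS_DN_RE = re.compile(
    r"^DC=(?P<rel>[^,]+),DC=(?P<zone>[^,]+),CN=MicrosoftDNS,DC=(?P<partition>[^,]+),",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DnsObject:
    partition: str   # DomainDnsZones or ForestDnsZones
    zone: str        # e.g. samdom.example.com or _msdcs.samdom.example.com
    relative: str    # name relative to the zone; "@" marks the zone apex

    @property
    def fqdn(self) -> str:
        return self.zone if self.relative == "@" else f"{self.relative}.{self.zone}"


def parse_dns_dn(dn: str) -> DnsObject:
    """Turn a MicrosoftDNS object DN into (partition, zone, relative name)."""
    m = DNS_DN_RE.match(dn.strip())
    if not m:
        raise ValueError(f"not a MicrosoftDNS record DN: {dn!r}")
    return DnsObject(m["partition"], m["zone"], m["rel"])


# The DNs quoted in the thread, each joined onto one line.
QUOTED_DNS = [
    "DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com",
    "DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com",
    "DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com",
    "DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com",
    "DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com",
]

# Constructed: the DCs we expect to find, each with every identifier a record
# may carry for it (SRV and NS targets use the hostname, A records the address).
DCS = {
    "dc1.samdom.example.com": {"dc1.samdom.example.com", "192.0.2.11"},
    "dc2.samdom.example.com": {"dc2.samdom.example.com", "192.0.2.12"},
}

# Constructed record contents keyed by (fqdn, type). The GC/LDAP records list
# both DCs, as in the thread; the apex NS record lists only the first DC,
# which is what the internal DNS server returns.
SAMPLE_RECORDS = {
    ("_gc._tcp.Default-First-Site-Name._sites.samdom.example.com", "SRV"):
        ["dc1.samdom.example.com", "dc2.samdom.example.com"],
    ("_gc._tcp.samdom.example.com", "SRV"):
        ["dc1.samdom.example.com", "dc2.samdom.example.com"],
    ("_ldap._tcp.gc._msdcs.samdom.example.com", "SRV"):
        ["dc1.samdom.example.com", "dc2.samdom.example.com"],
    ("_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.example.com", "SRV"):
        ["dc1.samdom.example.com", "dc2.samdom.example.com"],
    ("gc._msdcs.samdom.example.com", "A"): ["192.0.2.11", "192.0.2.12"],
    ("samdom.example.com", "NS"): ["dc1.samdom.example.com"],
}


def coverage_report(records, dcs):
    """Return {(fqdn, rtype): [DCs absent from that record]}, only for records missing a DC."""
    missing = {}
    for key, targets in records.items():
        present = set(targets)
        absent = sorted(dc for dc, ids in dcs.items() if not ids & present)
        if absent:
            missing[key] = absent
    return missing


def unregistered_names(dns, records):
    """FQDNs that exist as DNS objects but for which no record content was supplied."""
    known = {fqdn for fqdn, _ in records}
    return sorted(o.fqdn for o in map(parse_dns_dn, dns) if o.fqdn not in known)


if __name__ == "__main__":
    for dn in QUOTED_DNS:
        obj = parse_dns_dn(dn)
        print(f"{obj.partition:15} {obj.fqdn}")
    print("records missing a DC:", coverage_report(SAMPLE_RECORDS, DCS))
    print("objects without content:", unregistered_names(QUOTED_DNS, SAMPLE_RECORDS))
```

On the sample data the only finding is the apex NS record, which lacks dc2; every GC and LDAP SRV record and the gc._msdcs A record cover both DCs. Feeding the report real record contents from both DCs, before and after the first DC is turned off, shows directly which names clients can still resolve to the remaining DC.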
