[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Dec 17 16:18:31 UTC 2015



On 17.12.2015 at 16:13, Ole Traupe wrote:
> Can *anyone* report that he/she has a fail-safe domain in the sense 
> that the first DC (FSMO role holder) can be offline and login still 
> works on Windows clients AND Linux member servers?
>
> Samba 4.2.5 (from source)
> Internal DNS

PS: No changes to the default site structure.


>
> Ole
>
>
> On 17.12.2015 at 15:56, Ole Traupe wrote:
>>
>>
>> On 17.12.2015 at 15:33, Rowland penny wrote:
>>> On 17/12/15 13:54, Ole Traupe wrote:
>>>> Rowland, thank you, but before we do that:
>>>>
>>>> - what now with the 'gc' record? 2nd DC yes or no?
>>>
>>> Which one? I have these:
>>>
>>> dn: DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn: DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn: DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn: DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn: DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> They all contain two dnsrecords, one from each DC
>>>
>>>> - if you say that the internal DNS is not compatible with a 
>>>> multi-DC setting, then we can stop here, no?
>>>>
>>>
>>> Please stop putting words in my mouth :-)
>>>
>>> All I said was that you will only get one NS record if you use the 
>>> internal DNS server, 
>>
>> Ok. And do you *need* both?
>>
>>
>>> everything else seems to work though, although I haven't tried 
>>> turning the first DC off yet.
>>
>> Why? I mean, could you perhaps? Please?
>>
>>>
>>> Rowland
>>>
>>>> Ole
>>>>
>>>>
>>>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>>>
>>>>>> I somehow doubt that. Still it seems that no one here has an idea 
>>>>>> of why log-on from member servers isn't working properly (for 
>>>>>> me). However, in the meantime I have created all the necessary 
>>>>>> DNS records. This can't be the issue anymore.
>>>>>>
>>>>>>
>>>>>
>>>>> If you are sure that you now have all the dns records for both DCs 
>>>>> in AD, then I would agree that this is probably not the issue 
>>>>> (there is just the 0.1% chance you are still missing something)
>>>>>
>>>>> Can your domain members find the DCs?
>>>>> Do your domain members have a FQDN?
>>>>> Are they joined to the domain?
>>>>> What have you got in smb.conf on the domain members?
>>>>>
>>>>> You may have posted all or some of this before, but let's start again.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
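
As an added example (not code from the thread or from Samba), a shell check for the point Rowland makes about each record holding a DNS record from every DC: it queries the GC and LDAP SRV names he lists, plus the dc._msdcs and Kerberos SRV names a member uses for the same DC-locator lookup, against a nameserver and flags any record that names fewer than all the DCs. The domain samdom.example.com, the default site and the DC names dc1/dc2 are assumptions, as is having dig installed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that every DC-locator SRV record a
# client or member server resolves lists all DCs, so location still works when
# the first DC (FSMO holder) is down. Assumed: domain, site, dc1/dc2, dig.
DOMAIN="samdom.example.com"
SITE="Default-First-Site-Name"
EXPECTED_DCS="dc1.$DOMAIN dc2.$DOMAIN"

# SRV names used for DC/GC location: the ones quoted in the thread plus the
# dc._msdcs and Kerberos names that belong to the same lookup.
srv_names() {
  cat <<EOF
_ldap._tcp.$DOMAIN
_kerberos._tcp.$DOMAIN
_gc._tcp.$DOMAIN
_ldap._tcp.dc._msdcs.$DOMAIN
_ldap._tcp.gc._msdcs.$DOMAIN
_ldap._tcp.$SITE._sites.$DOMAIN
_gc._tcp.$SITE._sites.$DOMAIN
_ldap._tcp.$SITE._sites.dc._msdcs.$DOMAIN
_ldap._tcp.$SITE._sites.gc._msdcs.$DOMAIN
EOF
}

# missing_targets ANSWER: ANSWER is 'dig +short SRV' output, one
# "prio weight port target." per line. Prints each expected DC absent from it.
missing_targets() {
  for dc in $EXPECTED_DCS; do
    printf '%s\n' "$1" | awk -v dc="$dc." '$4 == dc { f=1 } END { exit !f }' \
      || printf '%s\n' "$dc"
  done
}

# audit NAMESERVER: query every SRV name at NAMESERVER and report the DCs each
# one lacks. Returns 1 if any record is incomplete.
audit() {
  rc=0
  for name in $(srv_names); do
    missing=$(missing_targets "$(dig +short @"$1" SRV "$name")")
    if [ -n "$missing" ]; then
      printf 'INCOMPLETE %s  missing: %s\n' "$name" "$(echo $missing)"  # join lines
      rc=1
    else
      printf 'OK         %s\n' "$name"
    fi
  done
  return $rc
}
if [ $# -eq 1 ]; then audit "$1"; fi   # usage: sh check_dc_srv.sh <dc-ip>
```

Run it once against each DC's IP: a record that is complete on one DC but incomplete on the other points at a replication or per-DC registration problem rather than at the clients.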



