[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland penny
rpenny at samba.org
Fri Dec 18 09:44:32 UTC 2015
On 17/12/15 15:37, Ole Traupe wrote:
>>>> everything else seems to work though, although I haven't tried
>>>> turning the first DC off yet.
>>>
>>> Why? I mean, could you perhaps? Please?
>>
>> Probably, but not today, will do it as soon as possible.
>
> I would be more than happy about that!
OK, before I did anything else this morning, I started up my test
domain. Note that this domain only existed to try and find out why the
second DC didn't have a NS record in the SOA and uses the internal dns.
Both of the DCs have the relevant line in the hosts file:
root@testdc1:~# nano /etc/hosts
127.0.0.1 localhost
192.168.0.240 testdc1.home.lan testdc1
root@testdc2:~# nano /etc/hosts
127.0.0.1 localhost
192.168.0.241 testdc2.home.lan testdc2
Both of the DCs point to each other as their nameserver:
root@testdc1:~# nano /etc/resolv.conf
search home.lan
nameserver 192.168.0.241
nameserver 192.168.0.240
root@testdc2:~# nano /etc/resolv.conf
search home.lan
nameserver 192.168.0.240
nameserver 192.168.0.241
If I examine the SOA record in AD I find this:
dn: DC=@,DC=home.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=lan
.....................
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x003f (63)
wType : DNS_TYPE_SOA (6)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x0000006e (110)
dwTtlSeconds : 0x00000e10 (3600)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 6)
soa: struct dnsp_soa
serial : 0x00000001 (1)
refresh : 0x00000384 (900)
retry : 0x00000258 (600)
expire : 0x00015180 (86400)
minimum : 0x00000e10 (3600)
mname : testdc1.home.lan
rname : hostmaster.home.lan
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x0014 (20)
wType : DNS_TYPE_NS (2)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x0000006e (110)
dwTtlSeconds : 0x00000384 (900)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 2)
ns : testdc1.home.lan
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x0014 (20)
wType : DNS_TYPE_NS (2)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x0000006e (110)
dwTtlSeconds : 0x00000384 (900)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 2)
ns : testdc2.home.lan
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x0004 (4)
wType : DNS_TYPE_A (1)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x0000006e (110)
dwTtlSeconds : 0x00000384 (900)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 1)
ipv4 : 192.168.0.240
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x0004 (4)
wType : DNS_TYPE_A (1)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x0000006e (110)
dwTtlSeconds : 0x00000384 (900)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 1)
ipv4 : 192.168.0.241
So, as you can see, both the DCs have their NS & A records in the SOA.
If I then run nslookup on both machines, I get this:
root@testdc1:~# nslookup
> set querytype=soa
> home.lan
Server: 192.168.0.241
Address: 192.168.0.241#53
home.lan
origin = testdc1.home.lan
mail addr = hostmaster.home.lan
serial = 1
refresh = 900
retry = 600
expire = 86400
minimum = 3600
> exit
root@testdc2:~# nslookup
> set querytype=soa
> home.lan
Server: 192.168.0.240
Address: 192.168.0.240#53
home.lan
origin = testdc1.home.lan
mail addr = hostmaster.home.lan
serial = 1
refresh = 900
retry = 600
expire = 86400
minimum = 3600
> exit
As you can see, only the first DC is shown as the NS for the SOA. What
happens if we turn off the first DC?
We get this:
root@testdc2:~# nslookup
> set querytype=soa
> home.lan
Server: 192.168.0.241
Address: 192.168.0.241#53
home.lan
origin = testdc1.home.lan
mail addr = hostmaster.home.lan
serial = 1
refresh = 900
retry = 600
expire = 86400
minimum = 3600
> exit
The second DC is now using itself as its nameserver, but still gives the
first DC as the NS.
This is totally different from what is returned if you use Bind9.
Similar setup, only the names & IP addresses have changed:
root@dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server: 192.168.0.6
Address: 192.168.0.6#53
samdom.example.com
origin = dc2.samdom.example.com
mail addr = hostmaster.samdom.example.com
serial = 101
refresh = 900
retry = 600
expire = 86400
minimum = 3600
> exit
root@dc2:~# nslookup
> set querytype=soa
> samdom.example.com
Server: 192.168.0.5
Address: 192.168.0.5#53
samdom.example.com
origin = dc1.samdom.example.com
mail addr = hostmaster.samdom.example.com
serial = 101
refresh = 900
retry = 600
expire = 86400
minimum = 3600
> exit
Here, each DC shows the other as being the NS, so what happens if we
turn off the first DC?
root@dc2:~# nslookup
> set querytype=soa
> samdom.example.com
Server: 192.168.0.6
Address: 192.168.0.6#53
samdom.example.com
origin = dc2.samdom.example.com
mail addr = hostmaster.samdom.example.com
serial = 101
refresh = 900
retry = 600
expire = 86400
minimum = 3600
> exit
Now the second DC shows itself as being the NS.
It seems that the internal dns server works very differently from Bind9.
Conclusions? From my very limited testing, it would seem that, whilst it
will work if you use multiple DCs running the internal dns servers, it
would probably be better to use Bind9 instead.
Rowland
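An added example (not from the post or from Samba) that turns the comparison above into a check: it parses nslookup SOA answers like the ones quoted and reports, per responding DC, whether the SOA MNAME points back at that DC, and whether every responder names one and the same primary. The host-to-address map is an assumption taken from the A records in the post (dc1/dc2 addresses are inferred from which server answered which query).

```python
import re

# Sample nslookup SOA answers, transcribed from the post: the internal-DNS
# test domain (home.lan) and the Bind9 domain (samdom.example.com).
INTERNAL_DNS = [
    "Server: 192.168.0.241\nAddress: 192.168.0.241#53\nhome.lan\n"
    "origin = testdc1.home.lan\nmail addr = hostmaster.home.lan\nserial = 1\n",
    "Server: 192.168.0.240\nAddress: 192.168.0.240#53\nhome.lan\n"
    "origin = testdc1.home.lan\nmail addr = hostmaster.home.lan\nserial = 1\n",
]
BIND9 = [
    "Server: 192.168.0.6\nAddress: 192.168.0.6#53\nsamdom.example.com\n"
    "origin = dc2.samdom.example.com\nmail addr = hostmaster.samdom.example.com\nserial = 101\n",
    "Server: 192.168.0.5\nAddress: 192.168.0.5#53\nsamdom.example.com\n"
    "origin = dc1.samdom.example.com\nmail addr = hostmaster.samdom.example.com\nserial = 101\n",
]

# Assumed host -> address map, from the A records shown in the post
# (dc1/dc2 inferred: dc1 asks 192.168.0.6 and is told the primary is dc2).
ADDR = {
    "testdc1.home.lan": "192.168.0.240",
    "testdc2.home.lan": "192.168.0.241",
    "dc1.samdom.example.com": "192.168.0.5",
    "dc2.samdom.example.com": "192.168.0.6",
}

# Lines of interest in an nslookup SOA answer: "Server:" and the SOA fields.
FIELD_RE = re.compile(r"^\s*(Server|origin|mail addr|serial)\s*[:=]\s*(\S+)", re.M)


def parse_soa(transcript):
    """Pull the responding server and the SOA fields out of one nslookup answer."""
    f = dict(FIELD_RE.findall(transcript))
    return {"server": f["Server"], "mname": f["origin"],
            "rname": f["mail addr"], "serial": int(f["serial"])}


def audit_soa(transcripts, addr=ADDR):
    """For each responder, report whether its SOA MNAME resolves to itself,
    and whether all responders advertise one single primary (the case the
    post observes with the internal DNS: the MNAME stays testdc1 even when
    testdc1 is off, so there is a single host everything points at)."""
    answers = [parse_soa(t) for t in transcripts]
    self_primary = {a["server"]: addr.get(a["mname"]) == a["server"] for a in answers}
    single_primary = len({a["mname"] for a in answers}) == 1
    return {"self_primary": self_primary, "single_primary": single_primary}
```

Run `audit_soa` against the answers of each DC in turn; a result with `single_primary` True and a responder whose `self_primary` is False reproduces the internal-DNS behaviour the post describes.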