[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 24 16:32:36 UTC 2015

On 24/12/15 15:32, mathias dufresne wrote:
> And to get the mentioned entries list I used:
> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
> This lists 8 DNS records related to the Default Site.
> Next was to change Default-First... by the name of another AD Site (sed is
> still working :p)
> I was able to create the DNS entries which were missing for one of my sites.
> Next, test:
> Back on one Windows on the network associated to that AD Site, reboot it,
> and tcpdump on my DNS server (all requests go through this DNS server)
> 1° Site related DNS SRV request:
> 35752:15:24:38.907301 IP >
> dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV?
> _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr.
> (88)
> 2° Site related DNS SRV reply:
> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain >
> 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389
> 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)
> 3° Then A request on one DC returned by the previous request:
> 35754-15:24:38.908731 IP >
> dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A?
> m705.ad.dgfip.finances.gouv.fr. (48)
> 4° the reply:
> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain >
> 16037 1/2/2 A (135)
> Now my Windows clients receive an answer when they request the SRV record
> according to the AD site they belong to.
> I must say I've also manually declared each DC as NS. As explained
> yesterday evening I don't think this should be important (even if I said the
> contrary a few weeks ago).
> NS records should be used only when clients use a DNS server which is not AD
> DNS and if the declared DNS server on the client does not need to ask the upper
> level for NS.
> This is so badly described; here is an example of my thought:
> With AD Domain = samba.org
> and Win_client -> DNS server non-AD and nothing configured on this DNS to
> help it to find samba.org name servers
> When Win_client requests the DNS server about samba.org, as the DNS server does
> not know anything about samba.org, the DNS server would ask the root DNS server
> (the one for ORG) which servers are responsible for samba.org. Here is the
> case where NS should be used.
> And with my lack of knowledge about DNS I don't see any other case where NS
> should be used.

Hi Mathias, one of the problems with your setup is that you seem to be 
running DNS differently from what Samba (and for that matter, Windows) 
recommends: you seem to be using a DNS server that is not an AD DC.

Normally to find a DC, you would ask the dns server that is 
authoritative for the domain, with a Samba AD domain this is usually a 
DC, and is identified by its SOA record, which is supposed to contain 
the authoritative name servers.
Now, with a Samba domain, if you use the internal dns server, you only 
get *one*  authoritative name server even if you add the required 
records to the domain SOA. The net result is, if the first DC in the 
domain goes down, you don't have an authoritative name server. If you 
use bind9 instead of the internal dns server, each DC becomes 
authoritative for the domain after you add the required records to the 
domain SOA.

As you are using bind9 (although in a non-recommended way), each of your 
DCs will be authoritative as you have added the required records.

When I get the time, I will create a bug report for this; this will 
probably be after Christmas though.
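The four-step lookup chain shown in the quoted tcpdump (site-scoped SRV query, then an A query for each DC the SRV answer names) and Rowland's point about each DC needing to be an authoritative name server can be checked offline against a record dump. The following is an added example, not code from the thread or from Samba; the zone contents, host names and addresses are constructed placeholders, and it emulates only the DNS queries a client would make, not a real resolver.

```python
# Emulates the client lookup chain in the tcpdump above: SRV for
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>, then A for each SRV target,
# plus a check that every DC is also an NS for the zone (Rowland's point).

# Constructed in-memory zone (hypothetical names/addresses, not the poster's zone).
# Key: (record type, owner name with trailing dot); value: list of rdata strings.
ZONE = {
    ("SRV", "_ldap._tcp.site-a._sites.dc._msdcs.example.internal."): [
        "0 100 389 dc1.example.internal.",
        "0 100 389 dc2.example.internal.",
    ],
    # site-b has its SRV record, but the target has no A record
    ("SRV", "_ldap._tcp.site-b._sites.dc._msdcs.example.internal."): [
        "0 100 389 dc3.example.internal.",
    ],
    ("A", "dc1.example.internal."): ["192.0.2.11"],
    ("A", "dc2.example.internal."): ["192.0.2.12"],
    # only dc1 was declared as NS; dc2 is a DC but not an authoritative server
    ("NS", "example.internal."): ["dc1.example.internal."],
}


def lookup(zone, rtype, name):
    """Case-insensitive lookup of one record set; empty list when absent."""
    return zone.get((rtype, name.lower()), [])


def locate_site_dcs(zone, site, domain):
    """Return (resolved, problems) for a client in `site`: resolved maps SRV
    target -> (port, [addresses]); problems lists records the client cannot get."""
    srv_name = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}."
    srv = lookup(zone, "SRV", srv_name)
    if not srv:
        return {}, [f"missing SRV {srv_name}: site {site} cannot locate a DC"]
    resolved, problems = {}, []
    for rdata in srv:
        _prio, _weight, port, target = rdata.split()
        addrs = lookup(zone, "A", target)
        if addrs:
            resolved[target] = (int(port), addrs)
        else:
            problems.append(f"SRV target {target} has no A record")
    return resolved, problems


def dcs_missing_from_ns(zone, domain, dcs):
    """DCs not listed as NS: the zone stops resolving if the only NS goes down."""
    ns = {n.lower() for n in lookup(zone, "NS", f"{domain}.")}
    return sorted(d for d in dcs if d.lower() not in ns)
```

To run it against a real zone, replace ZONE with the records from `samba_dnsupdate --verbose --all-names` (or a zone transfer) and loop over every site name.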
