[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Harry Jede walk2sun at arcor.de
Thu Nov 12 10:22:59 UTC 2015


On 11:06:29, Ole Traupe wrote:
> Hi,
> 
> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux
> member servers with my PDC being offline (plugged the cable). It is
> not working so well.
> 
> On Windows it initially takes forever. It works again after rebooting
> the client, which seems to be the easiest solution (can be performed
> by the user).
> 
> On Linux member servers, ssh log-in eventually times out. It works
> again, after I manually swap the DNS server order in the
> /etc/resolv.conf and the KDC provider order in the /etc/krb5.conf.
> But manual intervention is clearly not preferred here.
> 
> According to the sanity checks for domain controllers and members
> servers on the wiki setup and troubleshooting pages, my domain is
> working at its best.
> 
> Is this due to DNS and kerberos timeouts accumulating?
It is DNS related.

> What is the best way of dealing with this?
The *best way* is a HA solution for your DNS servers, but it's expensive.

The DNS client (resolver) caches the SRV records for 15 minutes, aka 900 
seconds.

ipconfig /flushdns drops the cache. Reboot does the same.

On the server side you may set a shorter TTL for the server records, but then 
you have more DNS traffic. On small networks (sites up to 20 clients, no 
wifi) I have good experience with a TTL of 180.

> Best,
> Ole


-- 

Gruss
	Harry Jede
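As an added illustration (not code from Harry's mail or from the Samba project), a small Python checker that parses `dig +noall +answer`-style SRV lines for the `_msdcs` records and reports which DC targets still carry a TTL above the 180 s Harry mentions, i.e. how long a client may keep pointing at a dead DC. The domain, host names and dig output are constructed.

```python
import re

# Constructed sample of `dig +noall +answer SRV _ldap._tcp.dc._msdcs.example.com`
# output for a hypothetical two-DC domain (not real data from the thread).
SAMPLE_DIG_OUTPUT = """\
; <<>> constructed sample <<>>
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.dc._msdcs.example.com. 180 IN SRV 0 100 88 dc2.example.com.
"""

# One dig answer line: owner TTL class type priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv(text):
    """Parse dig SRV answer lines into dicts; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("ttl", "prio", "weight", "port"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def failover_report(records, max_ttl=180):
    """Per DC target, the longest TTL seen; targets above max_ttl are flagged.

    worst_case_stale_seconds is the longest time a resolver could keep
    returning an unreachable DC before its cache entry expires."""
    per_target = {}
    for rec in records:
        per_target[rec["target"]] = max(per_target.get(rec["target"], 0), rec["ttl"])
    over = sorted(t for t, ttl in per_target.items() if ttl > max_ttl)
    return {
        "dc_count": len(per_target),
        "over_limit": over,
        "worst_case_stale_seconds": max(per_target.values(), default=0),
    }
```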

