[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Nov 12 11:10:51 UTC 2015

Am 12.11.2015 um 11:22 schrieb Harry Jede:
> On 11:06:29 wrote Ole Traupe:
>> Hi,
>> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux
>> member servers with my PDC being offline (plugged the cable). It is
>> not working so well.
>> On Windows it initially takes forever. It works again after rebooting
>> the client, which seems to be the easiest solution (can be performed
>> by the user).
>> On Linux member servers, ssh log-in eventually times out. It works
>> again, after I manually swap the DNS server order in the
>> /etc/resolv.conf and the KDC provider order in the /etc/krb5.conf.
>> But manual intervention is clearly not preferred here.
>> According to the sanity checks for domain controllers and members
>> servers on the wiki setup and troubleshooting pages, my domain is
>> working at its best.
>> Is this due to DNS and kerberos timeouts accumulating?
> It is DNS related.
>> What is the best way of dealing with this?
> The *best way* is a HA solution for your DNS Servers, but its expensive.
> The DNS client (resolver) caches the srv records for 15 minutes aka 900
> seconds.
> ipconfig /flushdns drops the cache. Reboot does the same.

Will try this, thank you!

> On server side you may set shorter TTL for the server records, but then
> you have more DNS traffic. On small netwoks (sites up to 20 clients, no
> wifi) I have good experience with a TTL of 180.

Ok. So I do this on my Samba DCs (my domain DNS servers), and this will 
affect Windows and Linux domain clients/member servers likewise?

More information about the samba mailing list