[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Nov 12 14:33:21 UTC 2015

>>> On server side you may set shorter TTL for the server records, but
>>> then you have more DNS traffic. On small networks (sites up to 20
>>> clients, no wifi) I have good experience with a TTL of 180.
>> Ok. So I do this on my Samba DCs (my domain DNS servers), and this
>> will affect Windows and Linux domain clients/member servers
>> likewise?
> Theoretically yes. Assume you have an imap or web server installed on
> your DC (bad idea). I am pretty sure that some mail clients and
> browsers have their own cache for ip addresses. So the a records may be
> cached on application level. How do these caches work?
> The soa record should only be used by the resolver libs.
> The srv txt records are used by many apps, i.e. the netlogon process.
> Netlogon picks randomly one dc, if more than one record exists for a
> site. If this dc is down or unreachable, netlogon tries this dc until ttl
> times out and then tries the next one. This is at least true for windows
> xp, not for 2000. Should be true for all current windows versions.

Sorry to ask again, I have little experience with DNS.

I have A records for all my DCs in "my.domain.com" and 
"_msdcs.my.domain.com". I have SOA and NS records in both places, but 
only for the First_DC (FSMO role holder). Is that ok?

Only SOA and NS records have TTL settings. Do I have to change both?
From your comment above I gather that you would advise it. Otherwise,
trying to resolve a host wouldn't be diagnostic of the DNS request
during the logon process.

To whom it may concern: TTL seems to be set to 1h, by default, with Samba4.
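A small diagnostic to go with this thread, added here as an example and not part of the original post: it parses dig-style answer lines for the DC SRV and A records (constructed sample data with hypothetical hosts and addresses), flags TTLs above the 180 s suggested earlier in the thread, and estimates how long a client could stay stuck on a cached record for an unreachable DC, following the netlogon behaviour described above.

```python
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")

# Constructed dig answer lines (hypothetical hosts and addresses), not real data.
SAMPLE_DIG = """\
_ldap._tcp.dc._msdcs.my.domain.com. 3600 IN SRV 0 100 389 dc1.my.domain.com.
_ldap._tcp.dc._msdcs.my.domain.com. 3600 IN SRV 0 100 389 dc2.my.domain.com.
dc1.my.domain.com. 180 IN A 192.0.2.10
dc2.my.domain.com. 180 IN A 192.0.2.11
"""

SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


def parse_dig(text):
    """Split dig answer-section lines into SRV records and an A-record map."""
    srv, a = [], {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, ttl, prio, weight, port, target = m.groups()
            srv.append(SrvRecord(name, int(ttl), int(prio), int(weight), int(port), target))
            continue
        m = A_RE.match(line.strip())
        if m:
            a[m.group(1)] = (int(m.group(2)), m.group(3))
    return srv, a


def long_ttls(srv, a, limit=180):
    """Records whose TTL exceeds `limit` seconds (180 is the value suggested in the thread)."""
    hits = [(r.name, r.target, r.ttl) for r in srv if r.ttl > limit]
    hits += [(host, addr, ttl) for host, (ttl, addr) in a.items() if ttl > limit]
    return hits


def worst_case_failover(srv, down):
    """Longest wait (seconds) before a client that cached a DC record for a
    member of `down` gives up on it, per the thread's description: the cached
    choice is retried until its TTL expires.  None if no reachable DC remains."""
    reachable = [r for r in srv if r.target not in down]
    if not reachable:
        return None
    stuck = [r.ttl for r in srv if r.target in down]
    return max(stuck) if stuck else 0
```

Feed it the answer section of `dig SRV _ldap._tcp.dc._msdcs.<domain>` together with the A records of the DCs; with the sample data above, a client that picked dc1 while it is offline could wait up to 3600 s before retrying dc2.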
