[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Nov 12 15:34:39 UTC 2015


Am 12.11.2015 um 16:17 schrieb L.P.H. van Belle:
> Ahi Ole,
> An hany site.
> http://blogs.msdn.com/b/servergeeks/archive/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory.aspx
> greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe
>> Verzonden: donderdag 12 november 2015 15:33
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>>>> On server side you may set shorter TTL for the server records, but
>>>>> then you have more DNS traffic. On small netwoks (sites up to 20
>>>>> clients, no wifi) I have good experience with a TTL of 180.
>>>> Ok. So I do this on my Samba DCs (my domain DNS servers), and this
>>>> will affect Windows and Linux domain clients/member servers
>>>> likewise?
>>> Theoretically yes. Assume you have a imap or web server installed on
>>> your DC ( bad idea). I am pretty sure that some mail clients and
>>> browsers have their own cache for ip adressess. So the a records may be
>>> cached on application level. How do this caches works?
>>> The soa record should only be used by the resolver libs.
>>> The srv txt records are used by many apps. ie the netlogon process.
>>> Netlogon picks randomly one dc, if more than one record exist for a
>>> site. If this dc is down or unreachable, netlogon try this dc until ttl
>>> times out and then try the next one. This is at least true for windows
>>> xp, not for 2000. Should be true for all current windows versions.
>> Sorry that I ask again, I have little experience with DNS.
>> I have A records for all my DCs in "my.domain.com" and
>> "_msdcs.my.domain.com". I have SOA and NS records in both places, but
>> only for the First_DC (FSMO role holder). Is that ok?
>> Only SOA and NS records have TTL settings. Do I have to change both?
>>   From your above comment I take that you would advise it. Otherwise,
>> trying to resolve a host wouldn't be diagnostic of the DNS request
>> during the logon process.
>> To whom it may concern: TTL seems to be set to 1h, by default, with
>> Samba4.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list