[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Mueller mueller at tropenklinik.de
Fri Nov 20 07:44:20 UTC 2015

Within a real Windows 2008 domain it is the same behaviour. Even there you need the clients to reboot.
This feature got lost after the beta status of Samba 4. I had a test environment with the first betas and it worked there without any issue. Even mapping the shares by domain
worked: \\my.domain\share.  Test this with the new versions, it will fail (only netlogon will do).
It would be fine if Samba did it better. Samba 4 is too close to building a Windows AD server. It would be a great step if it added its own, better features.



EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de 

-----Original Message-----
From: Ole Traupe [mailto:ole.traupe at tu-berlin.de] 
Sent: Thursday, 19 November 2015 16:26
To: mathias dufresne <infractory at gmail.com>
Cc: samba <samba at lists.samba.org>
Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ok, I see. Nevertheless, thank you very much for your effort!

I must say that I can't actually believe that no one knows an answer to this problem. It must affect MANY people using Samba DCs. According to all the tests on the wiki, everything is working fine. Then I pull the plug on my first DC and no one can log on. And this time I waited far longer than the suggested "refresh interval" of 15 min - even longer than the value called "TTL" in the GUI of 1h. I also tried "ipconfig /flushdns" on my windows client. Does not improve the situation. Only a reboot solves the issue. But that would be no acceptable practice for Linux member servers. And it doesn't seem to help, anyway (just tried this).

It is one of the first and most important tests for a domain to see what happens if the first DC is down. Without a working take-over, other DCs are nothing more than backup (replication) targets, and the domain is not fail-safe.

This can't be the end of the story, right?


On 19.11.2015 at 14:04, mathias dufresne wrote:
> No idea about your main issue, I was merely answering your last 
> question about changing the SOA record.
> Here is another view of that command:
> samba-tool dns update <server> <zone> <name> SOA \ 'OLDnameserver 
> email serial refresh retry expire minimumttl' \ 'NEWnameserver email 
> serial refresh retry expire minimumttl'
> I'm not too confident with DNS internals so I'm not sure if the TTL 
> you mentioned is or isn't "expire" or "minimumttl".
> After digging a little bit it seems the previous line is completely wrong, 
> neither "expire" nor "minimumttl" is "TTL".
> This because :
> ...
> samba.domain.tld. 1715 IN      SOA DC1.samba.domain.tld. 62 900 600 
> 86400 3600
> ...
> And from what I just read in dig "ANSWER SECTION" the second field is 
> the TTL, so 1715 in my case, which has nothing to do with "expire"
> (86400) or "minimumttl" (3600).
> And that makes me wonder how TTL can be less than "minimumttl"...
> So, the short way: the command I gave does not seem to be designed to 
> help you change the TTL. Sorry : )
> Cheers,
> mathias
> 2015-11-19 13:43 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de
> <mailto:ole.traupe at tu-berlin.de>>:
>     Mathias, thank you very much for your comprehensive instructions!
>     Just one question: Harry suggested that, in order to overcome the
>     below DNS related problems, the TTL would have to be adjusted
>     (lowered). However, the TTL seems to be the only time value not
>     covered by the command provided by you.
>     Is it really the TTL that is the culprit or is it rather the first
>     time value (something like "Refresh value" in english)?
>     Do you know this?
>     Ole
>     On 19.11.2015 at 11:19, mathias dufresne wrote:
>>     Hi Ole,
>>     You want to change the SOA of your AD domain?
>>     Here is a working command:
>>     samba-tool dns update <working DC> samba.domain.tld \
>>     samba.domain.tld SOA \
>>     'oldSOA.samba.domain.tld. hostmaster.samba.domain.tld. 58 900 600
>>     86400 3600' \
>>     'newSOA.samba.domain.tld. hostmaster.samba.domain.tld. 59 900 600
>>     86400 3600' -k yes
>>     This requires that you performed a kinit before, using an account able
>>     to modify this entry (by default only administrator is able to do
>>     that, I expect).
>>     This must be done for the two DNS zones of your domain:
>>     samba.domain.tld + _msdcs.samba.domain.tld
>>     The first number of the replacement record (here "59") is the serial number.
>>     Replication of the change seemed to work without changing that serial
>>     number, but as DNS loves to rely on it, changing that serial should
>>     be a good idea.
>>     Hoping this helps...
>>     Cheers,
>>     mathias
>>     2015-11-18 16:44 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de
>>     <mailto:ole.traupe at tu-berlin.de>>:
>>             It is DNS related.
>>                 What is the best way of dealing with this?
>>             The *best way* is a HA solution for your DNS servers, but
>>             it's expensive.
>>             The DNS client (resolver) caches the srv records for 15
>>             minutes aka 900
>>             seconds.
>>             ipconfig /flushdns drops the cache. Reboot does the same.
>>             On server side you may set shorter TTL for the server
>>             records, but then
>>             you have more DNS traffic. On small networks (sites up to
>>             20 clients, no
>>             wifi) I have good experience with a TTL of 180.
>>         Harry, I tried this - unsuccessfully.
>>         I have TTL settings in a) the SOA and b) the NS record of the
>>         FQDN and the _msdcs.FQDN sections in my Windows RSAT DNS
>>         console. I cannot change any of these 4 entries: I get
>>         something like "The Source Of Authority (SOA) cannot be
>>         updated. The record already exists."
>>         Do you have an idea how to accomplish this? Currently the
>>         setting is 1h, which is pretty long.
>>         Ole
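Two points in the quoted thread can be made concrete with a small model: Harry's explanation that the client resolver caches the DC SRV records for their TTL (900 s by default, 180 s on his small sites) and that `ipconfig /flushdns` drops that cache, and mathias' question about which column of a dig SOA answer is the TTL. The following Python is an added example, not code from the thread, from Samba, or from Windows. The dig-style answer lines are constructed sample data (they include the SOA rname field, which the output quoted above omits), and the client behaviour is a simplifying assumption made here for illustration: the client picks a responding DC only when it receives a fresh SRV answer and keeps using that DC while the answer is served from cache. That is a model of what Ole reports, not the real Windows DC locator.

```python
"""Model of SRV-record caching and its effect on AD domain controller failover.

Added example (not from the thread or from Samba). The answer lines below are
constructed sample data in dig's presentation format; the client behaviour is a
simplified model of what the thread reports, not the real Windows DC locator.
"""

# Constructed dig-style ANSWER SECTION lines: <name> <ttl> IN <type> <rdata...>
SAMPLE_SOA = ("samba.domain.tld. 1715 IN SOA DC1.samba.domain.tld. "
              "hostmaster.samba.domain.tld. 62 900 600 86400 3600")
SAMPLE_SRV = [
    "_ldap._tcp.dc._msdcs.samba.domain.tld. 900 IN SRV 0 100 389 DC1.samba.domain.tld.",
    "_ldap._tcp.dc._msdcs.samba.domain.tld. 900 IN SRV 0 100 389 DC2.samba.domain.tld.",
]

SOA_RDATA = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa(line):
    """Split a dig-style SOA line. Column 2 is the record's cache TTL; refresh,
    retry and expire are secondary-server timers and 'minimum' is the
    negative-caching TTL, so none of the rdata fields is the TTL Harry means."""
    parts = line.split()
    if len(parts) != 4 + len(SOA_RDATA) or parts[2:4] != ["IN", "SOA"]:
        raise ValueError(f"not an SOA answer line: {line!r}")
    rec = {"name": parts[0], "ttl": int(parts[1])}
    for key, value in zip(SOA_RDATA, parts[4:]):
        rec[key] = value if key in ("mname", "rname") else int(value)
    return rec


def parse_srv(line):
    """Split a dig-style SRV line into name, TTL, priority, weight, port, target."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV answer line: {line!r}")
    return {"name": parts[0], "ttl": int(parts[1]), "priority": int(parts[4]),
            "weight": int(parts[5]), "port": int(parts[6]), "target": parts[7]}


class StubResolver:
    """Caching stub resolver: an answer is reused until its TTL has elapsed."""

    def __init__(self, authoritative):
        self.authoritative = authoritative   # callable(name) -> list of records
        self.cache = {}                      # name -> (expires_at, records)

    def query(self, name, now):
        """Return (records, from_cache)."""
        entry = self.cache.get(name)
        if entry and now < entry[0]:
            return entry[1], True
        records = self.authoritative(name)
        self.cache[name] = (now + min(r["ttl"] for r in records), records)
        return records, False

    def flush(self):
        """What 'ipconfig /flushdns' does to the client cache."""
        self.cache.clear()


def first_logon_after_outage(ttl, dc1_down_at=60, attempt_every=30,
                             flush_at=None, horizon=7200):
    """Simulate a client that tries to log on every `attempt_every` seconds.

    Model assumption (not the real DC locator): the client chooses a live DC
    only when it gets a fresh SRV answer and keeps using that DC while the
    answer comes from cache. DC1 goes down at `dc1_down_at`; the function
    returns the time of the first successful logon after that (None if none
    within `horizon`).
    """
    name = "_ldap._tcp.dc._msdcs.samba.domain.tld."
    zone = [dict(parse_srv(line), ttl=ttl) for line in SAMPLE_SRV]  # zone with the TTL under test
    resolver = StubResolver(lambda n: [r for r in zone if r["name"] == n])
    dead, chosen, flushed = set(), None, False
    for now in range(0, horizon + 1, attempt_every):
        if now >= dc1_down_at:
            dead.add("DC1.samba.domain.tld.")
        if flush_at is not None and now >= flush_at and not flushed:
            resolver.flush()
            flushed = True
        records, from_cache = resolver.query(name, now)
        if not from_cache:
            # Fresh answer: try candidates by priority and keep the first that responds.
            candidates = sorted(records, key=lambda r: r["priority"])
            live = [r["target"] for r in candidates if r["target"] not in dead]
            chosen = live[0] if live else None
        if now >= dc1_down_at and chosen is not None and chosen not in dead:
            return now
    return None


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(f"SOA cache TTL={soa['ttl']}s, expire={soa['expire']}s, minimum={soa['minimum']}s")
    for ttl in (900, 180):
        wait = first_logon_after_outage(ttl) - 60
        print(f"TTL {ttl:>3}s: first logon {wait}s after DC1 went down")
    print(f"TTL 900s, flushdns at 300s: {first_logon_after_outage(900, flush_at=300) - 60}s")
```

Under this model the outage seen by the client lasts until the cached SRV answer expires (840 s after DC1 goes down with a 900 s TTL, 120 s with a 180 s TTL) or until the cache is flushed, which is the trade-off Harry describes: a shorter TTL buys faster failover at the cost of more DNS queries. The SOA parser shows why mathias' command could not change the TTL: the TTL is the second column of the answer, separate from the seven SOA rdata fields the command rewrites.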

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
