[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Fri Nov 20 12:40:43 UTC 2015

Am 20.11.2015 um 11:54 schrieb mathias dufresne:
> Hi Ole,
> I'm still not answering your issue but I come back to speak about TTL. 
> Perhaps someone would be able to bring us some light on that.
> This morning I'm trying to reproduce the way I do broke my test AD 
> domain. This leads me to deal with SOA record (I broke my test AD 
> seizing FSMO roles before removing old FSMO owner, SOA was not changed 
> during that process and I suspect this was one of the point leading to 
> all issues this test domain has)
> Anyway:
> samba-tool dns query m700 samba.domain.tld samba.domain.tld SOA -k yes
>   Name=, Records=1, Children=0
>     SOA: serial=1, refresh=900, retry=600, expire=86400, 
> *minttl=3600*, ns=m700.samba.domain.tld., 
> email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1, *ttl=3600*)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=m700, Records=0, Children=0
> This shows us TTL is in fact equal to minimumttl inside AD DB.

Not for me:

SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, 
ns=DC2.my.domain.tld., email=hostmaster.my.domain.tld. (flags=600000f0, 
serial=0, ttl=3600)

> According to 
> http://stackoverflow.com/questions/20297531/meaning-of-the-five-fields-of-the-answer-section-in-dig-query 
> the second member of dig's answer section is TTL.
> dig -t soa samba.domain.tld
> ...
> samba.domain.tld. *3593* IN      SOA m700.samba.domain.tld. 
> hostmaster.samba.domain.tld. 1 900 600 86400 3600
> ...
>  When yesterday the same request gave the following answer:
> ...
> samba.domain.tld. *1715* IN      SOA DC1.samba.domain.tld. 62 900 600 
> 86400 3600
> ...
> So I ran several that same command and each the value displayed as 
> second member (here 1715 or 3593) was descreased by the same amount of 
> second as the time between my command launchs.
> It seems this shown TTL is declared TTL (or minttl) minus the amount 
> of seconds since last renewal of this TTL. No idae why this behaviour. 
> If someone knows, I would be pleased to learn :)

Yes, I thought so. This is "remaining TTL" for you.

Interestingly, for me this value is always constant and equals 1h, no 
matter what.

ANYWAYS, I would like to approach from a different direction:

If my first DC is offline, a ping on any of my domain machines takes 5+ 
seconds to resolve. I figure that my logon problems reflect multiple 
such timeouts during the logon process accumulating to a total duration 
not accepted by the unix logon mechanism.

If there would be ANY way to reduce the time (to 1 s or something) a 
machines waits until it finally accepts that a DNS server just won't 
respond and goes over to the next one... - that actually might solve the 

Is there an option for this on unix machines?


More information about the samba mailing list