[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Fri Nov 20 14:11:29 UTC 2015


On 11/20/2015 7:40 AM, Ole Traupe wrote:
>
>
> Am 20.11.2015 um 11:54 schrieb mathias dufresne:
>> Hi Ole,
>>
>> I'm still not answering your issue but I come back to speak about 
>> TTL. Perhaps someone would be able to bring us some light on that.
>>
>> This morning I'm trying to reproduce the way I broke my test AD 
>> domain. This leads me to deal with the SOA record (I broke my test AD 
>> seizing FSMO roles before removing the old FSMO owner, SOA was not 
>> changed during that process and I suspect this was one of the points 
>> leading to all the issues this test domain has)
>>
>> Anyway:
>> samba-tool dns query m700 samba.domain.tld samba.domain.tld SOA -k yes
>>   Name=, Records=1, Children=0
>>     SOA: serial=1, refresh=900, retry=600, expire=86400, 
>> *minttl=3600*, ns=m700.samba.domain.tld., 
>> email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1, 
>> *ttl=3600*)
>>   Name=_msdcs, Records=0, Children=0
>>   Name=_sites, Records=0, Children=1
>>   Name=_tcp, Records=0, Children=4
>>   Name=_udp, Records=0, Children=2
>>   Name=DomainDnsZones, Records=0, Children=2
>>   Name=ForestDnsZones, Records=0, Children=2
>>   Name=m700, Records=0, Children=0
>>
>> This shows us TTL is in fact equal to minimumttl inside AD DB.
>
> Not for me:
>
> SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, 
> ns=DC2.my.domain.tld., email=hostmaster.my.domain.tld. 
> (flags=600000f0, serial=0, ttl=3600)
>
>
>>
>> According to 
>> http://stackoverflow.com/questions/20297531/meaning-of-the-five-fields-of-the-answer-section-in-dig-query 
>> the second member of dig's answer section is TTL.
>>
>> dig -t soa samba.domain.tld
>> ...
>> samba.domain.tld. *3593* IN      SOA m700.samba.domain.tld. 
>> hostmaster.samba.domain.tld. 1 900 600 86400 3600
>> ...
>>  When yesterday the same request gave the following answer:
>>
>> ...
>> samba.domain.tld. *1715* IN      SOA DC1.samba.domain.tld. 62 900 600 
>> 86400 3600
>> ...
>>
>> So I ran that same command several times and each time the value 
>> displayed as second member (here 1715 or 3593) was decreased by the 
>> same number of seconds as the time between my command launches.
>>
>> It seems this shown TTL is the declared TTL (or minttl) minus the amount 
>> of seconds since the last renewal of this TTL. No idea why this 
>> behaviour. If someone knows, I would be pleased to learn :)
>
> Yes, I thought so. This is "remaining TTL" for you.
>
> Interestingly, for me this value is always constant and equals 1h, no 
> matter what.
>
>
> ANYWAYS, I would like to approach from a different direction:
>
> If my first DC is offline, a ping on any of my domain machines takes 
> 5+ seconds to resolve. I figure that my logon problems reflect 
> multiple such timeouts during the logon process accumulating to a 
> total duration not accepted by the unix logon mechanism.
>
> If there were ANY way to reduce the time (to 1 s or something) a 
> machine waits until it finally accepts that a DNS server just won't 
> respond and goes over to the next one... - that actually might solve 
> the issue.
>
> Is there an option for this on unix machines?
>
> Ole
You can add your DCs to your hosts file. Usually your hosts file is 
queried first, prior to DNS, for name resolution.

One thing I notice a bit odd is this

SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, 
*ns=DC2.my.domain.tld.*, email=hostmaster.my.domain.tld. 
(flags=600000f0, serial=0, ttl=3600)

Normally your name server would be the same as the DC that is the SOA. Did 
you manually change this from DC1 to DC2? Which DC is your SOA?

-- 
-James
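The two observations above (a TTL that counts down between queries for one person, a TTL that is always 3600 for the other) follow from where the answer comes from: a caching resolver hands back the *remaining* TTL, while an authoritative server hands back the TTL stored in the record every time. The following POSIX sh script is an added example, not from the thread; it takes the record TTL from a `samba-tool dns query` line and compares it with the TTL column of `dig` answer lines constructed in the same shape as the ones quoted above.

```shell
#!/bin/sh
# Added example: compare the TTL stored in the AD DNS record with the TTL
# column that `dig -t soa` prints, to tell a cached answer from a full one.

# Extract "ttl=NNNN" (not "minttl=") from a samba-tool dns query SOA line.
declared_ttl() {
  printf '%s\n' "$1" | sed -n 's/.*[ (,]ttl=\([0-9][0-9]*\).*/\1/p'
}

# TTL column (second field) of one dig answer line.
answer_ttl() {
  # shellcheck disable=SC2086  # word splitting on whitespace is intended
  set -- $1
  printf '%s\n' "$2"
}

# Seconds the answer has already spent in a cache: declared minus remaining.
ttl_age() {
  echo $(( $1 - $(answer_ttl "$2") ))
}

# "cached" when the TTL has counted down, "full" when it equals the record
# TTL (what you see on every query when asking the authoritative DC itself).
ttl_source() {
  if [ "$(ttl_age "$1" "$2")" -gt 0 ]; then echo cached; else echo full; fi
}

# Constructed samples in the shapes shown in the thread (single lines).
SAMBA_SOA='SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, ns=m700.samba.domain.tld., email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1, ttl=3600)'
DIG_CACHED='samba.domain.tld. 3593 IN SOA m700.samba.domain.tld. hostmaster.samba.domain.tld. 1 900 600 86400 3600'
DIG_FULL='my.domain.tld. 3600 IN SOA DC2.my.domain.tld. hostmaster.my.domain.tld. 29 180 600 86400 180'

main() {
  ttl=$(declared_ttl "$SAMBA_SOA")
  echo "record TTL from samba-tool: $ttl"
  for line in "$DIG_CACHED" "$DIG_FULL"; do
    # shellcheck disable=SC2086
    set -- $line
    printf '%s remaining=%s age=%s (%s)\n' "$1" "$(answer_ttl "$line")" \
      "$(ttl_age "$ttl" "$line")" "$(ttl_source "$ttl" "$line")"
  done
}

main "$@"
```

A value that never moves below the record TTL means the query is being answered authoritatively, so the SOA minttl field (the negative-cache TTL) has nothing to do with what dig shows.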