[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Fri Nov 20 14:11:29 UTC 2015

On 11/20/2015 7:40 AM, Ole Traupe wrote:
> Am 20.11.2015 um 11:54 schrieb mathias dufresne:
>> Hi Ole,
>> I'm still not answering your issue but I come back to speak about 
>> TTL. Perhaps someone would be able to bring us some light on that.
>> This morning I'm trying to reproduce the way I broke my test AD 
>> domain. This leads me to deal with the SOA record (I broke my test AD 
>> seizing FSMO roles before removing the old FSMO owner, SOA was not 
>> changed during that process and I suspect this was one of the points 
>> leading to all the issues this test domain has)
>> Anyway:
>> samba-tool dns query m700 samba.domain.tld samba.domain.tld SOA -k yes
>>   Name=, Records=1, Children=0
>>     SOA: serial=1, refresh=900, retry=600, expire=86400, 
>> *minttl=3600*, ns=m700.samba.domain.tld., 
>> email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1, 
>> *ttl=3600*)
>>   Name=_msdcs, Records=0, Children=0
>>   Name=_sites, Records=0, Children=1
>>   Name=_tcp, Records=0, Children=4
>>   Name=_udp, Records=0, Children=2
>>   Name=DomainDnsZones, Records=0, Children=2
>>   Name=ForestDnsZones, Records=0, Children=2
>>   Name=m700, Records=0, Children=0
>> This shows us TTL is in fact equal to minimumttl inside AD DB.
> Not for me:
> SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, 
> ns=DC2.my.domain.tld., email=hostmaster.my.domain.tld. 
> (flags=600000f0, serial=0, ttl=3600)
>> According to 
>> http://stackoverflow.com/questions/20297531/meaning-of-the-five-fields-of-the-answer-section-in-dig-query 
>> the second member of dig's answer section is TTL.
>> dig -t soa samba.domain.tld
>> ...
>> samba.domain.tld. *3593* IN      SOA m700.samba.domain.tld. 
>> hostmaster.samba.domain.tld. 1 900 600 86400 3600
>> ...
>>  When yesterday the same request gave the following answer:
>> ...
>> samba.domain.tld. *1715* IN      SOA DC1.samba.domain.tld. 62 900 600 
>> 86400 3600
>> ...
>> So I ran that same command several times, and each time the value 
>> displayed as second member (here 1715 or 3593) had decreased by the 
>> same number of seconds as the time between my command launches.
>> It seems this shown TTL is the declared TTL (or minttl) minus the amount 
>> of seconds since the last renewal of this TTL. No idea why this 
>> behaviour. If someone knows, I would be pleased to learn :)
> Yes, I thought so. This is "remaining TTL" for you.
> Interestingly, for me this value is always constant and equals 1h, no 
> matter what.
> ANYWAYS, I would like to approach from a different direction:
> If my first DC is offline, a ping on any of my domain machines takes 
> 5+ seconds to resolve. I figure that my logon problems reflect 
> multiple such timeouts during the logon process accumulating to a 
> total duration not accepted by the unix logon mechanism.
> If there were ANY way to reduce the time (to 1 s or something) a 
> machine waits until it finally accepts that a DNS server just won't 
> respond and goes over to the next one... - that actually might solve 
> the issue.
> Is there an option for this on unix machines?
> Ole
You can add your DCs to your hosts file. Usually your hosts file is 
queried first, prior to DNS, for name resolution.

One thing I notice that is a bit odd is this:

SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, 
*ns=DC2.my.domain.tld.*, email=hostmaster.my.domain.tld. 
(flags=600000f0, serial=0, ttl=3600)

Normally your name server would be the same as your DC who is SOA. Did 
you manually change this from DC1 to DC2? What DC is your SOA?
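As an added illustration that is not part of this thread: a small parser for the two SOA output formats quoted above (samba-tool's key=value line and dig's answer section), with the "remaining TTL" arithmetic Ole describes and a check for the two oddities raised here (ns not being the SOA-holding DC, and the record ttl differing from minttl). The sample lines are copied from the quoted output; the expected DC name passed to the check is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the SOA lines quoted in the thread, one from
# `samba-tool dns query ... SOA` and one from dig's answer section.
SAMBA_TOOL_SOA = (
    "SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, "
    "ns=DC2.my.domain.tld., email=hostmaster.my.domain.tld. "
    "(flags=600000f0, serial=0, ttl=3600)"
)
DIG_SOA = ("samba.domain.tld. 3593 IN SOA m700.samba.domain.tld. "
           "hostmaster.samba.domain.tld. 1 900 600 86400 3600")


@dataclass
class SoaRecord:
    ns: str        # primary name server named in the SOA (mname)
    minttl: int    # zone minimum TTL (last SOA field)
    ttl: int       # TTL carried by the record as stored/served


def parse_samba_tool_soa(line: str) -> SoaRecord:
    """Parse the key=value output of samba-tool dns query for an SOA record."""
    kv = dict(re.findall(r"(\w+)=([^,\s()]+)", line))
    return SoaRecord(ns=kv["ns"], minttl=int(kv["minttl"]), ttl=int(kv["ttl"]))


def parse_dig_soa(line: str) -> SoaRecord:
    """Parse one SOA line from dig's answer section.
    Layout: owner ttl class SOA mname rname serial refresh retry expire minimum."""
    f = line.split()
    if len(f) != 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError("not a dig SOA answer line: " + line)
    return SoaRecord(ns=f[4], minttl=int(f[10]), ttl=int(f[1]))


def seconds_since_cached(declared_ttl: int, observed_ttl: int) -> int:
    """dig shows the remaining TTL of a cached answer: declared minus elapsed."""
    return declared_ttl - observed_ttl


def soa_findings(rec: SoaRecord, expected_soa_dc: str) -> list:
    """Flag the two oddities raised in the thread: ns is not the DC that
    holds the SOA, and the record ttl differs from the zone's minttl."""
    findings = []
    if rec.ns.rstrip(".").lower() != expected_soa_dc.rstrip(".").lower():
        findings.append(f"ns={rec.ns} but SOA is expected on {expected_soa_dc}")
    if rec.minttl != rec.ttl:
        findings.append(f"record ttl={rec.ttl} differs from minttl={rec.minttl}")
    return findings
```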

