[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
James
lingpanda101 at gmail.com
Fri Nov 20 14:11:29 UTC 2015
On 11/20/2015 7:40 AM, Ole Traupe wrote:
>
>
> Am 20.11.2015 um 11:54 schrieb mathias dufresne:
>> Hi Ole,
>>
>> I'm still not answering your issue but I come back to speak about
>> TTL. Perhaps someone would be able to bring us some light on that.
>>
>> This morning I'm trying to reproduce the way I broke my test AD
>> domain. This leads me to deal with the SOA record (I broke my test AD
>> seizing FSMO roles before removing the old FSMO owner, the SOA was not
>> changed during that process and I suspect this was one of the points
>> leading to all issues this test domain has)
>>
>> Anyway:
>> samba-tool dns query m700 samba.domain.tld samba.domain.tld SOA -k yes
>> Name=, Records=1, Children=0
>> SOA: serial=1, refresh=900, retry=600, expire=86400,
>> *minttl=3600*, ns=m700.samba.domain.tld.,
>> email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1,
>> *ttl=3600*)
>> Name=_msdcs, Records=0, Children=0
>> Name=_sites, Records=0, Children=1
>> Name=_tcp, Records=0, Children=4
>> Name=_udp, Records=0, Children=2
>> Name=DomainDnsZones, Records=0, Children=2
>> Name=ForestDnsZones, Records=0, Children=2
>> Name=m700, Records=0, Children=0
>>
>> This shows us TTL is in fact equal to minimumttl inside AD DB.
>
> Not for me:
>
> SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180,
> ns=DC2.my.domain.tld., email=hostmaster.my.domain.tld.
> (flags=600000f0, serial=0, ttl=3600)
>
>
>>
>> According to
>> http://stackoverflow.com/questions/20297531/meaning-of-the-five-fields-of-the-answer-section-in-dig-query
>> the second member of dig's answer section is TTL.
>>
>> dig -t soa samba.domain.tld
>> ...
>> samba.domain.tld. *3593* IN SOA m700.samba.domain.tld.
>> hostmaster.samba.domain.tld. 1 900 600 86400 3600
>> ...
>> When yesterday the same request gave the following answer:
>>
>> ...
>> samba.domain.tld. *1715* IN SOA DC1.samba.domain.tld. 62 900 600
>> 86400 3600
>> ...
>>
>> So I ran that same command several times and each time the value
>> displayed as second member (here 1715 or 3593) was decreased by the
>> same number of seconds as the time between my command launches.
>>
>> It seems this shown TTL is the declared TTL (or minttl) minus the amount
>> of seconds since the last renewal of this TTL. No idea why this
>> behaviour. If someone knows, I would be pleased to learn :)
>
> Yes, I thought so. This is "remaining TTL" for you.
>
> Interestingly, for me this value is always constant and equals 1h, no
> matter what.
>
>
> ANYWAYS, I would like to approach from a different direction:
>
> If my first DC is offline, a ping on any of my domain machines takes
> 5+ seconds to resolve. I figure that my logon problems reflect
> multiple such timeouts during the logon process accumulating to a
> total duration not accepted by the unix logon mechanism.
>
> If there were ANY way to reduce the time (to 1 s or something) a
> machine waits until it finally accepts that a DNS server just won't
> respond and goes over to the next one... - that actually might solve
> the issue.
>
> Is there an option for this on unix machines?
>
> Ole
You can add your DCs to your hosts file. Usually your hosts file is
queried first, prior to DNS, for name resolution.
One thing I notice that is a bit odd is this:
SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180,
*ns=DC2.my.domain.tld.*, email=hostmaster.my.domain.tld.
(flags=600000f0, serial=0, ttl=3600)
Normally your name server would be the same as the DC that is the SOA. Did
you manually change this from DC1 to DC2? Which DC is your SOA?
--
-James
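Ole asks above whether a unix machine can be told to give up faster on a nameserver that does not answer. The following is an added example (the editor's, not part of James's or Ole's mail). It assumes the client uses the glibc resolver, whose resolv.conf(5) options `timeout:` (default 5 seconds, which matches the "5+ seconds" Ole reports), `attempts:` (default 2) and `rotate` are the knobs in question. `resolv_fast` emits a resolver file that waits one second per server and spreads queries across the DCs, and `resolv_check` reads an existing file back and reports whether a dead first DC still stalls every lookup. The domain name and addresses used in the demo are constructed.

```shell
#!/bin/sh
# Added example: resolver timeout handling for the "first DC offline" case.
# Assumption: glibc resolver; keywords and defaults are from resolv.conf(5).

# resolv_fast DOMAIN DC_IP...
# Print a resolv.conf that gives up on an unreachable DC after one second
# and rotates the starting server so a dead first DC is not hit every time.
resolv_fast() {
    domain="$1"; shift
    printf 'search %s\n' "$domain"
    printf 'nameserver %s\n' "$@"
    printf 'options timeout:1 attempts:2 rotate\n'
}

# resolv_settings FILE
# Parse a resolv.conf into RESOLV_TIMEOUT, RESOLV_ATTEMPTS, RESOLV_ROTATE and
# RESOLV_SERVERS, starting from the glibc defaults (5 s, 2 attempts, no rotate).
resolv_settings() {
    RESOLV_TIMEOUT=5
    RESOLV_ATTEMPTS=2
    RESOLV_ROTATE=no
    RESOLV_SERVERS=0
    # The "|| [ -n "$key" ]" keeps a final line without a trailing newline.
    while read -r key rest || [ -n "$key" ]; do
        case "$key" in
            nameserver) RESOLV_SERVERS=$((RESOLV_SERVERS + 1)) ;;
            options)
                for opt in $rest; do
                    case "$opt" in
                        timeout:*)  RESOLV_TIMEOUT=${opt#timeout:} ;;
                        attempts:*) RESOLV_ATTEMPTS=${opt#attempts:} ;;
                        rotate)     RESOLV_ROTATE=yes ;;
                    esac
                done ;;
        esac
    done < "$1"
}

# resolv_check FILE
# Return 0 when a dead first server costs at most one second per lookup
# attempt and queries are rotated across servers; return 1 otherwise.
resolv_check() {
    resolv_settings "$1"
    if [ "$RESOLV_TIMEOUT" -le 1 ] && [ "$RESOLV_ROTATE" = yes ]; then
        echo "$1: ok (${RESOLV_SERVERS} servers, timeout ${RESOLV_TIMEOUT}s, rotate on)"
        return 0
    fi
    echo "$1: a dead first DC stalls each lookup attempt for ${RESOLV_TIMEOUT}s (attempts=${RESOLV_ATTEMPTS}, rotate=${RESOLV_ROTATE})"
    return 1
}

# Demo with constructed values; the check of the live file is informational.
resolv_fast my.domain.tld 192.0.2.10 192.0.2.11
[ -r /etc/resolv.conf ] && resolv_check /etc/resolv.conf || true
```

Two caveats go with this. The order in which the hosts file and DNS are consulted comes from the `hosts:` line in /etc/nsswitch.conf (`files dns` is the usual order James describes), and hosts-file entries only help for address lookups of the DC names; the SRV lookups under `_msdcs`, `_tcp` and `_udp` that appear in the samba-tool output above still go to DNS, so the resolver timeout matters even with the DCs in /etc/hosts.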