[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Nov 26 15:35:22 UTC 2015

>> ANYWAYS, I would like to approach from a different direction:
>> If my first DC is offline, a ping on any of my domain machines takes 
>> 5+ seconds to resolve. I figure that my logon problems reflect 
>> multiple such timeouts during the logon process accumulating to a 
>> total duration not accepted by the unix logon mechanism.
>> If there would be ANY way to reduce the time (to 1 s or something) a 
>> machine waits until it finally accepts that a DNS server just won't 
>> respond and goes over to the next one... - that actually might solve 
>> the issue.
>> Is there an option for this on unix machines?
>> Ole
> You can add your DCs to your hosts file. Usually your hosts file is 
> queried first, prior to DNS for resolve.

And this would speed up the whole process? Is this a guess or your 

> One thing I notice a bit odd is this
> SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180, 
> *ns=DC2.my.domain.tld.*, email=hostmaster.my.domain.tld. 
> (flags=600000f0, serial=0, ttl=3600)
> Normally your name server would be the same as your DC who is SOA. Did 
> you manually change this from DC1 to DC2? What DC is your SOA?

I am sorry about the confusion. I demoted my DC1 a while ago due to 
hardware problems. I mean to replace it, because currently my First_DC 
(FSMO role holder and SOA) is a virtual machine on a storage server 
which isn't ideal for many reasons.

Currently I have DC2 (First_DC) and DC3 (Second_DC). Had I paid 
attention to this, I would have changed the names in the text and output 
snippets I posted.

Again: I apologize.
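The following is an added example, not part of the original post or of Samba: a small model of the two points discussed in the thread, the `hosts:` lookup order (hosts file before DNS) and the wait caused by an unresponsive first nameserver. It assumes the glibc resolver defaults from resolv.conf(5) (5 s timeout, first three nameservers used); the file contents, addresses, `fileserver.my.domain.tld` and all function names are constructed for illustration.

```python
import re

# Constructed sample files; names and addresses are placeholders (192.0.2.0/24).
NSSWITCH = "hosts: files dns\n"
HOSTS = "127.0.0.1 localhost\n192.0.2.12 dc2.my.domain.tld dc2\n"
RESOLV_DEFAULT = "nameserver 192.0.2.12\nnameserver 192.0.2.13\n"
RESOLV_TUNED = RESOLV_DEFAULT + "options timeout:1\n"

def hosts_sources(nsswitch_text):
    """Ordered lookup sources from the 'hosts:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    raise ValueError("no hosts: line")

def hosts_names(hosts_text):
    """All names and aliases listed in a hosts file, lower-cased."""
    names = set()
    for line in hosts_text.splitlines():
        names.update(n.lower() for n in line.split("#", 1)[0].split()[1:])
    return names

def resolver_settings(resolv_text):
    """(nameservers, timeout) with resolv.conf(5) defaults: 5 s, first 3 servers."""
    servers, timeout = [], 5
    for line in resolv_text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("timeout:"):
                    timeout = min(int(opt.split(":", 1)[1]), 30)  # capped at 30
    return servers[:3], timeout

def stall_seconds(name, nsswitch_text, hosts_text, resolv_text, dead):
    """Wait before `name` is answered when the first nameserver is in `dead`
    and the next one replies (the case in the thread; other cases not modelled)."""
    for source in hosts_sources(nsswitch_text):
        if source == "files" and name.lower() in hosts_names(hosts_text):
            return 0
        if source == "dns":
            servers, timeout = resolver_settings(resolv_text)
            return timeout if servers and servers[0] in dead else 0
    return 0
```

Entries in the hosts file answer plain host-name lookups only; SRV queries, which AD clients use to locate a DC, still go to DNS.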

