[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Nov 26 16:24:13 UTC 2015

>> Then you re-run your test with only DC2 up and running.
>> Note that DNS needs time to be updated if you are using other DNS 
>> servers between clients and AD DCs.
> The SOA RR identifies a primary DNS name server for the zone as the 
> best source of information for the data within that zone and as an 
> entity processing the updates for the zone.
> The NS resource record is used to notate which DNS servers are 
> designated as authoritative for the zone. Listing a server in the NS 
> RR, it becomes known to others as an authoritative server for the 
> zone. This means that any server specified in the NS RR is to be 
> considered an authoritative source by others, and is able to answer 
> with certainty any queries made for names included in the zone.
> Much of the above was taken almost verbatim from online Microsoft tech 
> documents.  I don't believe that DCs create NS records by default.

You mean Samba DCs or DCs in general?

I am not sure I understand the above. Do you suggest creating another 
NS record for the Second_DC, or not?

In the resolv.conf on my member servers both DCs are listed as DNS 
servers. I like to think that the member servers eventually ask the 
second DNS server, if the first won't respond. This seems to be 
reflected by ping taking more than 5 s for the first packet to arrive.

BUT what does the second DNS server (Second_DC) reply? Which logon 
server does it announce?
