[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Nov 27 14:49:32 UTC 2015
On 27/11/15 14:30, James wrote:
> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>> On 27/11/15 13:23, James wrote:
>>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>>
>>>>>> Then you re-run your test with only DC2 up and running.
>>>>>> Note that DNS needs time to be updated if you are using other DNS
>>>>>> servers between clients and AD DCs.
>>>>> The SOA RR identifies a primary DNS name server for the zone as
>>>>> the best source of information for the data within that zone and
>>>>> as an entity processing the updates for the zone.
>>>>>
>>>>> The NS resource record is used to notate which DNS servers are
>>>>> designated as authoritative for the zone. Listing a server in the
>>>>> NS RR makes it known to others as an authoritative server for
>>>>> the zone. This means that any server specified in the NS RR is to
>>>>> be considered an authoritative source by others, and is able to
>>>>> answer with certainty any queries made for names included in the
>>>>> zone.
>>>>>
>>>>> Much of the above was taken almost verbatim from online Microsoft
>>>>> tech documents. I don't believe that DCs create NS records by
>>>>> default.
>>>>
>>>> You mean Samba DCs or DCs in general?
>>>>
>>>> I am not sure I understand the above. Do you suggest to create
>>>> another NS record for the Second_DC, or not to?
>>>>
>>>> In the resolv.conf on my member servers both DCs are listed as DNS
>>>> servers. I like to think that the member servers eventually ask the
>>>> second DNS server, if the first won't respond. This seems to be
>>>> reflected by ping taking more than 5 s for the first packet to arrive.
>>>>
>>>> BUT what does the second DNS server (Second_DC) reply? Which logon
>>>> server does it announce?
>>>>
>>>>
>>> DNS can be very confusing. You do not need to create a NS record for
>>> your second DC if the zone is directory integrated. By default the
>>> DC is authoritative for that zone.
>>>
>>
>> Probably with windows it is, but not with Samba AD, you only get one
>> NS and one SOA. The only authoritative Samba AD DC is the first one,
>> when you join a second DC, it runs the same code that created the SOA
>> during the first DCs provision and because the SOA already exists, it
>> fails.
>>
>> Rowland
>>
>>
> Yikes! Are you saying DCs with directory integrated zones are not
> authoritative for them? That means a NS record needs to be created
> manually for each DC added.
>
Yes, that's about the size of it. No matter how many DCs you join, you
only have one NS, the original DC.
I have been trying to alter the code, but I am struggling to get another
NS record added during the join. It doesn't help that I have no idea
what a windows DC SOA record looks like. Does each DC have a separate
SOA record? Or is it like the Samba SOA record and there is only one
with multiple NS records?
Rowland
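The practical consequence of the thread is that a Samba AD zone may carry a single NS record (the provisioning DC) no matter how many DCs have been joined, so a resolver that falls back to the second DC never learns that it is authoritative. The following is an added example, not code from Samba or from any of the posters: it parses SOA/NS answers in the presentation format that `dig` prints, compares the published NS hosts against the list of DCs you expect to be authoritative, and emits one `samba-tool dns add` line per missing DC. The zone name, DC hostnames and the answer lines are constructed sample values; the `samba-tool dns add <server> <zone> @ NS <host>` form is assumed to match your Samba version and should be checked against `samba-tool dns add --help` before use.

```python
"""Check that every AD DC is published as an NS record for the AD DNS zone.

Added example for this thread, not Samba code. Records are expected in the
presentation format printed by dig (owner TTL IN TYPE RDATA), one per line.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str   # owner name, lower-cased, with trailing dot
    ttl: int
    rtype: str   # record type, upper-cased (SOA, NS, A, ...)
    rdata: str   # everything after the type, untouched


def parse_records(text: str) -> list[Record]:
    """Parse dig-style answer lines; blank lines and ';' comments are skipped."""
    records: list[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        owner, ttl, _cls, rtype, rdata = parts
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def ns_coverage(records: list[Record], zone: str, dcs: list[str]):
    """Return (published NS hosts, SOA MNAME, DCs with no NS record) for the zone apex."""
    apex = _fqdn(zone)
    ns_hosts = {_fqdn(r.rdata) for r in records if r.owner == apex and r.rtype == "NS"}
    soa = [r for r in records if r.owner == apex and r.rtype == "SOA"]
    # SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM; MNAME is first.
    soa_mname = _fqdn(soa[0].rdata.split()[0]) if soa else None
    wanted = {_fqdn(dc) for dc in dcs}
    missing = sorted(wanted - ns_hosts)
    return sorted(ns_hosts), soa_mname, missing


def remediation_commands(dns_server: str, zone: str, missing: list[str]) -> list[str]:
    """One samba-tool invocation per DC that is not yet published as NS (assumed syntax)."""
    return [f"samba-tool dns add {dns_server} {zone} @ NS {dc.rstrip('.')}" for dc in missing]


# Constructed sample: what 'dig @dc1 samdom.example.com SOA' and '... NS' might
# return for a Samba AD zone where only the provisioning DC was registered.
SAMPLE_ZONE_ANSWERS = """\
; constructed sample answers, not captured from a real domain
samdom.example.com.\t3600\tIN\tSOA\tdc1.samdom.example.com. hostmaster.samdom.example.com. 7 900 600 86400 3600
samdom.example.com.\t900\tIN\tNS\tdc1.samdom.example.com.
"""
SAMPLE_DCS = ["dc1.samdom.example.com", "dc2.samdom.example.com"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ZONE_ANSWERS)
    published, mname, missing = ns_coverage(recs, "samdom.example.com", SAMPLE_DCS)
    print("published NS:", published)
    print("SOA MNAME:  ", mname)
    print("DCs missing NS records:", missing)
    for cmd in remediation_commands("dc1.samdom.example.com", "samdom.example.com", missing):
        print("  ", cmd)
```

In a real domain, feed it the answer section from `dig @<dc> <zone> NS` and `dig @<dc> <zone> SOA`, and query each DC in turn: if the second DC answers with the same single NS record, it is serving the zone but is not advertised as authoritative for it, which is exactly the state described above.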