[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

mathias dufresne infractory at gmail.com
Fri Nov 27 15:38:27 UTC 2015


Something important I forgot in my last mail is that the person I mentioned has
configured his Samba with "allow dns updates = nonsecure" so that nsupdate works.

2015-11-27 16:24 GMT+01:00 mathias dufresne <infractory at gmail.com>:

>
>
> 2015-11-27 15:49 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 27/11/15 14:30, James wrote:
>>
>>> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>>>
>>>> On 27/11/15 13:23, James wrote:
>>>>
>>>>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>>>
>>>>>>
>>>>>> Then you re-run your test with only DC2 up and running.
>>>>>>>> Note DNS have need time to be updated if you are using others DNS
>>>>>>>> servers between clients and AD DCs.
>>>>>>>>
>>>>>>> The SOA RR identifies a primary DNS name server for the zone as the
>>>>>>> best source of information for the data within that zone and as an entity
>>>>>>> processing the updates for the zone.
>>>>>>>
>>>>>>> The NS resource record is used to notate which DNS servers are
>>>>>>> designated as authoritative for the zone. Listing a server in the NS RR, it
>>>>>>> becomes known to others as an authoritative server for the zone. This means
>>>>>>> that any server specified in the NS RR is to be considered an authoritative
>>>>>>> source by others, and is able to answer with certainty any queries made for
>>>>>>> names included in the zone.
>>>>>>>
>>>>>>> Much of the above was taken almost verbatim from online Microsoft
>>>>>>> tech documents.  I don't believe that DCs create NS records by default.
>>>>>>>
>>>>>>
>>>>>> You mean Samba DCs or DCs in general?
>>>>>>
>>>>>> I am not sure I understand the above. Do you suggest to create
>>>>>> another NS record for the Second_DC, or not to?
>>>>>>
>>>>>> In the resolv.conf on my member servers both DCs are listed as DNS
>>>>>> servers. I like to think that the member servers eventually ask the second
>>>>>> DNS server, if the first won't respond. This seems to be reflected by ping
>>>>>> taking more than 5 s for the first packet to arrive.
>>>>>>
>>>>>> BUT what does the second DNS server (Second_DC) reply? Which logon
>>>>>> server does it announce?
>>>>>>
>>>>>>
>>>>> DNS can be very confusing. You do not need to create a NS record for
>>>>> your second DC if the zone is directory integrated. By default the DC is
>>>>> authoritative for that zone.
>>>>>
>>>>>
>>>> Probably with Windows it is, but not with Samba AD, you only get one NS
>>>> and one SOA. The only authoritative Samba AD DC is the first one, when you
>>>> join a second DC, it runs the same code that created the SOA during the
>>>> first DC's provision and because the SOA already exists, it fails.
>>>>
>>>> Rowland
>>>>
>>>>
>>> Yikes! Are you saying DCs with directory integrated zones are not
>>> authoritative for them? That means a NS record needs to be created manually
>>> for each DC added.
>>>
>>>
>> Yes, that's about the size of it. No matter how many DCs you join, you
>> only have one NS, the original DC.
>>
>> I have been trying to alter the code, but I am struggling to get another
>> NS record added during the join, it doesn't help that I have no idea what a
>> Windows DC SOA record looks like, does each DC have a separate SOA record?
>> Or is it like the Samba SOA record and there is only one with multiple NS
>> records?
>>
>>
> Yes, each Windows DC has a SOA record. In fact I expect there is no SOA record
> really on MS AD. I expect SOA management is something like: when a DC
> receives a request for SOA it replies "I am SOA".
> On MS AD all DCs have a NS record. My second mail about that thread from
> Sunday the 22nd of November is showing different DNS queries I did on an MS AD
> domain (a 2008 R2 domain with only 2 DCs, Microsoft DCs).
>
> Finally I would look into samba_dnsupdate to add creation of NS records. I
> expect this tool is run when samba starts.
> Unfortunately I did not find the right option to add to samba_dnsupdate
> so that it really creates DNS entries, even with a Kerberos ticket already
> created before running that command. I received a mail recently about
> another Samba user using internal DNS for his AD hosted by Samba. This
> person was facing the same issue as me (missing DNS entries, samba_dnsupdate
> not adding entries). To work around that issue he modified samba_dnsupdate
> and commented out that line (line 413):
> os.unlink(tmpfile)
>
> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file
> contains nsupdate commands which are launched by samba_dnsupdate.
> Finally he used these nsupdate commands from the tmp file without the -g option
> and his DNS entries are now created.
> I must say I have not yet tried that process.
>
>
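An added example (not samba_dnsupdate's code and not from anyone in the thread) that audits which DCs the zone fails to list as NS and builds the nsupdate batch that would add them. It assumes input in the shape of `dig +noall +answer NS <zone>` and uses constructed host names; the batch is meant to be fed to `nsupdate -g` with a valid Kerberos ticket, so the server can keep the default `allow dns updates = secure only` instead of being opened to nonsecure updates.

```python
"""Audit NS records of a Samba AD zone and emit an nsupdate batch for the
missing ones. Example code; not samba_dnsupdate's own implementation."""
from typing import Iterable, List


def fqdn(name: str) -> str:
    """Normalise a host name: lower-case, fully qualified, trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_dig_ns(dig_output: str) -> List[str]:
    """Extract NS targets from `dig +noall +answer NS zone` style lines
    (name  ttl  IN  NS  target); other record types are ignored."""
    targets = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "NS":
            targets.append(parts[4])
    return targets


def missing_ns(zone_ns: Iterable[str], dcs: Iterable[str]) -> List[str]:
    """Return the DCs (normalised) that the zone does not yet list as NS."""
    present = {fqdn(n) for n in zone_ns}
    return sorted({fqdn(dc) for dc in dcs if fqdn(dc) not in present})


def nsupdate_batch(zone: str, server: str, missing: Iterable[str], ttl: int = 900) -> str:
    """Build an nsupdate script of the same shape samba_dnsupdate writes to
    its tmp file: one 'update add ... NS ...' per missing DC, then 'send'.
    Intended for `nsupdate -g <file>` (GSS-TSIG, needs a Kerberos ticket)."""
    lines = [f"server {fqdn(server).rstrip('.')}", f"zone {fqdn(zone)}"]
    for dc in missing:
        lines.append(f"update add {fqdn(zone)} {ttl} IN NS {fqdn(dc)}")
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample: the zone currently answers with a single NS, the first DC.
SAMPLE_DIG = "samdom.example.com.\t900\tIN\tNS\tdc1.samdom.example.com.\n"
# Constructed list of all DCs that should be authoritative for the zone.
ALL_DCS = ["dc1.samdom.example.com", "DC2.samdom.example.com"]

if __name__ == "__main__":
    gap = missing_ns(parse_dig_ns(SAMPLE_DIG), ALL_DCS)
    print(nsupdate_batch("samdom.example.com", "dc1.samdom.example.com", gap), end="")
```

Run the audit after each DC join and again after a DC has been removed, so a stale NS entry pointing at a decommissioned DC is as visible as a missing one.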