[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Tue Jan 5 11:30:16 UTC 2016

>     I can't recall but are you able to get a packet trace? This may 
> help further troubleshoot.

I'll look into this. However, Rowland stated that bind9 will be the only 

> Just to recap you do you both servers listed as available DNS servers 
> on your workstations? As well as your member server? 

Yes, of course. For member servers, this is the content of /etc/resolv.conf:

search my.domain.tld
nameserver IP_of_1st_DC
nameserver IP_of_2nd_DC

> I made a small tweak but haven't fully tested is adding the following 
> options to my resolv.conf.
> cat /etc/resolvconf/resolv.conf.d/tail
> options timeout:1

Great, this sounds exactly as what I need! However, I tried this: no 
effect. I created this file and restarted the network service. But I 
still get long timeouts and can't login via ssh, when I suspend my 1st DC.

# cat /etc/resolvconf/resolv.conf.d/tail
options timeout:1
options edns0

Or do I need Network Manager for that?

> options edns0

What's that for, particularly?

> timeout:n
>                      sets the amount of time the resolver will wait 
> for a response from a remote name server before retrying  the query  
> via  a  different  name
>                      server.  Measured in seconds, the default is 
> RES_TIMEOUT (currently 5, see <resolv.h>).  The value for this option 
> is silently capped to 30.
> edns0 (since glibc 2.6)
>                      sets RES_USE_EDNSO in _res.options.  This enables 
> support for the DNS extensions described in RFC 2671.
> From what I researched, this is the intended behavior on a Microsoft 
> Server. Again I can disable my "PDC" and log in from a windows 
> workstation just fine. It appears for some users after a hour or so 
> they run into issues 

I thought this was only happening with roaming machines resulting in 
cached logins.

More information about the samba mailing list