[Samba] Failover DC did not work when Main DC failed

Paul Littlefield info at paully.co.uk
Sun Feb 16 15:03:16 UTC 2020

Hello Kris,

On 13/02/2020 19:28, Kris Lou via samba wrote:
> My reverse zones have PTR records.  Though I don't have NS records for all
> of my DC's.  I guess that needs to be manually created.

I have NS records for all 2 of my DC's and I just followed the Installation page on the Wiki.

> Also, you don't have any CNAMES or domain overrides pointing to a single
> DC?  Perhaps Bind is pointing to another internal DNS server, and then to a
> public DNS?

I am not using BIND with Samba, just the Internal DNS which is the default.

What do you mean when you say "CNAMES or domain overrides pointing to a single DC"?

I have DHCP handing out both DNS servers as and and they both work as nameservers perfectly.

> Here's a way to test failover from a Windows client:
> You can switch logon servers with "nltest /server:<clientcomputer>
> /sc_reset:<domain\dc>"
> https://www.technipages.com/windows-how-to-switch-domain-controller
> So try this -- (I just did this on one of my DC's):
> * Switch a Windows Client to DC4
> * Verify with "nltest /dsgetdc:<domain>" and "nltest /sc_query:<domain>"
> C:\WINDOWS\system32>nltest /Server:<mycomputer> /sc_query:<shortdomainname>
>> Trusted DC Name \\<DC4>.<mydomain.com>
>> Trusted DC Connection Status Status = 0 0x0 NERR_Success
>> The command completed successfully
>> C:\WINDOWS\system32>nltest /dsgetdc:<shortdomainname>
>>             DC: \\<DC4>
>>        Address: \\ip.addr.ss.ss
>>       Dom Guid: <guid>
>>       Dom Name: <shortdomainname>
>>    Forest Name: mydomain.com
>>   Dc Site Name: <mysite>
>> Our Site Name: <mysite>
>> The command completed successfully
> * Then stop samba on DC4
> * "nltest /dclist:<domain>"  This should fail, as it's attempting to get
> lookups from the trusted DC (DC4)
> C:\WINDOWS\system32>nltest /dclist:<shortdomainname>
>> Get list of DCs in domain ' <shortdomainname> ' from '\\<DC4>'.
>> Cannot DsBind to <shortdomainname> (\\<DC4>).Status = 1722 0x6ba
>> List of DCs in Domain <shortdomainname>
>>      \\<DC3>(PDC)
>> The command completed successfully
> *  "nltest /sc_verify:<domain>" -- this should force a query and change the
> trusted DC to an available DC.
> (Don't forget to turn samba back on)

So, to "fix the QNAP problem" I changed the QNAP's /etc/config/smb.conf setting...

password server = DC3.mydomain.com DC4.mydomain.com

...and restarted Samba on the QNAP...

/etc/init.d/samba restart

I then started to run your Windows client commands to change the DC...

...well, this worked!

So, if I force switch a Windows client from DC3 to DC4 using the 'nltest' commands then log out and log back in, their Desktop icons appear and they can still access the QNAP shares.

If I stop Samba running on DC3, and then log in to the same Windows client (who now uses DC4) their Desktop icons appear and they can log in to the QNAP shares.


However, this is NOT true for the next different Windows client who has not gone through the "DC switching process". They are still on DC3, which is down... and Windows does not know what to do despite the results of...

C:> nltest /dclist:MYDOMAIN
     \\DC3  [PDC]

So... the next 2 tasks are:-

1) finding a way for ALL 70+ desktops to look up the DCs properly and switch to a running one if one is not available (otherwise what's the point right?)

2) asking QNAP to fix their web admin pages so that 2 x SAMBA4 DCs can be found and used.



More information about the samba mailing list