Rowland penny
2015-Dec-10 13:38 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 13:25, Ole Traupe wrote:
> Is it possible that kdc server is always the SOA, at least if derived
> from DNS and not specified *explicitly* in the krb5.conf?
>
> In my DNS-Manager console I find that
>
> _tcp.dc._msdcs.bpn.tu-berlin.de
>
> contains only 1 "_kerberos" record, and that one points to my First_DC.
>
> Ole
>
>

Your problem doesn't seem to be a dns problem, you should have two 'kerberos' records and no matter how good your dns is, it cannot obtain something that isn't there :-)

See Louis's earlier post for how to attempt to fix this, but before you do anything, restart samba on the second DC and then check the logs, samba_dnsupdate should add the records you are missing.

Rowland
Ole Traupe
2015-Dec-10 14:00 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10.12.2015 at 14:38, Rowland penny wrote:
> On 10/12/15 13:25, Ole Traupe wrote:
>> Is it possible that kdc server is always the SOA, at least if
>> derived from DNS and not specified *explicitly* in the krb5.conf?
>>
>> In my DNS-Manager console I find that
>>
>> _tcp.dc._msdcs.bpn.tu-berlin.de
>>
>> contains only 1 "_kerberos" record, and that one points to my First_DC.
>>
>> Ole
>>
>>
>
> Your problem doesn't seem to be a dns problem, you should have two
> 'kerberos' records and no matter how good your dns is, it cannot
> obtain something that isn't there :-)

That's basically what I just wrote...

> See Louis's earlier post for how to attempt to fix this, but before
> you do anything, restart samba on the second DC and then check the
> logs, samba_dnsupdate should add the records you are missing.
>
> Rowland
>

However, my 2nd DC is not that new, I restarted it many times, just again (samba service). No DNS records are created anywhere.

If I go through the DNS console, in each and every container there is some entry for the 1st DC, but none for the 2nd (except on the top levels: FQDN and _msdcs.FQDN).

Could this have to do with...
a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS entries via this script on the wiki?
b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with the same IP address)?
Rowland penny
2015-Dec-10 14:15 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 14:00, Ole Traupe wrote:
>
>
> Am 10.12.2015 um 14:38 schrieb Rowland penny:
>> On 10/12/15 13:25, Ole Traupe wrote:
>>> Is it possible that kdc server is always the SOA, at least if
>>> derived from DNS and not specified *explicitly* in the krb5.conf?
>>>
>>> In my DNS-Manager console I find that
>>>
>>> _tcp.dc._msdcs.bpn.tu-berlin.de
>>>
>>> contains only 1 "_kerberos" record, and that one points to my First_DC.
>>>
>>> Ole
>>>
>>>
>>
>> Your problem doesn't seem to be a dns problem, you should have two
>> 'kerberos' records and no matter how good your dns is, it cannot
>> obtain something that isn't there :-)
>
> That's basically what I just wrote...
>
>> See Louis's earlier post for how to attempt to fix this, but before
>> you do anything, restart samba on the second DC and then check the
>> logs, samba_dnsupdate should add the records you are missing.
>>
>> Rowland
>>
>
> However, my 2nd DC is not that new, I restarted it many times, just
> again (samba service). No DNS records are created anywhere.
>
> If I go through the DNS console, in each and every container there is
> some entry for the 1st DC, but none for the 2nd (except on the top
> levels: FQDN and _msdcs.FQDN).
>
> Could this have to do with...
> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS
> entries via this script on the wiki?
> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with
> the same IP address)?
>
>

Possibly, but can you try this on your second DC: run 'samba_dnsupdate --verbose'

Rowland
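A small checker for the condition discussed in this thread, added here as an example and not code from the list or from the Samba project: it parses `dig +short SRV` answers for the _kerberos and _ldap names under _tcp.dc._msdcs and reports which expected DCs are not advertised, which is exactly the state in which clients lose their only KDC when that one DC goes offline. The sample answers and hostnames are constructed placeholders; the live path assumes `dig` is installed and the domain's DNS is reachable.

```python
import re
import subprocess
import sys

# Constructed sample of `dig +short SRV <name>` output for the two SRV names a
# domain member uses to find a KDC and an LDAP server. Hostnames are placeholders,
# not the hosts from the thread. Only the first DC is registered, as in the thread.
SAMPLE_ANSWERS = {
    "_kerberos._tcp.dc._msdcs.example.internal": "0 100 88 first-dc.example.internal.\n",
    "_ldap._tcp.dc._msdcs.example.internal": "0 100 389 first-dc.example.internal.\n",
}
EXPECTED_DCS = {"first-dc.example.internal", "second-dc.example.internal"}

# One answer line: priority weight port target (target may carry a trailing dot)
SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")


def parse_srv_targets(dig_short_output: str) -> set[str]:
    """Return target hostnames (lower-cased, trailing dot removed) from dig output."""
    targets = set()
    for line in dig_short_output.splitlines():
        m = SRV_LINE.match(line)
        if m:
            targets.add(m.group(4).lower())
    return targets


def missing_dc_srv_records(answers: dict[str, str], expected_dcs: set[str]) -> dict[str, set[str]]:
    """Map each SRV name to the expected DCs it does not advertise.

    Names where every DC is present are omitted. A DC listed here cannot be
    located by clients through DNS, so logons fail when the advertised DC is down."""
    missing = {}
    for name, output in answers.items():
        absent = {dc.lower() for dc in expected_dcs} - parse_srv_targets(output)
        if absent:
            missing[name] = absent
    return missing


def query_live(domain: str) -> dict[str, str]:
    """Query the real zone with dig (requires dig and network access)."""
    names = [f"_kerberos._tcp.dc._msdcs.{domain}", f"_ldap._tcp.dc._msdcs.{domain}"]
    return {n: subprocess.run(["dig", "+short", "SRV", n], capture_output=True, text=True).stdout
            for n in names}


if __name__ == "__main__":
    # Usage: python check_dc_srv.py [domain dc1.fqdn dc2.fqdn ...]; no args runs the sample.
    if len(sys.argv) > 2:
        report = missing_dc_srv_records(query_live(sys.argv[1]), set(sys.argv[2:]))
    else:
        report = missing_dc_srv_records(SAMPLE_ANSWERS, EXPECTED_DCS)
    for name, dcs in report.items():
        print(f"{name}: missing {', '.join(sorted(dcs))}")
```

An empty report means every listed DC is advertised under both names; a non-empty one is the cue to run `samba_dnsupdate --verbose` on the DC that is missing and read why its records were not added.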