Ole Traupe
2015-Dec-17 14:56 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 15:33, Rowland penny wrote:
> On 17/12/15 13:54, Ole Traupe wrote:
>> Rowland, thank you, but before we do that:
>>
>> - what now with the 'gc' record? 2nd DC yes or no?
>
> Which one ? I have these:
>
> dn:
> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> dn:
> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> dn:
> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>
> dn:
> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>
> dn:
> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>
> They all contain two dns records, one from each DC
>
>> - if you say that the internal DNS is not compatible with a multi-DC
>> setting, then we can stop here, no?
>
> Please stop putting words in my mouth :-)
>
> All I said was that you will only get one NS record if you use the
> internal DNS server,

Ok. And do you *need* both?

> everything else seems to work though, although I haven't tried turning
> the first DC off yet.

Why? I mean, could you perhaps? Please?

> Rowland
>
>> Ole
>>
>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>
>>>> I somehow doubt that. Still it seems that no one here has an idea
>>>> of why log-on from member servers isn't working properly (for me).
>>>> However, in the meantime I have created all the necessary DNS
>>>> records. This can't be the issue anymore.
>>>
>>> If you are sure that you now have all the dns records for both DCs
>>> in AD, then I would agree that this is probably not the issue (there
>>> is just the 0.1% chance you are still missing something)
>>>
>>> Can your domain members find the DCs ?
>>> Do your domain members have a FQDN ?
>>> Are they joined to the domain ?
>>> What have you got in smb.conf on the domain members ?
>>>
>>> You may have posted all or some of this before, but let's start again.
>>>
>>> Rowland
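Rowland's checklist ("can your domain members find the DCs?") and the record set quoted above (every `_gc` / `gc._msdcs` record should carry an entry for each DC, while the internal DNS only yields one NS record) can be verified from a domain member's point of view with a script like the following. This is an added example, not code from the thread or from Samba: it assumes the zone and site names from the ldbsearch output above (samdom.example.com, Default-First-Site-Name), a `dig` binary for the optional live mode, and that the two standard `_ldap._tcp` and `_kerberos._tcp` locator records, which the thread does not list, are wanted as well. The sample answers are constructed to reproduce the situation under discussion: the second DC missing from one site-specific GC record and from the NS set.

```python
#!/usr/bin/env python3
"""Check that every AD DC is advertised in the DNS locator records a domain
member uses to find a DC, so login still has a target when one DC is down.
Added example for the thread, not code from the thread or from Samba."""
import re
import subprocess
import sys

# Zone and site names as they appear in the thread's ldbsearch output.
DOMAIN = "samdom.example.com"
SITE = "Default-First-Site-Name"

# The GC records listed in the thread, plus the two standard locator records
# (_ldap._tcp and _kerberos._tcp) every AD zone carries. Assumption: the
# thread does not list those two, but a member needs them as well.
LOCATOR_SRV = [
    f"_ldap._tcp.{DOMAIN}",
    f"_kerberos._tcp.{DOMAIN}",
    f"_gc._tcp.{DOMAIN}",
    f"_gc._tcp.{SITE}._sites.{DOMAIN}",
    f"_ldap._tcp.gc._msdcs.{DOMAIN}",
    f"_ldap._tcp.{SITE}._sites.gc._msdcs.{DOMAIN}",
]

# One `dig +short SRV` answer line: "priority weight port target."
SRV_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(text):
    """Return the set of target hosts (lowercase, no trailing dot) in SRV output."""
    targets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SRV_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected SRV answer line: {line!r}")
        targets.add(m.group(4).lower())
    return targets


def parse_hosts(text):
    """Return the set of names in `dig +short NS` output (one per line)."""
    return {l.strip().rstrip(".").lower() for l in text.splitlines() if l.strip()}


def check_locators(dcs, srv_answers, ns_answers):
    """Report which records fail to name every DC.

    dcs          FQDNs of all DCs that should be discoverable.
    srv_answers  {record name: `dig +short SRV` output}
    ns_answers   `dig +short NS` output for the zone
    Returns {record: [missing DCs]}; an empty dict means every DC is
    advertised in every SRV record and in the NS set.
    """
    wanted = {d.lower() for d in dcs}
    gaps = {}
    for name in LOCATOR_SRV:
        missing = wanted - parse_srv(srv_answers.get(name, ""))
        if missing:
            gaps[name] = sorted(missing)
    missing_ns = wanted - parse_hosts(ns_answers)
    if missing_ns:
        gaps[f"NS {DOMAIN}"] = sorted(missing_ns)
    return gaps


def query_live(resolver=None):
    """Collect the same answers from a real resolver with dig (needs network)."""
    server = [f"@{resolver}"] if resolver else []

    def dig(rtype, name):
        out = subprocess.run(["dig", "+short", rtype, name, *server],
                             capture_output=True, text=True, check=True)
        return out.stdout

    return {n: dig("SRV", n) for n in LOCATOR_SRV}, dig("NS", DOMAIN)


def _port(name):
    """Service port for a constructed SRV answer (kerberos 88, GC 3268, LDAP 389)."""
    return 88 if "_kerberos" in name else 3268 if "gc" in name else 389


# Constructed sample answers: both DCs are in every record except the
# site-specific GC one, and (as Rowland notes for the internal DNS) only
# the first DC shows up as NS.
SAMPLE_DCS = ["dc1.samdom.example.com", "dc2.samdom.example.com"]
SAMPLE_SRV = {
    name: "".join(f"0 100 {_port(name)} {dc}.\n" for dc in SAMPLE_DCS)
    for name in LOCATOR_SRV
}
SAMPLE_SRV[f"_ldap._tcp.{SITE}._sites.gc._msdcs.{DOMAIN}"] = "0 100 3268 dc1.samdom.example.com.\n"
SAMPLE_NS = "dc1.samdom.example.com.\n"


def sample_report():
    """Run the check on the constructed sample above."""
    return check_locators(SAMPLE_DCS, SAMPLE_SRV, SAMPLE_NS)


if __name__ == "__main__":
    if len(sys.argv) > 2 and sys.argv[1] == "--live":
        # usage: check_locators.py --live dc1.fqdn dc2.fqdn [...]
        srv, ns = query_live()
        gaps = check_locators(sys.argv[2:], srv, ns)
    else:
        gaps = sample_report()
    if not gaps:
        print("every DC is present in every locator record")
    for rec, missing in gaps.items():
        print(f"{rec}: missing {', '.join(missing)}")
```

Run it on a domain member with `--live` and the FQDNs of all DCs; a record that lists only the FSMO holder is exactly the one that will stop working when that DC is off. A record that names both DCs but still fails when one is down points past DNS, at the member's smb.conf or at the DC itself.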
Rowland penny
2015-Dec-17 15:10 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17/12/15 14:56, Ole Traupe wrote:
>
> On 17.12.2015 at 15:33, Rowland penny wrote:
>> On 17/12/15 13:54, Ole Traupe wrote:
>>> Rowland, thank you, but before we do that:
>>>
>>> - what now with the 'gc' record? 2nd DC yes or no?
>>
>> Which one ? I have these:
>>
>> dn:
>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> They all contain two dns records, one from each DC
>>
>>> - if you say that the internal DNS is not compatible with a multi-DC
>>> setting, then we can stop here, no?
>>
>> Please stop putting words in my mouth :-)
>>
>> All I said was that you will only get one NS record if you use the
>> internal DNS server,
>
> Ok. And do you *need* both?

Not sure, but Microsoft says you should have a SOA record for each DC that runs DNS.

>> everything else seems to work though, although I haven't tried
>> turning the first DC off yet.
>
> Why? I mean, could you perhaps? Please?

Probably, but not today, will do it as soon as possible.

Rowland
Ole Traupe
2015-Dec-17 15:13 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Can *anyone* report that he/she has a fail-safe domain in the sense that the first DC (FSMO role holder) can be offline and login still works on Windows clients AND Linux member servers?

Samba 4.2.5 (from source)
Internal DNS

Ole

On 17.12.2015 at 15:56, Ole Traupe wrote:
>
> On 17.12.2015 at 15:33, Rowland penny wrote:
>> On 17/12/15 13:54, Ole Traupe wrote:
>>> Rowland, thank you, but before we do that:
>>>
>>> - what now with the 'gc' record? 2nd DC yes or no?
>>
>> Which one ? I have these:
>>
>> dn:
>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> They all contain two dns records, one from each DC
>>
>>> - if you say that the internal DNS is not compatible with a multi-DC
>>> setting, then we can stop here, no?
>>
>> Please stop putting words in my mouth :-)
>>
>> All I said was that you will only get one NS record if you use the
>> internal DNS server,
>
> Ok. And do you *need* both?
>
>> everything else seems to work though, although I haven't tried
>> turning the first DC off yet.
>
> Why? I mean, could you perhaps? Please?
>
>> Rowland
>>
>>> Ole
>>>
>>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>>
>>>>> I somehow doubt that. Still it seems that no one here has an idea
>>>>> of why log-on from member servers isn't working properly (for me).
>>>>> However, in the meantime I have created all the necessary DNS
>>>>> records. This can't be the issue anymore.
>>>>
>>>> If you are sure that you now have all the dns records for both DCs
>>>> in AD, then I would agree that this is probably not the issue
>>>> (there is just the 0.1% chance you are still missing something)
>>>>
>>>> Can your domain members find the DCs ?
>>>> Do your domain members have a FQDN ?
>>>> Are they joined to the domain ?
>>>> What have you got in smb.conf on the domain members ?
>>>>
>>>> You may have posted all or some of this before, but let's start again.
>>>>
>>>> Rowland
James
2015-Dec-17 15:20 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12/17/2015 9:56 AM, Ole Traupe wrote:
>
> On 17.12.2015 at 15:33, Rowland penny wrote:
>> On 17/12/15 13:54, Ole Traupe wrote:
>>> Rowland, thank you, but before we do that:
>>>
>>> - what now with the 'gc' record? 2nd DC yes or no?
>>
>> Which one ? I have these:
>>
>> dn:
>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> dn:
>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> They all contain two dns records, one from each DC
>>
>>> - if you say that the internal DNS is not compatible with a multi-DC
>>> setting, then we can stop here, no?
>>
>> Please stop putting words in my mouth :-)
>>
>> All I said was that you will only get one NS record if you use the
>> internal DNS server,
>
> Ok. And do you *need* both?
>
>> everything else seems to work though, although I haven't tried
>> turning the first DC off yet.
>
> Why? I mean, could you perhaps? Please?
>
>> Rowland
>>
>>> Ole
>>>
>>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>>
>>>>> I somehow doubt that. Still it seems that no one here has an idea
>>>>> of why log-on from member servers isn't working properly (for me).
>>>>> However, in the meantime I have created all the necessary DNS
>>>>> records. This can't be the issue anymore.
>>>>
>>>> If you are sure that you now have all the dns records for both DCs
>>>> in AD, then I would agree that this is probably not the issue
>>>> (there is just the 0.1% chance you are still missing something)
>>>>
>>>> Can your domain members find the DCs ?
>>>> Do your domain members have a FQDN ?
>>>> Are they joined to the domain ?
>>>> What have you got in smb.conf on the domain members ?
>>>>
>>>> You may have posted all or some of this before, but let's start again.
>>>>
>>>> Rowland

I just disabled my DC that is listed as SOA in a production environment. I'm using the internal DNS. I have 6 DC's in total across 3 sites. Around 200+ users and 140+ workstations. Everything appears to be working as normal aside from my monitoring tools going crazy. No issues so far. I am not authenticating local users to my member server however.

I will monitor for a while and see if anything creeps up or I start to get phone calls..

--
-James
Ole Traupe
2015-Dec-17 15:37 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 16:10, Rowland penny wrote:
> On 17/12/15 14:56, Ole Traupe wrote:
>>
>> On 17.12.2015 at 15:33, Rowland penny wrote:
>>> On 17/12/15 13:54, Ole Traupe wrote:
>>>> Rowland, thank you, but before we do that:
>>>>
>>>> - what now with the 'gc' record? 2nd DC yes or no?
>>>
>>> Which one ? I have these:
>>>
>>> dn:
>>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> They all contain two dns records, one from each DC
>>>
>>>> - if you say that the internal DNS is not compatible with a
>>>> multi-DC setting, then we can stop here, no?
>>>
>>> Please stop putting words in my mouth :-)
>>>
>>> All I said was that you will only get one NS record if you use the
>>> internal DNS server,
>>
>> Ok. And do you *need* both?
>
> Not sure, but Microsoft says you should have a SOA record for each DC
> that runs DNS.

SOA or NS? NS I have, SOA seems not possible.

>>> everything else seems to work though, although I haven't tried
>>> turning the first DC off yet.
>>
>> Why? I mean, could you perhaps? Please?
>
> Probably, but not today, will do it as soon as possible.

I would be more than happy about that!

> Rowland
Ole Traupe
2015-Dec-17 15:40 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
> I just disabled my DC that is listed as SOA in a production
> environment. I'm using the internal DNS. I have 6 DC's in total
> across 3 sites. Around 200+ users and 140+ workstations. Everything
> appears to be working as normal aside from my monitoring tools going
> crazy. No issues so far. I am not authenticating local users to my
> member server however.

What exactly do you mean by that last sentence?

> I will monitor for a while and see if anything creeps up or I start
> to get phone calls..

Thanks for the feedback!
Ole Traupe
2015-Dec-17 16:18 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 16:13, Ole Traupe wrote:
> Can *anyone* report that he/she has a fail-safe domain in the sense
> that the first DC (FSMO role holder) can be offline and login still
> works on Windows clients AND Linux member servers?
>
> Samba 4.2.5 (from source)
> Internal DNS

PS: No changes to the default site structure.

> Ole
>
> On 17.12.2015 at 15:56, Ole Traupe wrote:
>>
>> On 17.12.2015 at 15:33, Rowland penny wrote:
>>> On 17/12/15 13:54, Ole Traupe wrote:
>>>> Rowland, thank you, but before we do that:
>>>>
>>>> - what now with the 'gc' record? 2nd DC yes or no?
>>>
>>> Which one ? I have these:
>>>
>>> dn:
>>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> They all contain two dns records, one from each DC
>>>
>>>> - if you say that the internal DNS is not compatible with a
>>>> multi-DC setting, then we can stop here, no?
>>>
>>> Please stop putting words in my mouth :-)
>>>
>>> All I said was that you will only get one NS record if you use the
>>> internal DNS server,
>>
>> Ok. And do you *need* both?
>>
>>> everything else seems to work though, although I haven't tried
>>> turning the first DC off yet.
>>
>> Why? I mean, could you perhaps? Please?
>>
>>> Rowland
>>>
>>>> Ole
>>>>
>>>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>>>>
>>>>>> I somehow doubt that. Still it seems that no one here has an idea
>>>>>> of why log-on from member servers isn't working properly (for
>>>>>> me). However, in the meantime I have created all the necessary
>>>>>> DNS records. This can't be the issue anymore.
>>>>>
>>>>> If you are sure that you now have all the dns records for both DCs
>>>>> in AD, then I would agree that this is probably not the issue
>>>>> (there is just the 0.1% chance you are still missing something)
>>>>>
>>>>> Can your domain members find the DCs ?
>>>>> Do your domain members have a FQDN ?
>>>>> Are they joined to the domain ?
>>>>> What have you got in smb.conf on the domain members ?
>>>>>
>>>>> You may have posted all or some of this before, but let's start again.
>>>>>
>>>>> Rowland