Ole Traupe
2015-Dec-18  11:19 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Rowland,

I am very thankful that you take the time and test all this!

Before I go and check if this is the same with my setup, and possibly the problem, could you perhaps try a logon to a member server while the 1st DC is unavailable?

From my understanding of your post I take it you will have the same problem. But then, my understanding is limited.

However, if you DO have the same problem, and my understanding is correct, then the internal DNS of Samba is clearly *broken* and needs fixing!

Also I would like to state then that I am somewhat disappointed. I have spent weeks (if not months) to get my domain running as it is now, only to find out that I will have no good sleep with it. Sorry to be so blunt.

Ole

On 18.12.2015 at 10:44, Rowland penny wrote:
> On 17/12/15 15:37, Ole Traupe wrote:
>>>>> everything else seems to work though, although I haven't tried
>>>>> turning the first DC off yet.
>>>>
>>>> Why? I mean, could you perhaps? Please?
>>>
>>> Probably, but not today, will do it as soon as possible.
>>
>> I would be more than happy about that!
>
> OK, before I did anything else this morning, I started up my test
> domain. Note that this domain only existed to try and find out why the
> second DC didn't have a NS record in the SOA and uses the internal dns.
>
> Both of the DCs have the relevant line in the hosts file:
>
> root@testdc1:~# nano /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.0.240 testdc1.home.lan testdc1
>
> root@testdc2:~# nano /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.0.241 testdc2.home.lan testdc2
>
> Both of the DCs point to each other as their nameserver:
>
> root@testdc1:~# nano /etc/resolv.conf
>
> search home.lan
> nameserver 192.168.0.241
> nameserver 192.168.0.240
>
> root@testdc2:~# nano /etc/resolv.conf
>
> search home.lan
> nameserver 192.168.0.240
> nameserver 192.168.0.241
>
> If I examine the SOA record in AD I find this:
>
> dn: DC=@,DC=home.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=lan
> .....................
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x003f (63)
>     wType : DNS_TYPE_SOA (6)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x0000006e (110)
>     dwTtlSeconds : 0x00000e10 (3600)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 6)
>         soa: struct dnsp_soa
>             serial : 0x00000001 (1)
>             refresh : 0x00000384 (900)
>             retry : 0x00000258 (600)
>             expire : 0x00015180 (86400)
>             minimum : 0x00000e10 (3600)
>             mname : testdc1.home.lan
>             rname : hostmaster.home.lan
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x0014 (20)
>     wType : DNS_TYPE_NS (2)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 2)
>         ns : testdc1.home.lan
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x0014 (20)
>     wType : DNS_TYPE_NS (2)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 2)
>         ns : testdc2.home.lan
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x0004 (4)
>     wType : DNS_TYPE_A (1)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 1)
>         ipv4 : 192.168.0.240
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x0004 (4)
>     wType : DNS_TYPE_A (1)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 1)
>         ipv4 : 192.168.0.241
>
> So, as you can see both the DCs have their NS & A records in the SOA
>
> If I then run nslookup on both machines, I get this:
>
> root@testdc1:~# nslookup
> > set querytype=soa
> > home.lan
> Server:         192.168.0.241
> Address:        192.168.0.241#53
>
> home.lan
>         origin = testdc1.home.lan
>         mail addr = hostmaster.home.lan
>         serial = 1
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> root@testdc2:~# nslookup
> > set querytype=soa
> > home.lan
> Server:         192.168.0.240
> Address:        192.168.0.240#53
>
> home.lan
>         origin = testdc1.home.lan
>         mail addr = hostmaster.home.lan
>         serial = 1
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> As you can see, only the first DC is shown as the NS for the SOA, what
> happens if we turn off the first DC?
>
> We get this:
>
> root@testdc2:~# nslookup
> > set querytype=soa
> > home.lan
> Server:         192.168.0.241
> Address:        192.168.0.241#53
>
> home.lan
>         origin = testdc1.home.lan
>         mail addr = hostmaster.home.lan
>         serial = 1
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> The second DC is now using itself as its nameserver, but still gives
> the first DC as the NS
>
> This is totally different from what is returned if you use Bind9:
>
> Similar setup, only the names & ipaddresses have changed:
>
> root@dc1:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.6
> Address:        192.168.0.6#53
>
> samdom.example.com
>         origin = dc2.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> root@dc2:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.5
> Address:        192.168.0.5#53
>
> samdom.example.com
>         origin = dc1.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> Here, each DC shows the other as being the NS, so what happens if we
> turn off the first DC?
>
> root@dc2:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.6
> Address:        192.168.0.6#53
>
> samdom.example.com
>         origin = dc2.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> Now the second DC shows itself as being the NS.
>
> It seems that the internal dns server works very differently from Bind9.
>
> Conclusions? From my very limited testing, it would seem that, whilst
> it will work if you use multiple DCs running the internal dns servers,
> it would probably be better to use Bind9 instead.
>
> Rowland
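An added check, not part of the thread and not Samba's own tooling: it parses nslookup SOA answers of the form quoted above and says whether the SOA origin (mname) names a DC that is still reachable, which is the condition Rowland's test exposes on the internal DNS once the first DC is off. The sample answers are constructed from the outputs in the thread; the DC address map and the set of reachable DCs are assumed inputs that an operator supplies.

```python
import re

# Constructed samples, copied from the nslookup sessions quoted in the thread:
# Samba internal DNS answering on testdc2 with testdc1 off, and Bind9 answering
# on dc2 with dc1 off.
INTERNAL_DNS_DC2_DC1_DOWN = """\
Server:         192.168.0.241
Address:        192.168.0.241#53

home.lan
        origin = testdc1.home.lan
        mail addr = hostmaster.home.lan
        serial = 1
"""
BIND9_DC2_DC1_DOWN = """\
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
"""

# Assumed operator-supplied maps of DC FQDN -> IP, taken from the thread's setups.
HOME_LAN_DCS = {"testdc1.home.lan": "192.168.0.240", "testdc2.home.lan": "192.168.0.241"}
SAMDOM_DCS = {"dc1.samdom.example.com": "192.168.0.5", "dc2.samdom.example.com": "192.168.0.6"}


def parse_soa(answer):
    """Return (answering server IP, SOA origin) from 'set querytype=soa' output."""
    server = re.search(r"^Server:\s+(\S+)", answer, re.M)
    origin = re.search(r"^\s*origin = (\S+)", answer, re.M)
    if not server or not origin:
        raise ValueError("not an nslookup SOA answer")
    return server.group(1), origin.group(1).rstrip(".")


def soa_verdict(answer, dc_addresses, reachable):
    """Classify the SOA origin relative to the DC that answered and to which DCs are up."""
    server_ip, origin = parse_soa(answer)
    answering = next((n for n, ip in dc_addresses.items() if ip == server_ip), None)
    if origin not in dc_addresses:
        return "origin-not-a-known-dc"   # mname points outside the DC set
    if origin not in reachable:
        return "origin-unreachable"      # the internal-DNS case in the thread
    return "origin-is-self" if origin == answering else "origin-is-other-dc"
```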
Rowland penny
2015-Dec-18  11:30 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18/12/15 11:19, Ole Traupe wrote:
> Hi Rowland,
>
> I am very thankful, that you take the time and test all this!

No problem.

> Before I go and check if this is the same with my setup and possibly
> the problem, could you perhaps try a logon to a member server, while
> the 1st DC is unavailable?

Ah, slight problem there, as I said, this is just a couple of test DCs and there are no test domain members, you will have to bear with me whilst I create one.

Rowland

> From my understanding of your post I take it, you will have the same
> problem. But then, my understanding is limited.
>
> However, if you DO have the same problem, and my understanding is
> correct, then the internal DNS of Samba is clearly *broken* and needs
> fixing!
>
> Also I would like to state then, that I am somewhat disappointed. I
> have spent weeks (if not months) to get my domain running as it is
> now, only to find out that I will have no good sleep with it. Sorry to
> be so blunt.
>
> Ole
Ole Traupe
2015-Dec-18  12:07 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 18.12.2015 at 12:30, Rowland penny wrote:
> On 18/12/15 11:19, Ole Traupe wrote:
>> Hi Rowland,
>>
>> I am very thankful, that you take the time and test all this!
>
> No problem.
>
>> Before I go and check if this is the same with my setup and possibly
>> the problem, could you perhaps try a logon to a member server, while
>> the 1st DC is unavailable?
>
> Ah, slight problem there, as I said, this is just a couple of test DCs
> and there are no test domain members, you will have to bear with me
> whilst I create one.

I would be very grateful, and I guess many others too.

I heard from many sides that you should really only use bind9 in case you plan a more complicated setup. Until now I thought that having 2 DCs wasn't considered as such.

> Rowland
>
>> From my understanding of your post I take it, you will have the same
>> problem. But then, my understanding is limited.
>>
>> However, if you DO have the same problem, and my understanding is
>> correct, then the internal DNS of Samba is clearly *broken* and needs
>> fixing!
>>
>> Also I would like to state then, that I am somewhat disappointed. I
>> have spent weeks (if not months) to get my domain running as it is
>> now, only to find out that I will have no good sleep with it. Sorry
>> to be so blunt.
>>
>> Ole
L.P.H. van Belle
2015-Dec-18  12:50 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ole,

>>> Also I would like to state then, that I am somewhat disappointed. I
>>> have spent weeks (if not months) to get my domain running as it is
>>> now, only to find out that I will have no good sleep with it. Sorry
>>> to be so blunt.

Just months.. my testing period was about 1 year! OK, I have a complex network and extra things to account for, and this was all done while doing my normal work...

Really try this. Go here: https://secure.bazuin.nl/scripts

Install a clean Debian jessie. Select only ssh server at package selection (optional base packages won't have a negative impact on the scripts, just your server performance).

Get these (wget --no-check-certificate ..):

https://secure.bazuin.nl/scripts/0-setup-apt-debian.sh
https://secure.bazuin.nl/scripts/1-tools.sh
https://secure.bazuin.nl/scripts/2-setup-network-hostname.sh
https://secure.bazuin.nl/scripts/3-setup-ssh-debian.sh
https://secure.bazuin.nl/scripts/4-jessie-samba-DC.sh

Configure the scripts and run them in order. In the end you have a good working Samba AD DC. You can use it also to join a Samba AD.

Give it a try. Most problems you have are from a wrong change / broken DC / installed new DC with old IP / etc. Many things here can be a cause of your problems.

You spent weeks, months on a problem, and you learn from it, so now you're production ready. ;-)

And if your server is in production, use the script to join a DC. Seize the FSMO roles, and remove the old.

And NEVER!!! use the Samba server name/IP when you change a DC. And if you really need the old name, which for a DC should not be needed, add a CNAME in the DNS with the old name.

And don't configure things based on IP address, and always based on names; keeps you flexible to change things without damaging other things.

.. yes... I learned the hard way also. ;-) Know what you're talking about..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Ole Traupe
> Sent: Friday 18 December 2015 13:07
> To: samba@lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> On 18.12.2015 at 12:30, Rowland penny wrote:
> > On 18/12/15 11:19, Ole Traupe wrote:
> >> Hi Rowland,
> >>
> >> I am very thankful, that you take the time and test all this!
> >
> > No problem.
> >
> >> Before I go and check if this is the same with my setup and possibly
> >> the problem, could you perhaps try a logon to a member server, while
> >> the 1st DC is unavailable?
> >
> > Ah, slight problem there, as I said, this is just a couple of test DCs
> > and there are no test domain members, you will have to bear with me
> > whilst I create one.
>
> I would be very grateful, and I guess many others too.
>
> I heard from many sides that you should really only use bind9 in case
> you plan a more complicated setup. Until now I thought that having 2 DCs
> wasn't considered as such.
>
> > Rowland
> >
> >> From my understanding of your post I take it, you will have the same
> >> problem. But then, my understanding is limited.
> >>
> >> However, if you DO have the same problem, and my understanding is
> >> correct, then the internal DNS of Samba is clearly *broken* and needs
> >> fixing!
> >>
> >> Also I would like to state then, that I am somewhat disappointed. I
> >> have spent weeks (if not months) to get my domain running as it is
> >> now, only to find out that I will have no good sleep with it. Sorry
> >> to be so blunt.
> >>
> >> Ole