I joined a second Samba 4 controller to an existing test Samba 4 domain
by following
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
I found I had to create the A and GUID CNAME records for the second host
by hand, as the instructions said I might.
However, there were also missing SRV records, in particular
_kerberos._udp.<domain>
_ldap._tcp.<domain>
(they list only the first server)
As I understand it, the client won't be able to find a domain controller
if the primary fails and there's no SRV. Indeed, if I shut down the
primary, kinit says it's unable to contact any KDC for the realm.
I was able to fix it like this, after I'd worked out the unusual
ordering of the SRV record parameters that samba-tool expects:
# samba-tool dns add localhost example.com _kerberos._udp srv "pc2.example.com. 88 0 100" -U administrator
# samba-tool dns add localhost example.com _ldap._tcp srv "pc2.example.com. 389 0 100" -U administrator
# samba-tool dns add localhost example.com _kerberos._tcp srv "pc2.example.com. 88 0 100" -U administrator
(note: kinit didn't work until _kerberos._tcp was added; I used tcpdump
to find out what queries it was doing)
Also I see there are others like
_kpasswd._udp
_kpasswd._tcp
which presumably should be included as well.
Perhaps these steps should be added to the documentation too?
Regards,
Brian.
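
A check for the gap described in the message above, as an added example that is not part of the original post: it compares the SRV answers for one record name against the list of DCs and prints the samba-tool command for each DC that is missing. The host pc1.example.com. (standing in for the first DC), the sample answer and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. pc1.example.com. (the first DC)
# and the sample answer at the bottom are constructed for illustration.

# srv_targets: read `dig +short SRV <name>` answers on stdin, in the standard
# "priority weight port target" order, and print each target in lower case.
srv_targets() {
    awk 'NF == 4 { print tolower($4) }'
}

# missing_dcs ANSWERS DC...: print every DC (FQDN with trailing dot) that is
# not a target in ANSWERS.
missing_dcs() {
    md_answers=$1; shift
    for md_dc in "$@"; do
        md_want=$(printf '%s' "$md_dc" | tr 'A-Z' 'a-z')
        printf '%s\n' "$md_answers" | srv_targets | grep -qxF "$md_want" \
            || printf '%s\n' "$md_dc"
    done
}

# audit ZONE NAME PORT ANSWERS DC...: for each missing DC print the
# samba-tool command that adds it. samba-tool takes the SRV data as
# "target port priority weight"; priority 0 and weight 100 are the values
# used in the post.
audit() {
    au_zone=$1 au_name=$2 au_port=$3 au_answers=$4; shift 4
    for au_dc in $(missing_dcs "$au_answers" "$@"); do
        printf 'samba-tool dns add localhost %s %s srv "%s %s 0 100" -U administrator\n' \
            "$au_zone" "$au_name" "$au_dc" "$au_port"
    done
}

# Live use: answers=$(dig +short SRV _kerberos._tcp.example.com)
# Constructed answer showing only the first DC registered:
sample='0 100 88 pc1.example.com.'
audit example.com _kerberos._tcp 88 "$sample" pc1.example.com. pc2.example.com.
```

Running audit once per record name (_kerberos._udp, _kerberos._tcp, _ldap._tcp) after each DC join shows which entries still list only the first server.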