Ole Traupe
2015-Nov-12 11:10 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12.11.2015 at 11:22, Harry Jede wrote:
> On 11:06:29 wrote Ole Traupe:
>> Hi,
>>
>> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux member servers with my PDC being offline (plugged the cable). It is not working so well.
>>
>> On Windows it initially takes forever. It works again after rebooting the client, which seems to be the easiest solution (can be performed by the user).
>>
>> On Linux member servers, ssh log-in eventually times out. It works again after I manually swap the DNS server order in /etc/resolv.conf and the KDC provider order in /etc/krb5.conf. But manual intervention is clearly not preferred here.
>>
>> According to the sanity checks for domain controllers and member servers on the wiki setup and troubleshooting pages, my domain is working at its best.
>>
>> Is this due to DNS and Kerberos timeouts accumulating?
> It is DNS related.
>
>> What is the best way of dealing with this?
> The *best way* is a HA solution for your DNS servers, but it's expensive.
>
> The DNS client (resolver) caches the SRV records for 15 minutes, aka 900 seconds.
>
> ipconfig /flushdns drops the cache. Reboot does the same.

Will try this, thank you!

> On the server side you may set a shorter TTL for the server records, but then you have more DNS traffic. On small networks (sites up to 20 clients, no wifi) I have good experience with a TTL of 180.

Ok. So I do this on my Samba DCs (my domain DNS servers), and this will affect Windows and Linux domain clients/member servers likewise?
Harry Jede
2015-Nov-12 12:26 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12:55:46 wrote Ole Traupe:
> On 12.11.2015 at 11:22, Harry Jede wrote:
> > On 11:06:29 wrote Ole Traupe:
> >> Hi,
> >>
> >> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux member servers with my PDC being offline (plugged the cable). It is not working so well.
> >>
> >> On Windows it initially takes forever. It works again after rebooting the client, which seems to be the easiest solution (can be performed by the user).
> >>
> >> On Linux member servers, ssh log-in eventually times out. It works again after I manually swap the DNS server order in /etc/resolv.conf and the KDC provider order in /etc/krb5.conf. But manual intervention is clearly not preferred here.
> >>
> >> According to the sanity checks for domain controllers and member servers on the wiki setup and troubleshooting pages, my domain is working at its best.
> >>
> >> Is this due to DNS and Kerberos timeouts accumulating?
> >
> > It is DNS related.
> >
> >> What is the best way of dealing with this?
> >
> > The *best way* is a HA solution for your DNS servers, but it's expensive.
> >
> > The DNS client (resolver) caches the SRV records for 15 minutes, aka 900 seconds.
> >
> > ipconfig /flushdns drops the cache. Reboot does the same.
>
> Will try this, thank you!
>
> > On the server side you may set a shorter TTL for the server records, but then you have more DNS traffic. On small networks (sites up to 20 clients, no wifi) I have good experience with a TTL of 180.
>
> Ok. So I do this on my Samba DCs (my domain DNS servers), and this will affect Windows and Linux domain clients/member servers likewise?

Theoretically yes. Assume you have an IMAP or web server installed on your DC (bad idea). I am pretty sure that some mail clients and browsers have their own cache for IP addresses. So the A records may be cached on application level. How do these caches work?

The SOA record should only be used by the resolver libs.

The SRV TXT records are used by many apps, i.e. the netlogon process. Netlogon randomly picks one DC if more than one record exists for a site. If this DC is down or unreachable, netlogon tries this DC until the TTL times out and then tries the next one. This is at least true for Windows XP, not for 2000. Should be true for all current Windows versions.

-- 
Gruss Harry Jede
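The behaviour Harry describes (a member pins the DC it picked from the SRV set, keeps hammering it while the cached records are valid, and only re-picks once the TTL runs out or the cache is flushed) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from Samba or Windows; the host names `dc1.my.domain.com` / `dc2.my.domain.com`, the 3600 s TTL and the SRV records are constructed sample data, and the "skip the DC that just failed" rule is a simplification of what netlogon actually does. It shows why the time until the client can log on again after the PDC goes down tracks the SRV TTL, and why `ipconfig /flushdns` or a reboot fixes it immediately.

```python
"""Model of SRV caching and DC failover in an AD logon (added example)."""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp.dc._msdcs answer: target, port, RFC 2782 fields, TTL."""
    target: str
    port: int
    priority: int
    weight: int
    ttl: int


# Constructed sample data; the zone and DC names are assumptions.
SAMPLE_SRV = [
    SrvRecord("dc1.my.domain.com", 389, 0, 100, 3600),
    SrvRecord("dc2.my.domain.com", 389, 0, 100, 3600),
]


def with_ttl(records, ttl):
    """Same record set as the server would publish with a shorter TTL."""
    return [replace(r, ttl=ttl) for r in records]


def rfc2782_pick(records, rng, exclude=frozenset()):
    """RFC 2782 selection: lowest priority wins, then weighted random within
    that tier. Targets in `exclude` are skipped unless nothing else is left."""
    candidates = [r for r in records if r.target not in exclude] or list(records)
    best = min(r.priority for r in candidates)
    tier = [r for r in candidates if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier)
    roll = rng.uniform(0, total)
    acc = 0
    for r in tier:
        acc += r.weight
        if roll <= acc:
            return r
    return tier[-1]


class NetlogonClient:
    """Simplified client: pins one DC until the cached SRV answer expires,
    then picks again, skipping DCs that already failed. flush() plays the
    role of `ipconfig /flushdns` (or a reboot)."""

    def __init__(self, records, rng):
        self.records = records
        self.rng = rng
        self.pinned = None
        self.expires_at = -1
        self.failed = set()

    def flush(self):
        self.pinned = None
        self.expires_at = -1

    def logon(self, now, alive):
        """Attempt a logon at time `now`; `alive` is the set of reachable DCs."""
        if self.pinned is None or now >= self.expires_at:
            self.pinned = rfc2782_pick(self.records, self.rng, frozenset(self.failed))
            self.expires_at = now + self.pinned.ttl  # cache lifetime = record TTL
        if self.pinned.target in alive:
            return True
        self.failed.add(self.pinned.target)
        return False


def _client_pinned_to(records, dead_dc, seed):
    """Worst case: the cache is warm with the DC that is about to go down."""
    client = NetlogonClient(records, random.Random(seed))
    client.pinned = next(r for r in records if r.target == dead_dc)
    client.expires_at = client.pinned.ttl
    return client


def seconds_until_recovery(records, dead_dc, interval=30, seed=1, limit=24 * 3600):
    """Retry logon every `interval` seconds after `dead_dc` fails at t=0 and
    return the first time a logon succeeds (None if never within `limit`)."""
    client = _client_pinned_to(records, dead_dc, seed)
    alive = {r.target for r in records} - {dead_dc}
    t = 0
    while t <= limit:
        if client.logon(t, alive):
            return t
        t += interval
    return None


def flush_then_retry(records, dead_dc, seed=1):
    """Outcome of a logon before and after dropping the resolver cache."""
    client = _client_pinned_to(records, dead_dc, seed)
    alive = {r.target for r in records} - {dead_dc}
    before = client.logon(0, alive)   # still pinned to the dead DC
    client.flush()
    after = client.logon(1, alive)    # re-picked, failed DC skipped
    return before, after


if __name__ == "__main__":
    dead = "dc1.my.domain.com"
    print("TTL 3600:", seconds_until_recovery(SAMPLE_SRV, dead), "s until logon works")
    print("TTL  180:", seconds_until_recovery(with_ttl(SAMPLE_SRV, 180), dead), "s")
    print("flush:", flush_then_retry(SAMPLE_SRV, dead))
```

With the 3600 s TTL the client is stuck on the dead DC for a full hour; with 180 s it recovers after three minutes; flushing the cache recovers on the very next attempt. Note that the model caches per record TTL, which is what a resolver does, so the value you publish on the SRV records (not the SOA or NS TTL) is the one that matters for this timing.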
Ole Traupe
2015-Nov-12 14:33 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>> On the server side you may set a shorter TTL for the server records, but then you have more DNS traffic. On small networks (sites up to 20 clients, no wifi) I have good experience with a TTL of 180.
>> Ok. So I do this on my Samba DCs (my domain DNS servers), and this will affect Windows and Linux domain clients/member servers likewise?
> Theoretically yes. Assume you have an IMAP or web server installed on your DC (bad idea). I am pretty sure that some mail clients and browsers have their own cache for IP addresses. So the A records may be cached on application level. How do these caches work?
>
> The SOA record should only be used by the resolver libs.
>
> The SRV TXT records are used by many apps, i.e. the netlogon process. Netlogon randomly picks one DC if more than one record exists for a site. If this DC is down or unreachable, netlogon tries this DC until the TTL times out and then tries the next one. This is at least true for Windows XP, not for 2000. Should be true for all current Windows versions.

Sorry that I ask again, I have little experience with DNS.

I have A records for all my DCs in "my.domain.com" and "_msdcs.my.domain.com". I have SOA and NS records in both places, but only for the First_DC (FSMO role holder). Is that ok?

Only SOA and NS records have TTL settings. Do I have to change both? From your above comment I take that you would advise it. Otherwise, trying to resolve a host wouldn't be diagnostic of the DNS request during the logon process.

To whom it may concern: TTL seems to be set to 1h by default with Samba4.
L.P.H. van Belle
2015-Nov-12 15:17 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Ole,

A handy site:

http://blogs.msdn.com/b/servergeeks/archive/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory.aspx

greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday, 12 November 2015 15:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> >>> On the server side you may set a shorter TTL for the server records, but then you have more DNS traffic. On small networks (sites up to 20 clients, no wifi) I have good experience with a TTL of 180.
> >> Ok. So I do this on my Samba DCs (my domain DNS servers), and this will affect Windows and Linux domain clients/member servers likewise?
> > Theoretically yes. Assume you have an IMAP or web server installed on your DC (bad idea). I am pretty sure that some mail clients and browsers have their own cache for IP addresses. So the A records may be cached on application level. How do these caches work?
> >
> > The SOA record should only be used by the resolver libs.
> >
> > The SRV TXT records are used by many apps, i.e. the netlogon process. Netlogon randomly picks one DC if more than one record exists for a site. If this DC is down or unreachable, netlogon tries this DC until the TTL times out and then tries the next one. This is at least true for Windows XP, not for 2000. Should be true for all current Windows versions.
>
> Sorry that I ask again, I have little experience with DNS.
>
> I have A records for all my DCs in "my.domain.com" and "_msdcs.my.domain.com". I have SOA and NS records in both places, but only for the First_DC (FSMO role holder). Is that ok?
>
> Only SOA and NS records have TTL settings. Do I have to change both? From your above comment I take that you would advise it. Otherwise, trying to resolve a host wouldn't be diagnostic of the DNS request during the logon process.
>
> To whom it may concern: TTL seems to be set to 1h by default with Samba4.
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba