Ole Traupe
2015-Nov-18 15:44 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
> It is DNS related. > >> What is the best way of dealing with this? > The *best way* is a HA solution for your DNS Servers, but its expensive. > > The DNS client (resolver) caches the srv records for 15 minutes aka 900 > seconds. > > ipconfig /flushdns drops the cache. Reboot does the same. > > On server side you may set shorter TTL for the server records, but then > you have more DNS traffic. On small netwoks (sites up to 20 clients, no > wifi) I have good experience with a TTL of 180.Harry, I tried this - unsuccessfully. I have TTL settings in a) the SOA and b) the NS record of the FQDN and the _msdcs.FQDN sections in my Windows RSAT DNS console. None of these 4 entries I can change: I get something like "The Source Of Authority (SOA) cannot be updated. The record already exists." Do you have an idea how to accomplish this? Currently the setting is 1h, which is pretty long. Ole
mathias dufresne
2015-Nov-19 10:19 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Ole, You want to change SOA of your AD domain? Here some working command: samba-tool dns update <working DC> samba.domain.tld \ samba.domain.tld SOA \ 'oldSOA.samba.domain.tld. hostmaster.samba.domain.tld. 58 900 600 86400 3600' \ 'newSOA.samba.domain.tld. hostmaster.saba.domain.tld. 59 900 600 86400 3600' -k yes This needs you performed some kinit before using an account able to modify this entry (by default only administrator is able to that I expect). This must be done for the two DNS zones of your domain: samba.domain.tld + _msdcs.samba.domain.tld First number of replacement record (here "59") is serial number. Replication of change seemed to work without changing that serial number but as DNS love to rely on it, changing that serial should be a good idea. Hoping this helps... Cheers, mathias 2015-11-18 16:44 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:> > It is DNS related. >> >> What is the best way of dealing with this? >>> >> The *best way* is a HA solution for your DNS Servers, but its expensive. >> >> The DNS client (resolver) caches the srv records for 15 minutes aka 900 >> seconds. >> >> ipconfig /flushdns drops the cache. Reboot does the same. >> >> On server side you may set shorter TTL for the server records, but then >> you have more DNS traffic. On small netwoks (sites up to 20 clients, no >> wifi) I have good experience with a TTL of 180. >> > > Harry, I tried this - unsuccessfully. > > I have TTL settings in a) the SOA and b) the NS record of the FQDN and the > _msdcs.FQDN sections in my Windows RSAT DNS console. None of these 4 > entries I can change: I get something like "The Source Of Authority (SOA) > cannot be updated. The record already exists." > > Do you have an idea how to accomplish this? Currently the setting is 1h, > which is pretty long. > > Ole > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Ole Traupe
2015-Nov-19 12:43 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Mathias, thank you very much for your comprehensive instructions! Just one question: Harry suggested that, in order to overcome the below DNS related problems, the TTL would have to be adjusted (lowered). However, the TTL seems to be the only time value not covered by the command provided by you. Is it really the TTL that is the culprit or is it rather the first time value (something like "Refresh value" in english)? Do you know this? Ole Am 19.11.2015 um 11:19 schrieb mathias dufresne:> Hi Ole, > > You want to change SOA of your AD domain? > > Here some working command: > samba-tool dns update <working DC> samba.domain.tld \ > samba.domain.tld SOA \ > 'oldSOA.samba.domain.tld. hostmaster.samba.domain.tld. 58 900 600 > 86400 3600' \ > 'newSOA.samba.domain.tld. hostmaster.saba.domain.tld. 59 900 600 86400 > 3600' -k yes > > This needs you performed some kinit before using an account able to > modify this entry (by default only administrator is able to that I > expect). > > This must be done for the two DNS zones of your domain: > samba.domain.tld + _msdcs.samba.domain.tld > > First number of replacement record (here "59") is serial number. > Replication of change seemed to work without changing that serial > number but as DNS love to rely on it, changing that serial should be a > good idea. > > Hoping this helps... > > Cheers, > > mathias > > > 2015-11-18 16:44 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de > <mailto:ole.traupe at tu-berlin.de>>: > > > It is DNS related. > > What is the best way of dealing with this? > > The *best way* is a HA solution for your DNS Servers, but its > expensive. > > The DNS client (resolver) caches the srv records for 15 > minutes aka 900 > seconds. > > ipconfig /flushdns drops the cache. Reboot does the same. > > On server side you may set shorter TTL for the server records, > but then > you have more DNS traffic. On small netwoks (sites up to 20 > clients, no > wifi) I have good experience with a TTL of 180. > > > Harry, I tried this - unsuccessfully. > > I have TTL settings in a) the SOA and b) the NS record of the FQDN > and the _msdcs.FQDN sections in my Windows RSAT DNS console. None > of these 4 entries I can change: I get something like "The Source > Of Authority (SOA) cannot be updated. The record already exists." > > Do you have an idea how to accomplish this? Currently the setting > is 1h, which is pretty long. > > Ole > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Apparently Analagous Threads
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- Authentication to Secondary Domain Controller initially fails when PDC is offline