Ole Traupe
2015-Nov-19 15:25 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ok, I see. Nevertheless, thank you very much for your effort!

I must say that I can't actually believe that no one knows an answer to this problem. It must affect MANY people using Samba DCs. According to all the tests on the wiki, everything is working fine. Then I pull the plug on my first DC and no one can log on. And this time I waited far longer than the suggested "refresh interval" of 15 min - even longer than the value called "TTL" in the GUI of 1h. I also tried "ipconfig /flushdns" on my Windows client. Does not improve the situation. Only a reboot solves the issue. But that would be no acceptable practice for Linux member servers. And it doesn't seem to help, anyway (just tried this).

It is one of the first and most important tests for a domain to see what happens if the first DC is down. Without a working take-over, other DCs are nothing more than backup (replication) targets, and the domain is not fail-safe.

This can't be the end of the story, right?

Ole

On 19.11.2015 at 14:04, mathias dufresne wrote:
> No idea about your main issue, I was merely answering your last question about changing the SOA record.
>
> Here is another view of that command:
> samba-tool dns update <server> <zone> <name> SOA \
>   'OLDnameserver email serial refresh retry expire minimumttl' \
>   'NEWnameserver email serial refresh retry expire minimumttl'
>
> I'm not too confident with DNS internals so I'm not sure if the TTL you mentioned is or isn't "expire" or "minimumttl".
>
> After digging a little bit it seems the previous line is completely wrong; neither "expire" nor "minimumttl" is "TTL". This because:
> dig -t SOA SAMBADOMAIN.TLD
> ...
> samba.domain.tld. 1715 IN SOA DC1.samba.domain.tld. 62 900 600 86400 3600
> ...
>
> And from what I just read in dig's "ANSWER SECTION" the second field is the TTL, so 1715 in my case, which has nothing to do with "expire" (86400) or "minimumttl" (3600).
>
> And that makes me wonder how TTL can be less than "minimumttl"...
>
> So, the short way: the command I gave does not seem to be designed to help you change the TTL. Sorry :)
>
> Cheers,
>
> mathias
>
> 2015-11-19 13:43 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>
>> Mathias, thank you very much for your comprehensive instructions!
>>
>> Just one question: Harry suggested that, in order to overcome the below DNS related problems, the TTL would have to be adjusted (lowered). However, the TTL seems to be the only time value not covered by the command provided by you.
>>
>> Is it really the TTL that is the culprit or is it rather the first time value (something like "Refresh value" in English)?
>>
>> Do you know this?
>>
>> Ole
>>
>> On 19.11.2015 at 11:19, mathias dufresne wrote:
>>> Hi Ole,
>>>
>>> You want to change the SOA of your AD domain?
>>>
>>> Here is a working command:
>>> samba-tool dns update <working DC> samba.domain.tld samba.domain.tld SOA \
>>>   'oldSOA.samba.domain.tld. hostmaster.samba.domain.tld. 58 900 600 86400 3600' \
>>>   'newSOA.samba.domain.tld. hostmaster.samba.domain.tld. 59 900 600 86400 3600' -k yes
>>>
>>> This needs you to have performed a kinit before, using an account able to modify this entry (by default only administrator is able to, I expect).
>>>
>>> This must be done for the two DNS zones of your domain: samba.domain.tld + _msdcs.samba.domain.tld
>>>
>>> The first number of the replacement record (here "59") is the serial number. Replication of the change seemed to work without changing that serial number, but as DNS loves to rely on it, changing that serial should be a good idea.
>>>
>>> Hoping this helps...
>>>
>>> Cheers,
>>>
>>> mathias
>>>
>>> 2015-11-18 16:44 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
>>>
>>>>> It is DNS related.
>>>>>
>>>>>> What is the best way of dealing with this?
>>>>>
>>>>> The *best way* is a HA solution for your DNS servers, but it's expensive.
>>>>>
>>>>> The DNS client (resolver) caches the SRV records for 15 minutes aka 900 seconds.
>>>>>
>>>>> ipconfig /flushdns drops the cache. Reboot does the same.
>>>>>
>>>>> On the server side you may set a shorter TTL for the server records, but then you have more DNS traffic. On small networks (sites up to 20 clients, no wifi) I have good experience with a TTL of 180.
>>>>
>>>> Harry, I tried this - unsuccessfully.
>>>>
>>>> I have TTL settings in a) the SOA and b) the NS record of the FQDN and the _msdcs.FQDN sections in my Windows RSAT DNS console. None of these 4 entries can I change: I get something like "The Source Of Authority (SOA) cannot be updated. The record already exists."
>>>>
>>>> Do you have an idea how to accomplish this? Currently the setting is 1h, which is pretty long.
>>>>
>>>> Ole
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2015-Nov-19 17:22 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Here, to avoid issues when some DC is down, I rely on MS Windows client behaviour. Windows clients ask DNS for the list of all DCs (according to their sites, relying on the client IP to define which AD site this client is in). Once the client has this list of all DCs it launches some LDAP requests (I believe) and will use as its own DC for that session one of the first DCs which were able to reply to the LDAP request.

If your client is not in the default site, this chosen DC will stay in cache as the default DC for 24h if I'm not wrong. If your client is in the default site I believe the cache is 15 min, so after 15 min it will relaunch the whole discovery process.

At least, from that, sites are important :)

Now to be back on the resilience question, *you must always have several DCs* to be sure that at any moment your client will always find at least one DC available. Use VMs to lower cost, but still, build several DCs.

I have also added two DNS servers which forward all DNS queries to AD when the request is about AD, and if the request is not about the AD zone, the request is sent to normal DNS (those internal to the company I work for). These two DNS servers share a virtual IP and I have an awful hand-written script to move that VIP from one DNS server to the other.

Why these two DNS servers? I don't want to change the clients' configuration; they will continue to use the main DNS servers (those from the company I work for). These main DNS servers will forward all requests for the AD zone to the AD DNS servers (in fact to my two little DNS servers, and these little DNS servers will forward requests to the AD DNS servers). I don't want (and I won't be able) to change the list of DCs up and running on the main DNS servers. And that list is bound to change, so I need a way to change it.

This is a bit heavy and I'm not yet sure I'll keep it in the long run. But for now it seems to work...

Cheers,

mathias

2015-11-19 16:25 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:
> Ok, I see. Nevertheless, thank you very much for your effort!
> [...]
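The discovery sequence mathias describes above, as an added example that is not part of the thread and is neither Samba nor Windows code: it orders the SRV records the way RFC 2782 prescribes (lowest priority first, weighted random choice within a priority), stands in for the LDAP "ping" with a reachability table, and keeps the chosen DC in a client-side cache with a TTL. The record names, hostnames, the 900 s cache and the "stay pinned to a dead DC until the cache expires or is flushed" behaviour are assumptions modelled on what the thread reports, not a verified reproduction of the Windows DC locator.

```python
"""Added example: DNS-side DC discovery as the thread describes it.
Constructed data; hostnames, TTLs and the cache behaviour are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str
    ttl: int


# Constructed SRV records in the shape a Samba AD DC publishes: a site-specific
# name and the domain-wide fallback.  Both DCs share priority and weight.
SRV_RECORDS = {
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba.domain.tld": [
        SRV(0, 100, 389, "dc1.samba.domain.tld.", 900),
        SRV(0, 100, 389, "dc2.samba.domain.tld.", 900),
    ],
    "_ldap._tcp.dc._msdcs.samba.domain.tld": [
        SRV(0, 100, 389, "dc1.samba.domain.tld.", 900),
        SRV(0, 100, 389, "dc2.samba.domain.tld.", 900),
    ],
}


def rfc2782_order(records, rng):
    """Order SRV records for use: lowest priority first; inside one priority,
    weighted random selection as in RFC 2782's usage rules."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first so they are picked only when the draw is 0
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            draw = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


class DcLocator:
    """Client-side view: pick a DC from DNS, remember it until the cache expires."""

    def __init__(self, domain, site, reachable, cache_ttl=900, seed=1):
        self.domain = domain
        self.site = site
        self.reachable = reachable      # target -> bool, stands in for the LDAP ping
        self.cache_ttl = cache_ttl
        self.rng = random.Random(seed)  # seeded so the example is repeatable
        self.cached = None              # (target, expiry time)

    def candidates(self):
        site_q = f"_ldap._tcp.{self.site}._sites.dc._msdcs.{self.domain}"
        domain_q = f"_ldap._tcp.dc._msdcs.{self.domain}"
        recs = SRV_RECORDS.get(site_q) or SRV_RECORDS.get(domain_q, [])
        return [r.target for r in rfc2782_order(recs, self.rng)]

    def locate(self, now, flush=False):
        """Return the DC to use at time `now`, or None when the cached DC is
        down and the cache has not expired (the failure the thread reports)."""
        if flush:                        # ipconfig /flushdns, reboot, ...
            self.cached = None
        if self.cached and now < self.cached[1]:
            target = self.cached[0]
            return target if self.reachable.get(target, False) else None
        for target in self.candidates():
            if self.reachable.get(target, False):
                self.cached = (target, now + self.cache_ttl)
                return target
        return None


def failover_timeline(flush_at_60=False, seed=1):
    """Pull the plug on whichever DC the client chose first and observe what
    the client gets at t=60 s and t=901 s (after the 900 s cache expires)."""
    reachable = {"dc1.samba.domain.tld.": True, "dc2.samba.domain.tld.": True}
    loc = DcLocator("samba.domain.tld", "Default-First-Site-Name", reachable,
                    cache_ttl=900, seed=seed)
    chosen = loc.locate(0)
    reachable[chosen] = False
    return chosen, {
        "t=60": loc.locate(60, flush=flush_at_60),
        "t=901": loc.locate(901),
    }


if __name__ == "__main__":
    for flush in (False, True):
        chosen, events = failover_timeline(flush_at_60=flush)
        print(f"first choice {chosen}, flush at 60s: {flush} -> {events}")
```

Run it and the two timelines show the point of the thread: with both DCs published at equal priority and weight the client has everything it needs to fail over, but as long as it trusts its cached choice it gets nothing, and only a cache flush or expiry makes it re-run discovery and land on the surviving DC.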
Mueller
2015-Nov-20 07:44 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Within a real Windows 2008 domain it is the same behaviour. Even there you need the clients to reboot.

This feature got lost after the beta status of Samba 4. I had a test environment with the first betas and it worked there without any issue. Even mapping the shares by domain worked: \\my.domain\share. Test this with the new versions, it will fail (only netlogon will do).

It would be fine if Samba did it better. Samba 4 is too close to building a Windows AD server. It would be a great step if it added its own better features.

Greetings

Daniel

EDV Daniel Müller

Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: Ole Traupe [mailto:ole.traupe at tu-berlin.de]
Sent: Thursday, 19 November 2015 16:26
To: mathias dufresne <infractory at gmail.com>
Cc: samba <samba at lists.samba.org>
Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ok, I see. Nevertheless, thank you very much for your effort!
[...]
mathias dufresne
2015-Nov-20 10:54 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Ole,

I'm still not answering your issue but I come back to speak about TTL. Perhaps someone would be able to bring us some light on that.

This morning I'm trying to reproduce the way I broke my test AD domain. This leads me to deal with the SOA record (I broke my test AD by seizing FSMO roles before removing the old FSMO owner; the SOA was not changed during that process and I suspect this was one of the points leading to all the issues this test domain has).

Anyway:

samba-tool dns query m700 samba.domain.tld samba.domain.tld SOA -k yes
  Name=, Records=1, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, *minttl=3600*, ns=m700.samba.domain.tld., email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1, *ttl=3600*)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=m700, Records=0, Children=0

This shows us the TTL is in fact equal to minimumttl inside the AD DB.

According to http://stackoverflow.com/questions/20297531/meaning-of-the-five-fields-of-the-answer-section-in-dig-query the second member of dig's answer section is the TTL.

dig -t soa samba.domain.tld
...
samba.domain.tld. *3593* IN SOA m700.samba.domain.tld. hostmaster.samba.domain.tld. 1 900 600 86400 3600
...

When yesterday the same request gave the following answer:
...
samba.domain.tld. *1715* IN SOA DC1.samba.domain.tld. 62 900 600 86400 3600
...

So I ran that same command several times, and each time the value displayed as second member (here 1715 or 3593) had decreased by the same number of seconds as the time between my command launches. It seems this shown TTL is the declared TTL (or minttl) minus the number of seconds since the last renewal of this TTL. No idea why this behaviour.
If someone knows, I would be pleased to learn :)

Cheers,

mathias

2015-11-20 8:44 GMT+01:00 Mueller <mueller at tropenklinik.de>:
> Within a real Windows 2008 domain it is the same behaviour. Even there you need the clients to reboot.
> [...]
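Two things this message and the earlier SOA exchange leave open are easy to get wrong when scripting: which number dig prints as the TTL, and what samba-tool's SOA rdata string actually carries. The following is an added example, my own code rather than Samba's; the dig and samba-tool output it parses is constructed from the values quoted in the thread, and m700 / samba.domain.tld are the thread's placeholder names. It parses both outputs, computes how long an answer has been sitting in a resolver cache, and builds the `samba-tool dns update` argument list mathias described, bumping the serial and optionally moving the primary name server. As the thread found, that rdata string carries the SOA minimum field, not the record TTL.

```python
"""Added example: tell the record TTL apart from the SOA minimum, spot
resolver-cached answers, and build samba-tool SOA update arguments.
Sample output below is constructed from values quoted in the thread."""
import re

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

# Constructed: one line of dig's ANSWER SECTION for an SOA query.
DIG_ANSWER = ("samba.domain.tld. 3593 IN SOA m700.samba.domain.tld. "
              "hostmaster.samba.domain.tld. 1 900 600 86400 3600")

# Constructed: the SOA line of `samba-tool dns query <dc> <zone> <zone> SOA`.
SAMBA_TOOL_OUTPUT = (
    "  Name=, Records=1, Children=0\n"
    "    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, "
    "ns=m700.samba.domain.tld., email=hostmaster.samba.domain.tld. "
    "(flags=600000f0, serial=1, ttl=3600)\n"
)


def parse_dig_soa(line):
    """dig prints: name TTL class type mname rname serial refresh retry expire minimum.
    The second column is the TTL as the *responding* server currently holds it;
    it is not one of the seven SOA fields."""
    p = line.split()
    if len(p) != 11 or p[2] != "IN" or p[3] != "SOA":
        raise ValueError(f"not a dig SOA answer line: {line!r}")
    soa = dict(zip(SOA_FIELDS, p[4:]))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])
    return {"name": p[0], "ttl": int(p[1]), **soa}


_SOA_RE = re.compile(
    r"SOA: serial=(?P<serial>\d+), refresh=(?P<refresh>\d+), retry=(?P<retry>\d+), "
    r"expire=(?P<expire>\d+), minttl=(?P<minimum>\d+), ns=(?P<mname>\S+), "
    r"email=(?P<rname>\S+) \(flags=\w+, serial=\d+, ttl=(?P<ttl>\d+)\)")


def parse_samba_tool_soa(output):
    """Parse the SOA line of samba-tool output. 'ttl' is the record TTL stored
    in AD; 'minimum' is the SOA minimum field (equal by default, per the thread)."""
    m = _SOA_RE.search(output)
    if not m:
        raise ValueError("no SOA line in samba-tool output")
    return {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}


def seconds_in_cache(answer, stored_ttl):
    """A caching resolver counts the TTL down while the answer sits in its
    cache: dig showing 3593 against a stored TTL of 3600 means the answer was
    cached 7 s ago. 0 means the answer is as fresh as the authority serves it."""
    age = stored_ttl - answer["ttl"]
    if age < 0:
        raise ValueError("answer TTL exceeds the stored TTL; wrong zone or server?")
    return age


def soa_rdata(soa):
    """samba-tool's SOA rdata string: 'ns email serial refresh retry expire minimum'."""
    return " ".join(str(soa[k]) for k in SOA_FIELDS)


def samba_tool_soa_update(server, zone, current, new_mname=None):
    """argv for `samba-tool dns update` rewriting the zone's SOA: serial bumped,
    primary name server optionally replaced. The rdata carries the SOA minimum,
    not the record TTL, so this cannot shorten the TTL dig reports."""
    new = dict(current)
    new["serial"] = current["serial"] + 1
    if new_mname:
        new["mname"] = new_mname
    return ["samba-tool", "dns", "update", server, zone, zone, "SOA",
            soa_rdata(current), soa_rdata(new), "-k", "yes"]


if __name__ == "__main__":
    answer = parse_dig_soa(DIG_ANSWER)
    stored = parse_samba_tool_soa(SAMBA_TOOL_OUTPUT)
    print(f"dig TTL {answer['ttl']}, stored TTL {stored['ttl']}, "
          f"SOA minimum {stored['minimum']}, "
          f"answer cached {seconds_in_cache(answer, stored['ttl'])} s ago")
    print(" ".join(samba_tool_soa_update("m700", "samba.domain.tld", stored,
                                         new_mname="dc2.samba.domain.tld.")))
```

Run the update for both zones mathias names (the domain zone and _msdcs.<domain>), and query the DC directly rather than through a caching resolver when you want the stored TTL rather than the remaining one.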
Ole Traupe
2015-Nov-20 12:20 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Thanks for the clarification, Daniel. And I like to think my users are fast thinkers and might restart their machines eventually. But without file and compute (Samba 4 member) servers being accessible, my infrastructure virtually is down.

Again I ask: am I the only one having this problem? It must affect many users of a basic Samba 4 setup: two or more DCs, some Windows clients and the eventual Linux member server - and the wish to be able to go on holidays without worrying all the time that the

I followed Rowland's advice to have the "default realm" as the only line in my krb5.conf. So Kerberos related fails/timeouts can't be the issue any more.

I followed another piece of advice regarding the TTL for DNS info. I have found no way to reduce the TTL of my SOA record, so far (if that is even possible or helpful). So I just waited longer than the TTL of 1h, and it didn't help for logons on my member servers.

There is one experimental hint from Rowland open: to add one "NS" entry for my second DC. But as my domain has already gone productive, I don't feel so experimental right now.

Also there is the advice from mathias to put the clients in the default site, which might or might not reduce their cache hold time to 15 min (otherwise 24h) and might or might not help the issue on Win clients. Again, this won't help on member servers, though. Mathias, is this confirmed? Plus: apparently, I have no "default-site" in my DNS. I have something called "Default-First-Site-Name._sites.my.domain.tld". Is that what you mean?

Also from Mathias, there is a - seemingly very profound - setup for variable DNS servers (thank you for outlining this!), which is - I am afraid - beyond my scope at the moment.

I don't want to seem unappreciative of your attempts to help. I just can't believe that this important issue is not already taken care of.

Ole

On 20.11.2015 at 08:44, Mueller wrote:
> Within a real Windows 2008 domain it is the same behaviour. Even there you need the clients to reboot.
> [...]