Rowland Penny
2015-Nov-27 14:16 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 27/11/15 13:23, James wrote:
> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>
>>>> Then you re-run your test with only DC2 up and running.
>>>> Note DNS needs time to be updated if you are using other DNS
>>>> servers between clients and AD DCs.
>>> The SOA RR identifies a primary DNS name server for the zone as the
>>> best source of information for the data within that zone and as an
>>> entity processing the updates for the zone.
>>>
>>> The NS resource record is used to notate which DNS servers are
>>> designated as authoritative for the zone. Listing a server in the NS
>>> RR, it becomes known to others as an authoritative server for the
>>> zone. This means that any server specified in the NS RR is to be
>>> considered an authoritative source by others, and is able to answer
>>> with certainty any queries made for names included in the zone.
>>>
>>> Much of the above was taken almost verbatim from online Microsoft
>>> tech documents. I don't believe that DCs create NS records by
>>> default.
>>
>> You mean Samba DCs or DCs in general?
>>
>> I am not sure I understand the above. Do you suggest to create
>> another NS record for the Second_DC, or not to?
>>
>> In the resolv.conf on my member servers both DCs are listed as DNS
>> servers. I like to think that the member servers eventually ask the
>> second DNS server, if the first won't respond. This seems to be
>> reflected by ping taking more than 5 s for the first packet to arrive.
>>
>> BUT what does the second DNS server (Second_DC) reply? Which logon
>> server does it announce?
>>
>>
> DNS can be very confusing. You do not need to create a NS record for
> your second DC if the zone is directory integrated. By default the DC
> is authoritative for that zone.
>

Probably with Windows it is, but not with Samba AD: you only get one NS and one SOA. The only authoritative Samba AD DC is the first one. When you join a second DC, it runs the same code that created the SOA during the first DC's provision, and because the SOA already exists, it fails.

Rowland
James
2015-Nov-27 14:30 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 11/27/2015 9:16 AM, Rowland Penny wrote:
> On 27/11/15 13:23, James wrote:
>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>
>>>>> Then you re-run your test with only DC2 up and running.
>>>>> Note DNS needs time to be updated if you are using other DNS
>>>>> servers between clients and AD DCs.
>>>> The SOA RR identifies a primary DNS name server for the zone as the
>>>> best source of information for the data within that zone and as an
>>>> entity processing the updates for the zone.
>>>>
>>>> The NS resource record is used to notate which DNS servers are
>>>> designated as authoritative for the zone. Listing a server in the
>>>> NS RR, it becomes known to others as an authoritative server for
>>>> the zone. This means that any server specified in the NS RR is to
>>>> be considered an authoritative source by others, and is able to
>>>> answer with certainty any queries made for names included in the zone.
>>>>
>>>> Much of the above was taken almost verbatim from online Microsoft
>>>> tech documents. I don't believe that DCs create NS records by
>>>> default.
>>>
>>> You mean Samba DCs or DCs in general?
>>>
>>> I am not sure I understand the above. Do you suggest to create
>>> another NS record for the Second_DC, or not to?
>>>
>>> In the resolv.conf on my member servers both DCs are listed as DNS
>>> servers. I like to think that the member servers eventually ask the
>>> second DNS server, if the first won't respond. This seems to be
>>> reflected by ping taking more than 5 s for the first packet to arrive.
>>>
>>> BUT what does the second DNS server (Second_DC) reply? Which logon
>>> server does it announce?
>>>
>>>
>> DNS can be very confusing. You do not need to create a NS record for
>> your second DC if the zone is directory integrated. By default the DC
>> is authoritative for that zone.
>>
>
> Probably with Windows it is, but not with Samba AD: you only get one
> NS and one SOA. The only authoritative Samba AD DC is the first one.
> When you join a second DC, it runs the same code that created the SOA
> during the first DC's provision, and because the SOA already exists, it
> fails.
>
> Rowland
>

Yikes! Are you saying DCs with directory integrated zones are not authoritative for them? That means a NS record needs to be created manually for each DC added.

--
-James
Rowland Penny
2015-Nov-27 14:49 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 27/11/15 14:30, James wrote:
> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>> On 27/11/15 13:23, James wrote:
>>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>>
>>>>>> Then you re-run your test with only DC2 up and running.
>>>>>> Note DNS needs time to be updated if you are using other DNS
>>>>>> servers between clients and AD DCs.
>>>>> The SOA RR identifies a primary DNS name server for the zone as
>>>>> the best source of information for the data within that zone and
>>>>> as an entity processing the updates for the zone.
>>>>>
>>>>> The NS resource record is used to notate which DNS servers are
>>>>> designated as authoritative for the zone. Listing a server in the
>>>>> NS RR, it becomes known to others as an authoritative server for
>>>>> the zone. This means that any server specified in the NS RR is to
>>>>> be considered an authoritative source by others, and is able to
>>>>> answer with certainty any queries made for names included in the
>>>>> zone.
>>>>>
>>>>> Much of the above was taken almost verbatim from online Microsoft
>>>>> tech documents. I don't believe that DCs create NS records by
>>>>> default.
>>>>
>>>> You mean Samba DCs or DCs in general?
>>>>
>>>> I am not sure I understand the above. Do you suggest to create
>>>> another NS record for the Second_DC, or not to?
>>>>
>>>> In the resolv.conf on my member servers both DCs are listed as DNS
>>>> servers. I like to think that the member servers eventually ask the
>>>> second DNS server, if the first won't respond. This seems to be
>>>> reflected by ping taking more than 5 s for the first packet to arrive.
>>>>
>>>> BUT what does the second DNS server (Second_DC) reply? Which logon
>>>> server does it announce?
>>>>
>>>>
>>> DNS can be very confusing. You do not need to create a NS record for
>>> your second DC if the zone is directory integrated. By default the
>>> DC is authoritative for that zone.
>>>
>>
>> Probably with Windows it is, but not with Samba AD: you only get one
>> NS and one SOA. The only authoritative Samba AD DC is the first one.
>> When you join a second DC, it runs the same code that created the SOA
>> during the first DC's provision, and because the SOA already exists, it
>> fails.
>>
>> Rowland
>>
>
> Yikes! Are you saying DCs with directory integrated zones are not
> authoritative for them? That means a NS record needs to be created
> manually for each DC added.
>

Yes, that's about the size of it. No matter how many DCs you join, you only have one NS, the original DC. I have been trying to alter the code, but I am struggling to get another NS record added during the join. It doesn't help that I have no idea what a Windows DC SOA record looks like: does each DC have a separate SOA record, or is it like the Samba SOA record and there is only one with multiple NS records?

Rowland
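An added check for the situation Rowland describes in this thread (example code, not from the list posts and not Samba's own tooling): it compares the DCs advertised by the `_ldap._tcp.dc._msdcs` SRV record with the zone's NS records and reports DCs that resolvers will not treat as authoritative. The zone and host names are constructed samples.

```python
"""List the DCs of an AD DNS zone that have no NS record (added example)."""
import subprocess
import sys

# Constructed 'dig +short' output for a two-DC domain; not captured from a
# real system. The SRV record lists both DCs, the NS record only the first.
SAMPLE_SRV = ("0 100 389 dc1.samdom.example.com.\n"
              "0 100 389 dc2.samdom.example.com.\n")
SAMPLE_NS = "dc1.samdom.example.com.\n"


def parse_srv_targets(text):
    """Hostnames from 'dig +short SRV' lines: '<prio> <weight> <port> <target>.'"""
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            hosts.add(parts[3].rstrip(".").lower())
    return hosts


def parse_ns(text):
    """Hostnames from 'dig +short NS' output, one name per line."""
    return {ln.strip().rstrip(".").lower() for ln in text.splitlines() if ln.strip()}


def dcs_missing_ns(srv_text, ns_text):
    """DCs advertised by the _ldap._tcp.dc._msdcs SRV record but absent from NS."""
    return sorted(parse_srv_targets(srv_text) - parse_ns(ns_text))


def dig_short(server, name, rtype):
    """Ask one specific server, so the answer reflects that DC's own zone data."""
    out = subprocess.run(["dig", "+short", "@" + server, name, rtype],
                         capture_output=True, text=True, check=True)
    return out.stdout


def check_zone(zone, server):
    """Live variant: zone is the AD domain name, server a DC to query (assumed)."""
    srv = dig_short(server, "_ldap._tcp.dc._msdcs." + zone, "SRV")
    return dcs_missing_ns(srv, dig_short(server, zone, "NS"))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python3 check_ns.py <zone> <dc-to-query>
        missing = check_zone(sys.argv[1], sys.argv[2])
    else:
        missing = dcs_missing_ns(SAMPLE_SRV, SAMPLE_NS)
    print("DCs without an NS record:", missing or "none")
```

Run it with a zone and a DC to query against a live domain; an entry it reports can be added with `samba-tool dns add` using record type NS.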