samba - Dec 2015 - Authentication to Secondary Domain Controller initially fails when PDC is offline

> I have been doing some testing with dns and with the internal dns
> server, even if you add another NS to the SOA record, you only have one
> NS. It seems the only way to get each DC to think it is a NS, is to use
> bind9.
> 
Hai

A good to know, some versions of samba, i dont know which do have this problem
also if u use bind9_dlz.

So, my question to the readers, if you use samba4 DC with bind9_DLZ and you have
2 or more DC's, check all you zones of you have also the same number of  NS
servers.

I know from my install, i had only 1 DC as NS record, i manualy added the second
the zones.

Greetz, 

Louis

On 10/12/15 07:32, L.P.H. van Belle wrote:
>> I have been doing some testing with dns and with the internal dns
>> server, even if you add another NS to the SOA record, you only have one
>> NS. It seems the only way to get each DC to think it is a NS, is to use
>> bind9.
>>
> Hai
>
> A good to know, some versions of samba, i dont know which do have this
problem also if u use bind9_dlz.
>
> So, my question to the readers, if you use samba4 DC with bind9_DLZ and you
have 2 or more DC's, check all you zones of you have also the same number of
NS servers.
>
> I know from my install, i had only 1 DC as NS record, i manualy added the
second the zones.
>
> Greetz,
>
> Louis
>
>
>
>
You will only have 1 DC as NS, nothing adds the second (or any other 
subsequent DCs) NS record to the SOA records.

Rowland

I was wondering why because in a full windows domain, every DC has an NS record.
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
> Verzonden: donderdag 10 december 2015 10:10
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> On 10/12/15 07:32, L.P.H. van Belle wrote:
> >> I have been doing some testing with dns and with the internal dns
> >> server, even if you add another NS to the SOA record, you only
have one
> >> NS. It seems the only way to get each DC to think it is a NS, is
to use
> >> bind9.
> >>
> > Hai
> >
> > A good to know, some versions of samba, i dont know which do have this
> problem also if u use bind9_dlz.
> >
> > So, my question to the readers, if you use samba4 DC with bind9_DLZ
and
> you have 2 or more DC's, check all you zones of you have also the same
> number of  NS servers.
> >
> > I know from my install, i had only 1 DC as NS record, i manualy added
> the second the zones.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> 
> You will only have 1 DC as NS, nothing adds the second (or any other
> subsequent DCs) NS record to the SOA records.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 10/12/15 09:23, L.P.H. van Belle wrote:
> I was wondering why because in a full windows domain, every DC has an NS
record.
>
>
When you join a DC, the basic info is added to AD and then when the 
samba deamon is started, samba_dnsupdate is run, this uses the file 
dns_update_list to add (if required) various dns records. Guess what dns 
records are not in that file?

However, even if you add the missing NS records to the SOA records, if 
you use the internal dns server, you will still only have one NS, this 
appears to be your first DC. I am beginning to think that if you have 
more than one DC, you should forget the internal DNS server and use 
BIND_DLZ instead.

Rowland

Hai, 

Ah, ok, wel, yeah, i was missing the NS on the SOA. 

This is imo a bug, i dont know it this is by design for samba, 
so maybe a samba dev can answere this since every joined DC should have a NS
record on the SOA as far as i know, but thats my opinion and i can be wrong
here.


Greetz, 

Louis 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
> Verzonden: donderdag 10 december 2015 10:41
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> On 10/12/15 09:23, L.P.H. van Belle wrote:
> > I was wondering why because in a full windows domain, every DC has an
NS
> record.
> >
> >
> 
> When you join a DC, the basic info is added to AD and then when the
> samba deamon is started, samba_dnsupdate is run, this uses the file
> dns_update_list to add (if required) various dns records. Guess what dns
> records are not in that file?
> 
> However, even if you add the missing NS records to the SOA records, if
> you use the internal dns server, you will still only have one NS, this
> appears to be your first DC. I am beginning to think that if you have
> more than one DC, you should forget the internal DNS server and use
> BIND_DLZ instead.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba