Rowland penny
2015-Dec-10 11:55 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 10:54, Rowland penny wrote:
> On 10/12/15 10:44, L.P.H. van Belle wrote:
>> Hai,
>>
>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>
>> This is imo a bug, I don't know if this is by design for Samba,
>> so maybe a Samba dev can answer this since every joined DC should
>> have a NS record on the SOA as far as I know, but that's my opinion
>> and I can be wrong here.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Thursday 10 December 2015 10:41
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>> I was wondering why because in a full windows domain, every DC has
>>>> an NS record.
>>>>
>>> When you join a DC, the basic info is added to AD and then when the
>>> samba daemon is started, samba_dnsupdate is run, this uses the file
>>> dns_update_list to add (if required) various dns records. Guess what
>>> dns records are not in that file?
>>>
>>> However, even if you add the missing NS records to the SOA records, if
>>> you use the internal dns server, you will still only have one NS, this
>>> appears to be your first DC. I am beginning to think that if you have
>>> more than one DC, you should forget the internal DNS server and use
>>> BIND_DLZ instead.
>>>
>>> Rowland
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
> When I can figure how to get into the new GitHub setup, I will be
> proposing a patch for this, it just needs three lines adding to
> dns_update_list.
>
> Rowland
>

If anybody is interested, these are the results of my testing. First, here are the results of adding an NS record to the dns domain SOA record for the second DC on a domain using the internal dns server:

root@testdc1:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 28 msec
;; SERVER: 192.168.0.241#53(192.168.0.241)
;; WHEN: Thu Dec 10 11:35:46 GMT 2015
;; MSG SIZE  rcvd: 81

root@testdc2:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 56 msec
;; SERVER: 192.168.0.240#53(192.168.0.240)
;; WHEN: Thu Dec 10 11:36:14 GMT 2015
;; MSG SIZE  rcvd: 81

As you can see, even though each DC is using the other DC as its nameserver in /etc/resolv.conf, they both return the same info. Now compare that with the info from a domain that uses bind9 as the dns server:

root@dc1:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 11:41:22 GMT 2015
;; MSG SIZE  rcvd: 162

root@dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 11:41:29 GMT 2015
;; MSG SIZE  rcvd: 162

You get a lot more info and each DC is shown as being authoritative for the dns domain.

Now, I am no expert when it comes to dns, but using bind9 looks a better idea to me :-)

Rowland
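The check the thread is circling around (does every DC appear in the zone's NS set, and which DC is the SOA MNAME?) is easy to automate. The following is an added example, not code from the thread or from Samba's own tooling: a small Python script that parses `dig +multiline` output like the transcripts above and reports DCs that are missing from the NS set. The two embedded sample answers are abridged copies of the outputs quoted above (the internal-DNS answer testdc2 received from 192.168.0.240 and the BIND_DLZ answer dc1 received from 192.168.0.6); the DC lists, function names and report fields are my own. The parser ignores section headers, so it also handles `dig NS <zone> @<dc>` output, which is the more direct query for this check.

```python
"""Report Samba AD DCs that are not listed as NS for their AD DNS zone.

Added example: parses 'dig' output (as pasted in the thread) and compares
the NS set a DC returned with the DCs that are expected to be listed.
"""
import re

# Constructed sample: abridged from the 'dig SOA +multiline home.lan' answer
# testdc2 got from the internal DNS server (AUTHORITY: 0, so no NS records).
INTERNAL_DNS_ANSWER = """\
; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; SERVER: 192.168.0.240#53(192.168.0.240)
"""

# Constructed sample: abridged from the BIND_DLZ answer dc1 got from dc2
# (AUTHORITY: 2, both DCs listed as NS, glue A records in ADDITIONAL).
BIND_DLZ_ANSWER = """\
; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; SERVER: 192.168.0.6#53(192.168.0.6)
"""

# A resource record line: owner, TTL, class IN, type, rdata. SOA continuation
# lines ("900 ; refresh ...") and the closing ")" deliberately do not match.
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")
SERVER_RE = re.compile(r"^;; SERVER: (?P<addr>[^#\s]+)")
AUTHORITY_RE = re.compile(r"AUTHORITY: (?P<count>\d+)")


def canon(name):
    """Lower-case a DNS name and drop the trailing dot so names compare equal."""
    return name.lower().rstrip(".")


def parse_dig(text):
    """Extract the answering server, AUTHORITY count, SOA MNAME, NS set and
    glue A records from dig output, regardless of which section they sit in."""
    parsed = {"server": None, "authority_count": None,
              "soa_mname": None, "ns": set(), "a": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):  # status/comment lines, including the question
            m = SERVER_RE.match(line)
            if m:
                parsed["server"] = m.group("addr")
            m = AUTHORITY_RE.search(line)
            if m:
                parsed["authority_count"] = int(m.group("count"))
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        rtype, rdata = m.group("type"), m.group("rdata").split()
        if rtype == "SOA":
            parsed["soa_mname"] = canon(rdata[0])   # MNAME: the primary DC
        elif rtype == "NS":
            parsed["ns"].add(canon(rdata[0]))
        elif rtype == "A":
            parsed["a"][canon(m.group("name"))] = rdata[0]
    return parsed


def check_ns_coverage(text, expected_dcs):
    """Return a report; 'missing_ns' lists DCs absent from the NS set."""
    parsed = parse_dig(text)
    missing = sorted({canon(dc) for dc in expected_dcs} - parsed["ns"])
    return {"server": parsed["server"], "soa_mname": parsed["soa_mname"],
            "ns": sorted(parsed["ns"]), "missing_ns": missing, "ok": not missing}


if __name__ == "__main__":
    for label, answer, dcs in [
        ("internal DNS", INTERNAL_DNS_ANSWER, ["testdc1.home.lan", "testdc2.home.lan"]),
        ("BIND_DLZ", BIND_DLZ_ANSWER, ["dc1.samdom.example.com", "dc2.samdom.example.com"]),
    ]:
        r = check_ns_coverage(answer, dcs)
        print(f"{label}: server={r['server']} soa_mname={r['soa_mname']} "
              f"ns={r['ns']} missing_ns={r['missing_ns']} ok={r['ok']}")
```

Run against the internal-DNS transcript the report flags both DCs as missing (the answer carried no NS records at all); against the BIND_DLZ transcript it passes and also shows which DC the MNAME points at. In practice you would feed it the output of `dig NS <zone> @<dc>` for each DC in turn, since an SOA answer with an empty AUTHORITY section only hints at the problem.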
James
2015-Dec-10 12:58 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12/10/2015 6:55 AM, Rowland penny wrote:
> On 10/12/15 10:54, Rowland penny wrote:
>> On 10/12/15 10:44, L.P.H. van Belle wrote:
>>> [...]
>
> If anybody is interested, these are the results of my testing. First,
> here are the results of adding an NS record to the dns domain SOA
> record for the second DC on a domain using the internal dns server:
>
> [...]
>
> As you can see, even though each DC is using the other DC as its
> nameserver in /etc/resolv.conf, they both return the same info. Now
> compare that with the info from a domain that uses bind9 as the dns
> server:
>
> [...]
>
> You get a lot more info and each DC is shown as being authoritative for
> the dns domain.
>
> Now, I am no expert when it comes to dns, but using bind9 looks a
> better idea to me :-)
>
> Rowland
>

Rowland,

If I remember correctly you swapped the order of the DCs in your resolv.conf to get these results? Can you see what happens if you were to leave the resolv.conf order alone and temporarily bring one of the DCs down?

--
-James
Rowland penny
2015-Dec-10 13:11 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 12:58, James wrote:
> On 12/10/2015 6:55 AM, Rowland penny wrote:
>> [...]
>>
>> You get a lot more info and each DC is shown as being authoritative
>> for the dns domain.
>>
>> Now, I am no expert when it comes to dns, but using bind9 looks a
>> better idea to me :-)
>>
>> Rowland
>>
> Rowland,
>
> If I remember correctly you swapped the order of the DCs in your
> resolv.conf to get these results? Can you see what happens if you were
> to leave the resolv.conf order alone and temporarily bring one of the
> DCs down?
>

OK, stopped samba on dc1:

root@dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc2.samdom.example.com.
samdom.example.com.     900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 13:05:20 GMT 2015
;; MSG SIZE  rcvd: 162

Hmm, still using bind on dc1. Back to dc1 and stopped bind9:

root@dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc2.samdom.example.com.
samdom.example.com.     900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 13:06:24 GMT 2015
;; MSG SIZE  rcvd: 162

It is now using itself as the NS.

Rowland