Rowland penny
2015-Dec-10 14:15 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 14:00, Ole Traupe wrote:
>
> On 10.12.2015 at 14:38, Rowland penny wrote:
>> On 10/12/15 13:25, Ole Traupe wrote:
>>> Is it possible that kdc server is always the SOA, at least if
>>> derived from DNS and not specified *explicitly* in the krb5.conf?
>>>
>>> In my DNS-Manager console I find that
>>>
>>> _tcp.dc._msdcs.bpn.tu-berlin.de
>>>
>>> contains only 1 "_kerberos" record, and that one points to my First_DC.
>>>
>>> Ole
>>>
>>
>> Your problem doesn't seem to be a dns problem, you should have two
>> 'kerberos' records and no matter how good your dns is, it cannot
>> obtain something that isn't there :-)
>
> That's basically what I just wrote...
>
>>
>> See Louis's earlier post for how to attempt to fix this, but before
>> you do anything, restart samba on the second DC and then check the
>> logs, samba_dnsupdate should add the records you are missing.
>>
>> Rowland
>>
>
> However, my 2nd DC is not that new, I restarted it many times, just
> again (samba service). No DNS records are created anywhere.
>
> If I go through the DNS console, in each and every container there is
> some entry for the 1st DC, but none for the 2nd (except on the top
> levels: FQDN and _msdcs.FQDN).
>
> Could this have to do with...
> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS
> entries via this script on the wiki?
> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with
> the same IP address)?
>
Possibly, but can you try this on your second DC, run 'samba_dnsupdate --verbose'

Rowland
Ole Traupe
2015-Dec-10 14:40 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>> However, my 2nd DC is not that new, I restarted it many times, just
>> again (samba service). No DNS records are created anywhere.
>>
>> If I go through the DNS console, in each and every container there is
>> some entry for the 1st DC, but none for the 2nd (except on the top
>> levels: FQDN and _msdcs.FQDN).
>>
>> Could this have to do with...
>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS
>> entries via this script on the wiki?
>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with
>> the same IP address)?
>>
>
> Possibly, but can you try this on your second DC, run 'samba_dnsupdate
> --verbose'
>
> Rowland
>
Doesn't look too good to me:

[root@DC2 me]# samba_dnsupdate --verbose
IPs: ['IP_of_2nd_DC']
Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as DC2.my.domain.tld.
Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld.
Checking 0 100 464 DC1.my.domain.tld. against SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
Looking for DNS entry SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld.
Checking 0 100 464 DC1.my.domain.tld. against SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
Looking for DNS entry CNAME d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld DC2.my.domain.tld as d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as gc._msdcs.my.domain.tld.
Failed to find matching DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 as _gc._tcp.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268 as _gc._tcp.Default-First-Site-Name._sites.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as DomainDnsZones.my.domain.tld.
Failed to find matching DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as ForestDnsZones.my.domain.tld.
Failed to find matching DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
my.domain.tld. 900 IN A IP_of_2nd_DC

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Failed update of 24 entries
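
An added example, not part of the original post or of Samba: a small Python parser that condenses `samba_dnsupdate --verbose` output of the kind shown above into the records missing for the DC, the hosts DNS currently answers with, and the reason each `nsupdate` call failed. The function names `parse` and `summarise` are hypothetical, the sample is constructed in the post's format (with one update succeeding, unlike in the post), and the input is assumed to be the unwrapped terminal output.

```python
import re
from collections import Counter, defaultdict

# Constructed, abridged sample in the format of the post above.
# The first update is made to succeed so that both outcomes are exercised.
SAMPLE = """\
IPs: ['IP_of_2nd_DC']
Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as DC2.my.domain.tld.
Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; UPDATE SECTION:
my.domain.tld. 900 IN A IP_of_2nd_DC

Calling nsupdate for SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; UPDATE SECTION:
_kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; UPDATE SECTION:
_ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.

; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Failed update of 2 entries
"""

CHECKING = re.compile(r"^Checking \d+ \d+ \d+ (\S+) against (\S+) (\S+)")
MISSING = re.compile(r"^Failed to find matching DNS entry (\S+) (\S+)")
CALLING = re.compile(r"^Calling nsupdate for (\S+) (\S+)")
TSIG = re.compile(r"^; (TSIG error.*)$")
RCODE = re.compile(r"^update failed: (\S+)")
EXIT = re.compile(r"^Failed nsupdate: (\d+)")
TOTAL = re.compile(r"^Failed update of (\d+) entries")


def parse(text):
    """Turn the verbose output into missing records, current answers and update results."""
    report = {"missing": [], "answered_by": defaultdict(set),
              "updates": [], "failed_total": None}
    current = None  # the nsupdate block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := CHECKING.match(line):
            host, _rtype, name = m.groups()
            report["answered_by"][name].add(host.rstrip("."))
        elif m := MISSING.match(line):
            report["missing"].append(m.groups())          # (type, name)
        elif m := CALLING.match(line):
            current = {"type": m.group(1), "name": m.group(2),
                       "tsig": None, "rcode": None, "exit": 0}
            report["updates"].append(current)
        elif m := TOTAL.match(line):
            report["failed_total"] = int(m.group(1))
            current = None
        elif current is not None:
            if m := TSIG.match(line):
                current["tsig"] = m.group(1)
            elif m := RCODE.match(line):
                current["rcode"] = m.group(1)
            elif m := EXIT.match(line):
                current["exit"] = int(m.group(1))
    return report


def summarise(report):
    """Reduce the report to what matters: what is missing and why updates failed."""
    failed = [u for u in report["updates"]
              if u["exit"] or u["rcode"] or u["tsig"]]
    reasons = Counter((u["tsig"] or "no TSIG error", u["rcode"] or "no rcode")
                      for u in failed)
    return {
        "missing": len(report["missing"]),
        # Kerberos SRV names that do not list this DC (clients cannot find it as a KDC)
        "missing_kerberos_srv": [n for t, n in report["missing"]
                                 if t == "SRV" and n.startswith("_kerberos.")],
        "failed_updates": len(failed),
        "reasons": dict(reasons),
        "single_cause": len(reasons) == 1,
        "count_matches_total": report["failed_total"] in (None, len(failed)),
    }


if __name__ == "__main__":
    for key, value in summarise(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```
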
Rowland penny
2015-Dec-10 14:49 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 14:40, Ole Traupe wrote:> >>> However, my 2nd DC is not that new, I restarted it many times, just >>> again (samba service). No DNS records are created anywhere. >>> >>> If I go through the DNS console, in each and every container there >>> is some entry for the 1st DC, but none for the 2nd (except on the >>> top levels: FQDN and _msdcs.FQDN). >>> >>> Could this have to do with... >>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of >>> DNS entries via this script on the wiki? >>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with >>> the same IP address)? >>> >>> >>> >> >> Possibly, but can you try this on your second DC, run >> 'samba_dnsupdate --verbose' >> >> Rowland >> > > Doesn't look too good to me: > > > [root at DC2 me]# samba_dnsupdate --verbose > IPs: ['IP_of_2nd_DC'] > Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as > DC2.my.domain.tld. > Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld. > Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC > Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > 389 as _ldap._tcp.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. 
against SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV _kerberos._tcp.my.domain.tld > DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry SRV _kerberos._udp.my.domain.tld > DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV > _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld > DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. > Checking 0 100 464 DC1.my.domain.tld. against SRV > _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 > Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld > DC2.my.domain.tld 464 > Looking for DNS entry SRV _kpasswd._udp.my.domain.tld > DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. > Checking 0 100 464 DC1.my.domain.tld. 
against SRV > _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 > Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld > DC2.my.domain.tld 464 > Looking for DNS entry CNAME > d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld > DC2.my.domain.tld as > d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 as > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 as > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. 
against SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as > gc._msdcs.my.domain.tld. > Failed to find matching DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC > Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > 3268 as _gc._tcp.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. against SRV > _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld > DC2.my.domain.tld 3268 > Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. against SRV > _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV > _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > Looking for DNS entry SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 as > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. against SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 as > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. 
against SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 > Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as > DomainDnsZones.my.domain.tld. > Failed to find matching DNS entry A DomainDnsZones.my.domain.tld > IP_of_2nd_DC > Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as > ForestDnsZones.my.domain.tld. > Failed to find matching DNS entry A ForestDnsZones.my.domain.tld > IP_of_2nd_DC > Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. 
against SRV > _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > my.domain.tld. 900 IN A IP_of_2nd_DC > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 > DC2.my.domain.tld. 
> > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. > 900 IN SRV 0 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kerberos._tcp.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kerberos._udp.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 > DC2.my.domain.tld. 
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld
> 464 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld
> 464 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0
> 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900
> IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN
> SRV 0 100 88 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld
> DC2.my.domain.tld 88 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
> 900 IN SRV 0 100 88 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld
> DC2.my.domain.tld 3268 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0
> 100 3268 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld
> DC2.my.domain.tld 3268 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. 900
> IN SRV 0 100 3268 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. 900
> IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld
> DC2.my.domain.tld 389 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900
> IN SRV 0 100 389 DC2.my.domain.tld.
>
> ; TSIG error with server: tsig verify failure
> update failed: FORMERR
> Failed nsupdate: 2
> Failed update of 24 entries
>

There is a known problem, even though the updates print '; TSIG error with server: tsig verify failure', it still works. Try running 'host -t SRV _kerberos._udp.my.domain.tld.' again.

Rowland
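
The reply above says the 'tsig verify failure' text can appear even when the update worked, so the records have to be re-queried rather than read off the nsupdate status lines. The script below is an added example, not part of the thread: it extracts every attempted record from `samba_dnsupdate --verbose` output and checks each one with `host -t`. `HOST_CMD`, the function names, the sample log lines and the stub resolver are assumptions made for this example.

```shell
# Added example: re-check in DNS each record `samba_dnsupdate --verbose` tried
# to add. HOST_CMD, the function names and the sample data are made up here.
HOST_CMD=${HOST_CMD:-host}

# Print "TYPE NAME DATA" for every "Calling nsupdate for ... (add)" line on stdin.
attempted_records() {
    sed -nE 's/^Calling nsupdate for (A|SRV) (.*) \(add\)$/\1 \2/p'
}

# record_present TYPE NAME DATA [PORT]: succeed if a line of the resolver's
# answer ends in the wanted address (A) or "PORT TARGET." (SRV), ignoring case.
record_present() {
    local type="$1" name="$2" want out
    case "$type" in
        A)   want=" has address $3" ;;
        SRV) want=" $4 $3." ;;  # host(1): "... has SRV record PRIO WEIGHT PORT TARGET."
        *)   return 2 ;;
    esac
    out=$("$HOST_CMD" -t "$type" "$name." 2>/dev/null </dev/null) || return 1
    printf '%s\n' "$out" | awk -v w="$want" '
        { l = tolower($0); n = length(l) - length(w) }
        n >= 0 && substr(l, n + 1) == tolower(w) { found = 1 }
        END { exit !found }'
}

# Read verbose output on stdin; print the attempted records DNS still lacks.
unregistered() {
    attempted_records | while read -r type name data port; do
        record_present "$type" "$name" "$data" "$port" ||
            printf '%s\n' "$type $name $data${port:+ $port}"
    done
}

# Constructed sample: two attempted adds in the format shown in the thread.
sample_log() {
    printf '%s\n' \
        'Calling nsupdate for SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 (add)' \
        '; TSIG error with server: tsig verify failure' \
        'Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 (add)'
}

# Constructed stand-in for host(1): only _kerberos names list DC2.
fake_host() {   # called as: fake_host -t TYPE NAME.
    case "$3" in
        _kerberos.*) echo "${3%.} has SRV record 0 100 88 dc2.my.domain.tld." ;;
        *)           echo "${3%.} has SRV record 0 100 389 dc1.my.domain.tld." ;;
    esac
}
( HOST_CMD=fake_host; sample_log | unregistered )  # prints the _ldap._tcp line
```

On a DC, drop the last line and run `samba_dnsupdate --verbose 2>&1 | unregistered`; an empty result means every record the tool tried to add is now being served.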