Rowland penny
2015-Dec-11 14:24 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 11/12/15 13:59, Ole Traupe wrote:> Hi folks, > > a) thank you all for your help, I highly appreciate you time and > effort, and I am sure I can resolve this issue very soon! > b) I have to delay this until early next week, as I have to attend to > other matters for now. > > All I can say, Louis, is that I won't set up a new DC to resolve this > - at least not for now. This seems to be another problem of Samba4 not > being able to deal with multiple DCs properly. And this has to be able > to be resolved on an otherwise working domain without changing its > architecture or other more drastic measures. This is my point of view > at the moment. Your suggestion reminds me a bit of some typical forum > replies to "Reinstall the OS" in case of any problems that can't be > solved in an instant. > > If necessary, I will just create the missing DNS entries of my 2nd DC > by hand. Although I would prefer a working script supplied by a > professional (which I am not). At least I would like to know which DNS > entries for my 2nd DC are essential for logins to work. I wouldn't > very much like to try this out. However, I am aware that your time is > as limited as mine (of not even more so), and you are in no obligation > in any way. > > Besides, I didn't forget do delete anything. I used the script from > the wiki to get rid of old records pertaining to my former 1st DC > after I had created the records of my *new* 1st DC. I checked the > results: everything related to my former first DC was gone. Also I > documented/discussed this process here on the list. And nobody pointed > me to things I forgot or was leaving out. I know that use of this > script was totally "on my own risk". But the results were as they > should have been, at least as far I am able to tell. > > That said, I will go through your responses and get back to you with > results. > > Best, have a good weekend! > Ole > >Ole, when you provision a domain, all the required records are created, but when you join another DC, most of the dns records are not created until the samba deamon is started and samba_dnsupdate is run automatically, see 'dns_update_list' for what is added (this is in /usr/share/samba/setup & /var/lib/samba/private on debian) If you want to add the missing NS records, add these lines to 'dns_update_list' : # RW DNS servers ${IF_RWDNS_DOMAIN}A ${DNSDOMAIN} $IP ${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME} # RW DNS servers ${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME} You should be aware that even if you add these lines, they will not do you any good at the moment if you use the internal dns server. There is a problem, it looks like the records do not get added when samba_dnsupdate is first run, but they are. What you could do is this, copy the 'dns_update_list', replace all the variables with your info (${DNSDOMAIN} etc), then use this to check what you are missing and then add what isn't there. Rowland
Ole Traupe
2015-Dec-17 12:44 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Am 11.12.2015 um 15:24 schrieb Rowland penny:> On 11/12/15 13:59, Ole Traupe wrote: >> Hi folks, >> >> a) thank you all for your help, I highly appreciate you time and >> effort, and I am sure I can resolve this issue very soon! >> b) I have to delay this until early next week, as I have to attend to >> other matters for now. >> >> All I can say, Louis, is that I won't set up a new DC to resolve this >> - at least not for now. This seems to be another problem of Samba4 >> not being able to deal with multiple DCs properly. And this has to be >> able to be resolved on an otherwise working domain without changing >> its architecture or other more drastic measures. This is my point of >> view at the moment. Your suggestion reminds me a bit of some typical >> forum replies to "Reinstall the OS" in case of any problems that >> can't be solved in an instant. >> >> If necessary, I will just create the missing DNS entries of my 2nd DC >> by hand. Although I would prefer a working script supplied by a >> professional (which I am not). At least I would like to know which >> DNS entries for my 2nd DC are essential for logins to work. I >> wouldn't very much like to try this out. However, I am aware that >> your time is as limited as mine (of not even more so), and you are in >> no obligation in any way. >> >> Besides, I didn't forget do delete anything. I used the script from >> the wiki to get rid of old records pertaining to my former 1st DC >> after I had created the records of my *new* 1st DC. I checked the >> results: everything related to my former first DC was gone. Also I >> documented/discussed this process here on the list. And nobody >> pointed me to things I forgot or was leaving out. I know that use of >> this script was totally "on my own risk". But the results were as >> they should have been, at least as far I am able to tell. >> >> That said, I will go through your responses and get back to you with >> results. >> >> Best, have a good weekend! >> Ole >> >> > > Ole, when you provision a domain, all the required records are > created, but when you join another DC, most of the dns records are not > created until the samba deamon is started and samba_dnsupdate is run > automatically, see 'dns_update_list' for what is added (this is in > /usr/share/samba/setup & /var/lib/samba/private on debian) > > If you want to add the missing NS records, add these lines to > 'dns_update_list' : > > # RW DNS servers > ${IF_RWDNS_DOMAIN}A > ${DNSDOMAIN} $IP > ${IF_RWDNS_DOMAIN}NS > ${DNSDOMAIN} ${HOSTNAME} > > # RW DNS servers > ${IF_RWDNS_FOREST}NS > _msdcs.${DNSFOREST} ${HOSTNAME} > > You should be aware that even if you add these lines, they will not do > you any good at the moment if you use the internal dns server. > > There is a problem, it looks like the records do not get added when > samba_dnsupdate is first run, but they are.Rowland, I do not understand you in this point. Does or doesn't this help me with the internal DNS?> > What you could do is this, copy the 'dns_update_list', replace all the > variables with your info (${DNSDOMAIN} etc), then use this to check > what you are missing and then add what isn't there. > > Rowland >
Rowland penny
2015-Dec-17 13:11 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17/12/15 12:44, Ole Traupe wrote:> > > Am 11.12.2015 um 15:24 schrieb Rowland penny: >> On 11/12/15 13:59, Ole Traupe wrote: >>> Hi folks, >>> >>> a) thank you all for your help, I highly appreciate you time and >>> effort, and I am sure I can resolve this issue very soon! >>> b) I have to delay this until early next week, as I have to attend >>> to other matters for now. >>> >>> All I can say, Louis, is that I won't set up a new DC to resolve >>> this - at least not for now. This seems to be another problem of >>> Samba4 not being able to deal with multiple DCs properly. And this >>> has to be able to be resolved on an otherwise working domain without >>> changing its architecture or other more drastic measures. This is my >>> point of view at the moment. Your suggestion reminds me a bit of >>> some typical forum replies to "Reinstall the OS" in case of any >>> problems that can't be solved in an instant. >>> >>> If necessary, I will just create the missing DNS entries of my 2nd >>> DC by hand. Although I would prefer a working script supplied by a >>> professional (which I am not). At least I would like to know which >>> DNS entries for my 2nd DC are essential for logins to work. I >>> wouldn't very much like to try this out. However, I am aware that >>> your time is as limited as mine (of not even more so), and you are >>> in no obligation in any way. >>> >>> Besides, I didn't forget do delete anything. I used the script from >>> the wiki to get rid of old records pertaining to my former 1st DC >>> after I had created the records of my *new* 1st DC. I checked the >>> results: everything related to my former first DC was gone. Also I >>> documented/discussed this process here on the list. And nobody >>> pointed me to things I forgot or was leaving out. I know that use of >>> this script was totally "on my own risk". But the results were as >>> they should have been, at least as far I am able to tell. >>> >>> That said, I will go through your responses and get back to you with >>> results. >>> >>> Best, have a good weekend! >>> Ole >>> >>> >> >> Ole, when you provision a domain, all the required records are >> created, but when you join another DC, most of the dns records are >> not created until the samba deamon is started and samba_dnsupdate is >> run automatically, see 'dns_update_list' for what is added (this is >> in /usr/share/samba/setup & /var/lib/samba/private on debian) >> >> If you want to add the missing NS records, add these lines to >> 'dns_update_list' : >> >> # RW DNS servers >> ${IF_RWDNS_DOMAIN}A >> ${DNSDOMAIN} $IP >> ${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME} >> >> # RW DNS servers >> ${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME} >> >> You should be aware that even if you add these lines, they will not >> do you any good at the moment if you use the internal dns server. >> >> There is a problem, it looks like the records do not get added when >> samba_dnsupdate is first run, but they are. > > Rowland, I do not understand you in this point. Does or doesn't this > help me with the internal DNS?Hi Ole, from my testing, if you are using the Samba internal DNS server, you only have the one NS record pointing to your first DC, even if you do add the NS record for the second DC. If you use Bind9 instead, you do get two NS records. Rowland
L.P.H. van Belle
2015-Dec-17 13:25 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
> Hi Ole, from my testing, if you are using the Samba internal DNS server, > you only have the one NS record pointing to your first DC, even if you > do add the NS record for the second DC. If you use Bind9 instead, you do > get two NS records. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba[L.P.H. van Belle] Good info.. So one thing for the wiki... internal dns => 1 NS record. Bind9 dns => 2 NS records. so single DC, internal DNS is sufficient. Multiple DC,s always go for bind9 dns. Greetz, Louis
Maybe Matching Threads
- Authentication to Secondary Domain Controller initially fails when PDC is offline
- missing dns records? _ldaps._tcp ?
- missing dns records? _ldaps._tcp ?
- missing dns records? _ldaps._tcp ?
- Authentication to Secondary Domain Controller initially fails when PDC is offline