Ole Traupe
2015-Dec-17 15:37 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 16:10, Rowland penny wrote:
> On 17/12/15 14:56, Ole Traupe wrote:
>>
>> On 17.12.2015 at 15:33, Rowland penny wrote:
>>> On 17/12/15 13:54, Ole Traupe wrote:
>>>> Rowland, thank you, but before we do that:
>>>>
>>>> - what now with the 'gc' record? 2nd DC yes or no?
>>>
>>> Which one ? I have these:
>>>
>>> dn:
>>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> dn:
>>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> They all contain two dnsrecords, one from each DC
>>>
>>>> - if you say that the internal DNS is not compatible with a
>>>> multi-DC setting, then we can stop here, no?
>>>
>>> Please stop putting words in my mouth :-)
>>>
>>> All I said was that you will only get one NS record if you use the
>>> internal DNS server,
>>
>> Ok. And do you *need* both?
>
> Not sure, but Microsoft says you should have a SOA record for each DC
> that runs DNS.

SOA or NS?

NS I have, SOA seems not possible.

>>> everything else seems to work though, although I haven't tried
>>> turning the first DC off yet.
>>
>> Why? I mean, could you perhaps? Please?
>
> Probably, but not today, will do it as soon as possible.

I would be more than happy about that!

> Rowland
Rowland penny
2015-Dec-17 15:48 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17/12/15 15:37, Ole Traupe wrote:
>
> On 17.12.2015 at 16:10, Rowland penny wrote:
>> On 17/12/15 14:56, Ole Traupe wrote:
>>>
>>> On 17.12.2015 at 15:33, Rowland penny wrote:
>>>> On 17/12/15 13:54, Ole Traupe wrote:
>>>>> Rowland, thank you, but before we do that:
>>>>>
>>>>> - what now with the 'gc' record? 2nd DC yes or no?
>>>>
>>>> Which one ? I have these:
>>>>
>>>> dn:
>>>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn:
>>>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn:
>>>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn:
>>>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> dn:
>>>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>
>>>> They all contain two dnsrecords, one from each DC
>>>>
>>>>> - if you say that the internal DNS is not compatible with a
>>>>> multi-DC setting, then we can stop here, no?
>>>>
>>>> Please stop putting words in my mouth :-)
>>>>
>>>> All I said was that you will only get one NS record if you use the
>>>> internal DNS server,
>>>
>>> Ok. And do you *need* both?
>>
>> Not sure, but Microsoft says you should have a SOA record for each
>> DC that runs DNS.
>
> SOA or NS?
>
> NS I have, SOA seems not possible.

There is one SOA record in Samba AD, but it can hold the NS & A records
for each DC (not sure about AAAA, I don't use IPv6). If you use the
internal DNS server, you only get one NS record returned and this is for
the first DC. If you use Bind9, you get a different NS record from each
DC, i.e. each DC acts as if it is authoritative for the domain.

>>>> everything else seems to work though, although I haven't tried
>>>> turning the first DC off yet.
>>>
>>> Why? I mean, could you perhaps? Please?
>>
>> Probably, but not today, will do it as soon as possible.
>
> I would be more than happy about that!

Will try it asap

Rowland
Rowland penny
2015-Dec-18 09:44 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17/12/15 15:37, Ole Traupe wrote:
>>>> everything else seems to work though, although I haven't tried
>>>> turning the first DC off yet.
>>>
>>> Why? I mean, could you perhaps? Please?
>>
>> Probably, but not today, will do it as soon as possible.
>
> I would be more than happy about that!

OK, before I did anything else this morning, I started up my test
domain. Note that this domain only existed to try and find out why the
second DC didn't have a NS record in the SOA and uses the internal DNS.

Both of the DCs have the relevant line in the hosts file:

root@testdc1:~# nano /etc/hosts

127.0.0.1       localhost
192.168.0.240   testdc1.home.lan testdc1

root@testdc2:~# nano /etc/hosts

127.0.0.1       localhost
192.168.0.241   testdc2.home.lan testdc2

Both of the DCs point to each other as their nameserver:

root@testdc1:~# nano /etc/resolv.conf

search home.lan
nameserver 192.168.0.241
nameserver 192.168.0.240

root@testdc2:~# nano /etc/resolv.conf

search home.lan
nameserver 192.168.0.240
nameserver 192.168.0.241

If I examine the SOA record in AD I find this:

dn: DC=@,DC=home.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=lan
.....................
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x003f (63)
    wType        : DNS_TYPE_SOA (6)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000e10 (3600)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial  : 0x00000001 (1)
            refresh : 0x00000384 (900)
            retry   : 0x00000258 (600)
            expire  : 0x00015180 (86400)
            minimum : 0x00000e10 (3600)
            mname   : testdc1.home.lan
            rname   : hostmaster.home.lan

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0014 (20)
    wType        : DNS_TYPE_NS (2)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 2)
        ns : testdc1.home.lan

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0014 (20)
    wType        : DNS_TYPE_NS (2)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 2)
        ns : testdc2.home.lan

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0004 (4)
    wType        : DNS_TYPE_A (1)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 1)
        ipv4 : 192.168.0.240

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0004 (4)
    wType        : DNS_TYPE_A (1)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 1)
        ipv4 : 192.168.0.241

So, as you can see, both the DCs have their NS & A records in the SOA.

If I then run nslookup on both machines, I get this:

root@testdc1:~# nslookup
> set querytype=soa
> home.lan
Server:         192.168.0.241
Address:        192.168.0.241#53

home.lan
        origin = testdc1.home.lan
        mail addr = hostmaster.home.lan
        serial = 1
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> exit

root@testdc2:~# nslookup
> set querytype=soa
> home.lan
Server:         192.168.0.240
Address:        192.168.0.240#53

home.lan
        origin = testdc1.home.lan
        mail addr = hostmaster.home.lan
        serial = 1
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> exit

As you can see, only the first DC is shown as the NS for the SOA. What
happens if we turn off the first DC? We get this:

root@testdc2:~# nslookup
> set querytype=soa
> home.lan
Server:         192.168.0.241
Address:        192.168.0.241#53

home.lan
        origin = testdc1.home.lan
        mail addr = hostmaster.home.lan
        serial = 1
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> exit

The second DC is now using itself as its nameserver, but still gives
the first DC as the NS.

This is totally different from what is returned if you use Bind9.
Similar setup, only the names & IP addresses have changed:

root@dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> exit

root@dc2:~# nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.5
Address:        192.168.0.5#53

samdom.example.com
        origin = dc1.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> exit

Here, each DC shows the other as being the NS, so what happens if we
turn off the first DC?

root@dc2:~# nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> exit

Now the second DC shows itself as being the NS.

It seems that the internal DNS server works very differently from Bind9.

Conclusions? From my very limited testing, it would seem that, whilst
it will work if you use multiple DCs running the internal DNS servers,
it would probably be better to use Bind9 instead.

Rowland
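A small check for the failure mode Rowland's test shows, added here as an example (not code from the thread or from Samba): it parses nslookup SOA output and flags any DC whose answer still names another DC as the SOA mname, which is the state a client hits when the first DC is down. The sample outputs and the IP-to-FQDN table are constructed from the values in this message; the live query helper is an assumed convenience, not used by the offline checks.

```python
import re
import subprocess

# Constructed samples mirroring the nslookup output shape in the thread:
# the second DC answering after the first DC was shut down.
INTERNAL_DNS_DC2_OFFLINE = """\
Server:\t\t192.168.0.241
Address:\t192.168.0.241#53

home.lan
\torigin = testdc1.home.lan
\tmail addr = hostmaster.home.lan
\tserial = 1
"""

BIND9_DC2_OFFLINE = """\
Server:\t\t192.168.0.6
Address:\t192.168.0.6#53

samdom.example.com
\torigin = dc2.samdom.example.com
\tmail addr = hostmaster.samdom.example.com
\tserial = 101
"""

# IP -> FQDN of every DC, taken from the message (assumed inventory for the check).
DC_HOSTS = {
    "192.168.0.240": "testdc1.home.lan",
    "192.168.0.241": "testdc2.home.lan",
    "192.168.0.5": "dc1.samdom.example.com",
    "192.168.0.6": "dc2.samdom.example.com",
}

def parse_soa(text):
    """Pull the answering server and the SOA mname ('origin') out of nslookup output."""
    server = re.search(r"^Server:\s+(\S+)", text, re.M)
    origin = re.search(r"origin = (\S+)", text)
    if not (server and origin):
        return None
    return {"server": server.group(1), "origin": origin.group(1).rstrip(".")}

def names_itself(parsed, dc_hosts=DC_HOSTS):
    """True when the DC that answered is also the SOA mname it handed out."""
    return parsed is not None and dc_hosts.get(parsed["server"]) == parsed["origin"]

def query_soa(zone, server):
    """Live variant (network call): ask one DC directly for the zone's SOA."""
    out = subprocess.run(["nslookup", "-type=soa", zone, server],
                         capture_output=True, text=True, check=False).stdout
    return parse_soa(out)

def dcs_not_naming_themselves(outputs, dc_hosts=DC_HOSTS):
    """Given {dc_ip: nslookup output}, list DCs whose SOA still points at another DC."""
    return sorted(ip for ip, txt in outputs.items()
                  if not names_itself(parse_soa(txt), dc_hosts))
```

Run `dcs_not_naming_themselves` over `query_soa` results from each DC while one DC is offline; any IP it returns is a DC that keeps advertising an unreachable peer as the zone's primary.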
Ole Traupe
2015-Dec-18 11:19 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hi Rowland,

I am very thankful that you take the time and test all this!

Before I go and check if this is the same with my setup and possibly
the problem, could you perhaps try a logon to a member server, while
the 1st DC is unavailable? From my understanding of your post I take
it, you will have the same problem. But then, my understanding is
limited.

However, if you DO have the same problem, and my understanding is
correct, then the internal DNS of Samba is clearly *broken* and needs
fixing!

Also I would like to state then, that I am somewhat disappointed. I
have spent weeks (if not months) to get my domain running as it is
now, only to find out that I will have no good sleep with it. Sorry to
be so blunt.

Ole

On 18.12.2015 at 10:44, Rowland penny wrote:
> On 17/12/15 15:37, Ole Traupe wrote:
>>>>> everything else seems to work though, although I haven't tried
>>>>> turning the first DC off yet.
>>>>
>>>> Why? I mean, could you perhaps? Please?
>>>
>>> Probably, but not today, will do it as soon as possible.
>>
>> I would be more than happy about that!
>
> OK, before I did anything else this morning, I started up my test
> domain. Note that this domain only existed to try and find out why the
> second DC didn't have a NS record in the SOA and uses the internal DNS.
>
> Both of the DCs have the relevant line in the hosts file:
>
> root@testdc1:~# nano /etc/hosts
>
> 127.0.0.1       localhost
> 192.168.0.240   testdc1.home.lan testdc1
>
> root@testdc2:~# nano /etc/hosts
>
> 127.0.0.1       localhost
> 192.168.0.241   testdc2.home.lan testdc2
>
> Both of the DCs point to each other as their nameserver:
>
> root@testdc1:~# nano /etc/resolv.conf
>
> search home.lan
> nameserver 192.168.0.241
> nameserver 192.168.0.240
>
> root@testdc2:~# nano /etc/resolv.conf
>
> search home.lan
> nameserver 192.168.0.240
> nameserver 192.168.0.241
>
> If I examine the SOA record in AD I find this:
>
> dn: DC=@,DC=home.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=lan
> .....................
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength  : 0x003f (63)
>     wType        : DNS_TYPE_SOA (6)
>     version      : 0x05 (5)
>     rank         : DNS_RANK_ZONE (240)
>     flags        : 0x0000 (0)
>     dwSerial     : 0x0000006e (110)
>     dwTtlSeconds : 0x00000e10 (3600)
>     dwReserved   : 0x00000000 (0)
>     dwTimeStamp  : 0x00000000 (0)
>     data         : union dnsRecordData(case 6)
>         soa: struct dnsp_soa
>             serial  : 0x00000001 (1)
>             refresh : 0x00000384 (900)
>             retry   : 0x00000258 (600)
>             expire  : 0x00015180 (86400)
>             minimum : 0x00000e10 (3600)
>             mname   : testdc1.home.lan
>             rname   : hostmaster.home.lan
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength  : 0x0014 (20)
>     wType        : DNS_TYPE_NS (2)
>     version      : 0x05 (5)
>     rank         : DNS_RANK_ZONE (240)
>     flags        : 0x0000 (0)
>     dwSerial     : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved   : 0x00000000 (0)
>     dwTimeStamp  : 0x00000000 (0)
>     data         : union dnsRecordData(case 2)
>         ns : testdc1.home.lan
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength  : 0x0014 (20)
>     wType        : DNS_TYPE_NS (2)
>     version      : 0x05 (5)
>     rank         : DNS_RANK_ZONE (240)
>     flags        : 0x0000 (0)
>     dwSerial     : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved   : 0x00000000 (0)
>     dwTimeStamp  : 0x00000000 (0)
>     data         : union dnsRecordData(case 2)
>         ns : testdc2.home.lan
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength  : 0x0004 (4)
>     wType        : DNS_TYPE_A (1)
>     version      : 0x05 (5)
>     rank         : DNS_RANK_ZONE (240)
>     flags        : 0x0000 (0)
>     dwSerial     : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved   : 0x00000000 (0)
>     dwTimeStamp  : 0x00000000 (0)
>     data         : union dnsRecordData(case 1)
>         ipv4 : 192.168.0.240
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength  : 0x0004 (4)
>     wType        : DNS_TYPE_A (1)
>     version      : 0x05 (5)
>     rank         : DNS_RANK_ZONE (240)
>     flags        : 0x0000 (0)
>     dwSerial     : 0x0000006e (110)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved   : 0x00000000 (0)
>     dwTimeStamp  : 0x00000000 (0)
>     data         : union dnsRecordData(case 1)
>         ipv4 : 192.168.0.241
>
> So, as you can see, both the DCs have their NS & A records in the SOA.
>
> If I then run nslookup on both machines, I get this:
>
> root@testdc1:~# nslookup
> > set querytype=soa
> > home.lan
> Server:         192.168.0.241
> Address:        192.168.0.241#53
>
> home.lan
>         origin = testdc1.home.lan
>         mail addr = hostmaster.home.lan
>         serial = 1
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> root@testdc2:~# nslookup
> > set querytype=soa
> > home.lan
> Server:         192.168.0.240
> Address:        192.168.0.240#53
>
> home.lan
>         origin = testdc1.home.lan
>         mail addr = hostmaster.home.lan
>         serial = 1
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> As you can see, only the first DC is shown as the NS for the SOA. What
> happens if we turn off the first DC? We get this:
>
> root@testdc2:~# nslookup
> > set querytype=soa
> > home.lan
> Server:         192.168.0.241
> Address:        192.168.0.241#53
>
> home.lan
>         origin = testdc1.home.lan
>         mail addr = hostmaster.home.lan
>         serial = 1
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> The second DC is now using itself as its nameserver, but still gives
> the first DC as the NS.
>
> This is totally different from what is returned if you use Bind9.
> Similar setup, only the names & IP addresses have changed:
>
> root@dc1:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.6
> Address:        192.168.0.6#53
>
> samdom.example.com
>         origin = dc2.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> root@dc2:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.5
> Address:        192.168.0.5#53
>
> samdom.example.com
>         origin = dc1.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> Here, each DC shows the other as being the NS, so what happens if we
> turn off the first DC?
>
> root@dc2:~# nslookup
> > set querytype=soa
> > samdom.example.com
> Server:         192.168.0.6
> Address:        192.168.0.6#53
>
> samdom.example.com
>         origin = dc2.samdom.example.com
>         mail addr = hostmaster.samdom.example.com
>         serial = 101
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
> > exit
>
> Now the second DC shows itself as being the NS.
>
> It seems that the internal DNS server works very differently from Bind9.
>
> Conclusions? From my very limited testing, it would seem that, whilst
> it will work if you use multiple DCs running the internal DNS servers,
> it would probably be better to use Bind9 instead.
>
> Rowland