My reverse zones have PTR records. Though I don't have NS records for all of my DC's. I guess that needs to be manually created.

Also, you don't have any CNAMES or domain overrides pointing to a single DC? Perhaps Bind is pointing to another internal DNS server, and then to a public DNS?

----

Here's a way to test failover from a Windows client:

You can switch logon servers with "nltest /server:<clientcomputer> /sc_reset:<domain\dc>"
https://www.technipages.com/windows-how-to-switch-domain-controller

So try this -- (I just did this on one of my DC's):

* Switch a Windows Client to DC4
* Verify with "nltest /dsgetdc:<domain>" and "nltest /sc_query:<domain>"

C:\WINDOWS\system32>nltest /Server:<mycomputer> /sc_query:<shortdomainname>
> Flags: 30 HAS_IP HAS_TIMESERV
> Trusted DC Name \\<DC4>.<mydomain.com>
> Trusted DC Connection Status Status = 0 0x0 NERR_Success
> The command completed successfully
> C:\WINDOWS\system32>nltest /dsgetdc:<shortdomainname>
> DC: \\<DC4>
> Address: \\ip.addr.ss.ss
> Dom Guid: <guid>
> Dom Name: <shortdomainname>
> Forest Name: mydomain.com
> Dc Site Name: <mysite>
> Our Site Name: <mysite>
> Flags: GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST
> CLOSE_SITE
> The command completed successfully

* Then stop samba on DC4
* "nltest /dclist:<domain>" This should fail, as it's attempting to get lookups from the trusted DC (DC4)

C:\WINDOWS\system32>nltest /dclist:<shortdomainname>
> Get list of DCs in domain ' <shortdomainname> ' from '\\<DC4>'.
> Cannot DsBind to <shortdomainname> (\\<DC4>).Status = 1722 0x6ba
> RPC_S_SERVER_UNAVAILABLE
> List of DCs in Domain <shortdomainname>
> \\<DC3>(PDC)
> The command completed successfully
>

* "nltest /sc_verify:<domain>" -- this should force a query and change the trusted DC to an available DC.

(Don't forget to turn samba back on)

Kris Lou
<klou at themusiclink.net>
Paul Littlefield
2020-Feb-14 11:26 UTC
[Samba] Failover DC did not work when Main DC failed
On 13/02/2020 19:28, Kris Lou via samba wrote:
> Here's a way to test failover from a Windows client:

Kris,

This is EXACTLY the sort of thing I needed for Sunday and why I ask the mailing list for help.

You are an absolute star and a gentleman.

I shall run everything and report back on my findings and (hopeful!) solution.

Kind regards,

:) Paully
Paul Littlefield
2020-Feb-16 15:03 UTC
[Samba] Failover DC did not work when Main DC failed
Hello Kris,

On 13/02/2020 19:28, Kris Lou via samba wrote:
> My reverse zones have PTR records. Though I don't have NS records for all
> of my DC's. I guess that needs to be manually created.

I have NS records for all 2 of my DC's and I just followed the Installation page on the Wiki.

> Also, you don't have any CNAMES or domain overrides pointing to a single
> DC? Perhaps Bind is pointing to another internal DNS server, and then to a
> public DNS?

I am not using BIND with Samba, just the Internal DNS which is the default.

What do you mean when you say "CNAMES or domain overrides pointing to a single DC"?

I have DHCP handing out both DNS servers as 192.168.0.218 and 192.168.0.219 and they both work as nameservers perfectly.

> Here's a way to test failover from a Windows client:
>
> You can switch logon servers with "nltest /server:<clientcomputer>
> /sc_reset:<domain\dc>"
> https://www.technipages.com/windows-how-to-switch-domain-controller
>
> So try this -- (I just did this on one of my DC's):
> * Switch a Windows Client to DC4
> * Verify with "nltest /dsgetdc:<domain>" and "nltest /sc_query:<domain>"
>
> C:\WINDOWS\system32>nltest /Server:<mycomputer> /sc_query:<shortdomainname>
>> Flags: 30 HAS_IP HAS_TIMESERV
>> Trusted DC Name \\<DC4>.<mydomain.com>
>> Trusted DC Connection Status Status = 0 0x0 NERR_Success
>> The command completed successfully
>> C:\WINDOWS\system32>nltest /dsgetdc:<shortdomainname>
>> DC: \\<DC4>
>> Address: \\ip.addr.ss.ss
>> Dom Guid: <guid>
>> Dom Name: <shortdomainname>
>> Forest Name: mydomain.com
>> Dc Site Name: <mysite>
>> Our Site Name: <mysite>
>> Flags: GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST
>> CLOSE_SITE
>> The command completed successfully
>
>
> * Then stop samba on DC4
> * "nltest /dclist:<domain>" This should fail, as it's attempting to get
> lookups from the trusted DC (DC4)
>
> C:\WINDOWS\system32>nltest /dclist:<shortdomainname>
>> Get list of DCs in domain ' <shortdomainname> ' from '\\<DC4>'.
>> Cannot DsBind to <shortdomainname> (\\<DC4>).Status = 1722 0x6ba
>> RPC_S_SERVER_UNAVAILABLE
>> List of DCs in Domain <shortdomainname>
>> \\<DC3>(PDC)
>> The command completed successfully
>>
>
> * "nltest /sc_verify:<domain>" -- this should force a query and change the
> trusted DC to an available DC.
>
> (Don't forget to turn samba back on)
>

So, to "fix the QNAP problem" I changed the QNAP's /etc/config/smb.conf setting...

password server = DC3.mydomain.com DC4.mydomain.com

...and restarted Samba on the QNAP...

/etc/init.d/samba restart

I then started to run your Windows client commands to change the DC...

...well, this worked!

So, if I force switch a Windows client from DC3 to DC4 using the 'nltest' commands then log out and log back in, their Desktop icons appear and they can still access the QNAP shares.

If I stop Samba running on DC3, and then log in to the same Windows client (who now uses DC4) their Desktop icons appear and they can log in to the QNAP shares.

Great!

However, this is NOT true for the next different Windows client who has not gone through the "DC switching process".

They are still on DC3, which is down... and Windows does not know what to do despite the results of...

C:> nltest /dclist:MYDOMAIN

\\DC3 [PDC]
\\DC4

So... the next 2 tasks are:-

1) finding a way for ALL 70+ desktops to look up the DCs properly and switch to a running one if one is not available (otherwise what's the point right?)

2) asking QNAP to fix their web admin pages so that 2 x SAMBA4 DCs can be found and used.

Regards,

Paully
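A way to turn Kris's nltest check into something scriptable across many clients, added here as an example and not code from the thread, from Samba or from Microsoft: it parses the shapes of the "nltest /sc_query" and "nltest /dclist" output quoted above and names the DC a client should be pointed at with "nltest /sc_reset" when its trusted DC is down, which is the "still on DC3" case Paul describes. The DC names, domain, client name and the reachability probe are constructed placeholders, and the regular expressions are assumptions about nltest's wording that should be checked against real output before relying on them.

```python
"""Spot a Windows client whose secure channel still points at a DC that is down.

Added example, not code from the Samba list thread or from Samba. It parses the
shapes of 'nltest /sc_query' and 'nltest /dclist' output quoted in the thread
and picks the DC to hand to 'nltest /sc_reset'. All names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: 'nltest /sc_query:MYDOMAIN' while the client trusted DC4.
SC_QUERY_OUTPUT = r"""
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DC4.mydomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""

# Constructed sample: 'nltest /dclist:MYDOMAIN' after samba was stopped on DC4.
DCLIST_OUTPUT = r"""
Get list of DCs in domain 'MYDOMAIN' from '\\DC4'.
Cannot DsBind to MYDOMAIN (\\DC4).Status = 1722 0x6ba
RPC_S_SERVER_UNAVAILABLE
List of DCs in Domain MYDOMAIN
\\DC3 [PDC]
\\DC4
The command completed successfully
"""


@dataclass
class SecureChannel:
    trusted_dc: str      # e.g. "DC4.mydomain.com"
    status_code: int     # 0 means NERR_Success
    status_name: str


@dataclass
class DcList:
    queried_from: Optional[str]     # DC that nltest asked, if shown
    bind_error: Optional[int]       # e.g. 1722 = RPC_S_SERVER_UNAVAILABLE
    bind_error_name: Optional[str]
    dcs: list                       # short names, in listed order
    pdc: Optional[str]


def parse_sc_query(text: str) -> SecureChannel:
    """Trusted DC and connection status from 'nltest /sc_query' output."""
    dc = re.search(r"Trusted DC Name\s+\\\\(\S+)", text)
    st = re.search(r"Connection Status\s+Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s*(\S+)", text)
    if not dc or not st:
        raise ValueError("unrecognised sc_query output")
    return SecureChannel(dc.group(1), int(st.group(1)), st.group(2))


def parse_dclist(text: str) -> DcList:
    """DC list plus any DsBind failure from 'nltest /dclist' output."""
    src = re.search(r"from '\\\\([^']+)'", text)
    err = re.search(r"Cannot DsBind to .*?Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+"
                    r"(?:\s+([A-Z_][A-Z0-9_]+))?", text)
    dcs, pdc, in_list = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("List of DCs in Domain"):
            in_list = True
            continue
        if not in_list or not line or line.startswith("The command completed"):
            continue
        # Accepts both '\\DC3 [PDC]' and 'dc3.mydomain.com [PDC]  [DS] Site: ...'
        m = re.match(r"(?:\\\\)?([^\s\[(]+)\s*(.*)", line)
        if not m:
            continue
        name = m.group(1).split(".")[0].upper()
        dcs.append(name)
        if re.search(r"[\[(]PDC[\])]", m.group(2)):
            pdc = name
    return DcList(src.group(1) if src else None,
                  int(err.group(1)) if err else None,
                  err.group(2) if err else None, dcs, pdc)


def choose_failover_dc(sc: SecureChannel, dl: DcList,
                       reachable: Callable[[str], bool]) -> Optional[str]:
    """DC to re-target with sc_reset, or None when the trusted DC is still usable.

    'reachable' is injected (a real probe would try LDAP/389 on the DC) so the
    decision is testable offline; the PDC is only a tie-break, not a requirement.
    """
    current = sc.trusted_dc.split(".")[0].upper()
    if sc.status_code == 0 and dl.bind_error is None and reachable(current):
        return None
    candidates = [dc for dc in dl.dcs if dc != current and reachable(dc)]
    if not candidates:
        return None
    return dl.pdc if dl.pdc in candidates else candidates[0]


def sc_reset_command(client: str, domain: str, dc: str) -> str:
    """The command from the thread that moves a client's secure channel to 'dc'."""
    return f"nltest /server:{client} /sc_reset:{domain}\\{dc}"


if __name__ == "__main__":
    sc, dl = parse_sc_query(SC_QUERY_OUTPUT), parse_dclist(DCLIST_OUTPUT)
    target = choose_failover_dc(sc, dl, reachable=lambda dc: dc != "DC4")  # DC4 is down
    print(sc_reset_command("PC01", "MYDOMAIN", target) if target else "secure channel OK")
```

In practice the two nltest outputs would be collected per client (for example by a startup script that writes them to a share), parsed here, and the resulting sc_reset command run only where a client's trusted DC is the one that is down; "nltest /sc_verify", as Kris notes, may already do the switch on its own.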
Paul Littlefield
2020-Feb-17 12:45 UTC
[Samba] Failover DC did not work when Main DC failed
On 16/02/2020 15:03, Paul Littlefield via samba wrote:
> 1) finding a way for ALL 70+ desktops to look up the DCs properly and switch to a running one if one is not available (otherwise what's the point right?)

Hello Samba Mailing List,

Just to be clear, I am using Ubuntu Server 18.04.4 LTS running Samba 4.7.6 on both DCs.

Is this the Samba version I should be using for this 'multiple DCs' option or is there a known bug with anything less than the latest Samba 4.11.6?

Yours, ever hopeful.

Paully