search for: first_dc

...>> Normally your name server would be the same as your DC who is SOA. >> Did you manually change this from DC1 to DC2? What DC is your SOA? > > I am sorry about the confusion. I demoted my DC1 a while ago due to > hardware problems. I mean to replace it, because currently my First_DC > (FSMO role holder and SOA) is a virtual machine on a storage server > which isn't ideal for many reasons. > > Currently I have DC2 (First_DC) and DC3 (Second_DC). Had I paid > attention to this, I would have changed the names in the text and > output snippets I posted. &...

...ossible that kdc server is always the SOA, at least if derived > from DNS and not specified *explicitly* in the krb5.conf? > > In my DNS-Manager console I find that > > _tcp.dc._msdcs.bpn.tu-berlin.de > > contains only 1 "_kerberos" record, and that one points to my First_DC. > > Ole > > > Your problem doesn't seem to be a dns problem, you should have two 'kerberos' records and no matter how good your dns is, it cannot obtain something that isn't there :-) See Louis's earlier post for how to attempt to fix this, but before you do...

...rial=0, ttl=3600) > > Normally your name server would be the same as your DC who is SOA. Did > you manually change this from DC1 to DC2? What DC is your SOA? I am sorry about the confusion. I demoted my DC1 a while ago due to hardware problems. I mean to replace it, because currently my First_DC (FSMO role holder and SOA) is a virtual machine on a storage server which isn't ideal for many reasons. Currently I have DC2 (First_DC) and DC3 (Second_DC). Had I paid attention to this, I would have changed the names in the text and output snippets I posted. Again: I apologize. > &g...

...me server would be the same as your DC who is SOA. >>> Did you manually change this from DC1 to DC2? What DC is your SOA? >> >> I am sorry about the confusion. I demoted my DC1 a while ago due to >> hardware problems. I mean to replace it, because currently my >> First_DC (FSMO role holder and SOA) is a virtual machine on a storage >> server which isn't ideal for many reasons. >> >> Currently I have DC2 (First_DC) and DC3 (Second_DC). Had I paid >> attention to this, I would have changed the names in the text and >> output snippe...

...he same as your DC who is SOA. >>>> Did you manually change this from DC1 to DC2? What DC is your SOA? >>> >>> I am sorry about the confusion. I demoted my DC1 a while ago due to >>> hardware problems. I mean to replace it, because currently my >>> First_DC (FSMO role holder and SOA) is a virtual machine on a >>> storage server which isn't ideal for many reasons. >>> >>> Currently I have DC2 (First_DC) and DC3 (Second_DC). Had I paid >>> attention to this, I would have changed the names in the text and >&g...

Hi, I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux member servers with my PDC being offline (plugged the cable). It is not working so well. On Windows it initially takes forever. It works again after rebooting the client, which seems to be the easiest solution (can be performed by the user). On Linux member servers, ssh log-in eventually times out. It works again,

...e true for all current windows versions. > > > > Sorry that I ask again, I have little experience with DNS. > > I have A records for all my DCs in "my.domain.com" and > "_msdcs.my.domain.com". I have SOA and NS records in both places, but > only for the First_DC (FSMO role holder). Is that ok? > > Only SOA and NS records have TTL settings. Do I have to change both? > From your above comment I take that you would advise it. Otherwise, > trying to resolve a host wouldn't be diagnostic of the DNS request > during the logon process. >...

Am 12.11.2015 um 11:22 schrieb Harry Jede: > On 11:06:29 wrote Ole Traupe: >> Hi, >> >> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux >> member servers with my PDC being offline (plugged the cable). It is >> not working so well. >> >> On Windows it initially takes forever. It works again after rebooting >> the client, which

On 11/20/2015 7:40 AM, Ole Traupe wrote: > > > Am 20.11.2015 um 11:54 schrieb mathias dufresne: >> Hi Ole, >> >> I'm still not answering your issue but I come back to speak about >> TTL. Perhaps someone would be able to bring us some light on that. >> >> This morning I'm trying to reproduce the way I do broke my test AD >> domain. This

On 09/12/15 17:03, James wrote: > On 12/9/2015 11:33 AM, Ole Traupe wrote: >> >>> - But when I try to ssh to a member server, it still takes forever, >>> and a 'kinit' on a member server gives this: >>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>> getting initial credentials" >>> >>>

Is it possible that kdc server is always the SOA, at least if derived from DNS and not specified *explicitly* in the krb5.conf? In my DNS-Manager console I find that _tcp.dc._msdcs.bpn.tu-berlin.de contains only 1 "_kerberos" record, and that one points to my First_DC. Ole Am 09.12.2015 um 18:16 schrieb Rowland penny: > On 09/12/15 17:03, James wrote: >> On 12/9/2015 11:33 AM, Ole Traupe wrote: >>> >>>> - But when I try to ssh to a member server, it still takes forever, >>>> and a 'kinit' on a member server...

...lways the SOA, at least if >> derived from DNS and not specified *explicitly* in the krb5.conf? >> >> In my DNS-Manager console I find that >> >> _tcp.dc._msdcs.bpn.tu-berlin.de >> >> contains only 1 "_kerberos" record, and that one points to my First_DC. >> >> Ole >> >> >> > > Your problem doesn't seem to be a dns problem, you should have two > 'kerberos' records and no matter how good your dns is, it cannot > obtain something that isn't there :-) That's basically what I just wrote.....

> - But when I try to ssh to a member server, it still takes forever, > and a 'kinit' on a member server gives this: > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while > getting initial credentials" > > > My /etc/krb5.conf looks like this (following your suggestions, > Rowland, as everything else are defaults): > >

Thanks for the clarification, Daniel. And I like to think my users are fast thinkers and might restart their machines eventually. But without file and compute (Samba 4 member) servers being accessible, my infrastructure virtually is down. Again I ask: am I the only one having this problem? It must affect many users of a basic Samba4 setup: two or more DCs, some Windows clients and the

...>>> derived from DNS and not specified *explicitly* in the krb5.conf? >>> >>> In my DNS-Manager console I find that >>> >>> _tcp.dc._msdcs.bpn.tu-berlin.de >>> >>> contains only 1 "_kerberos" record, and that one points to my First_DC. >>> >>> Ole >>> >>> >>> >> >> Your problem doesn't seem to be a dns problem, you should have two >> 'kerberos' records and no matter how good your dns is, it cannot >> obtain something that isn't there :-) >...