[Samba] DomainDnsZone Replication Shows 200,000 Objects
Achim Gottinger
achim at ag-web.biz
Thu Jan 2 20:36:53 MST 2014
I use
ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb '(&(name=HOSTNAME)(isDeleted=TRUE))' dn
to search for specific hosts or
ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC=DOMAINDNSZONES,DC=DOMAIN,DC=LOCAL.ldb 'isDeleted=TRUE' dn
to get a list of all deleted DNs.
To change the default lifetime of tombstones with ADSI navigate to
CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL open the properties
of that folder and change the attribute called tombstoneLifetime to the
desired value. I restarted samba afterwards and it took a few minutes
until samba had deleted all the outdated objects.
On 03.01.2014 15:04, lp101 wrote:
> My domain now has just under 400,000 dns objects during join. I'm
> unable to join a new server as the machine runs out of memory during
> the replication process and kicks back to the command line. This is
> with 6GB of memory. It failed with roughly 10,000 objects left to
> replicate. Can you provide me with the correct syntax to view these
> objects in sam.ldb and I assume you used ADSI to edit the tombstone
> attribute? Thanks.
>
> On 1/3/2014 5:39 AM, Achim Gottinger wrote:
>> On 02.01.2014 20:35, lp101 wrote:
>>>
>>> Here are a couple articles that explain how these objects work that
>>> may prove helpful.
>>>
>>> http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx
>>>
>>> http://technet.microsoft.com/en-us/library/cc759204%28WS.10%29.aspx
>> Thank you for the links.
>> So if a DNS record is dnsTombstoned and older than seven days it
>> gets AD tombstoned and lives in the database for a default of 180
>> days. I thought it would be removed completely from the AD database
>> in that case.
>> Since samba does not use dnsTombstones, any update to a DNS record
>> via samba-tool dns, nsupdate or a Windows client results in a
>> directly AD tombstoned record. So the only way to reduce the number
>> of deleted DNS records is at the moment to lower the AD tombstone
>> lifetime attribute (CN=Directory Service,CN=Windows
>> NT,CN=Services,CN=Configuration,CN={GUID}). I reduced it to 30 days
>> for now. One has to be careful with that attribute: if an AD domain
>> server is down for a longer period, it can cause problems with
>> replication afterwards and the server must be rejoined.
>>
>> achim~
>
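An added example (not from this thread) that post-processes the ldbsearch output from the message above: it parses the LDIF records, groups the deleted DNS objects by their original zone via lastKnownParent, and counts how many are older than a candidate tombstoneLifetime, so the effect of lowering the value from 180 to 30 days can be checked before editing it in ADSI. It assumes the search was run with the attributes `dn lastKnownParent whenChanged`; the sample records and dates are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of what `ldbsearch -H <partition>.ldb 'isDeleted=TRUE' dn
# lastKnownParent whenChanged` could print (assumed LDIF shape; made-up DNs/dates).
SAMPLE_LDIF = """\
dn: DC=host1\\0ADEL:11111111-0000-0000-0000-000000000001,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=local
lastKnownParent: DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
whenChanged: 20130701120000.0Z

dn: DC=host2\\0ADEL:11111111-0000-0000-0000-000000000002,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=local
lastKnownParent: DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
whenChanged: 20131215120000.0Z

dn: DC=10\\0ADEL:11111111-0000-0000-0000-000000000003,CN=Deleted Objects,DC=DomainDnsZones,DC=domain,DC=local
lastKnownParent: DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
whenChanged: 20131101120000.0Z

# returned 3 records
"""


def parse_ldif_records(text):
    """ldbsearch LDIF -> list of {attr: value}. A blank or '#' line ends a
    record; a line starting with a space continues the previous (folded) value."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:
            current[last] += line[1:]
        elif line.startswith("#") or not line:
            if current:
                records.append(current)
            current, last = {}, None
        else:
            last, _, value = line.partition(": ")
            current[last] = value
    return records


def gen_time(value):
    """Parse an AD generalized-time string such as 20130701120000.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z")


def purge_report(records, tombstone_lifetime_days, now_gen_time):
    """Per zone: (deleted objects, how many are older than the candidate
    tombstoneLifetime and so would be garbage-collected after the change)."""
    cutoff = gen_time(now_gen_time) - timedelta(days=tombstone_lifetime_days)
    report = {}
    for rec in records:
        # zone name = value of the first RDN of lastKnownParent (DC=<zone>,CN=MicrosoftDNS,...)
        zone = rec["lastKnownParent"].split(",", 1)[0].partition("=")[2]
        total, old = report.get(zone, (0, 0))
        report[zone] = (total + 1, old + (gen_time(rec["whenChanged"]) < cutoff))
    return report
```

Run it against real output by piping ldbsearch's stdout into parse_ldif_records and passing the current time as a generalized-time string, e.g. purge_report(records, 30, "20140103000000.0Z").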