[Samba] DomainDnsZone Replication Shows 200,000 Objects

Achim Gottinger achim at ag-web.biz
Wed Jan 15 14:41:24 MST 2014

On 15.01.2014 06:15, Günter Kukkukk wrote:
> On 14.01.2014 03:56, Günter Kukkukk wrote:
>> On 13.01.2014 23:47, Achim Gottinger wrote:
>>> On 13.01.2014 18:39, lp101 wrote:
>>>> It looks like 15,000 records have been deleted over a period of 8 hours. This was after changing the attribute to 30 days. Do you know how to
>>>> force replication for the Domain DNS Deleted Objects? Replicating the DomainDnsZones using samba-tool drs replicate doesn't appear to replicate these
>>>> objects.
>>>> I've attempted to join a DC again over a 1.5Mbit WAN link using Samba 4.1.4 on Ubuntu 12.04. At this moment I'm over 19hrs in with 312355/385196
>>>> replicated. I joined using "--domain-critical-only" thinking it may exclude these items but I was wrong.
>>> Thank you for the update. Can it be you have a few sites which are not directly connected? This does slow down replication. Hope it works for you this
>>> time, but didn't it fail at ~350000 objects last time?
>> FYI - the Samba ISC bind DLZ plugin takes a different approach.
>> When all child DNS entries are gone, it _leaves_ the directory storage as:
>> (samba-tool dns query .... output)
>> Name=mytest, Records=0, Children=0
>> So the record is _not_ deleted - more or less "left as an unused entry".
>> Those entries can be re-used later, but can also accumulate when not
>> being re-used.
>> As I've seen with a Windows 7 client during normal operation, it deletes
>> its A and AAAA records and then registers one/both again in some interval
>> of about 5 to 10 minutes! (Could be because I was running the MS MMC DNS plugin.)
>> This behavior is atm handled fine with the DLZ driver - but is somewhat FATAL
>> for the internal DNS server: it creates LOTS of deleted DNS entries!
>> So I've reverted the patch
>>       8b24c43b382740106474e26dec59e1419ba77306
>> which was deleting the whole DNS entry.
>> After this revert the internal DNS server behaves the same as the DLZ driver and
>> leaves those
>>     Name=mytest, Records=0, Children=0
>> records around - BUT THEN the current implementation is NOT able to add
>> new incoming records!
>> https://bugzilla.samba.org/show_bug.cgi?id=9559
>> Atm I did a very first simple patch to the internal DNS, which allows
>> adding new entries in that
>>    Name=mytest, Records=0, Children=0
>> formerly failing state.
>> Now the internal DNS _seems_ to behave similarly to the DLZ driver, but
>> more investigation is needed because DNS entries can be "static" or
>> "time stamped" ....
>> So I'm still looking at all related infos ....
>> Btw - has someone seen "strange" behavior in this area when the
>> DLZ driver is used?
>> Cheers, Günter
> Atm I'm trying to collect as much info as possible.
> Can someone comment on this article/patch?
>     http://support.microsoft.com/kb/2548145/en-us
> Cheers, Günter
Thank you for the info, Günter! Is your fix in 4.1.4 or in git at the 
moment? If in git, I read it as: moving to DLZ should fix the issue in the meantime.
The link you posted also suggests a workaround: "To work around the 
issue, change the value of *Security updates* to *None* or to *Nonsecure 
and secure* in the DNS server zones." Does this work with Samba also?

Guess it belongs to the issue described here 

*Note: The default behavior for Windows 2008 R2 was modified and will be 
acting as if the SID of the machine has changed regardless of whether 
it's true or not. Meaning when a record update is sent to a DNS server 
hosted on a Windows 2008 R2 Domain Controller and the record's 
dnsTombstone=True the record is deleted regardless of the permissions 
issue described earlier. This was to fix the issue described in 

*In certain cases (with many updates and low No-Refresh interval) this 
can cause issues. The resolution can be found in 
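As an added example (not part of this thread and not Samba's own code): a small Python check that parses `samba-tool dns query` output in the "Name=..., Records=N, Children=N" form quoted above and counts the names left behind with no records and no children, so the accumulation of unused entries Günter describes can be watched per zone. The sample output below is constructed from the lines quoted in the thread, not captured from a real server; the exact layout of a real zone dump may differ.

```python
import re

# Constructed sample of `samba-tool dns query <server> <zone> @ ALL` output,
# modelled on the "Name=..., Records=N, Children=N" lines quoted in the thread.
# Hostnames and addresses are made up for illustration.
SAMPLE_OUTPUT = """\
  Name=, Records=2, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.example.lan., email=hostmaster.example.lan. (flags=600000f0, serial=110, ttl=3600)
    NS: dc1.example.lan. (flags=600000f0, serial=110, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 10.0.0.1 (flags=f0, serial=110, ttl=900)
  Name=mytest, Records=0, Children=0
  Name=_msdcs, Records=0, Children=3
  Name=ws7-old, Records=0, Children=0
"""

# One "Name=..." header per node; the zone apex shows up with an empty name.
NAME_RE = re.compile(
    r"^\s*Name=(?P<name>[^,]*), Records=(?P<records>\d+), Children=(?P<children>\d+)\s*$"
)


def parse_dns_query(text):
    """Return (name, records, children) tuples for each node header in the output.

    Record detail lines (SOA:, NS:, A:, ...) are skipped; only node headers count.
    """
    entries = []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            entries.append((m.group("name"), int(m.group("records")), int(m.group("children"))))
    return entries


def empty_leaf_entries(entries):
    """Names with no records and no children: the 'unused entry' state from the thread.

    Nodes with Children > 0 (e.g. _msdcs) are containers and are not reported.
    """
    return [name for name, records, children in entries if records == 0 and children == 0]


def summarize(text):
    """Summary suitable for a periodic check: total nodes, empty leaves, and their names."""
    entries = parse_dns_query(text)
    empty = empty_leaf_entries(entries)
    return {"total": len(entries), "empty": len(empty), "empty_names": empty}


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

Feed it the real output of `samba-tool dns query` for a zone and compare the `empty` count over time; a steadily rising number points at the re-registration churn discussed above.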
