[Samba] Undestructible DNS entry

Wed Dec 2 17:31:26 UTC 2015

Thank you James for your reply. Unfortunately using ADSI did not shown any
entry related to that demoted DC.

Anyway, once more, my bad : )

The undeletable DNS entry was not some pointing to "m701" but some IP
pointing to "m701.".

Then there was an LDAP entry for cn=m701.,,DC=_msdcs.....

And using the right DN the LDAP entry was removed and the DNS entry
disappeared.

To finally see my error I used the following piece of awk:
ldbsearch -H $sam -b 'DC=FORESTDNSZONES,DC=AD,DC=DOMAIN,DC=TLD' dnsRecord=*
| awk '{ if($1 == "dnsRecord::") { res = $2; if ($2 !~ /==$/) { getline ;
if($1 !~ /:$/) res = res $1 } if($1 !~ /:$/) {while($1 !~ /==$/) { getline
; res = res $1 } } } system("echo " res " | base64 -d && echo "); if ($1 ==
"dn:") print $0 }'

The awk itself is not nice to read, awk as one-liner... It prints DN and
decode (and print) dnsRecord.
The ldbsearch was performed on
-b 'DC=FORESTDNSZONES,DC=AD,DC=DOMAIN,DC=TLD'

This last point is important as it seems _msdcs zone is stored there when
standard DNS zone seems stored in "DC=DomainDnsZones".

Then I must say if I understood that earlier I would certainly have been
able to delete this entry using ADSI tool.

Thanks again James : )

Sorry for noise all!

2015-12-02 17:34 GMT+01:00 James <lingpanda101 at gmail.com>:

> On 12/2/2015 11:25 AM, mathias dufresne wrote:
>
>> Hi all,
>>
>> I'm unable to delete a DNS entry, this entry does not exist.
>>
>> The entry is A record in _msdcs zone for an old DC which was demoted.
>>
>> I tried to use samba-tool dns to delete it but without success:
>> samba-tool dns delete m703 _msdcs.ad.domain.tld \
>>    m701._msdcs.ad.domain.tld A 10.16.28.27 -k yes
>> ERROR: Record does not exist
>>
>> I found undeleted entry in LDAP, removed it without success:
>> the entry:
>> ldbsearch -H $sam -b 'DC=DOMAINDNSZONES,DC=AD,DC=DOMAIN,DC=TLD'
>> objectclass=* | grep 701
>> dn:
>>
>> DC=m701,DC=ad.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=domain,DC=tld
>> name: m701
>> dc: m701
>> distinguishedName: DC=m701,DC=ad.domain.tld,CN=MicrosoftDNS,DC=Dom
>>
>> Of course I can't delete this entry from RSAT DNS tool, the error is:
>> The record cannot be deleted.
>> The record does not exist.
>>
>> The question is simple: how to get rid of that entry?
>> If I was gambler I would bet on some data, possibly base64 encrypted,
>> remaining on some other LDAP entry. I mostly lose my bets.
>>
>> Thank you for your time, best regards,
>>
>> mathias
>>
> I've had similar issues. I had to use ADSI to delete the entry.
>
> Open ADSI and under Connection point choose "Select or type a
> Distinguished Name or Naming Contest:"
>
> Map the following to your domain. You should see the entry. Right click
> and delete.
>
>  DC=domain.local,cn=MicrosoftDns,dc=DomainDnsZones,dc=domain,dc=local
>
> --
> -James
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>