[Samba] Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server

Alex Crow acrow at integrafin.co.uk
Sun Aug 14 17:02:19 UTC 2016

On 12/08/16 18:00, Alex Crow via samba wrote:
> Hi List,
> We are running through testing our migration to Samba4/AD domain and
> hit an odd issue.
> We set up one new VM as a legacy PDC and performed a migration on this
> machine. All went fine. We added a second DC with no issues. We then
> simulated the first DC going away by unplugging the VM NIC and did an
> FSMO seize.
> The next step was to reinstall the original VM from scratch as a new
> DC on the same IP as the original, which also worked well. However
> there were many missing DNS records on this and the previous second
> DC, which we fixed by running "samba_dnsupdate --verbose".
> We then tried to use "samba-tool domain demote
> --remove-other-dead-server=<original DC name>" which seemed to run
> successfully. However the next time named was restarted it complained
> that the main forward zone had no records, on both new DCs, and could
> not complete the startup sequence:
> Aug 12 14:44:56 samba4-dc-1 named[2483]: samba_dlz: started for DN
> DC=samba,DC=ifa,DC=net
> Aug 12 14:44:56 samba4-dc-1 named[2483]: samba_dlz: starting configure
> Aug 12 14:44:56 samba4-dc-1 named[2483]: zone samba.ifa.net/NONE: has
> no NS records
> I've checked with ldbedit and there seems to be nothing corrupted or
> obviously wrong. There is a correct FSMO role for both DNS roles, but
> still no joy.
> Does anyone have any ideas or has anyone else experienced a similar
> issue?
> Best regards
> Alex
Hi List,

I have just reproduced this issue with Sernet Samba 4.4.5. I did a
migration from classic on a new VM, and this time created the next DC on
a new IP. As soon as I issued "samba-tool domain demote
--remove-other-dead-server=<original DC name>", I could no longer start
named/bind. It gave the same error as above.

It seems that this command corrupts the LDB in a way that Bind DLZ can't
see any valid records. Ideally we'd like to migrate from an NT-style
domain, add extra DCs, and get rid of the DC used for migration
afterwards, thereby making sure we don't have any traces of the old
setup remaining. It's also a worry that if a DC really did fail and we
had to remove it, that we'd still have various orphan records in the LDB.

I'd be most grateful for any pointers. If it's worth raising a BZ I will
do so, but as usual I'm not sure if I'm doing things correctly and I
don't want to pollute BZ...

Best regards

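The error named prints above ("has no NS records") comes straight from what the BIND9_DLZ module finds in the DC=@ dnsNode of the zone. The script below is an added example, not part of this thread or of Samba: it decodes the binary dnsRecord values exactly as ldbsearch/ldbedit dump them (base64 "dnsRecord::" lines) using the MS-DNSP DNS_RPC_RECORD and DNS_COUNT_NAME layouts, and reports whether the apex still carries at least one NS record and whether any NS record names a DC that is no longer alive. The LDIF it works on is constructed here from the zone and host names used in the thread; the IP addresses, the "old-pdc" host name and the TTL/serial values are made up for the example.

```python
"""Check the NS records at a Samba AD DNS zone apex, straight from the
dnsRecord attribute that ldbsearch/ldbedit shows on the DC=@ dnsNode.

Wire layout per MS-DNSP: DNS_RPC_RECORD (2.3.2.2) is a 24-byte header
(DataLength, Type, Version, Rank, Flags, Serial, TtlSeconds [big-endian],
Reserved, TimeStamp) followed by type-specific data; NS data is a
DNS_COUNT_NAME (2.2.2.2.2). All LDIF used here is constructed sample data."""
import base64
import struct

DNS_TYPE_TOMBSTONE = 0x0000  # left behind when a record is deleted from a DS-integrated zone
DNS_TYPE_A = 0x0001
DNS_TYPE_NS = 0x0002
HEADER = struct.Struct("<HHBBHI")  # DataLength, Type, Version, Rank, Flags, Serial
HEADER_LEN = 24


def encode_count_name(name):
    """DNS_COUNT_NAME: Length, LabelCount, length-prefixed labels, 0x00 terminator."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    raw = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(data):
    """Inverse of encode_count_name; walks LabelCount labels, ignores Length."""
    label_count, pos, labels = data[1], 2, []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def encode_dns_record(rtype, data, ttl=900, serial=1):
    """Build one dnsRecord value (Version 5, Rank 0xF0 = DNS_RANK_ZONE)."""
    header = HEADER.pack(len(data), rtype, 5, 0xF0, 0, serial)
    header += struct.pack(">I", ttl) + struct.pack("<II", 0, 0)  # Reserved, TimeStamp
    return header + data


def decode_dns_record(raw):
    """Return (type, ttl, decoded data) for one dnsRecord value."""
    data_len, rtype, _ver, _rank, _flags, _serial = HEADER.unpack_from(raw, 0)
    ttl = struct.unpack_from(">I", raw, 12)[0]
    data = raw[HEADER_LEN:HEADER_LEN + data_len]
    if rtype == DNS_TYPE_NS:
        return rtype, ttl, decode_count_name(data)
    if rtype == DNS_TYPE_A:
        return rtype, ttl, ".".join(str(b) for b in data)
    return rtype, ttl, data  # tombstones and other types: raw bytes


def build_apex_ldif(zone, ns_hosts, a_addrs, tombstones=0):
    """Constructed LDIF for the DC=@ dnsNode, in the shape ldbsearch prints it."""
    dn = "DC=@,DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (
        zone, ",".join("DC=" + part for part in zone.split(".")))
    lines = ["dn: " + dn, "objectClass: top", "objectClass: dnsNode", "name: @"]
    values = [encode_dns_record(DNS_TYPE_NS, encode_count_name(h)) for h in ns_hosts]
    values += [encode_dns_record(DNS_TYPE_A, bytes(int(o) for o in a.split(".")))
               for a in a_addrs]
    # A type-0 record carries an 8-byte EntombedTime; zeroed here for the sample.
    values += [encode_dns_record(DNS_TYPE_TOMBSTONE, b"\x00" * 8)] * tombstones
    lines += ["dnsRecord:: " + base64.b64encode(v).decode("ascii") for v in values]
    return "\n".join(lines) + "\n"


def parse_ldif_dns_records(ldif):
    """Pull the base64 'dnsRecord::' values out of a single-entry LDIF dump."""
    prefix = "dnsRecord:: "
    return [base64.b64decode(line[len(prefix):])
            for line in ldif.splitlines() if line.startswith(prefix)]


def check_zone_apex(ldif, live_dcs):
    """Return (has_ns, ns_hosts, orphans).

    has_ns False is the state that makes BIND9_DLZ refuse the zone with
    'has no NS records'; orphans are NS entries naming a DC not in live_dcs,
    i.e. records a dead-server removal should have cleaned up."""
    ns_hosts = [data.lower()
                for rtype, _ttl, data in map(decode_dns_record, parse_ldif_dns_records(ldif))
                if rtype == DNS_TYPE_NS]
    live = {d.lower().rstrip(".") for d in live_dcs}
    orphans = [h for h in ns_hosts if h not in live]
    return bool(ns_hosts), ns_hosts, orphans


# Constructed scenarios, not dumps from a real domain.
ZONE = "samba.ifa.net"
LIVE_DCS = ["samba4-dc-1.samba.ifa.net", "samba4-dc-2.samba.ifa.net"]
APEX_BEFORE = build_apex_ldif(ZONE, LIVE_DCS + ["old-pdc.samba.ifa.net"],
                              ["192.0.2.10", "192.0.2.11"])
APEX_AFTER = build_apex_ldif(ZONE, [], ["192.0.2.10", "192.0.2.11"], tombstones=3)

if __name__ == "__main__":
    for label, ldif in (("before demote", APEX_BEFORE), ("after demote", APEX_AFTER)):
        has_ns, ns_hosts, orphans = check_zone_apex(ldif, LIVE_DCS)
        print(label, "NS:", ns_hosts, "orphans:", orphans,
              "OK" if has_ns else "named will refuse this zone")
```

Run against a real dump, the input would be the output of `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=@,DC=samba.ifa.net,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=ifa,DC=net' dnsRecord` (path and DN assumed for this domain) taken before and after the demote; a result with has_ns False, as in the "after demote" scenario, is the condition to check for before restarting named.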

