[Samba] How to delete a corrupt record from internal DNS

Ole Traupe ole.traupe at tu-berlin.de
Tue Feb 9 17:34:11 UTC 2016


Excellent! It seems I was just able to solve this issue by applying 
James' instructions from 2nd of December for a similar case:

"I've had similar issues. I had to use ADSI to delete the entry.
Open ADSI and under Connection point choose "Select or type a 
Distinguished Name or Naming Context:"
Map the following to your domain. You should see the entry. Right click 
and delete.
  DC=domain.local,cn=MicrosoftDns,dc=DomainDnsZones,dc=domain,dc=local "

I just wanted to add that "seeing" the entry means opening the 
properties of the respective "dnsNode" object and editing an "Attribute" 
called "dnsRecord" (containing cryptic hex lines each representing an 
actual DNS record).

Ole


On 08.01.2016 12:05, Ole Traupe wrote:
>
>
> On 08.01.2016 at 12:03, Ole Traupe wrote:
>>
>>
>> On 08.01.2016 at 11:47, Rowland penny wrote:
>>> On 08/01/16 10:31, Ole Traupe wrote:
>>>>
>>>>
>>>> On 04.01.2016 at 19:24, Rowland penny wrote:
>>>>> On 04/01/16 17:23, Ole Traupe wrote:
>>>>>> No ideas on that?
>>>>>>
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 18.12.2015 at 13:44, Ole Traupe wrote:
>>>>>>> I accidentally created a SRV record with a false port. I then 
>>>>>>> updated the port but was afraid of any consequences. So I 
>>>>>>> deleted that record again and wanted to re-create it. But now I 
>>>>>>> can't: "The record already exists."
>>>>>>>
>>>>>>> Observations:
>>>>>>>
>>>>>>>
>>>>>>> 1) I can't see it in the RSAT DNS gui, so I can't delete it there.
>>>>>>>
>>>>>>>
>>>>>>> 2) I also can't delete it via samba-tool (although I could 
>>>>>>> delete its counterpart for the other DC; so the command is ok):
>>>>>>>
>>>>>>> # samba-tool dns delete DC1 _msdcs.my.domain.tld 
>>>>>>> _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 
>>>>>>> 100"
>>>>>>> ERROR: Record does not exist
>>>>>>>
>>>>>>>
>>>>>>> 3) However, it can be found with dig:
>>>>>>>
>>>>>>> # dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
>>>>>>>
>>>>>>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 
>>>>>>> _ldap._tcp.gc._msdcs.my.domain.tld SRV
>>>>>>> ; (1 server found)
>>>>>>> ;; global options: +cmd
>>>>>>> ;; Got answer:
>>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
>>>>>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, 
>>>>>>> ADDITIONAL: 0
>>>>>>>
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV
>>>>>>>
>>>>>>> ;; ANSWER SECTION:
>>>>>>> _ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 
>>>>>>> dc1.my.domain.tld.
>>>>>>> _ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 
>>>>>>> dc2.my.domain.tld.
>>>>>>>
>>>>>>> ;; Query time: 1 msec
>>>>>>> ;; SERVER: IP_of_1stDC#53(IP_of_1stDC)
>>>>>>> ;; WHEN: Thu Dec 17 13:28:06 2015
>>>>>>> ;; MSG SIZE  rcvd: 103
>>>>>>>
>>>>>>>
>>>>>>> So, how do I get rid of this problematic record for my DC2?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Ole, can you identify the DN of the record you want to remove?
>>>>> One way would be with ldbedit:
>>>>> ldbedit -e nano -H /path/to/private/sam.ldb --cross-ncs --show-binary
>>>>>
>>>>> and then searching for the record.
>>>>>
>>>>> Once you have the DN, you may be able to delete the entire record 
>>>>> with ldbdel:
>>>>>
>>>>> ldbdel -H /path/to/private/sam.ldb --cross-ncs <the object DN 
>>>>> (without the 'dn: ')>
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>>
>>>> Sorry, totally overlooked your posting. Thanks for the suggestion!
>>>>
>>>> With "dn: " you mean this?
>>>>
>>>> "DC=_ldap._tcp.gc,DC=_msdcs.my.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=tld" 
>>>>
>>>>
>>>> Deleting this would delete the record for the 1st_DC as well, 
>>>> right? The whole "container" (or what appears to be one in the MS 
>>>> DNS console).
>>>>
>>>> Could also try this from there, of course. I only don't want to 
>>>> mess up even more stuff. ;)
>>>>
>>>> What baffles me: the LDAP database is the basis of Samba's 
>>>> internal DNS, as well, I guess. Shouldn't I at least see some 
>>>> significant difference between the correct record for 1st_DC and 
>>>> the faulty one for 2nd_DC?
>>>>
>>>> # record 3236
>>>> dn: 
>>>> DC=_ldap._tcp.gc,DC=_msdcs.my.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=tld
>>>> objectClass: top
>>>> objectClass: dnsNode
>>>> instanceType: 4
>>>> whenCreated: 20150616170609.0Z
>>>> uSNCreated: 3532
>>>> showInAdvancedViewOnly: TRUE
>>>> name: _ldap._tcp.gc
>>>> objectGUID: f72085bb-d317-4a22-82d3-760ab476b3db
>>>> objectCategory: 
>>>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=my,DC=domain,DC=tld
>>>> dc: _ldap._tcp.gc
>>>> whenChanged: 20160108093106.0Z
>>>> uSNChanged: 8590
>>>> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>>>>         wDataLength              : 0x001e (30)
>>>>         wType                    : DNS_TYPE_SRV (33)
>>>>         version                  : 0x05 (5)
>>>>         rank                     : DNS_RANK_NONE (0)
>>>>         flags                    : 0x0000 (0)
>>>>         dwSerial                 : 0x00000023 (35)
>>>>         dwTtlSeconds             : 0x000000b4 (180)
>>>>         dwReserved               : 0x00000000 (0)
>>>>         dwTimeStamp              : 0x0c83234c (209920844)
>>>>         data                     : union dnsRecordData(case 33)
>>>>         srv: struct dnsp_srv
>>>>             wPriority                : 0x0000 (0)
>>>>             wWeight                  : 0x0064 (100)
>>>>             wPort                    : 0x0cc4 (3268)
>>>>             nameTarget               : dc2.my.domain.tld
>>>>
>>>> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>>>>         wDataLength              : 0x001e (30)
>>>>         wType                    : DNS_TYPE_SRV (33)
>>>>         version                  : 0x05 (5)
>>>>         rank                     : DNS_RANK_ZONE (240)
>>>>         flags                    : 0x0000 (0)
>>>>         dwSerial                 : 0x00000030 (48)
>>>>         dwTtlSeconds             : 0x000000b4 (180)
>>>>         dwReserved               : 0x00000000 (0)
>>>>         dwTimeStamp              : 0x0ca00cd2 (211815634)
>>>>         data                     : union dnsRecordData(case 33)
>>>>         srv: struct dnsp_srv
>>>>             wPriority                : 0x0000 (0)
>>>>             wWeight                  : 0x0064 (100)
>>>>             wPort                    : 0x0cc4 (3268)
>>>>             nameTarget               : dc1.my.domain.tld
>>>>
>>>> distinguishedName: 
>>>> DC=_ldap._tcp.gc,DC=_msdcs.my.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=tld
>>>>
>>>> The only difference I see is the "DNS_RANK_NONE (0)". Couldn't I 
>>>> try to adjust this "manually" with ldbedit?
>>>>
>>>>
>>>> Ole
>>>>
>>>>
>>>>
>>>
>>> Don't think so, it was trying to change something with ldbedit that 
>>> corrupted my AD object, leading me to having to delete the entire 
>>> record and recreate it.
>>> Bear with me, I am trying to figure out how to alter "DNS_RANK_NONE"
>>>
>>> Rowland
>>>
>>>
>>
>> If you say it is safe to delete (and recreate) the entire container 
>> including the record for the 1st_DC... then I will just do that. From 
>> an earlier post (to me directly) I take it, you did it without any 
>> hassle.
>>
>>
>
> Because the RANK might or might not solve the problem.
>
>
>
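The two dnsRecord values in the ldbedit dump above differ only in rank, serial and timestamp, which is hard to compare by eye and impossible to act on from the RSAT DNS console. The following is an added example (my own code, not from the thread, Samba or Microsoft) that re-implements the dnsp_DnssrvRpcRecord layout in pure Python: it encodes two constructed SRV values mirroring the dc1/dc2 records quoted above, decodes them back, selects the one carrying DNS_RANK_NONE, and emits an LDIF modify that removes only that single attribute value, so the sibling record and the dnsNode object itself are left alone (the worry raised earlier in the thread). The DN, ports, serials, timestamps and rank values come from the thread; the encoded byte lengths are computed from the placeholder name my.domain.tld and therefore do not match the thread's wDataLength of 30. That ldbmodify against sam.ldb applies such an LDIF cleanly is an assumption this thread does not confirm (the actual fix went through ADSI), so treat the output as something to inspect, with a backup of sam.ldb taken first.

```python
"""Decode AD dnsRecord values (dnsp_DnssrvRpcRecord) and build an LDIF that
deletes one value. Pure-Python re-implementation of the on-disk layout
from MS-DNSP / Samba's dnsp.idl; all sample data below is constructed."""
import base64
import struct

DNS_TYPE_SRV = 33
DNS_RANK_NONE = 0      # rank the thread saw on the stale dc2 value
DNS_RANK_ZONE = 240    # rank on the healthy dc1 value
RANK_NAMES = {DNS_RANK_NONE: "DNS_RANK_NONE", DNS_RANK_ZONE: "DNS_RANK_ZONE"}

# 24-byte fixed header. Every field is little-endian except dwTtlSeconds,
# which dnsp.idl flags NDR_BIG_ENDIAN, so it is packed separately.
_HDR = struct.Struct("<HHBBHI")   # wDataLength, wType, version, rank, flags, dwSerial
_TAIL = struct.Struct("<II")      # dwReserved, dwTimeStamp
_HDR_LEN = _HDR.size + 4 + _TAIL.size   # 12 + 4 + 8

def encode_dnsp_name(name):
    """Counted name: total length, label count, (len, label)*, 0 terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw

def decode_dnsp_name(buf, off):
    """Inverse of encode_dnsp_name; returns (dotted name, offset after it)."""
    total, count = buf[off], buf[off + 1]
    off += 2
    end = off + total
    labels = []
    for _ in range(count):
        sublen = buf[off]
        labels.append(buf[off + 1:off + 1 + sublen].decode("ascii"))
        off += 1 + sublen
    if off + 1 != end or buf[off] != 0:
        raise ValueError("malformed dnsp_name")
    return ".".join(labels), end

def encode_srv_record(target, port, serial, rank=DNS_RANK_ZONE, ttl=180,
                      priority=0, weight=100, timestamp=0):
    """Build one SRV dnsRecord value (dnsp_srv fields are big-endian)."""
    data = struct.pack(">HHH", priority, weight, port) + encode_dnsp_name(target)
    hdr = _HDR.pack(len(data), DNS_TYPE_SRV, 5, rank, 0, serial)
    return hdr + struct.pack(">I", ttl) + _TAIL.pack(0, timestamp) + data

def decode_record(blob):
    """Parse one dnsRecord value into a dict; SRV data is fully decoded."""
    wdatalen, wtype, version, rank, flags, serial = _HDR.unpack_from(blob, 0)
    ttl = struct.unpack_from(">I", blob, _HDR.size)[0]
    _reserved, timestamp = _TAIL.unpack_from(blob, _HDR.size + 4)
    if len(blob) != _HDR_LEN + wdatalen:
        raise ValueError("wDataLength does not match value size")
    rec = {"type": wtype, "version": version, "rank": rank,
           "rank_name": RANK_NAMES.get(rank, str(rank)), "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if wtype == DNS_TYPE_SRV:
        prio, weight, port = struct.unpack_from(">HHH", blob, _HDR_LEN)
        target, end = decode_dnsp_name(blob, _HDR_LEN + 6)
        if end != len(blob):
            raise ValueError("trailing bytes after SRV data")
        rec.update(priority=prio, weight=weight, port=port, target=target)
    else:
        rec["data"] = blob[_HDR_LEN:]   # other types left raw in this example
    return rec

def find_stale(values):
    """Values whose rank is DNS_RANK_NONE, the anomaly spotted in the thread."""
    return [v for v in values if decode_record(v)["rank"] == DNS_RANK_NONE]

def ldif_delete_values(dn, values):
    """LDIF 'modify' removing only the listed dnsRecord values, not the node."""
    lines = ["dn: " + dn, "changetype: modify", "delete: dnsRecord"]
    lines += ["dnsRecord:: " + base64.b64encode(v).decode("ascii") for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"

# Constructed stand-ins for the two values quoted in the thread.
SAMPLE_DN = ("DC=_ldap._tcp.gc,DC=_msdcs.my.domain.tld,CN=MicrosoftDNS,"
             "DC=ForestDnsZones,DC=my,DC=domain,DC=tld")
SAMPLE_VALUES = [
    encode_srv_record("dc2.my.domain.tld", 3268, serial=35,
                      rank=DNS_RANK_NONE, timestamp=209920844),
    encode_srv_record("dc1.my.domain.tld", 3268, serial=48,
                      rank=DNS_RANK_ZONE, timestamp=211815634),
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        r = decode_record(v)
        print(f"{r['target']:20} port={r['port']} rank={r['rank_name']} serial={r['serial']}")
    print(ldif_delete_values(SAMPLE_DN, find_stale(SAMPLE_VALUES)))
```

In a real clean-up the values would come from an LDAP search on the dnsNode (dnsRecord is returned base64-encoded in LDIF, so `base64.b64decode` each `dnsRecord::` line before calling `decode_record`), and the LDIF would be reviewed before being applied. Because the delete lists the exact original bytes of the one value, a non-matching value cannot be removed by accident, which is the property the thread was missing when the only offered option was `ldbdel` on the whole DN.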
