[Samba] AD + Bind DLZ + Site

mathias dufresne infractory at gmail.com
Wed Feb 10 14:36:01 UTC 2016

2016-02-10 14:39 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 10/02/16 11:20, mathias dufresne wrote:
>> Another question:
>> 6° In DNS zone _msdcs, at root, there is one DNS record per DC. These
>> records are those which have to be created manually and are related to
>> objectGuid as explained there:
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller
>> I have for now 4 DC in my second site, two of them have 2 records when the
>> 2 others have only 1.
>> These additional records are <DC related objectGuid>CNF:<another uuid>
>> <another uuid> is not the same for these two records. These two records
>> are related to 2 different DC.
>> Are they supposed to exist? If yes aren't they supposed to exist for all 4
>> DC in this second site?
> Every DC should have the record you refer to, so it looks like you need
> to find the ones you do not have and add them.
> Rowland
I agree that every DC must have one record as shown in the link so a record
using the following syntax:

${objectGuid_of_dcXYZ}._msdcs.samba.domain.tld CNAME dcXYZ.samba.domain.tld

The point is I have ALSO records with the following syntax:

${objectGuid_of_dcXYZ}CNF:<some_uuid>._msdcs.samba.domain.tld CNAME

And in main zone (the one without _msdcs):

dcXYZCNF:<some other uuid> A

What are these records suffixed by CNF:<some uuid>?
From what come these uuid? They change every time, i.e. for one DC the uuid
on right of CNF: is not the same in zone _msdcs and in main zone.

And so I wonder what are these records with CNF:<uuid> and if they are
necessary and also why they would be necessary...

20min later:

I'm lucky: I have a Microsoft consultant (or advisor? no idea, my English
is still poor : ) sitting right behind me. He's not an AD expert but he was
able to ask a Microsoft AD expert about these CNF: records.
The answer of this MS AD expert is these *CNF:<uuid> can exist (at least)
for DNS zones (object class DnsZone) and for DNS records (object class
DnsNode) and are created by AD when a collision happens during replication, i.e.
when two objects with the same name but different GUID are created on different
DC. During replication one object is renamed to harmonize the DB.

These entries can be safely removed in MS AD. I expect they can be safely
removed in Samba AD too.

Kind regards,
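A small triage script for the CNF: conflict records discussed above, added here as an example and not code from this thread or from Samba: it scans a constructed list of (zone, name) pairs, such as you would collect from `samba-tool dns query`, flags replication-conflict names and notes whether the original, non-conflict record is still present so the duplicate can be cleaned up with confidence.

```python
import re
from dataclasses import dataclass

# AD renames the losing object of a replication collision to
# "<original>CNF:<guid>" (in LDAP a line feed precedes "CNF:"; DNS tools
# usually print it without the separator). Both spellings are matched.
CNF_RE = re.compile(r'^(?P<base>.+?)\n?CNF:(?P<guid>[0-9a-fA-F-]{36})$')


@dataclass
class ConflictRecord:
    zone: str
    name: str          # the full conflict name as seen in DNS
    base: str          # the original record name before the CNF: suffix
    guid: str          # the GUID AD appended during the rename
    base_present: bool  # True if the non-conflict original also exists


def find_cnf_conflicts(records):
    """records: iterable of (zone, name) tuples. Returns ConflictRecord list,
    grouped per zone in input order and sorted by name within a zone."""
    by_zone = {}
    for zone, name in records:
        by_zone.setdefault(zone, set()).add(name)
    found = []
    for zone, names in by_zone.items():
        for name in sorted(names):
            m = CNF_RE.match(name)
            if m:
                base = m.group('base')
                found.append(ConflictRecord(zone, name, base,
                                            m.group('guid').lower(),
                                            base in names))
    return found


# Constructed sample, mirroring the thread: a DC with an extra CNF: A record
# in the main zone, an objectGUID CNAME with a CNF: twin in _msdcs, and one
# conflict entry whose original is missing (hypothetical GUIDs throughout).
SAMPLE_RECORDS = [
    ("samba.domain.tld", "dc1"),
    ("samba.domain.tld", "dc1CNF:0f3a7d5e-1111-4b2c-9a8d-aaaaaaaaaaaa"),
    ("samba.domain.tld", "dc2"),
    ("_msdcs.samba.domain.tld", "1b2c3d4e-2222-4f5a-8b9c-bbbbbbbbbbbb"),
    ("_msdcs.samba.domain.tld",
     "1b2c3d4e-2222-4f5a-8b9c-bbbbbbbbbbbbCNF:9c8b7a6f-3333-4d2e-a1b0-cccccccccccc"),
    ("_msdcs.samba.domain.tld", "orphanCNF:5e4d3c2b-4444-4a9f-b8e7-dddddddddddd"),
]

if __name__ == "__main__":
    for c in find_cnf_conflicts(SAMPLE_RECORDS):
        state = "original present" if c.base_present else "ORIGINAL MISSING"
        print(f"{c.zone}: {c.name} -> base={c.base} guid={c.guid} ({state})")
```

Only entries reported with the original present are candidates for removal; an entry whose original is missing points at a record that was never re-created and needs the fix from the wiki page linked above instead.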
