[Samba] samba AD - bind - deleted DNS entries are not removed completely

Kacper Wirski kacper.wirski at gmail.com
Wed Nov 21 19:48:34 UTC 2018

So in my case, is it safe to delete directly using ldbdel or the Windows 
ADSI GUI LDAP editor? Or is there another way? What is the right 
way to do it?

something like:

ldbdel -H /usr/local/samba/private/sam.ldb 
-b "DC=DomainDnsZones,DC=mydomain,DC=com" '(dNSTombstoned=TRUE)' ?

I read in the Samba 4.9 new features release notes about scavenging, but I'm 
not sure if it's the same thing as in the posted link, and anyway this 
feature supposedly only works in new zones.

On 21.11.2018 at 20:27, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 19:39:53 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>> To answer my own question:
>> Yes, it seems like a feature.
> Yes, it is a feature, an AD feature ;-)
>> I ran basic ldbsearch query:
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "DC=DomainDnsZones,DC=mydomain,DC=com" and saw in output entries with:
>> dNSTombstoned: TRUE
>> Overall there are a couple hundred entries such as this. So now my
>> question is:
>> How can I safely remove them, any tips/guidelines? I thought that
>> doing tombstone expunge would get rid of them - but apparently not.
> Have a look here:
> https://blogs.technet.microsoft.com/isrpfeplat/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones/
> It seems that the DC is supposed to scavenge the stale dns records
> after a certain period, usually 7 days, but it looks like Samba doesn't
> have the code, unless someone knows different.
> Rowland
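As an added example, not code from this thread or from the Samba project, the script below wraps the two commands the thread already uses: it runs ldbsearch with a proper LDAP filter (dNSTombstoned=TRUE), parses the LDIF output (including folded and base64 DNs and the trailing comment lines), and only hands the resulting DNs to ldbdel when explicitly told to. The sam.ldb path and zone DN are the placeholders quoted in the thread; the sample ldbsearch output embedded in it is constructed, not captured from a DC.

```python
#!/usr/bin/env python3
"""List the dNSTombstoned DNS records under an AD-integrated zone in a Samba
sam.ldb and, only on request, remove them with ldbdel.

Added example, not code from this thread or from the Samba project. It only
drives the ldbsearch and ldbdel commands already used in the thread; the
sam.ldb path and zone DN are the placeholders quoted there.
"""
import base64
import subprocess
import sys
from typing import List

SAM_LDB = "/usr/local/samba/private/sam.ldb"        # path quoted in the thread
ZONE_BASE = "DC=DomainDnsZones,DC=mydomain,DC=com"  # placeholder zone partition DN
# LDAP filter syntax is attribute=value; 'dNSTombstoned: TRUE' is LDIF, not a filter.
FILTER = "(dNSTombstoned=TRUE)"


def parse_ldif_dns(ldif: str) -> List[str]:
    """Return the DN of every entry in ldbsearch's LDIF output.

    Handles folded continuation lines (a leading space), base64 DNs written
    as 'dn:: ...' (non-ASCII names), and ignores '#' comment lines such as
    '# returned 3 records'.
    """
    unfolded: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF line folding
        else:
            unfolded.append(raw)
    dns: List[str] = []
    for line in unfolded:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def find_tombstoned(sam_ldb: str = SAM_LDB, base: str = ZONE_BASE,
                    runner=subprocess.run) -> List[str]:
    """Run ldbsearch for tombstoned records and return their DNs.

    'runner' is injectable so the parsing can be exercised without a DC."""
    cmd = ["ldbsearch", "-H", sam_ldb, "-b", base, "-s", "sub",
           FILTER, "dNSTombstoned"]
    out = runner(cmd, check=True, capture_output=True, text=True).stdout
    return parse_ldif_dns(out)


def scavenge(dns: List[str], sam_ldb: str = SAM_LDB, dry_run: bool = True,
             runner=subprocess.run) -> List[List[str]]:
    """Build one ldbdel command per DN and run them only when dry_run=False.

    Returns the commands so a dry run can be reviewed before anything is
    deleted. Back up sam.ldb first: the deletion replicates like any other
    AD object deletion."""
    cmds = [["ldbdel", "-H", sam_ldb, dn] for dn in dns]
    if not dry_run:
        for cmd in cmds:
            runner(cmd, check=True)
    return cmds


# Constructed sample of ldbsearch output (not captured from a real DC): a
# plain DN, a folded DN and a base64 DN, then the trailing comment lines.
_UMLAUT_DN = "DC=zürich-pc,DC=mydomain.com,CN=MicrosoftDNS," + ZONE_BASE
SAMPLE_LDIF = (
    "# record 1\n"
    "dn: DC=oldhost,DC=mydomain.com,CN=MicrosoftDNS," + ZONE_BASE + "\n"
    "dNSTombstoned: TRUE\n"
    "\n"
    "# record 2\n"
    "dn: DC=printer-floor2,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDns\n"
    " Zones,DC=mydomain,DC=com\n"
    "dNSTombstoned: TRUE\n"
    "\n"
    "# record 3\n"
    "dn:: " + base64.b64encode(_UMLAUT_DN.encode("utf-8")).decode("ascii") + "\n"
    "dNSTombstoned: TRUE\n"
    "\n"
    "# returned 3 records\n"
    "# 3 entries\n"
    "# 0 referrals\n"
)


if __name__ == "__main__":
    # Default is a dry run; pass --delete to actually remove the records.
    dry = "--delete" not in sys.argv[1:]
    found = find_tombstoned()
    print(f"{len(found)} tombstoned DNS record(s) under {ZONE_BASE}")
    for cmd in scavenge(found, dry_run=dry):
        print(("would run: " if dry else "ran: ") + " ".join(cmd))
```

Run it without arguments on the DC for a dry run that lists the ldbdel commands, check the DNs against what you expect, and only then re-run with --delete after backing up sam.ldb. Whether hand-deleting these records is the right approach at all is the question the thread leaves open; the script only makes the operation reviewable.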
