[Samba] DNS state after upgrading samba

Rowland penny rpenny at samba.org
Mon Aug 5 07:18:04 UTC 2019

On 05/08/2019 07:48, henri transfert via samba wrote:
> Hello,
> I am in the process of upgrading one single DC (internal DNS) to 4.8.12.
> I have followed the procedure of adding a new DC, transferring FSMO roles and
> demoting the old DC.
> Everything went right (except at the transfer FSMO step where I faced the
> problem described here
> https://lists.samba.org/archive/samba/2017-August/210140.html ; this bug
> subsists in 4.8.12, maybe it has been fixed in a later release? At the end,
> I have all roles transferred OK to the new DC).
> After the demote step, I followed the wiki
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Verifying_the_Demotion
> , and manually deleted all references to the old DC from the DNS manager.
> Nevertheless, I still have some references to the old DC in the Forward
> Lookup Zone: "(same as parent folder) Start Of Authority" and "(same as
> parent folder) Name Server".
> I only have a "Properties" menu for these entries, so I cannot delete these
> manually.
> I have the same entries in the _msdcs and Reverse Lookup Zone.
> First question :
> How can I delete these entries to remove any reference to the old DC ?
> Second question :
> I have only one SOA entry, and this one refers to the old DC. Is it safe to
> manually modify its properties with the new DC data ? If not how can I
> correct this ?
> Thanks in advance for your help.
> Henri

There are two schools of thought here. You can do what you have done and 
add a new DC to upgrade, but this has its problems, as you have found. 
You have to remove all references of the old DC etc. You are also 
depleting the ridpool: every time you add a new DC, it gets its own 
portion of the ridpool, do this often enough and you will deplete the 

The other school of thought is to upgrade in place. Doing it this way 
means that you do not have to change anything. This is the way I do it, 
without problems, of course YMMV ;-)

You should have used 'samba-tool domain demote 
--remove-other-dead-server=<The _Old_DC>'

You will probably have to trawl through sam.ldb and find the records 
that need to be removed and then try and remove them with samba-tool 
and/or ldb-tools.

You will need to add your new DC to the SOA before removing the old DCs 
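
An added example, not part of the original message or of Samba itself: a small Python check that reads zone-apex listings laid out like `samba-tool dns query <dc> <zone> @ ALL` output and reports which SOA and NS records still name the demoted DC, for the forward, _msdcs and reverse zones mentioned above. The host names, zone names and the exact line layout of the sample are constructed assumptions.

```python
import re

# Constructed sample laid out like `samba-tool dns query <dc> <zone> @ ALL` output.
# Zone names, host names and the exact line layout are assumptions for this example.
OLD_DC, NEW_DC = "olddc.samdom.example.com", "newdc.samdom.example.com"
SOA = ("    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, "
       "ns={}., email=hostmaster.samdom.example.com. (flags=600000f0, serial=110, ttl=3600)\n")
NS = "    NS: {}. (flags=600000f0, serial=110, ttl=900)\n"
SAMPLE = {
    "samdom.example.com": SOA.format(OLD_DC) + NS.format(OLD_DC) + NS.format(NEW_DC),
    "_msdcs.samdom.example.com": SOA.format(NEW_DC) + NS.format(NEW_DC),
    "0.99.10.in-addr.arpa": SOA.format(OLD_DC) + NS.format(OLD_DC),
}

RECORD = re.compile(r"^\s*(SOA|NS):\s*(.*?)\s*\(flags=", re.M)
SOA_PRIMARY = re.compile(r"\bns=([^,\s]+)")

def _host(name):
    """Normalise a DNS name: no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()

def apex_servers(text):
    """Return (SOA primary server, set of NS targets) for one zone apex."""
    soa, ns = None, set()
    for rtype, data in RECORD.findall(text):
        if rtype == "SOA":
            m = SOA_PRIMARY.search(data)
            soa = _host(m.group(1)) if m else None
        else:
            ns.add(_host(data))
    return soa, ns

def stale_references(zones, old_dc, new_dc):
    """List (zone, record type, issue) for every apex record needing attention."""
    old, new, findings = _host(old_dc), _host(new_dc), []
    for zone, text in zones.items():
        soa, ns = apex_servers(text)
        if soa == old:
            findings.append((zone, "SOA", "primary is the demoted DC"))
        if old in ns:
            findings.append((zone, "NS", "demoted DC still listed"))
        if new not in ns:
            findings.append((zone, "NS", "new DC not listed yet"))
    return findings

if __name__ == "__main__":
    for zone, rtype, issue in stale_references(SAMPLE, OLD_DC, NEW_DC):
        print(f"{zone:28} {rtype:4} {issue}")
```

A zone that reports "new DC not listed yet" is one where the old DC's records should not be removed until the new DC has been added.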

