[Samba] dns replication error due to deleted records

Thu Oct 10 18:41:06 UTC 2019

On 10/10/2019 19:23, Luca Olivetti via samba wrote:
> Today I noticed something that has been going on for some weeks:
>
> I have 2 dc, (dc1 and dc2) both debian buster with the distro provided 
> samba (4.9.5), recently upgraded from stretch.
>
> samba-tool drs showrepl on dc2 says
>
> DC=DomainDnsZones,DC=samba,DC=wetron,DC=es
>         Default-First-Site-Name\DC1 via RPC
>                 DSA object GUID: 89812346-9037-43b0-86ab-c5052f55125d
>                 Last attempt @ Thu Oct 10 20:05:28 2019 CEST failed, 
> result 58 (WERR_BAD_NET_RESP)
>                 273 consecutive failure(s).
>                 Last success @ Thu Oct 10 12:05:27 2019 CEST
>
> (the rest of the incoming replications are fine, only the 
> DomainDnsZone fails).
>
> It turns out that dc2 chokes on "\0ADEL" dns records, supposedly 
> deleted objects.

What you have there is known as a tombstone record and Samba has a tool 
to remove them:

samba-tool domain tombstones expunge NC 
--tombstone-lifetime=TOMBSTONE_LIFETIME

Where 'NC' is the naming context and 'TOMBSTONE_LIFETIME' is the days to 
keep deleted records for.

>
> I found a "solution" here:
>
> https://www.dotnetcatch.com/2018/06/19/samba-replication-failures/
>
> The procedure to solve it is not exactly the same but it put me on 
> the, hopefully, right track. I scripted it since it got tiresome and 
> it solved the replication problem, for a while, but now it reappeared 
> (that's the message above).
>
> This started on September 25, when I upgraded dc2 from stretch to 
> buster. A few days later I also upgraded dc1 (it was still running 
> jessie).
>
> I'm using internal dns and the dhcp server talks to dc1 to update the 
> dns records, that would explain why there are records to replicate but 
> doesn't explain why samba fails (when it didn't before).

How is the dhcp server updating the dns records ?

Rowland