[Samba] pdc emulator dns record missing after transferring role

Rowland penny rpenny at samba.org
Wed Mar 18 12:07:18 UTC 2020


On 18/03/2020 11:25, Alex via samba wrote:
> Hi,
>
> Samba: 4.12.0
>
> During the migration from Windows DCs to Samba DCs, the following issue came up:
> after transferring PDC emulator role to a samba DC, the according DNS record
> wasn't re-created:
>
> # samba-tool fsmo show -d 0 | grep PdcEmulationMasterRole
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
>
> # dig _ldap._tcp.pdc._msdcs.abisoft.biz any
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> _ldap._tcp.pdc._msdcs.domain.com any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40894
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; ANSWER SECTION:
> _ldap._tcp.pdc._msdcs.domain.com. 600 IN SRV    0 100 389 vm-dc1.domain.com.
>
> # samba-tool fsmo transfer --role pdc -Uadministrator
> FSMO transfer of 'pdc' role successful
>
> # samba-tool fsmo show -d 0 | grep PdcEmulationMasterRole
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VM-DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
>
> # dig _ldap._tcp.pdc._msdcs.abisoft.biz any
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> _ldap._tcp.pdc._msdcs.domain.com any
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22457
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> After transferring the PDC role back to Windows DC, the record was re-created.
>
> Am I missing something here or it's a bug?
>
Yes and no (well, not in the way you are thinking).

Yes, you are missing the fact that the dns_update_list has this:

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

If this is the DC with the PDC Emulator role, but doesn't have the 
required dns record, samba_dnsupdate should create it next time it is 
run and Samba runs it regularly.

No, it isn't a bug, except after checking on my domain, I find I have 
two dns records for _ldap._tcp.pdc._msdcs.samdom.example.com and you can 
only have one PDC Emulator. I will have to examine the code (it could 
just be my domain), but it is possible that there is no code to delete 
the dns record if the computer isn't the PDC Emulator.

Rowland
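An added example, not code from the thread or from Samba itself, that models the two checks the reply above implies: expanding a dns_update_list line according to the roles a DC holds (the ${IF_PDC} gate), and auditing the PDC SRV record against the current FSMO owner so that both the missing record Alex saw and the duplicate records Rowland found are flagged. It assumes ${HOSTNAME} expands to the DC's FQDN and uses constructed sample data.

```python
import re

# Constructed sample in the dns_update_list format quoted above (the IF_PDC line
# is the one cited in the reply; the other SRV line is illustrative).
SAMPLE_UPDATE_LIST = """\
# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
"""

COND = re.compile(r'^\$\{IF_([A-Z]+)\}')   # e.g. ${IF_PDC}

def expand_update_list(template, hostname, dnsdomain, roles):
    """Expand dns_update_list lines for one DC. `hostname` is assumed to be
    the DC's FQDN; `roles` is the set of role flags it holds (e.g. {"PDC"}).
    Lines prefixed ${IF_X} are kept only when X is in `roles`.
    Returns (rtype, name, target, port) tuples for SRV lines."""
    records = []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = COND.match(line)
        if m:
            if m.group(1) not in roles:
                continue            # role-gated line and this DC lacks the role
            line = line[m.end():]
        line = line.replace('${DNSDOMAIN}', dnsdomain).replace('${HOSTNAME}', hostname)
        parts = line.split()
        if parts[0] == 'SRV' and len(parts) == 4:
            records.append(('SRV', parts[1].lower(), parts[2].lower(), int(parts[3])))
    return records

def audit_pdc_srv(dnsdomain, pdc_owner_host, srv_answers):
    """Compare what DNS returns for the PDC SRV name with the single record the
    FSMO owner should publish. `srv_answers` maps a name to its (target, port)
    answers; an absent name stands for NXDOMAIN, as in the dig output above.
    Returns findings as ('missing', target) or ('stale', target)."""
    name = f'_ldap._tcp.pdc._msdcs.{dnsdomain}'.lower()
    want = f'{pdc_owner_host}.{dnsdomain}'.lower()
    actual = {t.lower().rstrip('.') for t, _ in srv_answers.get(name, [])}
    findings = []
    if want not in actual:
        findings.append(('missing', want))      # the post-transfer NXDOMAIN case
    findings += [('stale', t) for t in sorted(actual - {want})]   # the two-record case
    return findings
```

Feed `audit_pdc_srv` the owner from `samba-tool fsmo show` and the answers from `dig` after each role transfer; an empty findings list means DNS agrees with the FSMO state.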
