[Samba] Moving FSMO roles doesn't affect SRV records in DNS?

Rowland penny rpenny at samba.org
Wed Sep 23 13:26:47 UTC 2020

On 23/09/2020 12:40, Peter Boos via samba wrote:
> We've added an extra DC for redundancy to the Debian based Active Directory.
> We updated our older Samba version to the current one, and joined a new DC.
> Then the commands were given to move all the FSMO roles,
> which we verified with "samba-tool fsmo show", which showed that all roles are on the new DC.
> However, in DNS all underscore SRV records of the AD services still point to the old server.
> Not sure how Samba handles it, though, as the virtual PDC emulator is pointing to the old DNS server.
> The old DC still seems to handle all logons now.
> As we verified by cmd command set in Win 10 clients (showing logon server as the old DC).
>   Is this normal behaviour for Samba, are SRV records not updated?
> I find it strange and am wondering if our AD is now running as intended.
> How to verify Samba.

This is the way it is supposed to work: Every so often, samba_dnsupdate 
is run on a DC, this uses a file 'dns_update_list'. Any missing files 
from the list are created. One of the lines from the list is this:

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    

I think if you check again, you will now have the required SRV record, 
but you may also have another record for the old pdc_emulator role 
owner. Whilst it seems there is code to add the _ldap._tcp.pdc record, 
there doesn't seem to be any to remove it from the old role owner.

You can remove the incorrect record (if you have it) with 'samba-tool 
dns delete'.
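
The check described in the reply above, as an added example that is not part of the original post or of Samba itself: it compares the PDC emulator owner reported by `samba-tool fsmo show` with the targets of the `_ldap._tcp.pdc._msdcs` SRV record and lists any target that is not the current owner. The function names, the use of `dig +short SRV` for the lookup, and the sample domain `samdom.example.com` with hosts `dc1`/`dc2` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list PDC-emulator SRV targets that no longer match the role owner.
# Live use (assumed domain name, run on a DC):
#   owner=$(samba-tool fsmo show | pdc_owner)
#   dig +short SRV _ldap._tcp.pdc._msdcs.samdom.example.com | stale_pdc_targets "$owner"

# Constructed sample of `samba-tool fsmo show` output after the roles were moved to DC2.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Constructed sample of `dig +short SRV` output: "priority weight port target."
# The dc1 line stands for the leftover record of the old role owner.
SAMPLE_SRV='0 100 389 dc1.samdom.example.com.
0 100 389 dc2.samdom.example.com.'

# stdin: `samba-tool fsmo show` output. Prints the owner's short host name, lowercased.
pdc_owner() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# $1: short host name of the current owner. stdin: SRV answer lines.
# Prints every SRV target whose first DNS label is not the owner.
stale_pdc_targets() {
    awk -v owner="$1" '
        NF == 4 {
            target = tolower($4)
            sub(/\.$/, "", target)        # drop the trailing root dot
            split(target, labels, ".")
            if (labels[1] != owner) print target
        }'
}

# Run the check on the constructed samples above.
check_sample() {
    sample_owner=$(printf '%s\n' "$SAMPLE_FSMO" | pdc_owner)
    printf 'PDC emulator owner: %s\n' "$sample_owner"
    printf '%s\n' "$SAMPLE_SRV" | stale_pdc_targets "$sample_owner" |
        while read -r t; do printf 'stale SRV target: %s\n' "$t"; done
}

check_sample
```

Any target it lists is a candidate for removal with the `samba-tool dns delete` command mentioned in the reply.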

