[Samba] Duplicate PDC SRV records in DNS and can't delete the wrong one with samba-tool

Mon Mar 13 20:58:19 UTC 2023

Hi,

I transferred FSMO roles from my DC2 to my DC1, and that looks ok from
samba-tool point of view:

# samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld
ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=mydomain,DC=tld

But in DNS I now have 2 SRV entries for the PDC role:

# host -t SRV _ldap._tcp.pdc._msdcs.ad.mydomain.tld dc1.ad.mydomain.tld
Using domain server:
Name: dc1.ad.mydomain.tld
Address: 10.88.1.8#53
Aliases:

_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389
dc2.ad.mydomain.tld.
_ldap._tcp.pdc._msdcs.ad.mydomain.tld has SRV record 0 100 389
dc1.ad.mydomain.tld.

samba-tool also sees 2 records:

# samba-tool dns query dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld
_tcp.pdc SRV
Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name
dc1.ad.mydomain.tld<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
dc1.ad.mydomain.tld<0x20>
   Name=, Records=0, Children=0
   Name=_ldap, Records=2, Children=0
     SRV: dc2.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)
     SRV: dc1.ad.mydomain.tld. (389, 0, 100) (flags=f0, serial=458, ttl=900)

That is wrong: the record with dc2 should not exist and I would expect
it gets deleted and the one with dc1 created while transferring the fsmo
role.

I tried to manually delete the wrong record but that does not work:

# samba-tool dns delete dc1.ad.mydomain.tld _msdcs.ad.mydomain.tld
_tcp.pdc SRV 'dc2.ad.mydomain.tld 389 0 100'
Using binding ncacn_ip_tcp:dc1.ad.mydomain.tld[,sign]
resolve_lmhosts: Attempting lmhosts lookup for name
dc1.ad.mydomain.tld<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
dc1.ad.mydomain.tld<0x20>
ERROR: Record does not exist; record could not be deleted.
zone[_msdcs.ad.mydomain.tld] name[_tcp.pdc]
   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1223,
in run
dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,

Is this a bug, or am I doing something wrong? Any help is appreciated.

Deleting that record using the Windows MMC DNS snap-in works.

Regards, Norbert