[Samba] dns_delete_tombstones error messages
Rowland Penny
rpenny at samba.org
Sat Mar 8 12:03:00 UTC 2025
On Sat, 8 Mar 2025 11:24:52 +0100
Norbert Hanke via samba <samba at lists.samba.org> wrote:
>
> On 3/7/2025 11:57 AM, Rowland Penny via samba wrote:
> > On Thu, 6 Mar 2025 22:24:47 +0100
> > Norbert Hanke via samba <samba at lists.samba.org> wrote:
> >
> >> Hi all,
> >>
> >> Since quite some time I see error messages like this in syslog, on
> >> all my Samba Domain Controllers:
> >>
> >> Mar 6 12:40:41 dc1 daemon.err samba[448205]: [2025/03/06
> >> 12:40:41.899326, 0]
> >> source4/dsdb/kcc/scavenge_dns_records.c:470(dns_delete_tombstones)
> >> Mar 6 12:40:41 dc1 daemon.err samba[448205]:
> >> dns_delete_tombstones: The tombstoned dns node
> >> DC=E7450,DC=ad.mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=mydomain,DC=tld
> >> has 611 dns records, expected one.
> >>
> >> How can I get rid of these 610 extra tombstones?
> >>
> > Provided that the tombstoned records are in the form
> > '......0ADEL.......', then you can use samba-tool on a DC:
> >
> > sudo samba-tool domain tombstones expunge --tombstone-lifetime=0
> >
> > Usually warnings apply, make sure you have a good backup first.
> >
> > Rowland
>
> I already do that every day as part of housekeeping, and it seems to
> have no effect:
>
> # samba-tool domain tombstones expunge --tombstone-lifetime=0
> --use-kerberos=required
> Removed 0 objects and 0 links successfully
>
> Norbert
>
>
According to that, you have no tombstoned records.

Try running this:

ldbsearch --cross-ncs --show-binary -H ldap://dc.ad.mydomain.tld -P -b "DC=E7450,DC=ad.mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=mydomain,DC=tld" -s base '(objectClass=dnsNode)'

NOTE: that is all on one line and you need to alter it to suit your
domain.

It should produce the dns record for 'E7450' and among the output there
should be just one of these blocks:

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength : 0x0004 (4)
    wType : DNS_TYPE_A (1)
    version : 0x05 (5)
    rank : DNS_RANK_ZONE (240)
    flags : 0x0000 (0)
    dwSerial : 0x000000e5 (229)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved : 0x00000000 (0)
    dwTimeStamp : 0x00000000 (0)
    data : union dnsRecordData(case 1)
    ipv4 : 192.168.1.141

I think you might have 611 such blocks, if so, you need to delete the
excess A records.

Rowland
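
A filter for counting and grouping the dnsRecord blocks that the ldbsearch command in the message above prints. This is an added example, not part of the original message and not Samba's own code. The function names and the sample output (including the address 192.168.1.142) are constructed, and it assumes the block layout quoted in the message.

```shell
#!/bin/sh
# Added example: summarise the dnsRecord values of one dnsNode from the
# output of `ldbsearch ... --show-binary`, read on stdin.

# Number of dnsRecord values on the node (the log message expects one).
count_dns_records() {
    grep -c '^dnsRecord:' || true
}

# One line per distinct record, "<count> <wType> <first data field>",
# most frequent first, so duplicated records stand out.
summarize_dns_records() {
    awk '
        function endrec() { if (inrec) seen[type " " data]++; inrec = 0 }
        /^dnsRecord:/ { endrec(); inrec = 1; type = "?"; data = "-"; want = 0; next }
        !inrec { next }
        # A blank line or the next LDIF attribute ends the NDR dump.
        /^$/ || /^[^ \t:]+:/ { endrec(); next }
        # The line after "data :" carries the record payload.
        want { sub(/^[ \t]+/, ""); gsub(/[ \t]+/, " "); data = $0; want = 0; next }
        $1 == "wType" { type = $3; next }
        $1 == "data"  { want = 1; next }
        END { endrec(); for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Constructed sample (not real output): three A records, two identical.
sample_output() {
    cat <<'EOF'
dn: DC=E7450,DC=ad.mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=mydomain,DC=tld
objectClass: dnsNode
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
    wType                    : DNS_TYPE_A (1)
    data                     : union dnsRecordData(case 1)
    ipv4                     : 192.168.1.141
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
    wType                    : DNS_TYPE_A (1)
    data                     : union dnsRecordData(case 1)
    ipv4                     : 192.168.1.141
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
    wType                    : DNS_TYPE_A (1)
    data                     : union dnsRecordData(case 1)
    ipv4                     : 192.168.1.142
name: E7450

EOF
}

sample_output | summarize_dns_records
```

To use it on a real node, pipe the output of the ldbsearch command above into `count_dns_records` or `summarize_dns_records` instead of `sample_output`.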