[Samba] dns_delete_tombstones error messages

Norbert Hanke norbert.hanke at gmx.ch
Sat Mar 8 13:03:41 UTC 2025 

On 3/8/2025 1:03 PM, Rowland Penny via samba wrote:
> On Sat, 8 Mar 2025 11:24:52 +0100
> Norbert Hanke via samba <samba at lists.samba.org> wrote:
>
>> On 3/7/2025 11:57 AM, Rowland Penny via samba wrote:
>>> On Thu, 6 Mar 2025 22:24:47 +0100
>>> Norbert Hanke via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Since quite some time I see error messages like this in sysslog, on
>>>> all my Samba Domain Controllers:
>>>>
>>>> Mar  6 12:40:41 dc1 daemon.err samba[448205]: [2025/03/06
>>>> 12:40:41.899326,  0]
>>>> source4/dsdb/kcc/scavenge_dns_records.c:470(dns_delete_tombstones)
>>>> Mar  6 12:40:41 dc1 daemon.err samba[448205]:
>>>> dns_delete_tombstones: The tombstoned dns node
>>>> DC=E7450,DC=ad.mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=mydomain,DC=tld
>>>> has 611 dns records, expected one.
>>>>
>>>> How can I get rid of these 610 extra tombstones?
>>>>
>>> Provided that the tombstoned records are in the form
>>> '......0ADEL.......', then you can use samba-tool on a DC:
>>>
>>> sudo samba-tool domain tombstones expunge --tombstone-lifetime=0
>>>
>>> Usually warnings apply, make sure you have a good backup first.
>>>
>>> Rowland
>> I already do that every day as part of housekeeping, and it seems to
>> have no effect:
>>
>> # samba-tool domain tombstones expunge --tombstone-lifetime=0
>> --use-kerberos=required
>> Removed 0 objects and 0 links successfully
>>
>> Norbert
>>
>>
> According to that, you have no tombstoned records.
>
> Try running this:
>
> ldbsearch --cross-ncs --show-binary -H ldap://dc.ad.mydomain.tld -P -b
> "DC=E7450,DC=ad.mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=mydomain,DC=tld"
> -s base '(objectClass=dnsNode)'
>
> NOTE: that is all on one line and you need to alter it to suit your
> domain.
>
> It should produce the dns record for 'E7450' and among the output there
> should just one of these blocks:
>
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>          wDataLength              : 0x0004 (4)
>          wType                    : DNS_TYPE_A (1)
>          version                  : 0x05 (5)
>          rank                     : DNS_RANK_ZONE (240)
>          flags                    : 0x0000 (0)
>          dwSerial                 : 0x000000e5 (229)
>          dwTtlSeconds             : 0x00000384 (900)
>          dwReserved               : 0x00000000 (0)
>          dwTimeStamp              : 0x00000000 (0)
>          data                     : union dnsRecordData(case 1)
>          ipv4                     : 192.168.1.141
>
> I think you might have 611 such blocks, if so, you need to delete the
> excess A records.
>
> Rowland

Thanks Roland!

Yes, there were indeed 611 such records, for two different ipv4
addresses: 518 for one address and 93 for the other one.

I successfully deleted all of them with

# ldbdel -H ldap://dc1.ad.mydomain.tld -P
"DC=E7450,DC=ad.mydomain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=mydomain,DC=tld"

Norbert

More information about the samba mailing list