Hello,
I've just discovered a bogus record in the _msdcs zone which exists on the Samba DC
(vm-dc4, 4.12.2) only and is missing on the PDC (vm-dc1, Windows Server 2008 R2):
# samba-tool dns query localhost _msdcs.domain.com @ ALL -U administrator 2>/dev/null
Password for [DOMAIN\administrator]:
  Name=, Records=3, Children=0
    NS: vm-dc1.domain.com. (flags=600000f0, serial=181, ttl=3600)
    NS: vm-dc4.domain.com. (flags=600000f0, serial=181, ttl=3600)
    SOA: serial=181, refresh=900, retry=600, expire=86400, minttl=3600,
ns=vm-dc1.domain.com., email=hostmaster.domain.com. (flags=600000f0, serial=181,
ttl=3600)
  Name=com, Records=0, Children=1                                      <- this one (notice it has children)
  Name=a4a6a0f0-a085-4a01-84ff-7b7b00081575, Records=1, Children=0
    CNAME: vm-dc1.domain.com. (flags=f0, serial=110, ttl=600)
  Name=aae5c8b4-5d21-4030-884a-e5dc2ca963df, Records=1, Children=0
    CNAME: vm-dc4.domain.com. (flags=f0, serial=169, ttl=900)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1
I can also see it in DNS Manager MMC. However, I'm unable to delete it:
[2020/05/18 15:56:26.881194,  0]
../../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1610(dnsserver_operate_zone)
  dnsserver: zone operation 'DeleteNode' not implemented    
DnssrvOperation2: struct DnssrvOperation2
          in: struct DnssrvOperation2
              dwClientVersion          : DNS_CLIENT_VERSION_LONGHORN (458752)
              dwSettingFlags           : 0x00000000 (0)
              pwszServerName           : *
                  pwszServerName           : 'vm-dc4'
              pszZone                  : *
                  pszZone                  : '_msdcs.domain.com'
              dwContext                : 0x00000000 (0)
              pszOperation             : *
                  pszOperation             : 'DeleteNode'
              dwTypeId                 : DNSSRV_TYPEID_NAME_AND_PARAM (15)
              pData                    : union DNSSRV_RPC_UNION(case 15)
              NameAndParam             : *
                  NameAndParam: struct DNS_RPC_NAME_AND_PARAM
                      dwParam                  : 0x00000001 (1)
                      pszNodeName              : *
                          pszNodeName              : 'com._msdcs.domain.com'
Also I can't query it (there should be children as we saw above):
# samba-tool dns query localhost _msdcs.domain.com com ALL -U administrator 2>/dev/null
Password for [DOMAIN\administrator]:
#
Compare with the same query against the gc subdomain:
# samba-tool dns query localhost _msdcs.domain.com gc ALL -U administrator 2>/dev/null
Password for [DOMAIN\administrator]:
  Name=, Records=2, Children=0
    A: 172.26.1.84 (flags=f0, serial=190, ttl=900)
    A: 172.26.1.81 (flags=f0, serial=190, ttl=600)
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=1
Questions:
1. Is it safe to delete it using ADSIEdit (for example)?
2. Why can't I query and/or delete it using standard means?
-- 
Best regards,
Alex
On 18/05/2020 14:15, Alex via samba wrote:
> Questions:
> 1. Is it safe to delete it using ADSIEdit (for example)

Yes, but I would use ldbdel

> 2. Why can't I query and/or delete it using standard means?

Probably because it is a wrong record ?

Try running this on a DC:

ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -b 'DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com' -s sub '(objectClass=dnsNode)'

You might have to divert the output to a file to capture all the output, you should then be able to work out the ldbdel command.

Rowland
>>> 2. Why can't I query and/or delete it using standard means?
>> Probably because it is a wrong record ?
>> Try running this on a DC:
>> ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -b
>> 'DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com'
>> -s sub '(objectClass=dnsNode)'
> Thanks, Rowland. I've just tried your command but the output does not contain
> that bogus record. I even tried to remove the objectClass filter - still no
> luck.

One record I've finally found that looks suspicious:

# ldbsearch --cross-ncs --show-binary -H /usr/local/samba/private/sam.ldb -b 'DC=vm-dc4.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com' -s sub
# record 1
dn: DC=vm-dc4.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20200318110215.0Z
whenChanged: 20200318110215.0Z
uSNCreated: 13282
uSNChanged: 13282
showInAdvancedViewOnly: TRUE
name: vm-dc4.domain.com.
objectGUID: 80170015-b113-4435-bb33-ba60f4f9f608
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0004 (4)
        wType                    : DNS_TYPE_A (1)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_GLUE (128)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000000b6 (182)
        dwTtlSeconds             : 0x00000e10 (3600)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 1)
            ipv4                     : 172.26.1.84
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=domain,DC=com
dc: vm-dc4.domain.com.
distinguishedName: DC=vm-dc4.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com

I considered it suspicious b/c no similar record exists for vm-dc1:

# ldbsearch --cross-ncs --show-binary -H /usr/local/samba/private/sam.ldb -b DC=vm-dc1.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com -s sub
search error - No such Base DN: DC=vm-dc1.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com

What do you think?

-- 
Best regards,
Alex
On 18/05/2020 18:27, Alex wrote:
>>>> 2. Why can't I query and/or delete it using standard means?
>>> Probably because it is a wrong record ?
>>> Try running this on a DC:
>>> ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -b
>>> 'DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com'
>>> -s sub '(objectClass=dnsNode)'
>> Thanks, Rowland. I've just tried your command but the output does not contain
>> that bogus record. I even tried to remove the objectClass filter - still no
>> luck.
> One record I've finally found that looks suspicious:
> # ldbsearch --cross-ncs --show-binary -H /usr/local/samba/private/sam.ldb -b 'DC=vm-dc4.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com' -s sub
> 
> # record 1
> dn: DC=vm-dc4.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20200318110215.0Z
> whenChanged: 20200318110215.0Z
> uSNCreated: 13282
> uSNChanged: 13282
> showInAdvancedViewOnly: TRUE
> name: vm-dc4.domain.com.
> objectGUID: 80170015-b113-4435-bb33-ba60f4f9f608
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x0004 (4)
>         wType                    : DNS_TYPE_A (1)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_GLUE (128)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x000000b6 (182)
>         dwTtlSeconds             : 0x00000e10 (3600)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00000000 (0)
>         data                     : union dnsRecordData(case 1)
>             ipv4                     : 172.26.1.84
> 
> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=domain,DC=com
> dc: vm-dc4.domain.com.
> distinguishedName: DC=vm-dc4.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com
> 
> I considered it suspicious b/c no similar record exists for vm-dc1:
> # ldbsearch --cross-ncs --show-binary -H /usr/local/samba/private/sam.ldb -b DC=vm-dc1.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com -s sub
> search error - No such Base DN: DC=vm-dc1.domain.com.,DC=_msdcs.domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com
> 
> What do you think?
>

Strange, I do not have any computer (let alone DC) records in the forest zone, this is one of my DC's record:

dn: DC=DC01,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20200306135346.0Z
whenChanged: 20200306135346.0Z
uSNCreated: 1367771
showInAdvancedViewOnly: TRUE
name: DC01
objectGUID: 2db5ee07-6361-4c40-b2c2-d321cda9e311
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0004 (4)
        wType                    : DNS_TYPE_A (1)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000318c1 (202945)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 1)
            ipv4                     : 192.168.0.8
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: DC01
uSNChanged: 1367772
distinguishedName: DC=DC01,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

Do you have similar records for your DC's ?

Rowland