Hello,
I have a strange issue with my _msdcs zone. The PDC record
(_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it
because the DNS that does the transfer of that zone complained about too many
records. After checking, I in fact got a lot of records:
~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
For the other records, I get only one instance for each, so it's just the
PDC record.
Here is my smb.conf
[global]
netbios name = DC-01
realm = MYDOMAIN
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MYDOMAIN
idmap_ldb:use rfc2307 = yes
dns zone transfer clients allow = 192.168.102.102 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138 192.168.103.139
dns zone scavenging = yes
# WINS
wins support = yes
dns proxy = yes
# WINS
# TLS
tls enabled = yes
tls keyfile = tls/dc-01.2023.key
tls certfile = tls/dc-01.2023.crt
tls cafile = tls/CA/joskin_AD_CA.2023.crt
# TLS
[sysvol]
path = /data/sysvol
read only = No
[netlogon]
path = /data/sysvol/MYDOMAIN/scripts
read only = No
And here is my named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { 192.168.0.0/16; };
auth-nxdomain yes;
notify no;
empty-zones-enable no;
recursion yes;
allow-transfer { 192.168.YY.YY; };
tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
minimal-responses yes;
forwarders { 192.168.YY.YY; };
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
include "/usr/local/samba/bind-dns/named.conf";
I have absolutely no idea what can cause that and how to resolve that. Is there
somebody that could maybe help me?
Thanks in advance,
Nicolas Martinussen
On Mon, 14 Jul 2025 09:52:26 +0000 Nicolas Martinussen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have a strange issue with my _msdcs zone. The PDC record
> (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times...

Now that is strange, not that you have multiple dns records for the PDC_Emulator role owner, but that you have so many. While there is code to check for a dns record for the current PDC_Emulator role owner and create it if it doesn't exist, there is no code to delete the old dns record when the role is moved, so, have you really moved the role 15,000 times? Could it have anything to do with all the zone transfers you are doing? Why are you doing the zone transfers?

> I've discovered
> it because the DNS that does the transfer of that zone complained
> about too many records. After checking, I in fact got a lot of
> records: ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c
> | sort -nr 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389
> dc-01.MYDOMAIN.
>
> For the other records, I get only one instance for each, so it's just
> the PDC record.
>
> Here is my smb.conf
> [global]
> netbios name = DC-01
> realm = MYDOMAIN
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> dns zone transfer clients allow = 192.168.102.102
> 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138
> 192.168.103.139
> dns zone scavenging = yes
>
> # WINS
> wins support = yes
> dns proxy = yes
> # WINS
>
> # TLS
> tls enabled = yes
> tls keyfile = tls/dc-01.2023.key
> tls certfile = tls/dc-01.2023.crt
> tls cafile = tls/CA/joskin_AD_CA.2023.crt
> # TLS
>
> [sysvol]
> path = /data/sysvol
> read only = No
>
> [netlogon]
> path = /data/sysvol/MYDOMAIN/scripts
> read only = No
>
> And here is my named.conf
> options {
> listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> secroots-file "/var/named/data/named.secroots";
> recursing-file "/var/named/data/named.recursing";
>
> allow-query { 192.168.0.0/16; };
> auth-nxdomain yes;
> notify no;
> empty-zones-enable no;
> recursion yes;
> allow-transfer { 192.168.YY.YY; };
> tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> minimal-responses yes;
>
> forwarders { 192.168.YY.YY; };
>
> managed-keys-directory "/var/named/dynamic";
>
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> include "/usr/local/samba/bind-dns/named.conf";
>
> I have absolutely no idea what can cause that and how to resolve
> that.

I have, see above. The fix is simple, delete all the incorrect dns records.

I tried to add the code to delete the record when the FSMO role was moved, but it is extremely difficult as the required 'permissions' do not get passed down to where the role is transferred.

Rowland
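The cleanup Rowland describes, as an added example that is not part of the thread or of Samba's own tooling: it reads the AXFR dump the original post produced with dig, lists every record that appears more than once, and prints one samba-tool dns delete line per duplicated record. Assumed: dig's line format, samba-tool's delete syntax with SRV data in target/port/priority/weight order, and the constructed sample dump below.

```python
"""Spot duplicated records in a 'dig ... AXFR' dump and print cleanup commands.
Added example for this thread, not Samba's own code. Assumes dig's line format
(owner TTL class type rdata) and samba-tool's 'dns delete <server> <zone> <name>
<type> <data>' form, where SRV data is 'target port priority weight'."""
from collections import Counter

# Constructed sample modelled on the thread's dig output: the PDC SRV record
# appears three times, every other record once. AXFR repeats the SOA by design.
SAMPLE_AXFR = """\
_msdcs.MYDOMAIN. 3600 IN SOA dc-01.MYDOMAIN. hostmaster.MYDOMAIN. 1 900 600 86400 3600
_ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.gc._msdcs.MYDOMAIN. 900 IN SRV 0 100 3268 dc-01.MYDOMAIN.
_msdcs.MYDOMAIN. 3600 IN SOA dc-01.MYDOMAIN. hostmaster.MYDOMAIN. 1 900 600 86400 3600
"""

def parse_axfr(text):
    """Yield (owner, type, rdata) per record line; skip blanks and ; comments."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype = parts[:4]
        yield owner, rtype, " ".join(parts[4:])

def find_duplicates(text):
    """Map (owner, type, rdata) -> count for records seen more than once."""
    counts = Counter(r for r in parse_axfr(text) if r[1] != "SOA")
    return {rr: n for rr, n in counts.items() if n > 1}

def relative_name(owner, zone):
    """Strip the zone suffix: _ldap._tcp.pdc._msdcs.X. -> _ldap._tcp.pdc"""
    suffix = "." + zone.rstrip(".") + "."
    return owner[:-len(suffix)] if owner.endswith(suffix) else owner

def delete_command(server, zone, owner, rtype, rdata):
    """One samba-tool delete line; SRV rdata is reordered from the zone-file
    order (priority weight port target) to samba-tool's order."""
    data = rdata
    if rtype == "SRV":
        prio, weight, port, target = rdata.split()
        data = f"{target.rstrip('.')} {port} {prio} {weight}"
    name = relative_name(owner, zone)
    return f"samba-tool dns delete {server} {zone} {name} {rtype} '{data}'"

if __name__ == "__main__":
    for (owner, rtype, rdata), n in find_duplicates(SAMPLE_AXFR).items():
        print(f"# {owner} {rtype} seen {n} times")
        print(delete_command("dc-01", "_msdcs.MYDOMAIN", owner, rtype, rdata))
```

The script only prints the commands, so feed it the real dig output first and read the list before running anything; because the DC recreates the PDC record for the current role owner when it is missing (as Rowland notes), check the role holder with samba-tool fsmo show so the one record you keep, or let Samba recreate, points at the right DC.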
Hi,

At least in tcp6 the auto-dns-update seems to duplicate ip6 address to Samba.

What I have done is:

....
        bind interfaces only = yes
        interfaces = lo 192.168.1.0/24
....

Binding into one address only. Might help.

SH

On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
> Hello,
>
> I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
> ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
>
> For the other records, I get only one instance for each, so it's just the PDC record.
>
> [...]
>
> I have absolutely no idea what can cause that and how to resolve that. Is there somebody that could maybe help me?
>
> Thanks in advance,
> Nicolas Martinussen

-- 
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com