On Tue, 16 Jul 2024 21:52:14 +0200
Heiko Robert via samba <samba at lists.samba.org> wrote:
> Dear samba experts,
>
> I run a samba-ad (Version 4.15.13-Ubuntu) for a small organisation
> since several years without issues so far (originally instantiated by
> a QNAP system, then moved years ago to a separate Ubuntu Server via
> ad replication and then demoting the original ad from qnap)
>
> Now I realized that there are issues while trying to join a second AD.
>
> So I tried a `samba-tool dbcheck --cross-ncs` on the main server but
> just got an uncaught exception on CN=Deleted Objects. Does this mean
> I need to delete these objects manually using tdbtool or what would
> be the best way to fix this?
> hint: the zone 192.168.11 had been deleted manually via RSAT DNS tool
> end of last year.
>
> output from dbcheck command:
>
> NOTE: old (due to rename or delete) DN string component for lastKnownParent in object DC=35\0ADEL:051e3f6a-94ee-4cd1-be44-07fb811b216a,CN=Deleted Objects,DC=DomainDnsZones,DC=company,DC=intra - DC=11.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=company,DC=intra

That is a tombstone record, you might be able to remove it, see:

samba-tool domain tombstones expunge --help

> Not fixing old string component
> ERROR(ldb): uncaught exception - ldb_wait from (null) with LDB_WAIT_ALL: Operations error (1)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/dbcheck.py", line 169, in run
>     error_count = chk.check_database(DN=DN, scope=search_scope,
>   File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 255, in check_database
>     error_count += self.check_object(object.dn, requested_attrs=attrs)
>   File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 2310, in check_object
>     res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,
>
>
> Before you ask: Yes I have backups but only for 1 month and I guess
> the inconsistency may exist since years or at least months but nobody
> realized.
>
> Since there are only a view entries in the DNS partition: would it be
> an option to recreate / replace just the DNS database
> ('DC=DOMAINDNSZONES,DC=COMPANY,DC=INTRA.ldb')?

Do not remove the existing database, well not unless you want to
recreate your domain.

The thing I am worried about is where it says above 'view entries', I
do hope that is very bad English and that you are not somehow using
'views'. If it should be 'few entries', then again that doesn't sound
quite right, there should be quite a lot of 'A' records etc in there.

Rowland