Hello,
As you have assumed, I never moved the PDC_Emulator role 15,000 times. I've
done it maybe like 10-20 times, two times per update I've had.
I don't think it's related to the zone transfer. We do a zone transfer
because the internal DNS servers at my company aren't the DCs, and we had some
issue with a delegation, but it worked great with a zone transfer. I don't
remember what the issue was, as it was from two years ago.
I've done a loop to delete all the unnecessary DNS entries and I'll
check if the number goes up again with time or if it's stable.
Thanks for your help,
Nicolas Martinussen
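The check described in this thread (count each record in a `dig AXFR` dump and look for copies) and the clean-up loop that follows it, written out as an added example that is not part of the list post or of Samba itself. It parses constructed AXFR-style lines, reports any SRV record present more than once, and builds the `samba-tool dns delete` commands for the surplus records. Assumptions: the zone is dumped in the tab-separated format `dig` prints, `samba-tool dns delete` takes the owner name relative to the zone, and its SRV data is written as `"<target> <port> <priority> <weight>"` (verify against `samba-tool dns delete --help` on your version before running anything it prints).

```python
"""Detect duplicated SRV records in an AXFR dump and build clean-up commands.

Added example for this thread, not Samba project code. Sample data below is
constructed; the record counts are not from the list post.
"""
import re
from collections import Counter

# Constructed AXFR-style output: the PDC SRV record three times, the GC SRV
# record once, and the SOA that dig prints at the start and end of a transfer.
SAMPLE_AXFR = """\
_msdcs.MYDOMAIN.\t900\tIN\tSOA\tdc-01.MYDOMAIN. hostmaster.MYDOMAIN. 42 900 600 86400 3600
_ldap._tcp.pdc._msdcs.MYDOMAIN.\t900\tIN\tSRV\t0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.pdc._msdcs.MYDOMAIN.\t900\tIN\tSRV\t0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.pdc._msdcs.MYDOMAIN.\t900\tIN\tSRV\t0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.gc._msdcs.MYDOMAIN.\t900\tIN\tSRV\t0 100 3268 dc-01.MYDOMAIN.
_msdcs.MYDOMAIN.\t900\tIN\tSOA\tdc-01.MYDOMAIN. hostmaster.MYDOMAIN. 42 900 600 86400 3600
"""

# dig presentation format for SRV: <owner> <ttl> IN SRV <prio> <weight> <port> <target>
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def count_srv_records(axfr_text):
    """Count SRV records keyed by (owner, priority, weight, port, target).

    Equivalent to the `sort | uniq -c` in the post, restricted to SRV lines.
    """
    counts = Counter()
    for line in axfr_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            key = (m["name"], int(m["prio"]), int(m["weight"]),
                   int(m["port"]), m["target"])
            counts[key] += 1
    return counts


def find_duplicates(axfr_text):
    """Return {key: count} for every SRV record that appears more than once."""
    return {k: n for k, n in count_srv_records(axfr_text).items() if n > 1}


def pdc_record_count(axfr_text, zone):
    """How many PDC-emulator SRV records the zone holds; a healthy zone has 1.

    Useful as the recurring check for whether the count climbs again after
    a clean-up.
    """
    owner = "_ldap._tcp.pdc." + zone.rstrip(".") + "."
    return sum(n for (name, *_), n in count_srv_records(axfr_text).items()
               if name == owner)


def cleanup_commands(axfr_text, server, zone):
    """Build one samba-tool delete command per duplicated SRV record.

    Whether a single delete removes all identical copies or only one is not
    something this example assumes: re-run the count afterwards and repeat
    (loop) until every record is down to one copy.
    """
    cmds = []
    suffix = "." + zone.rstrip(".")
    for (name, prio, weight, port, target), _n in sorted(find_duplicates(axfr_text).items()):
        rel = name.rstrip(".")
        if rel.endswith(suffix):
            rel = rel[: -len(suffix)]        # samba-tool wants the zone-relative name
        data = f"{target.rstrip('.')} {port} {prio} {weight}"  # assumed SRV data order
        cmds.append(f"samba-tool dns delete {server} {zone} {rel} SRV '{data}'")
    return cmds


if __name__ == "__main__":
    zone = "_msdcs.MYDOMAIN"
    print("PDC SRV copies:", pdc_record_count(SAMPLE_AXFR, zone))
    for key, n in find_duplicates(SAMPLE_AXFR).items():
        print(f"{n}x {key[0]} SRV {key[1]} {key[2]} {key[3]} {key[4]}")
    for cmd in cleanup_commands(SAMPLE_AXFR, "dc-01", zone):
        print(cmd)
```

To use it against a live zone, feed the output of `dig @<dc> _msdcs.MYDOMAIN AXFR` into the functions instead of `SAMPLE_AXFR`, review the printed commands, then re-run the count after deleting; a count that stays at one confirms the zone is stable.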
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Monday, 14 July 2025 12:12
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Duplicate PDC records in _msdcs zone
ATTENTION: This e-mail comes from a person outside your organisation.
Do not click on links or open attachments unless you trust the sender and
are certain that the content is safe.
On Mon, 14 Jul 2025 09:52:26 +0000
Nicolas Martinussen via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I have a strange issue with my _msdcs zone. The PDC record
> (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times...
Now that is strange, not that you have multiple dns records for the
PDC_Emulator role owner, but that you have so many.
While there is code to check for a dns record for the current
PDC_Emulator role owner and create it if it doesn't exist, there is no
code to delete the old dns record when the role is moved, so have you
really moved the role 15,000 times?
Could it have anything to do with all the zone transfers you are doing?
Why are you doing the zone transfers?
> I've discovered
> it because the DNS that does the transfer of that zone complained
> about too many records. After checking, I in fact got a lot of
> records:
> ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
>
> For the other records, I get only one instance for each, so it's just
> the PDC record.
>
> Here is my smb.conf
> [global]
> netbios name = DC-01
> realm = MYDOMAIN
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> dns zone transfer clients allow = 192.168.102.102 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138 192.168.103.139
> dns zone scavenging = yes
>
> # WINS
> wins support = yes
> dns proxy = yes
> # WINS
>
> # TLS
> tls enabled = yes
> tls keyfile = tls/dc-01.2023.key
> tls certfile = tls/dc-01.2023.crt
> tls cafile = tls/CA/joskin_AD_CA.2023.crt
> # TLS
>
> [sysvol]
> path = /data/sysvol
> read only = No
>
> [netlogon]
> path = /data/sysvol/MYDOMAIN/scripts
> read only = No
>
> And here is my named.conf
> options {
> listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> secroots-file "/var/named/data/named.secroots";
> recursing-file "/var/named/data/named.recursing";
>
> allow-query { 192.168.0.0/16; };
> auth-nxdomain yes;
> notify no;
> empty-zones-enable no;
> recursion yes;
> allow-transfer { 192.168.YY.YY; };
> tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> minimal-responses yes;
>
> forwarders { 192.168.YY.YY; };
>
> managed-keys-directory "/var/named/dynamic";
>
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> include "/usr/local/samba/bind-dns/named.conf";
>
> I have absolutely no idea what can cause that and how to resolve
> that.
I have, see above.
The fix is simple: delete all the incorrect dns records.
I tried to add the code to delete the record when the FSMO role was
moved, but it is extremely difficult as the required 'permissions' do
not get passed down to where the role is transferred.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba