For the domain, I used ad.MYDOMAIN, so the DCs are in fact authoritative for that
domain.
So, I'll try to explain a bit better how it's done here.
We have 3 DNS servers: one at our registrar that manages MYDOMAIN, an internal
recursive server and the AD DNS server.
But, as requested by my higher-ups, I haven't put a delegation for
ad.MYDOMAIN at the registrar because they didn't want that to be public.
Thus, I had to find a way to still make it work.
So, my solution was to configure the internal recursive DNS to have the zone
ad.MYDOMAIN which was a zone transfer to the AD. Here is the config on the
recursive DNS side:
    // Reverse zone for 192.168.0.0/16, pulled from the AD DC by zone transfer
    zone "168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.XX.XX; };
    };
    // The AD domain zone itself; the DC (192.168.XX.XX) is the master
    zone "ad.MYDOMAIN" IN {
        type slave;
        masters { 192.168.XX.XX; };
    };
    // _msdcs is a separate zone on Samba AD, so it needs its own slave entry
    zone "_msdcs.ad.MYDOMAIN" IN {
        type slave;
        masters { 192.168.XX.XX; };
    };
Doing that made the ad.MYDOMAIN zone available to all the computers
inside the company. It's probably not the best way. A delegation would have
been better, but it was a way to make it work. And it works fine, except for
maybe this duplicated PDC record.
Nicolas
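Since the thread is about finding out whether the duplicated PDC record comes back after the clean-up, here is a small checker, added as an example (it is not from the original mail or from Samba) that parses the zone-file-style output a zone transfer produces (for instance `dig AXFR _msdcs.ad.example.com @dc`), reports SRV records that appear more than once, and lists which hosts the `_ldap._tcp.pdc` record points to. A domain has exactly one PDC emulator, so that record should resolve to exactly one target; more than one means a stale entry from an earlier role move. The zone name `_msdcs.ad.example.com`, the host names and the embedded AXFR text are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of an AXFR listing for the _msdcs zone. The pdc SRV record
# for dc1 is present twice, and a stale pdc record still points at dc2.
SAMPLE_AXFR = """\
_msdcs.ad.example.com. 3600 IN SOA dc1.ad.example.com. hostmaster.ad.example.com. 42 900 600 86400 3600
_msdcs.ad.example.com. 900 IN NS dc1.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc1.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc1.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc2.ad.example.com.
_ldap._tcp.dc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc1.ad.example.com.
_ldap._tcp.dc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc2.ad.example.com.
; dig prints comment lines starting with a semicolon; they are ignored below
"""

# owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def normalise(name):
    """DNS names are case-insensitive; drop the trailing dot for comparison."""
    return name.lower().rstrip(".")


def parse_srv(text):
    """Return a list of (owner, priority, weight, port, target) tuples for
    every SRV record in zone-file-style text. Non-SRV records are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            records.append((
                normalise(m["name"]),
                int(m["prio"]), int(m["weight"]), int(m["port"]),
                normalise(m["target"]),
            ))
    return records


def find_duplicates(records):
    """Map each SRV record that occurs more than once to its occurrence count."""
    return {rec: n for rec, n in Counter(records).items() if n > 1}


def pdc_targets(records, zone):
    """Hosts advertised as PDC emulator for the given _msdcs zone.
    There is one PDC emulator per domain, so a healthy zone yields one host."""
    owner = f"_ldap._tcp.pdc.{normalise(zone)}"
    return sorted({r[4] for r in records if r[0] == owner})


def report(text, zone):
    records = parse_srv(text)
    dups = find_duplicates(records)
    pdcs = pdc_targets(records, zone)
    lines = [f"{len(records)} SRV records parsed"]
    for rec, n in dups.items():
        lines.append(f"DUPLICATE x{n}: {rec[0]} -> {rec[4]}:{rec[3]}")
    if len(pdcs) > 1:
        lines.append(f"STALE: {len(pdcs)} hosts advertised as PDC emulator: {', '.join(pdcs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AXFR, "_msdcs.ad.example.com"))
```

Run it against real AXFR output by feeding `dig AXFR` output to `parse_srv` instead of the sample text; since the internal recursive server only holds a copy, query the DC (the master) to see the records as AD publishes them, and the slave to confirm the transfer carried the same set.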
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Monday 14 July 2025 14:13
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Duplicate PDC records in _msdcs zone
On Mon, 14 Jul 2025 12:02:06 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:
> Hello,
>
> As you have assumed, I never moved the PDC_Emulator role 15,000
> times. I've done it maybe like 10-20 times, two times per update I've
> had. I don't think it's related to the zone transfer. We do a zone
> transfer because the internal DNS at my company aren't the DCs and
> that we had some issue with a delegation but it worked great with
> zone transfer. But I don't remember what the issue was as it was from
> two years ago. I've done a loop to delete all the unnecessary DNS
> entries and I'll check if the number goes up again with time or if
> it's stable.
>
There may be light at the end of the tunnel.
It sounds like you used your company's DNS domain for the AD domain
instead of a subdomain, i.e. your company's DNS domain is 'example.com'
and you used that instead of something like 'ad.example.com'. Doing
that would make your company's DNS servers authoritative for the AD
DNS domain as well as the AD DCs.
Your DCs should be authoritative for the AD domain and your company's
DNS servers shouldn't.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba