I may have found part of the reason why I had 15k entries. First, I see that I
have a SERVFAIL for the DNS update of _ldap._tcp.pdc._msdcs.ad.MYDOMAIN that I
also get if I try a samba_dnsupdate
[2025/04/29 13:36:55.662362, 0]
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 1
[2025/04/29 13:46:55.366463, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/local/samba-4.22.1/sbin/samba_dnsupdate: update failed: SERVFAIL
[2025/04/29 13:46:55.914953, 0]
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 1
[2025/04/29 13:56:55.342197, 0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
/usr/local/samba-4.22.1/sbin/samba_dnsupdate: update failed: SERVFAIL
[2025/04/29 13:56:56.007850, 0]
../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 1
I've thus increased the log verbosity of the bind server on dc-01 a bit and
I see this error in the logs
14-Jul-2025 16:18:32.352 database: error: samba_dlz: failed to modify
DC=_ldap._tcp.pdc,DC=_msdcs.ad.MYDOMAIN,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=MYDOMAIN
- WERR_DS_OBJ_STRING_NAME_EXISTS
What is strange is that sometimes, it creates the DNS entry and sometimes it
doesn't. Right now, I'm already at 4 entries for
_ldap._tcp.pdc._msdcs.ad.MYDOMAIN
I'll try to investigate why I get the SERVFAIL tomorrow.
Nicolas
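A check for the duplicate-record symptom described above, added here as an example and not taken from the thread or from Samba itself: it parses a dig answer for the PDC locator name (constructed sample with the hypothetical domain ad.example.com and hosts dc-01/dc-02) and reports how many copies are published.

```python
"""Flag duplicate PDC emulator SRV records (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample of `dig +noall +answer SRV _ldap._tcp.pdc._msdcs.ad.example.com @dc-01`
# (hypothetical domain and hosts). It mirrors the "4 entries" state from the thread:
# three exact copies plus a record left behind by a previous role holder.
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc-01.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc-01.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc-01.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com. 900 IN SRV 0 100 389 dc-02.ad.example.com.
"""

# dig answer line: name ttl IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(dig_output):
    """Return (name, priority, weight, port, target) tuples, case-folded."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append((name.lower(), int(prio), int(weight),
                            int(port), target.lower()))
    return records


def check_pdc_srv(dig_output):
    """Return (total, exact_duplicates, targets).

    Only one DC holds the PDC emulator role, so a healthy zone answers with a
    single record (total == 1). More than one distinct target means a stale
    record from an earlier role holder; exact copies of one record are the
    accumulation the thread describes.
    """
    records = parse_srv(dig_output)
    counts = Counter(records)
    exact_duplicates = {r: n for r, n in counts.items() if n > 1}
    targets = sorted({r[4] for r in records})
    return len(records), exact_duplicates, targets


def pdc_srv_is_healthy(dig_output):
    """True when exactly one PDC SRV record is published."""
    return check_pdc_srv(dig_output)[0] == 1
```

Feed it the live answer from `dig +noall +answer SRV _ldap._tcp.pdc._msdcs.<domain> @<dc>`; `samba-tool dns query <dc> _msdcs.<domain> _ldap._tcp.pdc SRV` shows the same records from the AD side.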
________________________________
From: Nicolas Martinussen <nicolas.martinussen at joskin.com>
Sent: Monday 14 July 2025 14:30
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: RE: [Samba] Duplicate PDC records in _msdcs zone
For the domain, I used ad.MYDOMAIN, so the DCs are in fact authoritative for that
domain.
So, I'll try to explain a bit better how it's done here.
We have 3 DNS servers, one at our registrar that manages MYDOMAIN, an internal
recursive server and the AD DNS server.
But, as requested by my higher-ups, I haven't put a delegation for
ad.MYDOMAIN at the registrar because they didn't want that to be public.
Thus, I had to find a way to still make it work.
So, my solution was to configure the internal recursive DNS to have the zone
ad.MYDOMAIN which was a zone transfer to the AD. Here is the config on the
recursive DNS side:
zone "168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.XX.XX; };
};
zone "ad.MYDOMAIN" IN {
type slave;
masters { 192.168.XX.XX; };
};
zone "_msdcs.ad.MYDOMAIN" IN {
type slave;
masters { 192.168.XX.XX; };
};
That made the ad.MYDOMAIN zone available to all the computers
inside the company. It's probably not the best way. A delegation would have
been better, but it was a way to make it work. And it works fine, except for
maybe this duplicated PDC record.
Nicolas
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Monday 14 July 2025 14:13
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Duplicate PDC records in _msdcs zone
On Mon, 14 Jul 2025 12:02:06 +0000
Nicolas Martinussen <nicolas.martinussen at joskin.com> wrote:
> Hello,
>
> As you have assumed, I never moved the PDC_Emulator role 15,000
> times. I've done it maybe like 10-20 times, two times per update I've
> had. I don't think it's related to the zone transfer. We do a zone
> transfer because the internal DNS servers at my company aren't the DCs
> and we had some issue with a delegation, but it worked great with
> zone transfer. But I don't remember what the issue was as it was from
> two years ago. I've done a loop to delete all the unnecessary DNS
> entries and I'll check if the number goes up again with time or if
> it's stable.
>
There may be light at the end of the tunnel.
It sounds like you used your company's DNS domain for the AD domain
instead of a subdomain, i.e. your company's DNS domain is 'example.com'
and you used that instead of something like 'ad.example.com'. Doing
that would make your company's DNS servers authoritative for the AD
DNS domain as well as the AD DCs.
Your DCs should be authoritative for the AD domain and your company's
DNS servers shouldn't.
Rowland