On Thu, 27 Nov 2025 12:59:01 +0100
martin f krafft via samba <samba at lists.samba.org> wrote:
> Hello,
>
> We had a small configuration glitch it seems and for a few seconds,
> the same Samba Domain Controller was online with two different IPs:
> 192.168.231.34 and .35.
>
> Since then, bind9 answers for `dc01.samba-ad.example.org` with both
> IPs, and this is causing problems in various parts of our
> infrastructure:
No it doesn't; your Samba AD DC does.
>
> ```
> # dig @127.0.0.1 dc01.samba-ad.toni.immo +short
> 192.168.231.34
> 192.168.231.35
> ```
>
> The thing is: we **cannot** figure out where it gets that .35 from.
It is in AD.
> We've removed it:
>
> ```
> # samba-tool dns delete 127.0.0.1 samba-ad.toni.immo dc01 A 192.168.231.35 -U Administrator
> Record deleted successfully
> # samba-tool dns query 127.0.0.1 samba-ad.toni.immo @ ALL -U Administrator | grep 192.168.231.35 || echo not present anymore
> not present anymore
> ```
>
> but `dig` still returns it.
>
> ```
> # for i in /var/lib/samba/**/*.ldb; do ldbsearch -H $i | grep 192.168.231.35 && echo $i; done
> (no output)
That search probably will not work, for two reasons: you really
shouldn't search in sam.ldb.d, and your search terms are
insufficient.
You should be doing something like this:
ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb > full.ldif
Then search in full.ldif for your IP address; it may be there multiple
times.
> ```
>
> We've tried `rndc flushname` and `rndc flushtree`, restarting bind9,
> even the whole machine. We've stopped bind9 and removed the lines from
> /var/cache/bind/named_dump.db and restarted the nameserver.
If you did find the IP address in the bind9 config files, I would then
suggest you correct the files. Samba uses bind_dlz to connect Bind9 to
the DNS records in AD; there shouldn't be any AD DNS records in the
bind9 files.
Rowland
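As an added check for the situation in this thread (example code, not from either poster): it parses the text that `samba-tool dns query <dc> <zone> @ ALL` and `dig +short` print, reports the addresses the resolver answers for a name that AD does not hold for it, and lists every name in the zone that still carries a given address. Both inputs below are constructed samples, and the record-line format is assumed to follow the Samba wiki's `Name=..., Records=...` / `A: <ip> (flags=...)` layout.

```python
import re
from collections import defaultdict

# Constructed sample of `samba-tool dns query 127.0.0.1 <zone> @ ALL` output.
# Here dc01 only has .34 left, but a stale .35 still sits on the zone root.
SAMBA_TOOL_OUTPUT = """\
  Name=, Records=3, Children=0
    NS: dc01.samba-ad.toni.immo. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.231.34 (flags=600000f0, serial=110, ttl=900)
    A: 192.168.231.35 (flags=600000f0, serial=112, ttl=900)
  Name=dc01, Records=1, Children=0
    A: 192.168.231.34 (flags=f0, serial=110, ttl=900)
"""

# Constructed sample of `dig @127.0.0.1 dc01.<zone> +short` output.
DIG_OUTPUT = "192.168.231.34\n192.168.231.35\n"

NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=")
# Matches single-token records (A, AAAA, NS, CNAME); SOA lines are skipped.
REC_RE = re.compile(r"^\s*(?P<type>[A-Z]+): (?P<value>\S+) \(")


def parse_samba_tool(text):
    """Map each name in the zone to its list of (type, value) records."""
    records = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name") or "@"  # empty Name= is the zone root
            continue
        m = REC_RE.match(line)
        if m and current is not None:
            records[current].append((m.group("type"), m.group("value")))
    return dict(records)


def names_with_ip(records, ip):
    """Every name that still has an A record for ip ("it may be there multiple times")."""
    return sorted(n for n, recs in records.items() if ("A", ip) in recs)


def compare(records, name, dig_text):
    """Return (answered but not in AD, in AD but not answered) for one name."""
    answered = {l.strip() for l in dig_text.splitlines() if l.strip()}
    in_ad = {v for t, v in records.get(name, []) if t == "A"}
    return sorted(answered - in_ad), sorted(in_ad - answered)
```

Feed it the real outputs of the two commands and a non-empty first list from compare() means the resolver is serving an address AD no longer holds for that name, which is exactly the condition worth chasing into the full.ldif dump.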