How to:
This article describes how to identify and remove incorrect SRV records for Samba4 in a Univention Corporate Server (UCS) environment using samba-tool and the Univention-provided check script. This is particularly useful after demoting a Domain Controller, or whenever SRV records still point to a decommissioned server: clients that pick such a record for LDAP or Kerberos will fail until it is removed.
1. Validate DNS Records
To verify the current Samba4 DNS setup and identify unwanted SRV records, use the script:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.schule.bremen has address 10.0.1.1
_gc._tcp.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_ldap._tcp.gc._msdcs.schule.bremen has SRV record 0 100 3268 schul-replica.schule.bremen.
_ldap._tcp.gc._msdcs.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_ldap._tcp.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.dc._msdcs.schule.bremen has SRV record 0 100 389 schul-replica.schule.bremen.
_ldap._tcp.dc._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.pdc._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.8ee6cdd1-357c-4011-a256-297107772a6f.domains._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_kerberos._tcp.dc._msdcs.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kerberos._tcp.dc._msdcs.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kerberos._tcp.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kerberos._tcp.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kerberos._udp.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kerberos._udp.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kpasswd._tcp.schule.bremen has SRV record 0 100 464 master.schule.bremen.
_kpasswd._tcp.schule.bremen has SRV record 0 100 464 schul-replica.schule.bremen.
_kpasswd._udp.schule.bremen has SRV record 0 100 464 master.schule.bremen.
_kpasswd._udp.schule.bremen has SRV record 0 100 464 schul-replica.schule.bremen.
Located DC 'master' in site 'Default-First-Site-Name'
282dceec-4959-49f0-ae73-ef7970df8eeb._msdcs.schule.bremen is an alias for master.schule.bremen.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 389 schul-replica.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 389 schul-replica.schule.bremen.
_kerberos._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kerberos._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 88 master.schule.bremen.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 3268 schul-replica.schule.bremen.
_gc._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_kerberos.schule.bremen descriptive text "SCHULE.BREMEN"
The output should list only valid and required DNS entries. If you see records for hosts that no longer exist (e.g., schul-replica.schule.bremen), they must be removed.
2. Identify Unwanted SRV Records
Run the following queries to list the current SRV records and find those that still reference the decommissioned host. The first argument after "query" is the DC to ask (here master), followed by the zone and the record name; -P authenticates with the machine account (Kerberos), so no password prompt is needed:
samba-tool dns query master _msdcs.schule.bremen _kerberos._tcp.dc SRV -P
samba-tool dns query master schule.bremen _kerberos._tcp.schule.bremen SRV -P
samba-tool dns query master schule.bremen _kerberos._udp.schule.bremen SRV -P
samba-tool dns query master schule.bremen _kpasswd._tcp.schule.bremen SRV -P
samba-tool dns query master schule.bremen _kpasswd._udp.schule.bremen SRV -P
samba-tool dns query master schule.bremen _ldap._tcp.Default-First-Site-Name._sites SRV -P
samba-tool dns query master _msdcs.schule.bremen _ldap._tcp.Default-First-Site-Name._sites.dc SRV -P
samba-tool dns query master schule.bremen _kerberos._tcp.Default-First-Site-Name._sites SRV -P
samba-tool dns query master _msdcs.schule.bremen _kerberos._tcp.Default-First-Site-Name._sites.dc SRV -P
samba-tool dns query master schule.bremen _gc._tcp.Default-First-Site-Name._sites SRV -P
3. Delete Incorrect SRV Records
Use the following commands to remove the outdated entries pointing to schul-replica.schule.bremen. Note the argument order of the SRV data: samba-tool expects 'target port priority weight', whereas the check script prints priority, weight, port and then the target:
samba-tool dns delete master _msdcs.schule.bremen _kerberos._tcp.dc SRV 'schul-replica.schule.bremen 88 0 100' -P
samba-tool dns delete master schule.bremen _kerberos._tcp.schule.bremen SRV 'schul-replica.schule.bremen 88 0 100' -P
samba-tool dns delete master schule.bremen _kerberos._udp.schule.bremen SRV 'schul-replica.schule.bremen 88 0 100' -P
samba-tool dns delete master schule.bremen _kpasswd._tcp.schule.bremen SRV 'schul-replica.schule.bremen 464 0 100' -P
samba-tool dns delete master schule.bremen _kpasswd._udp.schule.bremen SRV 'schul-replica.schule.bremen 464 0 100' -P
samba-tool dns delete master schule.bremen _ldap._tcp.Default-First-Site-Name._sites SRV 'schul-replica.schule.bremen 389 0 100' -P
samba-tool dns delete master _msdcs.schule.bremen _ldap._tcp.Default-First-Site-Name._sites.dc SRV 'schul-replica.schule.bremen 389 0 100' -P
samba-tool dns delete master schule.bremen _kerberos._tcp.Default-First-Site-Name._sites SRV 'schul-replica.schule.bremen 88 0 100' -P
samba-tool dns delete master _msdcs.schule.bremen _kerberos._tcp.Default-First-Site-Name._sites.dc SRV 'schul-replica.schule.bremen 88 0 100' -P
samba-tool dns delete master schule.bremen _gc._tcp.Default-First-Site-Name._sites SRV 'schul-replica.schule.bremen 3268 0 100' -P
Each deletion should return:
Record deleted successfully
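The two steps above (find the records that name the stale host, then build the matching delete commands with the reordered SRV data and the right zone) are mechanical, so they can be generated from the check script's output rather than typed by hand. The following shell function is an added example and not part of the Univention article or scripts; it assumes the output format shown in Step 1, the domain schule.bremen and the DC name master from the article, and only prints the samba-tool commands for review instead of executing them. The sample input is constructed from the article's records.

```shell
#!/bin/sh
# Added example (not from the Univention article): derive "samba-tool dns delete"
# commands for one decommissioned host from the output of
# /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh.
# The commands are only printed; review them before running anything.

# Constructed sample of the check script's output, with the stale host
# schul-replica still present in four SRV records (format as in the article).
SAMPLE_OUTPUT='gc._msdcs.schule.bremen has address 10.0.1.1
_gc._tcp.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_kerberos._tcp.dc._msdcs.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kerberos._tcp.schule.bremen has SRV record 0 100 88 schul-replica.schule.bremen.
_kpasswd._udp.schule.bremen has SRV record 0 100 464 schul-replica.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 389 schul-replica.schule.bremen.
_kerberos.schule.bremen descriptive text "SCHULE.BREMEN"'

# srv_delete_cmds DOMAIN STALE_HOST DC  < check-script-output
# Prints one "samba-tool dns delete" line per SRV record whose target is
# exactly STALE_HOST. Two details the article relies on are handled here:
#  - the check script prints "priority weight port target", while samba-tool
#    wants the record data as 'target port priority weight';
#  - records below _msdcs.DOMAIN belong to that separate zone, so the name
#    passed to samba-tool must have the zone suffix stripped; records in the
#    main zone may be given as their full name, as the article does.
srv_delete_cmds() {
    domain=$1; stale=$2; dc=$3
    awk -v domain="$domain" -v stale="$stale" -v dc="$dc" -v q="'" '
        $2 == "has" && $3 == "SRV" && $4 == "record" {
            name = $1; prio = $5; weight = $6; port = $7; target = $8
            sub(/\.$/, "", target)                 # drop the trailing dot
            if (target != stale) next              # keep records of live hosts
            msdcs = "._msdcs." domain
            pos = index(name, msdcs)
            if (pos > 0) {
                zone = "_msdcs." domain
                name = substr(name, 1, pos - 1)    # e.g. _kerberos._tcp.dc
            } else {
                zone = domain
            }
            printf "samba-tool dns delete %s %s %s SRV %s%s %s %s %s%s -P\n",
                   dc, zone, name, q, target, port, prio, weight, q
        }'
}

# Stand-alone run: show what would be deleted for the stale replica.
printf '%s\n' "$SAMPLE_OUTPUT" | srv_delete_cmds schule.bremen schul-replica.schule.bremen master
```

On a real system, replace the sample with the live output (the check script piped into the function) and compare the printed commands against Step 2's query results before executing them; a host name that is still serving the domain must produce no output, which is also a quick way to confirm the filter matches the exact FQDN rather than a prefix.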
4. Verify Clean DNS State
Re-run the diagnostic script to confirm the removal:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
gc._msdcs.schule.bremen has address 10.0.1.1
_gc._tcp.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_ldap._tcp.gc._msdcs.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_ldap._tcp.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.dc._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.pdc._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.8ee6cdd1-357c-4011-a256-297107772a6f.domains._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_kerberos._tcp.dc._msdcs.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kerberos._tcp.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kerberos._udp.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kpasswd._tcp.schule.bremen has SRV record 0 100 464 master.schule.bremen.
_kpasswd._udp.schule.bremen has SRV record 0 100 464 master.schule.bremen.
Located DC 'master' in site 'Default-First-Site-Name'
282dceec-4959-49f0-ae73-ef7970df8eeb._msdcs.schule.bremen is an alias for master.schule.bremen.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 389 master.schule.bremen.
_kerberos._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 88 master.schule.bremen.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.schule.bremen has SRV record 0 100 88 master.schule.bremen.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.schule.bremen has SRV record 0 100 3268 master.schule.bremen.
_kerberos.schule.bremen descriptive text "SCHULE.BREMEN"
The output should now list only entries for the remaining Domain Controller, master.schule.bremen; any line still naming the removed host means a record was missed in Step 3.
5. Summary of Required Records
After cleanup, you should see only these essential DNS entries:
Global Records
gc._msdcs.schule.bremen → A record for 10.0.1.1
_ldap._tcp.schule.bremen, _kerberos._tcp.schule.bremen, _kpasswd._tcp.schule.bremen, etc. → Pointing to master.schule.bremen
MSDCS Records
_ldap._tcp.dc._msdcs.schule.bremen
_kerberos._tcp.dc._msdcs.schule.bremen
All pointing to master.schule.bremen
Site-Specific Records
_ldap._tcp.Default-First-Site-Name._sites.schule.bremen
_kerberos._tcp.Default-First-Site-Name._sites.schule.bremen
_gc._tcp.Default-First-Site-Name._sites.schule.bremen (optional GC)
All pointing to master.schule.bremen
Notes
If the demoted server might be reused or rejoined later, do not delete its DNS records by hand; demote it properly instead, so that the demotion process performs the cleanup itself.
Always validate with samba-tool dbcheck or univention-check-join-status after DNS cleanup for consistency.
If problems persist after cleanup, consider restarting the Samba AD DC service, which also reloads the DNS zones:
systemctl restart samba-ad-dc