Problem: DNS and LDAP Inconsistency After Dynamic DNS Update (DDNS) from Windows Clients

Problem

After a Windows client joined to a Univention Corporate Server (UCS) domain performs a Dynamic DNS (DDNS) update (for example via ipconfig /registerdns), inconsistencies may occur between LDAP, Samba DLZ DNS, and the Univention Management Console (UMC).

These inconsistencies lead to:

  • Unassigned or empty Forward and Reverse DNS entries in UMC.
  • Duplicate PTR records remaining in LDAP.
  • Stale IP information in DHCP host objects.
  • Inconsistent DNS resolution and unreliable administrative data in UDM.

Affected Environment

  • UCS version: 5.0-x & 5.2-x
  • Samba version: 4.16 & 4.21
  • Domain example: ucs5schoolhejne.intranet
  • Primary DC: dc0.ucs5schoolhejne.intranet
  • Client OS: Windows 10 Pro
  • Initial IP: 10.200.30.41
  • Updated IP: 10.200.30.44
  • MAC: 52:54:00:0a:15:02

Symptoms

After the Windows client updates its IP and triggers a DDNS registration:

  • The Samba DLZ backend correctly updates both the A and PTR records.
  • The LDAP host object also reflects the new IP address.
  • The DHCP host object still references the old IP address.
  • Duplicate PTR records (for old and new IPs) remain in LDAP.
  • UMC shows empty Forward and Reverse DNS zone assignments.
  • UDM queries still return stale DNS data.

Steps to Reproduce

  1. Join a Windows client with a static IP (e.g. 10.200.30.41) to the UCS domain.

  2. Confirm correct Forward and Reverse DNS configuration in UMC.

  3. Change the client’s IP address (e.g. to 10.200.30.44).

  4. On the Windows client, execute:

    ipconfig /registerdns

    or allow Windows to perform an automatic DDNS update.

  5. Observe Samba and DNS update logs in /var/log/daemon.log.

  6. Inspect results using the following commands:

    univention-s4search --cross-ncs dc=<hostname>
    univention-ldapsearch -LLL cn=<hostname>
    udm computers/windows list --filter cn=<hostname>

Expected Behavior

  • The DNS and LDAP records remain synchronized across:
    • Samba DLZ DNS
    • LDAP host and DHCP objects
    • UMC zone fields
  • Old A and PTR records are automatically removed when a new IP is registered.
  • UMC continues to display correct and consistent DNS zone links.

Actual Behavior

  • Samba DLZ updates A and PTR records correctly for the new IP.
  • LDAP host entries are updated, but the DHCP object retains the old IP.
  • Duplicate PTR records remain in LDAP.
  • UMC loses the linkage between host and zone (fields appear empty).
  • UDM shows inconsistent or stale DNS entries.

This results in data divergence across UCS subsystems: Samba, LDAP, and UMC.

Log Evidence

Excerpt from /var/log/daemon.log:

Oct  9 23:24:40 dc0 named[17025]: samba_dlz: committed transaction on zone ucs5schoolhejne.intranet
Oct  9 23:24:40 dc0 named[17025]: samba_dlz: committed transaction on zone 30.200.10.in-addr.arpa
Oct  9 23:24:43 dc0 directory_logger: DN=relativeDomainName=44,zoneName=30.200.10.in-addr.arpa,...

These entries confirm that Samba DNS commits the DDNS update on both the forward and the reverse zone, and the directory_logger line shows the new PTR record (relativeDomainName=44) being written to LDAP; no corresponding deletion of the old reverse record follows, so the LDAP backend retains the outdated PTR entry.

Root Cause

The UCS synchronization process between Samba DLZ DNS and LDAP DNS backend does not fully reconcile record deletions when a DDNS update is triggered by a Windows client.

As a result:

  • Obsolete DNS records persist in LDAP.
  • DHCP host objects are not updated accordingly.
  • UMC fails to map DNS entries correctly once inconsistencies occur.

Bug ID: 58705

Impact

  • DNS lookups may resolve to incorrect or outdated IP addresses.
  • Reverse lookups return multiple or invalid PTR results.
  • Host management in UMC and UDM becomes unreliable.
  • Automation tools relying on LDAP consistency may fail or misconfigure systems.
  • Administrative overhead and error risk increase in managed environments.

Workaround

Until an official fix is available, the following manual cleanup can be performed:

  1. Identify the affected host:

    udm computers/windows list --filter cn=<hostname>

  2. Manually remove outdated PTR entries:

    udm dns/ptr_record remove --dn="relativeDomainName=<oldIP>,zoneName=<reversezone>,cn=dns,<baseDN>"

  3. Correct DHCP entries if necessary:

    udm dhcp/host modify --dn="cn=<hostname>,cn=<dhcpzone>,cn=dhcp,<baseDN>" --set fixedaddress=<newIP>

  4. Verify DNS consistency:

    host <hostname>
    host <newIP>

Recommendation

Univention engineering recommends the following long-term improvements:

  1. Ensure that UMC correctly displays zone assignments after Samba-based DDNS updates.
  2. Implement cleanup logic in the DNS synchronization mechanism to remove stale A/PTR records from LDAP.
  3. Extend verification in the univention-samba4 listener module to maintain synchronization integrity.
  4. Provide an administrative consistency check script to detect and repair mismatched DNS entries.
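The following is an added example, not Univention code, of the detection half of the manual workaround above and of the consistency check suggested in item 4: it parses the text output of the three udm list commands (computer object, PTR records, DHCP host) and reports PTR records and a DHCP fixedaddress that no longer match the host's current IP. The sample outputs are constructed from the addresses on this page, and the UDM property names used (ip, address, ptr_record, fixedaddress) are assumptions.

```python
# Added example (not Univention code): compare the host's current IP with its PTR
# records and DHCP host object, parsing the text format of "udm ... list" output
# ("DN: ..." line followed by indented "key: value" lines). Sample outputs are
# constructed; property names ip/address/ptr_record/fixedaddress are assumed.
DOMAIN = "ucs5schoolhejne.intranet"
BASE = "dc=ucs5schoolhejne,dc=intranet"

COMPUTER_OUT = f"""\
DN: cn=win10,cn=computers,{BASE}
  name: win10
  ip: 10.200.30.44
"""
PTR_OUT = f"""\
DN: relativeDomainName=41,zoneName=30.200.10.in-addr.arpa,cn=dns,{BASE}
  address: 41
  ptr_record: win10.{DOMAIN}.

DN: relativeDomainName=44,zoneName=30.200.10.in-addr.arpa,cn=dns,{BASE}
  address: 44
  ptr_record: win10.{DOMAIN}.
"""
DHCP_OUT = f"""\
DN: cn=win10,cn=default,cn=dhcp,{BASE}
  hwaddress: ethernet 52:54:00:0a:15:02
  fixedaddress: 10.200.30.41
"""

def parse_udm_list(text):
    """Parse udm list output into dicts keyed by property; values are lists."""
    objs, cur = [], None
    for line in text.splitlines():
        if line.startswith("DN: "):
            cur = {"dn": [line[4:].strip()]}
            objs.append(cur)
        elif cur is not None and line.startswith("  ") and ": " in line:
            key, val = line.strip().split(": ", 1)
            cur.setdefault(key, []).append(val)
    return objs

def find_drift(computer_out, ptr_out, dhcp_out):
    """Return (DNs of stale PTR records for the host, stale DHCP fixedaddress or None)."""
    comp = parse_udm_list(computer_out)[0]
    ip = comp["ip"][0]
    fqdn = f"{comp['name'][0]}.{DOMAIN}."
    want = ip.rsplit(".", 1)[1]  # /24 reverse zone as on this page: last octet
    stale = [p["dn"][0] for p in parse_udm_list(ptr_out)
             if fqdn in p.get("ptr_record", []) and p["address"][0] != want]
    dhcp = parse_udm_list(dhcp_out)
    fixed = dhcp[0]["fixedaddress"][0] if dhcp else None
    return stale, (fixed if fixed and fixed != ip else None)
```

Each stale PTR DN returned is the value to pass to udm dns/ptr_record remove --dn in step 2, and a non-empty second value means the DHCP host object still needs step 3.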

Additional Information

Relevant commands for diagnostic verification:

univention-s4search --cross-ncs --show-binary dc=<hostname>
univention-ldapsearch -LLL cn=<hostname>
udm dns/ptr_record list --filter '(|(relativeDomainName=<old>)(relativeDomainName=<new>))'

If inconsistencies persist after manual cleanup, please open a support case and attach:

  • /var/log/daemon.log
  • /var/log/univention/listener.log
  • Output of the commands listed above

See also: