This might be related, just mentioning it.

https://bugzilla.samba.org/show_bug.cgi?id=12800
https://bugzilla.samba.org/show_bug.cgi?id=13973

After moving or seizing the FSMO roles, the old server can still be found as a DNS record as _ldap._tcp._pdc._msdcs.dom.tld

In most cases a move or seize involves a dead/broken server, but in the case you are not removing a "dead" server, you end up with 2 _pdc records.

Discussed this with Rowland, his reply on it:

> The problem seems to be that there is no code to remove
> '_ldap._tcp.pdc._msdcs.<domain>' for the old PDC_Emulator when you
> move/seize the PDC_Emulator role. Then samba_dnsupdate comes
> along and creates a record for the new PDC_Emulator.
>
> Rowland

Found on Buster with samba 4.12.7 and bind9_dlz