On Fri, Aug 27, 2021 at 1:43 PM Rob Crittenden <rcritten@redhat.com> wrote:

Kathy Zhu wrote:
> Hi Rob,
>
> Thank you! That filter did the trick. There are 9 pTRRecord in the zone!
> See attached for details. What is the safe way to delete those "hidden"
> records? I assume that the zone can be deleted after those pTRRecord
> being deleted first. Many thanks.

Use ldapdelete to remove the conflicts using the DN, e.g:

$ ldapdelete -Y GSSAPI
idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

rob

>
> Kathy.
>
> [root@ipa0 ~]$ ldapsearch -Y GSSAPI -b
> idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> SASL/GSSAPI authentication started
>
> SASL username: admin@EXAMPLE.COM <mailto:admin@EXAMPLE.COM>
>
> SASL SSF: 256
>
> SASL data security layer installed.
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with
> scope subtree
>
> # filter: (objectclass=*)
>
> # requesting: ALL
>
> #
>
>
> # 15.0.10.in-addr.arpa., dns, example.com <http://example.com>
>
> dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> idnsSOAserial: 1630088951
>
> idnsZoneActive: FALSE
>
> idnsSOAminimum: 3600
>
> idnsSOAexpire: 1209600
>
> idnsSOAretry: 900
>
> idnsSOArefresh: 3600
>
> idnsAllowQuery: any;
>
> idnsSOArName: hostmaster
>
> idnsAllowDynUpdate: TRUE
>
> idnsSOAmName: ipa0.example.com <http://ipa0.example.com>.
>
> idnsName: 15.0.10.in-addr.arpa.
>
> idnsUpdatePolicy: grant EXAMPLE.COM <http://EXAMPLE.COM> krb5-subdomain
> 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>
> idnsAllowTransfer: none;
>
> objectClass: top
>
> objectClass: idnsrecord
>
> objectClass: idnszone
>
> nSRecord: ipa0.example.com <http://ipa0.example.com>.
>
> nSRecord: ipa2.example.com <http://ipa2.example.com>.
>
> nSRecord: ipa3.example.com <http://ipa3.example.com>.
>
> nSRecord: hou1-ipa1.example.com <http://hou1-ipa1.example.com>.
>
> nSRecord: sfo1-ipa1.example.com <http://sfo1-ipa1.example.com>.
>
> nSRecord: hou2-ipa1.example.com <http://hou2-ipa1.example.com>.
>
> nSRecord: hq-ipa1.example.com <http://hq-ipa1.example.com>.
>
> nSRecord: gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>.
>
>
> # search result
>
> search: 4
>
> result: 0 Success
>
>
> # numResponses: 2
>
> # numEntries: 1
>
> [root@ipa0 ~]$ ldapsearch -Y GSSAPI -b
> idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> '(objectclass=ldapsubentry)'
>
> SASL/GSSAPI authentication started
>
> SASL username: admin@EXAMPLE.COM <mailto:admin@EXAMPLE.COM>
>
> SASL SSF: 256
>
> SASL data security layer installed.
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with
> scope subtree
>
> # filter: (objectclass=ldapsubentry)
>
> # requesting: ALL
>
> #
>
>
> # 200 + 0aa41606-f47811ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: user9-laptop.example.com <http://user9-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 200
>
>
> # 155 + f3e40606-f6a711ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: user7-laptop.example.com <http://user7-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 155
>
>
> # 183 + c0f24006-f6b011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=183+nsuniqueid=c0f24006-f6b011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: DESKTOP-test.example.com <http://DESKTOP-test.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 183
>
>
> # 101 + 4a137207-f6c511ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=101+nsuniqueid=4a137207-f6c511ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: test-laptop.example.com <http://test-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 101
>
>
> # 74 + 1ccac207-f6cd11ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=74+nsuniqueid=1ccac207-f6cd11ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: jsmith-laptop.example.com <http://jsmith-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 74
>
>
> # 63 + bdd08006-f79411ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=63+nsuniqueid=bdd08006-f79411ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: kwang-laptop.example.com <http://kwang-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 63
>
>
> # 160 + ea49d205-f85011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=160+nsuniqueid=ea49d205-f85011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: john-laptop.example.com <http://john-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 160
>
>
> # 32 + e7f77005-f87011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=32+nsuniqueid=e7f77005-f87011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: key10-laptop.example.com <http://key10-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 32
>
>
> # 66 + 3fc5b812-c04911eb-b84afb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns,
> example.com <http://example.com>
>
> dn:
> idnsName=66+nsuniqueid=3fc5b812-c04911eb-b84afb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> pTRRecord: load8-laptop.example.com <http://load8-laptop.example.com>.
>
> dNSTTL: 300
>
> objectClass: idnsRecord
>
> objectClass: top
>
> objectClass: ldapsubentry
>
> idnsName: 66
>
>
> # search result
>
> search: 4
>
> result: 0 Success
>
>
> # numResponses: 10
>
> # numEntries: 9
>
> [root@ipa0 ~]$
>
>
> On Fri, Aug 27, 2021 at 9:58 AM Rob Crittenden <rcritten@redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Kathy Zhu wrote:
> > Hi Rob,
> >
> > There are 5 more reverse zones which can not be deleted as well. IPA
> > said "Not allowed on non-leaf entry". Though that is the same
> complaint,
> > however, there are no "glue, extensibleobject" objectclasses
> associated
> > with those 5 zones. Please see attached for details. I like to have
> > those deleted as well.
>
> 389 seems to think there are records under those even though IPA isn't
> seeing them. 389 doesn't show conflict values. I think I'd try
> ldapsearch to see if there is anything below it.
>
> kinit admin
> ldapsearch -Y GSSAPI -b
> idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> If nothing then add this filter to the end, '(objectclass=ldapsubentry)'
>
> rob
>
> >
> > Thanks.
> >
> > Kathy.
> >
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find
> 15.0.10.in-addr.arpa. --all
> >
> > dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >
> > Record name: @
> >
> > NS record: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.,
> > ipa2.example.com <http://ipa2.example.com>
> <http://ipa2.example.com>., ipa3.example.com <http://ipa3.example.com>
> > <http://ipa3.example.com>., hou1-ipa1.example.com
> <http://hou1-ipa1.example.com>
> > <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
> <http://sfo1-ipa1.example.com>
> > <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
> <http://hou2-ipa1.example.com>
> > <http://hou2-ipa1.example.com>., hq-
> >
> >    ipa1.example.com <http://ipa1.example.com>
> <http://ipa1.example.com>.,
> > gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
> <http://gcc2-ipa1.example.com>.
> >
> > idnsallowdynupdate: TRUE
> >
> > idnsallowquery: any;
> >
> > idnsallowtransfer: none;
> >
> > idnssoaexpire: 1209600
> >
> > idnssoaminimum: 3600
> >
> > idnssoamname: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.
> >
> > idnssoarefresh: 3600
> >
> > idnssoaretry: 900
> >
> > idnssoarname: hostmaster
> >
> > idnssoaserial: 1629023582
> >
> > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
> <http://EXAMPLE.COM>
> > krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
> * ANY;
> >
> > idnszoneactive: FALSE
> >
> > objectclass: top, idnsrecord, idnszone
> >
> > ----------------------------
> >
> > Number of entries returned 1
> >
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find
> 14.0.10.in-addr.arpa. --all
> >
> > dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >
> > Record name: @
> >
> > NS record: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.,
> > ipa2.example.com <http://ipa2.example.com>
> <http://ipa2.example.com>., ipa3.example.com <http://ipa3.example.com>
> > <http://ipa3.example.com>., hou1-ipa1.example.com
> <http://hou1-ipa1.example.com>
> > <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
> <http://sfo1-ipa1.example.com>
> > <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
> <http://hou2-ipa1.example.com>
> > <http://hou2-ipa1.example.com>., hq-
> >
> >    ipa1.example.com <http://ipa1.example.com>
> <http://ipa1.example.com>.,
> > gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
> <http://gcc2-ipa1.example.com>.
> >
> > idnsallowdynupdate: TRUE
> >
> > idnsallowquery: any;
> >
> > idnsallowtransfer: none;
> >
> > idnssoaexpire: 1209600
> >
> > idnssoaminimum: 3600
> >
> > idnssoamname: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.
> >
> > idnssoarefresh: 3600
> >
> > idnssoaretry: 900
> >
> > idnssoarname: hostmaster
> >
> > idnssoaserial: 1629023582
> >
> > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
> <http://EXAMPLE.COM>
> > krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
> * ANY;
> >
> > idnszoneactive: FALSE
> >
> > objectclass: top, idnsrecord, idnszone
> >
> > ----------------------------
> >
> > Number of entries returned 1
> >
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find
> 13.0.10.in-addr.arpa. --all
> >
> > dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >
> > Record name: @
> >
> > NS record: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.,
> > ipa2.example.com <http://ipa2.example.com>
> <http://ipa2.example.com>., ipa3.example.com <http://ipa3.example.com>
> > <http://ipa3.example.com>., hou1-ipa1.example.com
> <http://hou1-ipa1.example.com>
> > <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
> <http://sfo1-ipa1.example.com>
> > <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
> <http://hou2-ipa1.example.com>
> > <http://hou2-ipa1.example.com>., hq-
> >
> >    ipa1.example.com <http://ipa1.example.com>
> <http://ipa1.example.com>.,
> > gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
> <http://gcc2-ipa1.example.com>.
> >
> > idnsallowdynupdate: TRUE
> >
> > idnsallowquery: any;
> >
> > idnsallowtransfer: none;
> >
> > idnssoaexpire: 1209600
> >
> > idnssoaminimum: 3600
> >
> > idnssoamname: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.
> >
> > idnssoarefresh: 3600
> >
> > idnssoaretry: 900
> >
> > idnssoarname: hostmaster
> >
> > idnssoaserial: 1629023582
> >
> > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
> <http://EXAMPLE.COM>
> > krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
> * ANY;
> >
> > idnszoneactive: FALSE
> >
> > objectclass: top, idnsrecord, idnszone
> >
> > ----------------------------
> >
> > Number of entries returned 1
> >
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find
> 12.0.10.in-addr.arpa. --all
> >
> > dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >
> > Record name: @
> >
> > NS record: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.,
> > ipa2.example.com <http://ipa2.example.com>
> <http://ipa2.example.com>., ipa3.example.com <http://ipa3.example.com>
> > <http://ipa3.example.com>., hou1-ipa1.example.com
> <http://hou1-ipa1.example.com>
> > <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
> <http://sfo1-ipa1.example.com>
> > <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
> <http://hou2-ipa1.example.com>
> > <http://hou2-ipa1.example.com>., hq-
> >
> >    ipa1.example.com <http://ipa1.example.com>
> <http://ipa1.example.com>.,
> > gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
> <http://gcc2-ipa1.example.com>.
> >
> > idnsallowdynupdate: TRUE
> >
> > idnsallowquery: any;
> >
> > idnsallowtransfer: none;
> >
> > idnssoaexpire: 1209600
> >
> > idnssoaminimum: 3600
> >
> > idnssoamname: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.
> >
> > idnssoarefresh: 3600
> >
> > idnssoaretry: 900
> >
> > idnssoarname: hostmaster
> >
> > idnssoaserial: 1629023582
> >
> > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
> <http://EXAMPLE.COM>
> > krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
> * ANY;
> >
> > idnszoneactive: FALSE
> >
> > objectclass: top, idnsrecord, idnszone
> >
> > ----------------------------
> >
> > Number of entries returned 1
> >
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find
> 0.0.10.in-addr.arpa. --all
> >
> > dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >
> > Record name: @
> >
> > NS record: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.,
> > ipa2.example.com <http://ipa2.example.com>
> <http://ipa2.example.com>., ipa3.example.com <http://ipa3.example.com>
> > <http://ipa3.example.com>., hou1-ipa1.example.com
> <http://hou1-ipa1.example.com>
> > <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
> <http://sfo1-ipa1.example.com>
> > <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
> <http://hou2-ipa1.example.com>
> > <http://hou2-ipa1.example.com>., hq-
> >
> >    ipa1.example.com <http://ipa1.example.com>
> <http://ipa1.example.com>.,
> > gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
> <http://gcc2-ipa1.example.com>.
> >
> > idnsallowdynupdate: TRUE
> >
> > idnsallowquery: any;
> >
> > idnsallowtransfer: none;
> >
> > idnssoaexpire: 1209600
> >
> > idnssoaminimum: 3600
> >
> > idnssoamname: ipa0.example.com <http://ipa0.example.com>
> <http://ipa0.example.com>.
> >
> > idnssoarefresh: 3600
> >
> > idnssoaretry: 900
> >
> > idnssoarname: hostmaster.example.com
> <http://hostmaster.example.com> <http://hostmaster.example.com>.
> >
> > idnssoaserial: 1629023582
> >
> > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
> <http://EXAMPLE.COM>
> > krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard *
> ANY;
> >
> > idnszoneactive: FALSE
> >
> > objectclass: top, idnsrecord, idnszone
> >
> > ----------------------------
> >
> > Number of entries returned 1
> >
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]#
> >
> >
> > On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <kzhu@nuro.ai
> <mailto:kzhu@nuro.ai>
> > <mailto:kzhu@nuro.ai <mailto:kzhu@nuro.ai>>> wrote:
> >
> > Yes, I want to delete the zone. I tried a few ways, none
> worked so far.
> >
> > On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden
> <rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> wrote:
> >
> > Kathy Zhu via FreeIPA-users wrote:
> > > Hi List,
> > >
> > > When I run ipa-healthcheck on all of our ipa servers,
> they all
> > reported
> > > following:
> > >
> > > [root@ipa0 ~]# ipa-healthcheck --failures-only
> --output-type human
> > >
> > > ERROR:
> > >
> >
>   ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com:
> > > Replication conflict
> > >
> > > [root@ipa0 ~]#
> > >
> > > [root@ipa0 ~]# ipa-healthcheck --failures-only
> > >
> > > [
> > >
> > > {
> > >
> > > "source": "ipahealthcheck.ds.replication",
> > >
> > > "kw": {
> > >
> > > "msg": "Replication conflict",
> > >
> > > "glue": true,
> > >
> > > "conflict": "deletedEntryHasChildren",
> > >
> > > "key":
> > "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
> > >
> > > },
> > >
> > > "uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
> > >
> > > "duration": "0.002318",
> > >
> > > "when": "20210819234114Z",
> > >
> > > "check": "ReplicationConflictCheck",
> > >
> > > "result": "ERROR"
> > >
> > > }
> > >
> > > ]
> > >
> > > [root@ipa0 ~]#
> > >
> > > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa.
> > > --sizelimit=99999 --all --structured
> > >
> > > dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> > >
> > > Record name: @
> > >
> > > Records:
> > >
> > > Record type: NS
> > >
> > > Record data: ipa1.example.com
> <http://ipa1.example.com> <http://ipa1.example.com>
> > <http://ipa1.example.com>.
> > >
> > > NS Hostname: ipa1.example.com
> <http://ipa1.example.com> <http://ipa1.example.com>
> > <http://ipa1.example.com>.
> > >
> > > idnsallowdynupdate: TRUE
> > >
> > > idnsallowquery: any;
> > >
> > > idnsallowtransfer: none;
> > >
> > > idnssoaexpire: 1209600
> > >
> > > idnssoaminimum: 3600
> > >
> > > idnssoamname: ipa0.example.com
> <http://ipa0.example.com> <http://ipa0.example.com>
> > <http://ipa0.example.com>.
> > >
> > > idnssoarefresh: 3600
> > >
> > > idnssoaretry: 900
> > >
> > > idnssoarname: hostmaster
> > >
> > > idnssoaserial: 1629023582
> > >
> > > idnsupdatepolicy: grant EXAMPLE.COM
> <http://EXAMPLE.COM> <http://EXAMPLE.COM>
> > <http://EXAMPLE.COM>
> > > krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key
> > wildcard * ANY;
> > >
> > > idnszoneactive: FALSE
> > >
> > > objectclass: top, idnsrecord, idnszone, glue,
> extensibleobject
> > >
> > > ----------------------------
> > >
> > > Number of entries returned 1
> > >
> > > ----------------------------
> > >
> > > [root@ipa0 ~]#
> > >
> > >
> > > Notice above, glue is true! After googling, I found
> following:
> > >
> > >
> > >
> >
>   https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/ipa-replica-manage#Solving_Orphan_Entry_Conflicts
> > >
> > >
> > >
> >
>   https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
> > >
> > >
> > > The explanation made sense to me. However, I do not know
> what
> > happened
> > > to get us into this situation.
> > >
> > >
> > > A good zone displays objectclass like this:
> > >
> > >
> > > objectclass: top, idnsrecord, idnszone
> > >
> > >
> > >
> > > Note, no "glue, extensibleobject" there.
> > >
> > >
> > > This zone can not be deleted since "Not allowed on non-leaf
> > entry". Any
> > > ideas to delete this zone?
> >
> > Do you want to delete the zone?
> >
> > rob
> >
>