Hi Rob,

There are 5 more reverse zones which can not be deleted as well. IPA said "Not allowed on non-leaf entry". Though that is the same complaint, however, there are no "glue, extensibleobject" objectclasses associated with those 5 zones. Please see attached for details. I like to have those deleted as well.

Thanks.

Kathy.

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa. --all

dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-

ipa1.example.com., gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa. --all

dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-

ipa1.example.com., gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa. --all

dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-

ipa1.example.com., gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa. --all

dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-

ipa1.example.com., gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all

dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-

ipa1.example.com., gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster.example.com.

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

----------------------------

Number of entries returned 1

----------------------------

[root@ipa0 export-ipa-data]#

On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu kzhu@nuro.ai wrote:

Yes, I want to delete the zone. I tried a few ways, none worked so far.

On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden rcritten@redhat.com wrote:

...

Kathy Zhu via FreeIPA-users wrote:

...

Hi List,

When I run ipa-healthcheck on all of our ipa servers, they all reported following:

[root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human

ERROR:

ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com:

...

Replication conflict

[root@ipa0 ~]#

[root@ipa0 ~]# ipa-healthcheck --failures-only

[

{

"source": "ipahealthcheck.ds.replication",

"kw": {

  "msg": "Replication conflict",

  "glue": true,

  "conflict": "deletedEntryHasChildren",

  "key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"

},

"uuid": "3027f742-4b7b-4a20-9650-a5a030699480",

"duration": "0.002318",

"when": "20210819234114Z",

"check": "ReplicationConflictCheck",

"result": "ERROR"

}

]

[root@ipa0 ~]#

[root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. --sizelimit=99999 --all --structured

dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

Records:

Record type: NS

Record data: ipa1.example.com <http://ipa1.example.com>.

NS Hostname: ipa1.example.com <http://ipa1.example.com>.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com http://ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone, glue, extensibleobject

---

Number of entries returned 1

---

[root@ipa0 ~]#

Notice above, glue is true! After googling, I found following:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...

...

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...

...

The explanation made sense to me. However, I do not know what happened to get us into this situation.

A good zone displays objectclass like this:

objectclass: top, idnsrecord, idnszone

Note, no "glue, extensibleobject" there.

This zone can not be deleted since "Not allowed on non-leaf entry". Any ideas to delete this zone?

Do you want to delete the zone?

rob

Hi Rob,

Thank you! That filter did the trick. There are 9 pTRRecord in the zone! See attached for details. What is the safe way to delete those "hidden" records? I assume that the zone can be deleted after those pTRRecord being deleted first. Many thanks.

Kathy.

[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

SASL/GSSAPI authentication started

SASL username: admin@EXAMPLE.COM

SASL SSF: 256

SASL data security layer installed.

# extended LDIF

#

# LDAPv3

# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

# 15.0.10.in-addr.arpa., dns, example.com

dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

idnsSOAserial: 1630088951

idnsZoneActive: FALSE

idnsSOAminimum: 3600

idnsSOAexpire: 1209600

idnsSOAretry: 900

idnsSOArefresh: 3600

idnsAllowQuery: any;

idnsSOArName: hostmaster

idnsAllowDynUpdate: TRUE

idnsSOAmName: ipa0.example.com.

idnsName: 15.0.10.in-addr.arpa.

idnsUpdatePolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnsAllowTransfer: none;

objectClass: top

objectClass: idnsrecord

objectClass: idnszone

nSRecord: ipa0.example.com.

nSRecord: ipa2.example.com.

nSRecord: ipa3.example.com.

nSRecord: hou1-ipa1.example.com.

nSRecord: sfo1-ipa1.example.com.

nSRecord: hou2-ipa1.example.com.

nSRecord: hq-ipa1.example.com.

nSRecord: gcc2-ipa1.example.com.

# search result

search: 4

result: 0 Success

# numResponses: 2

# numEntries: 1

[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com '(objectclass=ldapsubentry)'

SASL/GSSAPI authentication started

SASL username: admin@EXAMPLE.COM

SASL SSF: 256

SASL data security layer installed.

# extended LDIF

#

# LDAPv3

# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree

# filter: (objectclass=ldapsubentry)

# requesting: ALL

#

# 200 + 0aa41606-f47811ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: user9-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 200

# 155 + f3e40606-f6a711ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: user7-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 155

# 183 + c0f24006-f6b011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=183+nsuniqueid=c0f24006-f6b011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: DESKTOP-test.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 183

# 101 + 4a137207-f6c511ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=101+nsuniqueid=4a137207-f6c511ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: test-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 101

# 74 + 1ccac207-f6cd11ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=74+nsuniqueid=1ccac207-f6cd11ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: jsmith-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 74

# 63 + bdd08006-f79411ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=63+nsuniqueid=bdd08006-f79411ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: kwang-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 63

# 160 + ea49d205-f85011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=160+nsuniqueid=ea49d205-f85011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: john-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 160

# 32 + e7f77005-f87011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=32+nsuniqueid=e7f77005-f87011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: key10-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 32

# 66 + 3fc5b812-c04911eb-b84afb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com

dn: idnsName=66+nsuniqueid=3fc5b812-c04911eb-b84afb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

pTRRecord: load8-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 66

# search result

search: 4

result: 0 Success

# numResponses: 10

# numEntries: 9

[root@ipa0 ~]$

On Fri, Aug 27, 2021 at 9:58 AM Rob Crittenden rcritten@redhat.com wrote:

Kathy Zhu wrote:

...

Hi Rob,

There are 5 more reverse zones which can not be deleted as well. IPA said "Not allowed on non-leaf entry". Though that is the same complaint, however, there are no "glue, extensibleobject" objectclasses associated with those 5 zones. Please see attached for details. I like to have those deleted as well.

389 seems to think there are records under those even though IPA isn't seeing them. 389 doesn't show conflict values. I think I'd try ldapsearch to see if there is anything below it.

kinit admin ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

If nothing then add this filter to the end, '(objectclass=ldapsubentry)'

rob

...

Thanks.

Kathy.

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa.

--all

...

dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-

         ipa1.example.com <http://ipa1.example.com>.,

gcc2-ipa1.example.com http://gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com http://ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

---

Number of entries returned 1

---

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa.

--all

...

dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-

         ipa1.example.com <http://ipa1.example.com>.,

gcc2-ipa1.example.com http://gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com http://ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

---

Number of entries returned 1

---

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa.

--all

...

dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-

         ipa1.example.com <http://ipa1.example.com>.,

gcc2-ipa1.example.com http://gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com http://ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

---

Number of entries returned 1

---

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa.

--all

...

dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-

         ipa1.example.com <http://ipa1.example.com>.,

gcc2-ipa1.example.com http://gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com http://ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

---

Number of entries returned 1

---

[root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa.

--all

...

dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

Record name: @

NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-

         ipa1.example.com <http://ipa1.example.com>.,

gcc2-ipa1.example.com http://gcc2-ipa1.example.com.

idnsallowdynupdate: TRUE

idnsallowquery: any;

idnsallowtransfer: none;

idnssoaexpire: 1209600

idnssoaminimum: 3600

idnssoamname: ipa0.example.com http://ipa0.example.com.

idnssoarefresh: 3600

idnssoaretry: 900

idnssoarname: hostmaster.example.com http://hostmaster.example.com.

idnssoaserial: 1629023582

idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnszoneactive: FALSE

objectclass: top, idnsrecord, idnszone

---

Number of entries returned 1

---

[root@ipa0 export-ipa-data]#

On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <kzhu@nuro.ai mailto:kzhu@nuro.ai> wrote:

Yes, I want to delete the zone. I tried a few ways, none worked so

far.

...

On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden <rcritten@redhat.com
<mailto:rcritten@redhat.com>> wrote:

    Kathy Zhu via FreeIPA-users wrote:
    > Hi List,
    >
    > When I run ipa-healthcheck on all of our ipa servers, they all
    reported
    > following:
    >
    > [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type

human

...

    >
    > ERROR:
    >

ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com:

...

    > Replication conflict
    >
    > [root@ipa0 ~]#
    >
    > [root@ipa0 ~]# ipa-healthcheck --failures-only
    >
    > [
    >
    >   {
    >
    >     "source": "ipahealthcheck.ds.replication",
    >
    >     "kw": {
    >
    >       "msg": "Replication conflict",
    >
    >       "glue": true,
    >
    >       "conflict": "deletedEntryHasChildren",
    >
    >       "key":
    "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
    >
    >     },
    >
    >     "uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
    >
    >     "duration": "0.002318",
    >
    >     "when": "20210819234114Z",
    >
    >     "check": "ReplicationConflictCheck",
    >
    >     "result": "ERROR"
    >
    >   }
    >
    > ]
    >
    > [root@ipa0 ~]#
    >
    > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa.
    > --sizelimit=99999 --all --structured
    >
    >   dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
    >
    >   Record name: @
    >
    >   Records:
    >
    >     Record type: NS
    >
    >     Record data: ipa1.example.com <http://ipa1.example.com>
    <http://ipa1.example.com>.
    >
    >     NS Hostname: ipa1.example.com <http://ipa1.example.com>
    <http://ipa1.example.com>.
    >
    >   idnsallowdynupdate: TRUE
    >
    >   idnsallowquery: any;
    >
    >   idnsallowtransfer: none;
    >
    >   idnssoaexpire: 1209600
    >
    >   idnssoaminimum: 3600
    >
    >   idnssoamname: ipa0.example.com <http://ipa0.example.com>
    <http://ipa0.example.com>.
    >
    >   idnssoarefresh: 3600
    >
    >   idnssoaretry: 900
    >
    >   idnssoarname: hostmaster
    >
    >   idnssoaserial: 1629023582
    >
    >   idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
    <http://EXAMPLE.COM>
    > krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key
    wildcard * ANY;
    >
    >   idnszoneactive: FALSE
    >
    >   objectclass: top, idnsrecord, idnszone, glue,

extensibleobject

...

    >
    > ----------------------------
    >
    > Number of entries returned 1
    >
    > ----------------------------
    >
    > [root@ipa0 ~]#
    >
    >
    > Notice above, glue is true! After googling, I found following:
    >
    >
    >

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...

...

    >
    >
    >

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...

...

    >
    >
    > The explanation made sense to me. However, I do not know what
    happened
    > to get us into this situation.
    >
    >
    > A good zone displays objectclass like this:
    >
    >
    > objectclass: top, idnsrecord, idnszone
    >
    >
    >
    > Note, no "glue, extensibleobject" there.
    >
    >
    > This zone can not be deleted since "Not allowed on non-leaf
    entry". Any
    > ideas to delete this zone?

    Do you want to delete the zone?

    rob

Hi Rob,

After deleted those hidden records inside the zones, I deleted those zones smoothly. Remember 1.1.10.in-addr.arpa.zone which was marked with glue=true? There was one hidden ptr record inside the zone. After that record being deleted, 1.1.10.in-addr.arpa.zone disappread itself :-). Thank you so much for your help! Have a great weekend!

Kathy.

On Fri, Aug 27, 2021 at 1:43 PM Rob Crittenden rcritten@redhat.com wrote:

Kathy Zhu wrote:

...

Hi Rob,

Thank you! That filter did the trick. There are 9 pTRRecord in the zone! See attached for details. What is the safe way to delete those "hidden" records? I assume that the zone can be deleted after those pTRRecord being deleted first. Many thanks.

Use ldapdelete to remove the conflicts using the DN, e.g:

$ ldapdelete -Y GSSAPI

idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

rob

...

Kathy.

[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

SASL/GSSAPI authentication started

SASL username: admin@EXAMPLE.COM mailto:admin@EXAMPLE.COM

SASL SSF: 256

SASL data security layer installed.

# extended LDIF

#

# LDAPv3

# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

# 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

idnsSOAserial: 1630088951

idnsZoneActive: FALSE

idnsSOAminimum: 3600

idnsSOAexpire: 1209600

idnsSOAretry: 900

idnsSOArefresh: 3600

idnsAllowQuery: any;

idnsSOArName: hostmaster

idnsAllowDynUpdate: TRUE

idnsSOAmName: ipa0.example.com http://ipa0.example.com.

idnsName: 15.0.10.in-addr.arpa.

idnsUpdatePolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;

idnsAllowTransfer: none;

objectClass: top

objectClass: idnsrecord

objectClass: idnszone

nSRecord: ipa0.example.com http://ipa0.example.com.

nSRecord: ipa2.example.com http://ipa2.example.com.

nSRecord: ipa3.example.com http://ipa3.example.com.

nSRecord: hou1-ipa1.example.com http://hou1-ipa1.example.com.

nSRecord: sfo1-ipa1.example.com http://sfo1-ipa1.example.com.

nSRecord: hou2-ipa1.example.com http://hou2-ipa1.example.com.

nSRecord: hq-ipa1.example.com http://hq-ipa1.example.com.

nSRecord: gcc2-ipa1.example.com http://gcc2-ipa1.example.com.

# search result

search: 4

result: 0 Success

# numResponses: 2

# numEntries: 1

[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com '(objectclass=ldapsubentry)'

SASL/GSSAPI authentication started

SASL username: admin@EXAMPLE.COM mailto:admin@EXAMPLE.COM

SASL SSF: 256

SASL data security layer installed.

# extended LDIF

#

# LDAPv3

# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree

# filter: (objectclass=ldapsubentry)

# requesting: ALL

#

# 200 + 0aa41606-f47811ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: user9-laptop.example.com http://user9-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 200

# 155 + f3e40606-f6a711ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: user7-laptop.example.com http://user7-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 155

# 183 + c0f24006-f6b011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=183+nsuniqueid=c0f24006-f6b011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: DESKTOP-test.example.com http://DESKTOP-test.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 183

# 101 + 4a137207-f6c511ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=101+nsuniqueid=4a137207-f6c511ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: test-laptop.example.com http://test-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 101

# 74 + 1ccac207-f6cd11ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=74+nsuniqueid=1ccac207-f6cd11ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: jsmith-laptop.example.com http://jsmith-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 74

# 63 + bdd08006-f79411ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=63+nsuniqueid=bdd08006-f79411ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: kwang-laptop.example.com http://kwang-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 63

# 160 + ea49d205-f85011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=160+nsuniqueid=ea49d205-f85011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: john-laptop.example.com http://john-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 160

# 32 + e7f77005-f87011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=32+nsuniqueid=e7f77005-f87011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: key10-laptop.example.com http://key10-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 32

# 66 + 3fc5b812-c04911eb-b84afb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com http://example.com

dn:

idnsName=66+nsuniqueid=3fc5b812-c04911eb-b84afb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

pTRRecord: load8-laptop.example.com http://load8-laptop.example.com.

dNSTTL: 300

objectClass: idnsRecord

objectClass: top

objectClass: ldapsubentry

idnsName: 66

# search result

search: 4

result: 0 Success

# numResponses: 10

# numEntries: 9

[root@ipa0 ~]$

On Fri, Aug 27, 2021 at 9:58 AM Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:

Kathy Zhu wrote:
> Hi Rob,
>
> There are 5 more reverse zones which can not be deleted as well.

IPA

...

> said "Not allowed on non-leaf entry". Though that is the same
complaint,
> however, there are no "glue, extensibleobject" objectclasses
associated
> with those 5 zones. Please see attached for details. I like to have
> those deleted as well.

389 seems to think there are records under those even though IPA

isn't

...

seeing them. 389 doesn't show conflict values. I think I'd try
ldapsearch to see if there is anything below it.

kinit admin
ldapsearch -Y GSSAPI -b
idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

If nothing then add this filter to the end,

'(objectclass=ldapsubentry)'

...

rob

>
> Thanks.
>
> Kathy.
>
>
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find
15.0.10.in-addr.arpa. --all
>
>   dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
>   Record name: @
>
>   NS record: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.,
> ipa2.example.com <http://ipa2.example.com>
<http://ipa2.example.com>., ipa3.example.com <

http://ipa3.example.com%3E

...

> <http://ipa3.example.com>., hou1-ipa1.example.com
<http://hou1-ipa1.example.com>
> <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
<http://sfo1-ipa1.example.com>
> <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
<http://hou2-ipa1.example.com>
> <http://hou2-ipa1.example.com>., hq-
>
>              ipa1.example.com <http://ipa1.example.com>
<http://ipa1.example.com>.,
> gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
<http://gcc2-ipa1.example.com>.
>
>   idnsallowdynupdate: TRUE
>
>   idnsallowquery: any;
>
>   idnsallowtransfer: none;
>
>   idnssoaexpire: 1209600
>
>   idnssoaminimum: 3600
>
>   idnssoamname: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.
>
>   idnssoarefresh: 3600
>
>   idnssoaretry: 900
>
>   idnssoarname: hostmaster
>
>   idnssoaserial: 1629023582
>
>   idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
<http://EXAMPLE.COM>
> krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
* ANY;
>
>   idnszoneactive: FALSE
>
>   objectclass: top, idnsrecord, idnszone
>
> ----------------------------
>
> Number of entries returned 1
>
> ----------------------------
>
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find
14.0.10.in-addr.arpa. --all
>
>   dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
>   Record name: @
>
>   NS record: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.,
> ipa2.example.com <http://ipa2.example.com>
<http://ipa2.example.com>., ipa3.example.com <

http://ipa3.example.com%3E

...

> <http://ipa3.example.com>., hou1-ipa1.example.com
<http://hou1-ipa1.example.com>
> <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
<http://sfo1-ipa1.example.com>
> <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
<http://hou2-ipa1.example.com>
> <http://hou2-ipa1.example.com>., hq-
>
>              ipa1.example.com <http://ipa1.example.com>
<http://ipa1.example.com>.,
> gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
<http://gcc2-ipa1.example.com>.
>
>   idnsallowdynupdate: TRUE
>
>   idnsallowquery: any;
>
>   idnsallowtransfer: none;
>
>   idnssoaexpire: 1209600
>
>   idnssoaminimum: 3600
>
>   idnssoamname: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.
>
>   idnssoarefresh: 3600
>
>   idnssoaretry: 900
>
>   idnssoarname: hostmaster
>
>   idnssoaserial: 1629023582
>
>   idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
<http://EXAMPLE.COM>
> krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
* ANY;
>
>   idnszoneactive: FALSE
>
>   objectclass: top, idnsrecord, idnszone
>
> ----------------------------
>
> Number of entries returned 1
>
> ----------------------------
>
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find
13.0.10.in-addr.arpa. --all
>
>   dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
>   Record name: @
>
>   NS record: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.,
> ipa2.example.com <http://ipa2.example.com>
<http://ipa2.example.com>., ipa3.example.com <

http://ipa3.example.com%3E

...

> <http://ipa3.example.com>., hou1-ipa1.example.com
<http://hou1-ipa1.example.com>
> <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
<http://sfo1-ipa1.example.com>
> <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
<http://hou2-ipa1.example.com>
> <http://hou2-ipa1.example.com>., hq-
>
>              ipa1.example.com <http://ipa1.example.com>
<http://ipa1.example.com>.,
> gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
<http://gcc2-ipa1.example.com>.
>
>   idnsallowdynupdate: TRUE
>
>   idnsallowquery: any;
>
>   idnsallowtransfer: none;
>
>   idnssoaexpire: 1209600
>
>   idnssoaminimum: 3600
>
>   idnssoamname: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.
>
>   idnssoarefresh: 3600
>
>   idnssoaretry: 900
>
>   idnssoarname: hostmaster
>
>   idnssoaserial: 1629023582
>
>   idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
<http://EXAMPLE.COM>
> krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
* ANY;
>
>   idnszoneactive: FALSE
>
>   objectclass: top, idnsrecord, idnszone
>
> ----------------------------
>
> Number of entries returned 1
>
> ----------------------------
>
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find
12.0.10.in-addr.arpa. --all
>
>   dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
>   Record name: @
>
>   NS record: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.,
> ipa2.example.com <http://ipa2.example.com>
<http://ipa2.example.com>., ipa3.example.com <

http://ipa3.example.com%3E

...

> <http://ipa3.example.com>., hou1-ipa1.example.com
<http://hou1-ipa1.example.com>
> <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
<http://sfo1-ipa1.example.com>
> <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
<http://hou2-ipa1.example.com>
> <http://hou2-ipa1.example.com>., hq-
>
>              ipa1.example.com <http://ipa1.example.com>
<http://ipa1.example.com>.,
> gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
<http://gcc2-ipa1.example.com>.
>
>   idnsallowdynupdate: TRUE
>
>   idnsallowquery: any;
>
>   idnsallowtransfer: none;
>
>   idnssoaexpire: 1209600
>
>   idnssoaminimum: 3600
>
>   idnssoamname: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.
>
>   idnssoarefresh: 3600
>
>   idnssoaretry: 900
>
>   idnssoarname: hostmaster
>
>   idnssoaserial: 1629023582
>
>   idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
<http://EXAMPLE.COM>
> krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard
* ANY;
>
>   idnszoneactive: FALSE
>
>   objectclass: top, idnsrecord, idnszone
>
> ----------------------------
>
> Number of entries returned 1
>
> ----------------------------
>
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find
0.0.10.in-addr.arpa. --all
>
>   dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
>   Record name: @
>
>   NS record: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.,
> ipa2.example.com <http://ipa2.example.com>
<http://ipa2.example.com>., ipa3.example.com <

http://ipa3.example.com%3E

...

> <http://ipa3.example.com>., hou1-ipa1.example.com
<http://hou1-ipa1.example.com>
> <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com
<http://sfo1-ipa1.example.com>
> <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com
<http://hou2-ipa1.example.com>
> <http://hou2-ipa1.example.com>., hq-
>
>              ipa1.example.com <http://ipa1.example.com>
<http://ipa1.example.com>.,
> gcc2-ipa1.example.com <http://gcc2-ipa1.example.com>
<http://gcc2-ipa1.example.com>.
>
>   idnsallowdynupdate: TRUE
>
>   idnsallowquery: any;
>
>   idnsallowtransfer: none;
>
>   idnssoaexpire: 1209600
>
>   idnssoaminimum: 3600
>
>   idnssoamname: ipa0.example.com <http://ipa0.example.com>
<http://ipa0.example.com>.
>
>   idnssoarefresh: 3600
>
>   idnssoaretry: 900
>
>   idnssoarname: hostmaster.example.com
<http://hostmaster.example.com> <http://hostmaster.example.com>.
>
>   idnssoaserial: 1629023582
>
>   idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM>
<http://EXAMPLE.COM>
> krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard *
ANY;
>
>   idnszoneactive: FALSE
>
>   objectclass: top, idnsrecord, idnszone
>
> ----------------------------
>
> Number of entries returned 1
>
> ----------------------------
>
> [root@ipa0 export-ipa-data]#
>
>
> On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <kzhu@nuro.ai
<mailto:kzhu@nuro.ai>
> <mailto:kzhu@nuro.ai <mailto:kzhu@nuro.ai>>> wrote:
>
>     Yes, I want to delete the zone. I tried a few ways, none
worked so far.
>
>     On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden
<rcritten@redhat.com <mailto:rcritten@redhat.com>
>     <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>

wrote:

...

>
>         Kathy Zhu via FreeIPA-users wrote:
>         > Hi List,
>         >
>         > When I run ipa-healthcheck on all of our ipa servers,
they all
>         reported
>         > following:
>         >
>         > [root@ipa0 ~]# ipa-healthcheck --failures-only
--output-type human
>         >
>         > ERROR:
>         >
>

ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com:

...

>         > Replication conflict
>         >
>         > [root@ipa0 ~]#
>         >
>         > [root@ipa0 ~]# ipa-healthcheck --failures-only
>         >
>         > [
>         >
>         >   {
>         >
>         >     "source": "ipahealthcheck.ds.replication",
>         >
>         >     "kw": {
>         >
>         >       "msg": "Replication conflict",
>         >
>         >       "glue": true,
>         >
>         >       "conflict": "deletedEntryHasChildren",
>         >
>         >       "key":
>         "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
>         >
>         >     },
>         >
>         >     "uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
>         >
>         >     "duration": "0.002318",
>         >
>         >     "when": "20210819234114Z",
>         >
>         >     "check": "ReplicationConflictCheck",
>         >
>         >     "result": "ERROR"
>         >
>         >   }
>         >
>         > ]
>         >
>         > [root@ipa0 ~]#
>         >
>         > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa.
>         > --sizelimit=99999 --all --structured
>         >
>         >   dn:

idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com

...

>         >
>         >   Record name: @
>         >
>         >   Records:
>         >
>         >     Record type: NS
>         >
>         >     Record data: ipa1.example.com
<http://ipa1.example.com> <http://ipa1.example.com>
>         <http://ipa1.example.com>.
>         >
>         >     NS Hostname: ipa1.example.com
<http://ipa1.example.com> <http://ipa1.example.com>
>         <http://ipa1.example.com>.
>         >
>         >   idnsallowdynupdate: TRUE
>         >
>         >   idnsallowquery: any;
>         >
>         >   idnsallowtransfer: none;
>         >
>         >   idnssoaexpire: 1209600
>         >
>         >   idnssoaminimum: 3600
>         >
>         >   idnssoamname: ipa0.example.com
<http://ipa0.example.com> <http://ipa0.example.com>
>         <http://ipa0.example.com>.
>         >
>         >   idnssoarefresh: 3600
>         >
>         >   idnssoaretry: 900
>         >
>         >   idnssoarname: hostmaster
>         >
>         >   idnssoaserial: 1629023582
>         >
>         >   idnsupdatepolicy: grant EXAMPLE.COM
<http://EXAMPLE.COM> <http://EXAMPLE.COM>
>         <http://EXAMPLE.COM>
>         > krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key
>         wildcard * ANY;
>         >
>         >   idnszoneactive: FALSE
>         >
>         >   objectclass: top, idnsrecord, idnszone, glue,
extensibleobject
>         >
>         > ----------------------------
>         >
>         > Number of entries returned 1
>         >
>         > ----------------------------
>         >
>         > [root@ipa0 ~]#
>         >
>         >
>         > Notice above, glue is true! After googling, I found
following:
>         >
>         >
>         >
>

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...

...

>         >
>         >
>         >
>

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...

...

>         >
>         >
>         > The explanation made sense to me. However, I do not know
what
>         happened
>         > to get us into this situation.
>         >
>         >
>         > A good zone displays objectclass like this:
>         >
>         >
>         > objectclass: top, idnsrecord, idnszone
>         >
>         >
>         >
>         > Note, no "glue, extensibleobject" there.
>         >
>         >
>         > This zone can not be deleted since "Not allowed on

non-leaf

...

>         entry". Any
>         > ideas to delete this zone?
>
>         Do you want to delete the zone?
>
>         rob
>