Hi!

We just did an upgrade from Samba NT-style domain to AD.
Most things are working fine. Just the AXFR transfer to a secondary
nameserver is missing some records.

Everything is on the latest packages of debian bookworm (Samba, Bind,...)

The AD DC has a bind9 which gets zone information via DLZ module.

A DNS lookup for the SRV record on the AD does return the record
correctly:

dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX

; <<>> DiG 9.20.11-4-Debian <<>> SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 79f68a16d56af3d70100000068ff8bd19ebb9a54d2a9b7d7 (good)
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.example.internal. IN SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.internal. 3600 IN SRV 0 100 389 ad1.example.internal.

;; Query time: 3 msec
;; SERVER: 192.168.0.XXX#53(192.168.0.XXX) (UDP)
;; WHEN: Mon Oct 27 16:12:17 CET 2025
;; MSG SIZE  rcvd: 171

If I manually ask for the whole zone via AXFR the record is missing:

dig axfr example.internal @192.168.0.XXX |grep SRV
_gc._tcp.example.internal. 900 IN SRV 0 100 3268 ad1.example.internal.
_kerberos._tcp.example.internal. 900 IN SRV 0 100 88 ad1.example.internal.
_ldap._tcp.DomainDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_kpasswd._udp.example.internal. 900 IN SRV 0 100 464 ad1.example.internal.
_ldap._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_gc._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV 0 100 3268 ad1.example.internal.
_ldap._tcp.ForestDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_kpasswd._tcp.example.internal. 900 IN SRV 0 100 464 ad1.example.internal.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_ldap._tcp.example.internal. 900 IN SRV 0 100 389 ad1.example.internal.
_kerberos._udp.example.internal. 900 IN SRV 0 100 88 ad1.example.internal.
_kerberos._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV 0 100 88 ad1.example.internal.

This means
* Inside samba ldb the record is present.
* Bind seems it can deliver the SRV record.
* But it is not delivered in a zone transfer via AXFR.

As you can see from the output, the axfr transfer itself does work and
the allow-settings are correct.

Why is the record in AXFR missing or how can I get it into AXFR?
Can anybody help on this?

At another site/company we have the same setup (versions, config,...)
and there it's working without problems.

Markus
On Mon, 27 Oct 2025 17:56:38 +0100
"Ing. Markus Gschwendt via samba" <samba at lists.samba.org> wrote:

> Hi!
>
> We just did an upgrade from Samba NT-style domain to AD.
> Most things are working fine. Just the AXFR transfer to a secondary
> nameserver is missing some records.
>
> Everything is on the latest packages of debian bookworm (Samba,
> Bind,...)

I would have used Trixie, bookworm isn't likely to get any further
Samba updates.

> The AD DC has a bind9 which gets zone information via DLZ module.
>
> A DNS lookup for the SRV record on the AD does return the record
> correctly:
>
> dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX

There must be a reason why you have sanitised that 192.168.0 IP, but it
beats me, it isn't routable outside your network.

> ; <<>> DiG 9.20.11-4-Debian <<>> SRV
> _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
> 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 79f68a16d56af3d70100000068ff8bd19ebb9a54d2a9b7d7 (good)
> ;; QUESTION SECTION:
> ;_ldap._tcp.dc._msdcs.example.internal. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.dc._msdcs.example.internal. 3600 IN SRV 0 100 389
> ad1.example.internal.
>
> ;; Query time: 3 msec
> ;; SERVER: 192.168.0.XXX#53(192.168.0.XXX) (UDP)
> ;; WHEN: Mon Oct 27 16:12:17 CET 2025
> ;; MSG SIZE  rcvd: 171
>
> if I manually ask for the whole zone via AXFR the record is missing:
>
> dig axfr example.internal @192.168.0.XXX |grep SRV
> _gc._tcp.example.internal. 900 IN SRV 0 100 3268
> ad1.example.internal.
> _kerberos._tcp.example.internal. 900 IN SRV 0
> 100 88 ad1.example.internal.
> _ldap._tcp.DomainDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _kpasswd._udp.example.internal. 900 IN SRV 0 100 464
> ad1.example.internal.
> _ldap._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV
> 0 100 389 ad1.example.internal.
> _gc._tcp.Default-First-Site-Name._sites.example.internal. 900
> IN SRV 0 100 3268 ad1.example.internal.
> _ldap._tcp.ForestDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _kpasswd._tcp.example.internal. 900 IN SRV 0 100 464
> ad1.example.internal.
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _ldap._tcp.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _kerberos._udp.example.internal. 900 IN SRV 0
> 100 88 ad1.example.internal.
> _kerberos._tcp.Default-First-Site-Name._sites.example.internal. 900 IN
> SRV 0 100 88 ad1.example.internal.
>
> This means
> * Inside samba ldb the record is present.
> * Bind seems it can deliver the SRV record.
> * But it is not delivered in a zone transfer via AXFR.
>
> As you can see from the output, the axfr transfer itself does work and
> the allow-settings are correct.
>
> Why is the record in AXFR missing or how can I get it into AXFR?
> Can anybody help on this?

It is very easy to get DNS onto another server, add another DC, you
should have more than one DC anyway.

Rowland

> At another site/company we have the same setup (versions, config,...)
> and there it's working without problems.
>
> Markus
>
You really need Trixie or else at least Samba from backports. Bookworm is
4.17, latest is 4.23.

http://samba.bigbird.es/doku.php?id=samba:installing-from-backports

On Oct 27, 2025 at 17:36 +0000, office+samba at gschwendt.at, wrote:
>
> Everything is on the latest packages of debian bookworm (Samba,
> Bind,...)
On 2025-10-27 9:56 a.m., Ing. Markus Gschwendt via samba wrote:
> Hi!

Hello Markus,

> We just did an upgrade from Samba NT-style domain to AD.
> Most things are working fine. Just the AXFR transfer to a secondary
> nameserver is missing some records.

[snip]

> A DNS lookup for the SRV record on the AD does return the record
> correctly:
>
> dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
...
> _ldap._tcp.dc._msdcs.example.internal. 3600 IN SRV 0 100 389
> ad1.example.internal.

[snip]

> if I manually ask for the whole zone via AXFR the record is missing:
>
> dig axfr example.internal @192.168.0.XXX |grep SRV

I believe you have made an incorrect assumption. There is not just one
zone, but two:

  example.internal
  AND
  _msdcs.example.internal

Even though the latter is a subdomain of the former, the latter is a
separate zone, and its contents are NOT transferred when you request
AXFR on example.internal. Zone transfers are not recursive.

Try this test instead:

  dig @192.168.0.XXX _msdcs.example.internal AXFR | grep -i srv

I think you will find your "missing" records are there.

I hope this helps,

-S.M.
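To make the zone-cut point concrete, here is an added example (not code from the thread) that assigns each SRV owner name to the zone whose AXFR would actually carry it, by longest-suffix match against the zone apexes an AD DC serves. The zone list and record names are constructed from the names quoted in the thread.

```python
"""Classify DNS owner names by the zone that holds them (longest-suffix
match), showing why _ldap._tcp.dc._msdcs.example.internal is absent from
an AXFR of example.internal but present in one of _msdcs.example.internal.
Added example, not code from the thread; names are constructed."""

from typing import Optional

# The two zones the reply describes: the domain zone and its separate
# _msdcs child zone (constructed from the thread's names).
ZONES = ["example.internal", "_msdcs.example.internal"]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are uniform."""
    return name.lower().rstrip(".")


def owning_zone(name: str, zones: list[str]) -> Optional[str]:
    """Return the most specific zone apex that contains `name`, or None.

    At a zone cut the child zone, not the parent, owns every name at or
    below the child apex, so an AXFR of the parent stops at the cut.
    """
    n = normalize(name)
    best = None
    for zone in zones:
        z = normalize(zone)
        # Require a label boundary so "notexample.internal" does not match.
        if n == z or n.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def split_by_zone(names: list[str], zones: list[str]) -> dict[str, list[str]]:
    """Group owner names by the zone whose AXFR would carry their records."""
    groups: dict[str, list[str]] = {normalize(z): [] for z in zones}
    for name in names:
        zone = owning_zone(name, zones)
        if zone is not None:
            groups[zone].append(normalize(name))
    return groups


# SRV owner names from the thread's dig output plus the "missing" one.
SRV_NAMES = [
    "_ldap._tcp.example.internal.",
    "_kerberos._tcp.example.internal.",
    "_ldap._tcp.dc._msdcs.example.internal.",
]

if __name__ == "__main__":
    for zone, names in split_by_zone(SRV_NAMES, ZONES).items():
        print(f"AXFR of {zone} carries: {names}")
```

Running it lists the _msdcs record only under _msdcs.example.internal, which is why a second `dig ... AXFR` against that zone is needed on the secondary as well.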