samba - Oct 2025 - AXFR transfer: SRV for DC missing

On Mon, 27 Oct 2025 17:56:38 +0100
"Ing. Markus Gschwendt via samba" <samba at lists.samba.org>
wrote:
> Hi!
> 
> We just did an upgrade from Samba NT-style domain to AD.
> Most things are working fine. Just the AXFR transfer to a secondary
> nameserver is missing some records.
> 
> Everything is on the latest packages of debian bookworm (Samba,
> Bind,...) 
I would have used Trixie, bookworm isn't likely to get any further
Samba updates.
> The AD DC has a bind9 which and gets zone information via DLZ module.
> 
> 
> 
> A DNS lookup for the SRV record on the AD does return the record
> correctly:
> 
> dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
There must be a reason why you have sanitised that 192.168.0 IP, but it
beats me, it isn't routable outside your network.
> ; <<>> DiG 9.20.11-4-Debian <<>> SRV
> _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
> 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 79f68a16d56af3d70100000068ff8bd19ebb9a54d2a9b7d7 (good)
> ;; QUESTION SECTION:
> ;_ldap._tcp.dc._msdcs.example.internal. IN SRV
> 
> ;; ANSWER SECTION:
> _ldap._tcp.dc._msdcs.example.internal. 3600 IN SRV 0 100 389
> ad1.example.internal.
> 
> ;; Query time: 3 msec
> ;; SERVER: 192.168.0.XXX#53(192.168.0.XXX) (UDP)
> ;; WHEN: Mon Oct 27 16:12:17 CET 2025
> ;; MSG SIZE? rcvd: 171
> 
> 
> 
> if I manually ask for the whole zone via AXFR the record is missing:
> 
> dig axfr example.internal @192.168.0.XXX |grep SRV
> _gc._tcp.example.internal. 900	IN	SRV	0 100 3268
> ad1.example.internal.
> _kerberos._tcp.example.internal.	900 IN	SRV	0
> 100 88 ad1.example.internal.
> _ldap._tcp.DomainDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _kpasswd._udp.example.internal. 900 IN	SRV	0 100 464
> ad1.example.internal.
> _ldap._tcp.Default-First-Site-Name._sites.example.internal. 900 IN SRV
> 0 100 389 ad1.example.internal.
> _gc._tcp.Default-First-Site-Name._sites.example.internal. 900
> IN	SRV 0 100 3268 ad1.example.internal.
> _ldap._tcp.ForestDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _kpasswd._tcp.example.internal. 900 IN	SRV	0 100 464
> ad1.example.internal.
> _ldap._tcp.Default-First-Site-
> Name._sites.ForestDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _ldap._tcp.Default-First-Site-
> Name._sites.DomainDnsZones.example.internal. 900 IN SRV 0 100 389
> ad1.example.internal.
> _ldap._tcp.example.internal. 900	IN	SRV	0 100 389
> ad1.example.internal.
> _kerberos._udp.example.internal.	900 IN	SRV	0
> 100 88 ad1.example.internal.
> _kerberos._tcp.Default-First-Site-Name._sites.example.internal. 900 IN
> SRV 0 100 88 ad1.example.internal.
> 
> 
> This means
> * Inside samba ldb the record is present.
> * Bind seems it can deliver the SRV record.
> * But it is not delivered in a zone transfer via AXFR.
> 
> As you can see from the output, the axfr transfer itself does work and
> the allow-settings are correct.
> 
> Why is the record in AXFR missing or how can I get it into AXFR?
> Can anybody help on this?
It is very easy to get DNS onto another server, add another DC, you
should have more than one DC anyway.

Rowland
> 
> At another site/company we have the same setup (versions, config,...)
> and there it's working without problems.
> 
> Markus
>

Thanks for the fast answers, Rowland and Peter!

On Mon, 2025-10-27 at 18:02 +0000, Rowland Penny via samba
wrote:
> On Mon, 27 Oct 2025 17:56:38 +0100
> "Ing. Markus Gschwendt via samba" <samba at
lists.samba.org> wrote:
> 
> > ...
> > Everything is on the latest packages of debian bookworm (Samba,
> > Bind,...) 
> 
> I would have used Trixie, bookworm isn't likely to get any further
> Samba updates.
This is the intention. But if I'm informed right, there is no support
for NT-style domains in the Samba version in Trixie or Bookworm
Backports. So we did the migration prior to the Debian upgrade.
As we have the problem with AXFR transfers only at one of 2 sites I'd
like to fix this before we do any further upgrades.
(A short try to upgrade to Trixie did not start samba - I had no time
to investigate)

...
> > dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> 
> There must be a reason why you have sanitised that 192.168.0 IP,
> but it
> beats me, it isn't routable outside your network.
It's just the IP of the Samba AD DC server. Private IP subnet.
The domain name is changed to example.internal.
> ...
> > * Inside samba ldb the record is present.
> > * Bind seems it can deliver the SRV record.
> > * But it is not delivered in a zone transfer via AXFR.
> > 
> > As you can see from the output, the axfr transfer itself does work
> > and
> > the allow-settings are correct.
> > 
> > Why is the record in AXFR missing or how can I get it into AXFR?
> > Can anybody help on this?
> 
> It is very easy to get DNS onto another server, add another DC, you
> should have more than one DC anyway.
There is no issue with a secondary DC.

We need to get the whole zone information to another Bind9 server via
AXFR.
This NS server receives the zone from the Samba AD DC but it is missing
a few records.


Markus