samba - Oct 2025 - AXFR transfer: SRV for DC missing

Thanks for the fast answers, Rowland and Peter!

On Mon, 2025-10-27 at 18:02 +0000, Rowland Penny via samba
wrote:
> On Mon, 27 Oct 2025 17:56:38 +0100
> "Ing. Markus Gschwendt via samba" <samba at
lists.samba.org> wrote:
> 
> > ...
> > Everything is on the latest packages of debian bookworm (Samba,
> > Bind,...) 
> 
> I would have used Trixie, bookworm isn't likely to get any further
> Samba updates.
This is the intention. But if I'm informed right, there is no support
for NT-style domains in the Samba version in Trixie or Bookworm
Backports. So we did the migration prior to the Debian upgrade.
As we have the problem with AXFR transfers only at one of 2 sites I'd
like to fix this before we do any further upgrades.
(A short try to upgrade to Trixie did not start samba - I had no time
to investigate)

...
> > dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> 
> There must be a reason why you have sanitised that 192.168.0 IP,
> but it
> beats me, it isn't routable outside your network.
It's just the IP of the Samba AD DC server. Private IP subnet.
The domain name is changed to example.internal.
> ...
> > * Inside samba ldb the record is present.
> > * Bind seems it can deliver the SRV record.
> > * But it is not delivered in a zone transfer via AXFR.
> > 
> > As you can see from the output, the axfr transfer itself does work
> > and
> > the allow-settings are correct.
> > 
> > Why is the record in AXFR missing or how can I get it into AXFR?
> > Can anybody help on this?
> 
> It is very easy to get DNS onto another server, add another DC, you
> should have more than one DC anyway.
There is no issue with a secondary DC.

We need to get the whole zone information to another Bind9 server via
AXFR.
This NS server receives the zone from the Samba AD DC but it is missing
a few records.


Markus

On Mon, 27 Oct 2025 21:08:39 +0100
Markus Gschwendt via samba <samba at lists.samba.org> wrote:
> Thanks for the fast answers, Rowland and Peter!
> 
> On Mon, 2025-10-27 at 18:02 +0000, Rowland Penny via samba wrote:
> > On Mon, 27 Oct 2025 17:56:38 +0100
> > "Ing. Markus Gschwendt via samba" <samba at
lists.samba.org> wrote:
> > 
> > > ...
> > > Everything is on the latest packages of debian bookworm (Samba,
> > > Bind,...) 
> > 
> > I would have used Trixie, bookworm isn't likely to get any further
> > Samba updates.
> 
> This is the intention. But if I'm informed right, there is no support
> for NT-style domains in the Samba version in Trixie or Bookworm
> Backports.
I do not know where you got that idea from, you can set up an NT4-style
domain even with the latest Samba version, I just wouldn't recommend
doing so.
> So we did the migration prior to the Debian upgrade.
> As we have the problem with AXFR transfers only at one of 2 sites I'd
> like to fix this before we do any further upgrades.
Why do you want to do this ? 
Samba AD DCs are authoritative for the DNS domain, all of them, it is
known as multi-master. There is no real need to transfer the records to
an external dns server.
 
> (A short try to upgrade to Trixie did not start samba - I had no time
> to investigate)
It should have started, provided you ran something like 'systemctl
start samba-ad-dc'.
> 
> ...
> > > dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> > 
> > There must be a reason why you have sanitised that 192.168.0 IP,
> > but it
> > beats me, it isn't routable outside your network.
> 
> It's just the IP of the Samba AD DC server. Private IP subnet.
I realised that and there was no need to sanitise it, but light might
be dawning, are you using your registered dns domain for the AD domain
and not a subdomain e.g. something like ad.example.internal ?

> The domain name is changed to example.internal.
> 
> > ...
> > > * Inside samba ldb the record is present.
> > > * Bind seems it can deliver the SRV record.
> > > * But it is not delivered in a zone transfer via AXFR.
> > > 
> > > As you can see from the output, the axfr transfer itself does
work
> > > and
> > > the allow-settings are correct.
> > > 
> > > Why is the record in AXFR missing or how can I get it into AXFR?
> > > Can anybody help on this?
> > 
> > It is very easy to get DNS onto another server, add another DC, you
> > should have more than one DC anyway.
> 
> There is no issue with a secondary DC.
> 
> We need to get the whole zone information to another Bind9 server via
> AXFR.
Why ?
> This NS server receives the zone from the Samba AD DC but it is
> missing a few records.
Rowland