On Mon, 2025-10-27 at 18:20 -0700, Steven Monai via samba
wrote:
> On 2025-10-27 9:56 a.m., Ing. Markus Gschwendt via samba wrote:
> > Hi!
>
> Hello Markus,
>
> > We just did an upgrade from Samba NT-style domain to AD.
> > Most things are working fine. Just the AXFR transfer to a secondary
> > nameserver is missing some records.
>
> [snip]
> > A DNS lookup for the SRV record on the AD does return the record
> > correctly:
> >
> > dig SRV _ldap._tcp.dc._msdcs.example.internal @192.168.0.XXX
> > ...
> > _ldap._tcp.dc._msdcs.example.internal. 3600 IN SRV 0 100 389
> > ad1.example.internal.
>
> [snip]
>
> > if I manually ask for the whole zone via AXFR the record is
> > missing:
> >
> > dig axfr example.internal @192.168.0.XXX |grep SRV
>
>
> I believe you have made an incorrect assumption. There is not just one
> zone, but two:
>
> example.internal AND _msdcs.example.internal
>
> Even though the latter is a subdomain of the former, the latter is a
> separate zone, and its contents are NOT transferred when you request
> AXFR on example.internal. Zone transfers are not recursive.
>
> Try this test instead:
>
> dig @192.168.0.XXX _msdcs.example.internal AXFR | grep -i srv
>
> I think you will find your "missing" records are there.
Wow, thanks for that hint!
Yes, I did read that this is a separate zone, but I was not aware that
subdomains are not included in the AXFR; it's obvious now.
I just tested putting a second slave zone on the other nameserver, and
replication works.
Tomorrow I will test Windows clients as I can not do this remotely.
But now I'm puzzled why this works in just one slave zone at the other
site we have ...
Thanks Steven and Rowland for looking into this!
Markus
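An added example, not code from the thread or from Samba, that makes Steven's point checkable. It parses the output of an AXFR of the parent zone, picks out every NS record whose owner sits below the zone apex (a delegation, which is the only trace a separately hosted child zone leaves in the parent's transfer), and prints the extra `dig ... AXFR` command and the extra secondary zone stanza that each delegated child needs. The sample AXFR output, the host name ad1, the address 192.168.0.10 and the assumption that the secondary runs BIND 9.16 or later are all constructed here and not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. It applies Steven's
# point mechanically: an AXFR of the parent zone only carries the delegation
# (NS records below the apex) for a child zone, never the child's own
# records, so each delegated child needs its own AXFR and its own secondary
# zone. The sample AXFR output, host name and IP below are constructed.

# list_delegations ZONE  (reads dig AXFR output on stdin)
# Prints the owner name of every NS record that sits below the zone apex,
# i.e. every delegated child zone whose contents are NOT in this transfer.
list_delegations() {
    zone="$1"
    awk -v apex="$zone." '
        /^;/ || /^[ \t]*$/ { next }                           # dig comments, blank lines
        $3 == "IN" && $4 == "NS" && $1 != apex { print $1 }   # owner TTL IN NS target
    ' | sort -u
}

# axfr_plan SERVER ZONE  (reads dig AXFR output on stdin)
# Prints the additional dig command needed for each delegated child zone.
axfr_plan() {
    server="$1"; zone="$2"
    list_delegations "$zone" | while read -r child; do
        printf 'dig @%s %s AXFR\n' "$server" "${child%.}"
    done
}

# bind_secondary_conf PRIMARY ZONE  (reads dig AXFR output on stdin)
# Prints one BIND 9.16+ secondary zone stanza for the parent and one per
# delegated child. That the secondary runs BIND is an assumption; the thread
# does not say what software the other nameserver uses.
bind_secondary_conf() {
    primary="$1"; zone="$2"
    axfr=$(cat)
    {
        printf '%s\n' "$zone"
        printf '%s\n' "$axfr" | list_delegations "$zone" | sed 's/\.$//'
    } | while read -r z; do
        printf 'zone "%s" {\n    type secondary;\n    primaries { %s; };\n    file "%s.db";\n};\n' \
            "$z" "$primary" "$z"
    done
}

# Constructed sample of "dig @192.168.0.XXX example.internal AXFR": apex SOA
# and NS, one host, and the _msdcs delegation. The SRV records the thread is
# about live in the child zone _msdcs.example.internal and are absent here.
SAMPLE_AXFR='
; <<>> DiG 9.18.0 <<>> @192.168.0.XXX example.internal AXFR
example.internal.        3600 IN SOA ad1.example.internal. hostmaster.example.internal. 42 900 600 86400 3600
example.internal.        3600 IN NS  ad1.example.internal.
ad1.example.internal.    3600 IN A   192.168.0.10
_msdcs.example.internal. 3600 IN NS  ad1.example.internal.
example.internal.        3600 IN SOA ad1.example.internal. hostmaster.example.internal. 42 900 600 86400 3600
'

# Usage: what else has to be transferred, and what the secondary needs.
printf '%s\n' "$SAMPLE_AXFR" | axfr_plan 192.168.0.XXX example.internal
printf '%s\n' "$SAMPLE_AXFR" | bind_secondary_conf 192.168.0.XXX example.internal
```

To use it against a real server, replace the constructed sample with the output of `dig @<server> <zone> AXFR`. If the parent's transfer shows no NS record below the apex at all, nothing in it even hints that a child zone exists; you then have to know the child zone's name, as with `_msdcs.example.internal` here, and add its secondary zone by hand.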