[Samba] AXFR transfer: SRV for DC missing
Rowland Penny
rpenny at samba.org
Tue Oct 28 09:18:12 UTC 2025
On Tue, 28 Oct 2025 03:02:34 +0100
Markus Gschwendt via samba <samba at lists.samba.org> wrote:
>
> I did read this some time ago and I don't remember the source -
> sorry. But good to know it should still work in Trixie.
> However, the upgrade was necessary because we could not join Win11
> 24H2 clients and we thought it's time to migrate to AD anyways.
The time, in my opinion, was more than 5 years ago, if not longer.
>
> >
> > > So we did the migration prior to the Debian upgrade.
> > > As we have the problem with AXFR transfers only at one of 2 sites
> > > I'd
> > > like to fix this before we do any further upgrades.
> >
> > Why do you want to do this ?
> > Samba AD DCs are authoritative for the DNS domain, all of them, it
> > is known as multi-master. There is no real need to transfer the
> > records to
> > an external dns server.
>
> We really don't want the Samba server to be our central DNS system.
It doesn't have to be, but as AD lives and dies on DNS, the DC(s) need
to be 'central' for your AD domain clients. The DC(s) need to be the
first port of contact for the domain clients, anything unknown e.g.
www.google.com is forwarded to an external DNS server.
> Separating services is the main reason. (Security, debugging, ...)
> Maybe a discussion for another thread.
In my opinion you are setting yourself up for a lot of pain.
>
> >
> > > (A short try to upgrade to Trixie did not start samba - I had no
> > > time
> > > to investigate)
> >
> > It should have started, provided you ran something like 'systemctl
> > start samba-ad-dc'.
> >
>
> I'll try again in some weeks when we are done with the rest of the
> migration.
>
>
> It's like 'ad1.companyname.internal'
> .internal as TLD as recommended by IANA [0]
If IANA is recommending that, then I do not know why they haven't
added it to the reserved list.
However, that is beyond the point, whatever you use should not be
routable from the internet.
>
> > ...
> > >
> > > We need to get the whole zone information to another Bind9 server
> > > via
> > > AXFR.
> >
> > Why ?
>
> I think that's one of the reasons the bind9_dlz module exists and even
> there is a setting in smb.conf '[global]' to allow such transfers.
> E.g.:
> 'dns zone transfer clients allow = 192.168.0.1'
I have never really understood just why you would do that, it isn't
required and can cause problems. As I said, just set your domain
clients to use the DC(s) as their nameservers and everything just works.
Rowland
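The restricted transfer Markus describes, written out as an added example (not from the thread or from the Samba project); the addresses 192.0.2.10 for the DC, 192.0.2.20 for the Bind9 secondary, the zone name and file paths are assumed:

```conf
# --- /etc/samba/smb.conf on the Samba AD DC (assumed path) ---
[global]
    # ... existing AD DC settings ...
    # Only the listed host(s) may pull the zone with AXFR.
    # The default is an empty list, which means no host may transfer it.
    dns zone transfer clients allow = 192.0.2.20

# --- /etc/bind/named.conf.local on the external Bind9 secondary (assumed path) ---
zone "companyname.internal" {
    type secondary;              # "slave" on BIND releases before 9.16
    primaries { 192.0.2.10; };   # the DC; "masters" on BIND releases before 9.16
    file "/var/cache/bind/db.companyname.internal";
};
```

Any other address asking the DC for an AXFR is refused, so the full zone contents stay limited to the one secondary you intend to receive them.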