Currently samba4 returns the SOA of an integrated zone with the primary server that created the zone, normally the first provisioned server in a domain. This means that this server is responsible for accepting all ddns updates, as clients direct their updates to the host in the SOA. Samba4 via either bind-dlz or the internal server should rewrite the SOA with itself as the primary server when queried so that dynamic updates are distributed.
We also need to return the SOA record in the authoritative section when the client asks for a non-existing name in our zone. That's how clients typically find the server for dynamic dns updates.
Fixed by c1bf6d24936b5255b9a714f8f252e281b7f82c9f in master for Samba 4.7