Deubgging some issues with my DFS client logic I found that samba answers domain DFS root referral requests by pointing back to the domain name instead of the DFS namespace server (or DC respectively). It appears to reflect back the requested host/domain name, which works for standalone DFS but not domain based.

In Data
    Max Referral Level: 4
    File Name: \samba4ad.springfield\dfs

-> Referral
    Version: 3
    Size: 34
    Server Type: Root targets returns (1)
    Flags: 0x0000
    TTL: 600
    Path Offset: 34
    Alt Path Offset: 86
    Node Offset: 138
    Server GUID: 00000000-0000-0000-0000-000000000000
    Path: \samba4ad.springfield\dfs
    Alt Path: \samba4ad.springfield\dfs
    Node: \samba4ad.springfield\dfs


While this may work by accident under some circumstances (domain A record pointing to the DC which is also the DFS namespace server, no kerberos auth), this is definitly not the correct behavior (you never end up with an actual server name/SPN). Windows clients seem to ignore these referrals. 
Windows 2019 response for comparison:

In Data
    Max Referral Level: 4
    File Name: \w2k19single.springfield\dfs

-> Referral
    Version: 4
    Size: 34
    Server Type: Root targets returns (1)
    Flags: 0x0004, TargetSetBoundary
    TTL: 300
    Path Offset: 34
    Alt Path Offset: 92
    Node Offset: 150
    Server GUID: 00000000-0000-0000-0000-000000000000
    Path: \w2k19single.springfield\dfs
    Alt Path: \w2k19single.springfield\dfs
    Node: \W2K19-SINGLE-DC.w2k19single.springfield\dfs



#11333 could be related.

Attaching some examples, can provide the PCAPs if needed (however, only will be back in three weeks).