After investigating my DC demotion problem, it looks like the issues are in DNS. Apparently Windows DNS updates propagate correctly to Samba, but the other way it does not work. So the Samba DNS has the complete DC situation, but Windows only knows about itself (in the SRV records, the A record for the domain, etc). Of course I can fix it manually in Windows if needed. As I also have another problem with DNS (the clients cannot update their name in DNS, all the time I get named[1598]: client 172.29.32.1#53548: update 'example.nl/IN' denied and like many others I found using Google I have not been able to fix it), I am considering switching from BIND backend to internal DNS. However, I need BIND locally on the machine. So I think I could configure BIND to listen only on 127.0.0.1, have SAMBA DNS listen on the server LAN address, and configure it to forward to 127.0.0.1. That way I can have the Samba DNS for handling the AD DNS, and BIND for all software running on the server. I think I could even configure BIND to forward the AD domain name to the LAN address and have it picked up by Samba. But of course I like to keep "interfaces = lo eth0" (eth1 is internet on this machine). The question is: will this work? What socket address(es) will Samba listen on when starting its DNS server? The "interfaces" specified in smb.conf? Or is there a separate configuration possibility for this? Will it be listening on 0.0.0.0? Will it fatally abort when it tries to listen on 127.0.0.1 and finds BIND already using that address? or will it just go on and listen only on the eth0 address? Many questions... but I hesitate to just switch and see what happens. Rob