Dear list,

I tried to replace the AD DC in my home network (all running samba-4.2.0rc2). I followed this procedure:

- set up and join DC2 to the domain served by DC1
- transfer FSMO
- demote and switch off DC1

and as there were still remnants of DC1 in the domain:

- wipe out the traces of DC1 in ADUC.

The first issue is that not all the traces could be wiped out. ADUC refuses to do so while complaining about missing permissions.

The second issue was that bind didn't come up after the scrubbing procedure:

    Oct 18 20:08:12 DC2 named[1733]: samba_dlz: configured writeable zone 'samdom.samba.org'
    Oct 18 20:08:12 DC2 named[1733]: zone _msdcs.samdom.samba.org/NONE: has no NS records
    Oct 18 20:08:12 DC2 named[1733]: samba_dlz: Failed to configure zone '_msdcs.samdom.samba.org'
    Oct 18 20:08:12 DC2 named[1733]: loading configuration: bad zone
    Oct 18 20:08:12 DC2 named[1733]: exiting (due to fatal error)

I could fix this up by doing:

    samba-tool dns add DC2 _msdcs.samdom.samba.org @ NS DC2.samdom.samba.org -Uadministrator

- apparently I had deleted the record

    @ IN NS DC1.samdom.samba.org.

I think that it is a bug that this entry is on DC2. Seen from a BIND9 view, there are two master DNS servers in the net, which have exactly the same entries in their zone files, e.g.:

    $TTL 86400
    @ IN SOA dns.samdom.samba.org admin.samdom.samba.org. ( ... -> SOA goes here
    @ IN NS DC1.samdom.samba.org.
    DC1.samdom.samba.org. IN A 192.168.1.1
    DC2.samdom.samba.org. IN A 192.168.1.2

But I think, on the second server the zone file should look like this:

    $TTL 86400
    @ IN SOA dns.samdom.samba.org admin.samdom.samba.org. ( ... -> SOA goes here
    @ IN NS DC2.samdom.samba.org.
    DC1.samdom.samba.org. IN A 192.168.1.1
    DC2.samdom.samba.org. IN A 192.168.1.2

i.e. the NS entry should point to the server itself. Then both servers have a valid configuration as master DNS. A second option would be to modify the NS record when doing a FSMO transfer.

But it is definitely a bug when it points to a demoted server after demoting.

And - if I was in the position to express a wish: it would be nice if samba-tool (or some other) could wipe out traces of demoted domain controllers. That would really be a great thing.

Best regards
Peter

PS: I would be pretty surprised if this was only a 4.2.0rcx issue...
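Added example, not part of the original post and not Samba's own code: a small check for the condition described above, flagging NS targets that are not a live DC with an address record in the zone, and listing zones that named rejected for having no NS records. The function names and the sample zone and log text are constructed for illustration; the zone parser only handles the simplified one-line record form used in the post.

```python
import re

# Constructed sample: records in the simplified form used in the post, as they
# might look after DC1 was demoted and its A record removed.
ZONE = """\
$TTL 86400
@ IN NS DC1.samdom.samba.org.
DC2.samdom.samba.org. IN A 192.168.1.2
"""

# Constructed sample: named log lines in the format quoted in the post.
LOG = """\
Oct 18 20:08:12 DC2 named[1733]: samba_dlz: configured writeable zone 'samdom.samba.org'
Oct 18 20:08:12 DC2 named[1733]: zone _msdcs.samdom.samba.org/NONE: has no NS records
"""

def fqdn(name, origin):
    """Lower-case absolute name; '@' and relative names are completed with origin."""
    base = origin.lower().rstrip(".") + "."
    name = name.lower()
    if name == "@":
        return base
    return name if name.endswith(".") else f"{name}.{base}"

def parse_records(zone_text, origin):
    """Yield (owner, type, rdata) for one-line 'owner IN TYPE rdata' records."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = re.match(r"(\S+)\s+IN\s+(\S+)\s+(.+)$", line, re.I)
        if m:
            yield fqdn(m.group(1), origin), m.group(2).upper(), m.group(3).strip()

def stale_ns(zone_text, origin, live_dcs):
    """NS targets that are not a live DC or have no address record in the zone."""
    recs = list(parse_records(zone_text, origin))
    with_addr = {owner for owner, rtype, _ in recs if rtype in ("A", "AAAA")}
    live = {fqdn(dc, origin) for dc in live_dcs}
    ns_targets = {fqdn(rdata, origin) for _, rtype, rdata in recs if rtype == "NS"}
    return sorted(ns_targets - (live & with_addr))

def zones_without_ns(log_text):
    """Zones that named rejected with 'has no NS records'."""
    return re.findall(r"zone (\S+)/\S+: has no NS records", log_text)

if __name__ == "__main__":
    print(stale_ns(ZONE, "samdom.samba.org", ["DC2.samdom.samba.org."]))
    print(zones_without_ns(LOG))
```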