Jiří Černý
2018-Aug-24 09:21 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I have one more interesting thing. I copied DC01 to the LAB environment. I demoted the "dead" servers DC02X and DC03X. After that I changed the DNS backend to BIND. Now samba_dnsupdate --verbose --all-names runs as expected (without TSIG errors). Also, I have one problematic client that was joined to the domain during troubleshooting and cannot do a DNS update with Bind. So I also cloned it to LAB like DC01. At the first start, Bind again failed to update the DNS A record for that machine. So I deleted this A record from Samba and rejoined that machine. And after that, the client can do the update with ipconfig /registerdns. Did I write that I was confused? No, NOW I have total chaos in my mind. Can somebody explain this behavior to me? In LAB with forcefully demoted DCs everything works as expected. I made no additional modifications. Just samba-tool domain demote --remove-other-dead-server= and samba-tool dbcheck --cross-ncs --fix (found 4 errors). Then only samba_upgradedns --dns-backend=BIND9_DLZ. No changes in configuration (just server services = -dns), restart samba and start the named service. And it magically works.

Jiri

>>> Jiří Černý 24.8.2018 10:16 >>>
Hello, everyone. To recapitulate the results of our research:

1) I can confirm Samba 4.8 and Bind 9.9.4 (distribution package) on CentOS 7 (tested on 7.5) work even with dynamic DNS updates without any additional fixes or need to recompile the Bind package. I think it will also work on other RHEL 7 clones, so we should update the Wiki page: https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

2) There is something terribly wrong with our domain. Specifically dynamic DNS updates with Bind 9 DLZ. But I do not know when and if it ever worked in our environment. It passes every test I can find on the wiki, but only Bind 9 DLZ dynamic updates (nsupdate driven) do not. It looks like there are some permissions inside the Samba databases which don't work. But I can't say how to find them. So my updated question:

Is it possible to trace where the problem is? Some debug hints? And is it even possible to fix that? If not, what can I do? We have too many users and computers and I can't start a new domain from scratch. Rejoining computers is OK, but I have to preserve users' and even domain SIDs because of permissions on their Windows profiles. Or, would it be a solution to build a new domain and set up a trust relationship between the old and new one? And migrate users one by one? But I am afraid that the trust code of Samba does not have enough abilities to do this (such a solution would require a domain user of one domain to be a member of a group in the second domain) in a mixed Windows and Linux/Winbind environment (see https://bugzilla.samba.org/show_bug.cgi?id=13300).

Jiri
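The LAB procedure the post walks through (demote the dead DCs, dbcheck, samba_upgradedns to BIND9_DLZ, "server services = -dns", restart samba, start named), written out as a script with the two checks a practitioner wants afterwards, given the thread's subject: a Kerberos-signed update (what samba_dnsupdate does) must succeed, and an unsigned nsupdate must come back REFUSED. This is an added example, not the poster's own script nor Samba project code. Assumed, because the post does not state them: the DC names DC02X and DC03X are what the elided --remove-other-dead-server= value was, smb.conf is at /etc/samba/smb.conf, the zone name, systemd units named "samba" and "named", GNU sed, and that the DC has a valid machine ticket. The probe record name and address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): the LAB
# procedure described above, plus two checks after switching to BIND9_DLZ:
# Kerberos-signed (GSS-TSIG) updates succeed and an unsigned one is REFUSED.
# Assumptions (not on the page): DC names passed to --remove-other-dead-server,
# smb.conf path, zone name, systemd unit names, GNU sed -i, a valid DC ticket.
set -u

SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"
ZONE="${ZONE:-lab.example}"          # assumed zone name
DEAD_DCS="${DEAD_DCS:-DC02X DC03X}"  # the servers the post demoted (assumed values)

# Does smb.conf keep Samba's internal DNS server off?  Returns 0 if the
# effective "server services" list excludes dns (the post used "-dns").
internal_dns_disabled() {
    conf="$1"
    line=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$conf" \
           | tr '[:upper:]' '[:lower:]' \
           | sed -e 's/[[:space:]]*=[[:space:]]*/=/' \
           | grep -E '^server services=' | tail -n 1)
    [ -n "$line" ] || return 1                      # absent: default list has dns
    val=$(printf '%s\n' "$line" | sed -e 's/^server services=//' -e 's/,/ /g' \
          | tr -s ' ')
    case " $val " in *" -dns "*) return 0 ;; esac   # the form the post used
    case "$val" in *[+-]*) return 1 ;; esac         # +/- edits that keep dns
    case " $val " in *" dns "*) return 1 ;; esac    # explicit list naming dns
    return 0                                        # explicit list without dns
}

# Steps 1-2 of the post: drop the dead DCs' metadata, then repair across NCs.
demote_dead_dcs() {
    for dc in $DEAD_DCS; do
        samba-tool domain demote --remove-other-dead-server="$dc"
    done
    samba-tool dbcheck --cross-ncs --fix
}

# Steps 3-4: switch the backend, keep internal DNS off, hand DNS to BIND.
switch_to_bind9_dlz() {
    samba_upgradedns --dns-backend=BIND9_DLZ
    if ! internal_dns_disabled "$SMBCONF"; then
        cp "$SMBCONF" "$SMBCONF.bak"
        sed -i "/^\[global\]/a\\
server services = -dns" "$SMBCONF"
    fi
    systemctl restart samba
    systemctl enable --now named
}

# Check 1: the DC's own records, updated with its Kerberos identity.
# TSIG/GSS errors here mean the signed path is still broken.
secure_update_ok() {
    samba_dnsupdate --verbose --all-names
}

# Check 2: an unauthenticated update must be REFUSED.  nsupdate -d prints the
# server's status; any other outcome means the zone either accepts nonsecure
# updates or the probe itself failed.  Probe name/address are constructed.
insecure_update_refused() {
    out=$(printf 'server 127.0.0.1\nzone %s\nupdate add nonsecure-probe.%s 60 A 192.0.2.1\nsend\n' \
                 "$ZONE" "$ZONE" | nsupdate -d 2>&1)
    case "$out" in *REFUSED*) return 0 ;; *) return 1 ;; esac
}

if [ "${1:-}" = run ]; then          # nothing runs unless asked explicitly
    demote_dead_dcs
    switch_to_bind9_dlz
    if secure_update_ok; then echo "signed update: OK"; else echo "signed update: FAILED"; fi
    if insecure_update_refused; then
        echo "unsigned update: REFUSED (good)"
    else
        echo "WARNING: unsigned update was not refused (accepted, or nsupdate failed)"
    fi
fi
```

Run it as `sh migrate-to-bind9-dlz.sh run` on the DC; without the `run` argument it only defines the functions, so `internal_dns_disabled /etc/samba/smb.conf` can be used on its own to audit a DC. The unsigned-update probe is the check that speaks to the thread's subject: with BIND9_DLZ the zone's update policy comes from Samba's ACLs, so a REFUSED on the plain nsupdate together with a clean samba_dnsupdate run is what "secure updates only" looks like from the outside.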