Andreas Heinlein
2018-Oct-16 20:54 UTC
[Samba] Troubles with moving from Samba to windows DC
Hello,

I am in the process of moving from a Samba DC to a windows server DC. I have promoted a Server 2008R2 and used the robocopy workaround to populate SYSVOL, then - after a few days - demoted the samba DC. So the windows DC is currently the only one in the domain, I want to promote another Server 2016 instance.

I am facing similar problems like described here: https://community.spiceworks.com/topic/2093484-linux-samba-to-windows-ad-2008-r2-dns-problem

- Adding DNS entries did not work, after cleaning up old references like in the article, this worked.
- I am, however, still getting Event ID 4014 ("The DNS server was unable to initialize AD security interfaces") from DNS. This does not go away with restarting like in the article.
- Worst thing is, when trying to promote the Server 2016 DC, I get "DNS cannot be installed on this domain controller because this domain does not host DNS." The zone in question is not made of a single component and it is hosted in AD, so MS proposed solution does not work.

I am experiencing some other problems with SYSVOL, which may or may not be related to the DNS problem:

- I cannot open Group Policy Editor, it says "the server cannot perform the requested operation". Existing GPOs seem to work.
- dcdiag fails the test VerifyReferences, complaining like

    [1] Problem: Missing Expected Value
    Base Object: CN=AD2008,OU=Domain Controllers,DC=abc,DC=com
    Base Object Description: "DC Account Object"
    Value Object Attribute Name: msDFSR-ComputerReferenceBL
    Value Object Description: "SYSVOL FRS Member Object"
    Recommended Action: Please See Knowledge Base Article Q312862

- FRS Service is disabled, DFS service is running, so it seems this DC would like to use DFS for SYSVOL replication. dfsrmig /getmigrationstate says the global state is "Eliminated" but the local state is "Starting", so inconsistent.
- Using regedit, I see a key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\abc.com, with value "Parent Computer"="demotedsambadc.abc.com"
- Using DFS console, I see a SYSVOL replication set which is empty, i.e. has no members.

I am currently focused on the DNS problems, as they prevent me from correctly promoting the second DC.

Any help is appreciated.

Bye,
Andreas