The original bug has been filed in Zentyal, but went dormant, closed and wasn't acted upon: https://tracker.zentyal.org/issues/1142 When using BIND DLZ (9.9 in my case on CentOS 7) on a Samba DC with Windows 2003 R2 PDC, the presence of WINS Forwarding (https://technet.microsoft.com/en-us/library/cc731480(v=ws.11).aspx) in a domain DNS zone will cause named to fail to start with the following messages: Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records Jul 23 23:03:30 dc1 named[10886]: samba_dlz: Failed to configure zone 'foo.bar' Jul 23 23:03:30 dc1 named[10886]: loading configuration: bad zone Jul 23 23:03:30 dc1 named[10886]: exiting (due to fatal error) Specifically the entire failure log: Jul 23 23:03:29 dc1 named[10886]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named Jul 23 23:03:29 dc1 named[10886]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' Jul 23 23:03:29 dc1 named[10886]: ---------------------------------------------------- Jul 23 23:03:29 dc1 named[10886]: BIND 9 is maintained by Internet Systems Consortium, Jul 23 23:03:29 dc1 named[10886]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Jul 23 23:03:29 dc1 named[10886]: corporation. Support and training for BIND 9 are Jul 23 23:03:29 dc1 named[10886]: available at https://www.isc.org/support Jul 23 23:03:29 dc1 named[10886]: ---------------------------------------------------- Jul 23 23:03:29 dc1 named[10886]: adjusted limit on open files from 4096 to 1048576 Jul 23 23:03:29 dc1 named[10886]: found 4 CPUs, using 4 worker threads Jul 23 23:03:29 dc1 named[10886]: using 4 UDP listeners per interface Jul 23 23:03:29 dc1 named[10886]: using up to 4096 sockets Jul 23 23:03:29 dc1 named[10886]: loading configuration from '/etc/named.conf' Jul 23 23:03:29 dc1 named[10886]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Jul 23 23:03:29 dc1 named[10886]: using default UDP/IPv4 port range: [1024, 65535] Jul 23 23:03:29 dc1 named[10886]: using default UDP/IPv6 port range: [1024, 65535] Jul 23 23:03:29 dc1 named[10886]: listening on IPv4 interface lo, 127.0.0.1#53 Jul 23 23:03:29 dc1 named[10886]: listening on IPv4 interface eno1, 192.168.1.41#53 Jul 23 23:03:29 dc1 named[10886]: listening on IPv6 interface lo, ::1#53 Jul 23 23:03:29 dc1 named[10886]: generating session key for dynamic DNS Jul 23 23:03:29 dc1 named[10886]: sizing zone task pool based on 6 zones Jul 23 23:03:29 dc1 named[10886]: Loading 'AD DNS Zone' using driver dlopen Jul 23 23:03:30 dc1 named[10886]: samba_dlz: started for DN DC=foo,DC=bar Jul 23 23:03:30 dc1 named[10886]: samba_dlz: starting configure Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65282 Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65282 Jul 23 23:03:30 dc1 named[10886]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa' Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281 Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281 Jul 23 23:03:30 dc1 named[10886]: samba_dlz: configured writeable zone '_msdcs.foo.bar' Jul 23 23:03:30 dc1 named[10886]: samba_dlz b9_format: unhandled record type 65281 Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records Jul 23 23:03:30 dc1 named[10886]: samba_dlz: Failed to configure zone 'foo.bar' Jul 23 23:03:30 dc1 named[10886]: loading configuration: bad zone Jul 23 23:03:30 dc1 named[10886]: exiting (due to fatal error) Jul 23 23:03:30 dc1 named[10886]: samba_dlz: shutting down Jul 23 23:03:30 dc1 systemd: named.service: control process exited, code=exited status=1 Jul 23 23:03:30 dc1 systemd: Failed to start Berkeley Internet Name Domain (DNS). ============== Compare with successful named start once the WINS Forwarding was turned off on Windows PDC and the zone was replicated: Jul 23 23:13:15 dc1 named[11029]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named Jul 23 23:13:15 dc1 named[11029]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' Jul 23 23:13:15 dc1 named[11029]: ---------------------------------------------------- Jul 23 23:13:15 dc1 named[11029]: BIND 9 is maintained by Internet Systems Consortium, Jul 23 23:13:15 dc1 named[11029]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Jul 23 23:13:15 dc1 named[11029]: corporation. Support and training for BIND 9 are Jul 23 23:13:15 dc1 named[11029]: available at https://www.isc.org/support Jul 23 23:13:15 dc1 named[11029]: ---------------------------------------------------- Jul 23 23:13:15 dc1 named[11029]: adjusted limit on open files from 4096 to 1048576 Jul 23 23:13:15 dc1 named[11029]: found 4 CPUs, using 4 worker threads Jul 23 23:13:15 dc1 named[11029]: using 4 UDP listeners per interface Jul 23 23:13:15 dc1 named[11029]: using up to 4096 sockets Jul 23 23:13:15 dc1 named[11029]: loading configuration from '/etc/named.conf' Jul 23 23:13:15 dc1 named[11029]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Jul 23 23:13:15 dc1 named[11029]: using default UDP/IPv4 port range: [1024, 65535] Jul 23 23:13:15 dc1 named[11029]: using default UDP/IPv6 port range: [1024, 65535] Jul 23 23:13:15 dc1 named[11029]: listening on IPv4 interface lo, 127.0.0.1#53 Jul 23 23:13:15 dc1 named[11029]: listening on IPv4 interface eno1, 192.168.1.41#53 Jul 23 23:13:15 dc1 named[11029]: listening on IPv6 interface lo, ::1#53 Jul 23 23:13:15 dc1 named[11029]: generating session key for dynamic DNS Jul 23 23:13:15 dc1 named[11029]: sizing zone task pool based on 6 zones Jul 23 23:13:15 dc1 named[11029]: Loading 'AD DNS Zone' using driver dlopen Jul 23 23:13:16 dc1 named[11029]: samba_dlz: started for DN DC=foo,DC=bar Jul 23 23:13:16 dc1 named[11029]: samba_dlz: starting configure Jul 23 23:13:16 dc1 named[11029]: samba_dlz b9_format: unhandled record type 65282 Jul 23 23:13:16 dc1 named[11029]: samba_dlz b9_format: unhandled record type 65282 Jul 23 23:13:16 dc1 named[11029]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa' Jul 23 23:13:16 dc1 named[11029]: samba_dlz: configured writeable zone '_msdcs.foo.bar' Jul 23 23:13:16 dc1 named[11029]: samba_dlz: configured writeable zone 'foo.bar' Jul 23 23:13:16 dc1 named[11029]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind' Jul 23 23:13:16 dc1 named[11029]: zone 'version.bind' allows updates by IP address, which is insecure Jul 23 23:13:16 dc1 named[11029]: zone 'hostname.bind' allows updates by IP address, which is insecure Jul 23 23:13:16 dc1 named[11029]: zone 'authors.bind' allows updates by IP address, which is insecure Jul 23 23:13:16 dc1 named[11029]: zone 'id.server' allows updates by IP address, which is insecure Jul 23 23:13:16 dc1 named[11029]: command channel listening on 127.0.0.1#953 Jul 23 23:13:16 dc1 named[11029]: command channel listening on ::1#953 Jul 23 23:13:16 dc1 named[11029]: managed-keys-zone: loaded serial 29 Jul 23 23:13:16 dc1 named[11029]: zone 0.in-addr.arpa/IN: loaded serial 0 Jul 23 23:13:16 dc1 named[11029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Jul 23 23:13:16 dc1 named[11029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Jul 23 23:13:16 dc1 named[11029]: zone localhost/IN: loaded serial 0 Jul 23 23:13:16 dc1 named[11029]: zone localhost.localdomain/IN: loaded serial 0 Jul 23 23:13:16 dc1 named[11029]: all zones loaded Jul 23 23:13:16 dc1 named[11029]: running Jul 23 23:13:16 dc1 systemd: Started Berkeley Internet Name Domain (DNS).
This isn't a Samba bug, on the Microsoft page linked above it says this: Select the Do not replicate this record check box for this WINS record, if applicable. If you are replicating this zone between DNS servers that do not recognize the WINS or WINS-R resource records, select this check box. This prevents these records from being replicated to these other servers during zone transfers. If this zone will be used in performing zone transfers to BIND servers, this is a critical option because Berkeley Internet Name Domain (BIND) will not recognize WINS records. It appears you cannot use the WINS records with Bind9
Closing this, it isn't anything to do with Samba.
It is important to note that Samba's replication is DRS replication, not zone transfers, so this option wouldn't have any impact. I think the issue is: Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has 0 SOA records Jul 23 23:03:30 dc1 named[10886]: zone foo.bar/NONE: has no NS records This special zone doesn't meet the needs of BIND9.