Since MS-AD 2k3, registration of wpad and isatap DNS entries is blocked by default through a registry setting. https://support.microsoft.com/en-us/help/968732/changes-to-dns-server-behavior-after-you-install-the-security-update-f It prevent a rogue workstation joined with the name WPAD or ISATAP to MITM the web traffic of application configured with automatic proxy connection discovery, like internet explorer for example. I guess it is more problem on MS-AD where an authenticated user could join 10 workstations to the domain. On Samba4-AD there is no such protection.