Note: the added account here is dns-ad01.SAMDOM.EXAMPLE.COM, not dns-ad01.

    root@ad01:/var/lib/samba/bind-dns# samba_upgradedns --dns-backend=BIND9_DLZ
    Reading domain information
    DNS accounts already exist
    No zone file /var/lib/samba/bind-dns/dns/SAMDOM.EXAMPLE.COM.zone
    /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
      logger.warn("DNS records will be automatically created")
    DNS records will be automatically created
    DNS partitions already exist
    Adding dns-ad01.SAMDOM.EXAMPLE.COM account
    BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf manually.
    See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Finished upgrading DNS

Then update the bind config to add dlz.. and restart bind9. Test with samba_dnsupdate:

    root@ad01:/var/lib/samba/bind-dns# samba_dnsupdate --all-names
    dns_tkey_gssnegotiate: TKEY is unacceptable
    dns_tkey_gssnegotiate: TKEY is unacceptable
    ...

So, I think that the user with a FQDN instead of just the hostname is wrong, so I edit sam.ldb:

    root@ad01:~# ldbrename CN=dns-ad01.SAMDOM.EXAMPLE.COM,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM

then edit the resulting record:

    ldbedit CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM

and make the following changes:

    -description: DNS Service Account for ad01.SAMDOM.EXAMPLE.COM
    -sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
    -servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com
    +description: DNS Service Account for ad01
    +sAMAccountName: dns-ad01
    +servicePrincipalName: DNS/ad01.samdom.example.com

and now samba_dnsupdate works....

    root@ad01:~# samba_dnsupdate --all-names
    root@ad01:~#

Why is samba_upgradedns using a fully qualified domain name instead of just the hostname when it creates the DNS account?
The workaround above is not permanent, of course, because I think some changes are required in secrets.ldb so that things can get renewed.... hostname appears to return the correct values on the server:

    root@ad01:~# hostname
    ad01
    root@ad01:~# hostname -s
    ad01
    root@ad01:~# hostname -f
    ad01.samdom.example.com
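As an added example (not code from the post or from Samba), the check below takes the LDIF record of the dns-&lt;host&gt; service account, as ldbsearch or ldbedit print it, together with the DC's short and fully qualified hostnames, and reports which of the three attributes edited above (sAMAccountName, servicePrincipalName, description) disagree with the hostname-based values the poster found to work. It also emits the equivalent LDIF modify block and the rename target, so the manual ldbrename/ldbedit session can be reviewed before anything is written. The sample record is constructed to mirror the account shown in the post; the "expected" shapes are taken from the poster's working edit, not from any Samba documentation, and the secrets.ldb side of the problem the poster mentions is not covered.

```python
"""Consistency check for a Samba BIND9_DLZ DNS service account record.

Added example, not part of the original post or of Samba. The expected
attribute values are derived from the poster's working ldbedit changes
(short host in the account name, lowercase FQDN in the SPN).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the record as the post describes it right after
# samba_upgradedns, before the manual rename/edit.
SAMPLE_RECORD = """\
dn: CN=dns-ad01.SAMDOM.EXAMPLE.COM,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM
objectClass: user
cn: dns-ad01.SAMDOM.EXAMPLE.COM
description: DNS Service Account for ad01.SAMDOM.EXAMPLE.COM
sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com
"""
SHORT_HOST = "ad01"                      # what `hostname -s` returned
FQDN = "ad01.samdom.example.com"         # what `hostname -f` returned


def parse_ldif_record(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    A line starting with a single space continues the previous line
    (LDIF folding); comment lines and blank lines are skipped.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def expected_dns_account(short_host: str, fqdn: str) -> Dict[str, str]:
    """Attribute values matching the poster's working edit."""
    return {
        "sAMAccountName": f"dns-{short_host}",
        "servicePrincipalName": f"DNS/{fqdn.lower()}",
        "description": f"DNS Service Account for {short_host}",
    }


def find_mismatches(record: Dict[str, List[str]], short_host: str,
                    fqdn: str) -> List[Tuple[str, str, str]]:
    """Return (attribute, actual, expected) for each attribute that differs."""
    out: List[Tuple[str, str, str]] = []
    for attr, want in expected_dns_account(short_host, fqdn).items():
        have = record.get(attr, [""])[0]
        if have != want:
            out.append((attr, have, want))
    return out


def rename_target(dn: str, short_host: str) -> Optional[str]:
    """New DN for ldbrename if the CN carries the FQDN form, else None."""
    rdn, sep, rest = dn.partition(",")
    want = f"CN=dns-{short_host}"
    return None if rdn == want else want + sep + rest


def ldif_modify(dn: str, mismatches: List[Tuple[str, str, str]]) -> str:
    """Render the mismatches as an LDIF 'changetype: modify' block."""
    if not mismatches:
        return ""
    parts = [f"dn: {dn}", "changetype: modify"]
    for attr, _have, want in mismatches:
        parts += [f"replace: {attr}", f"{attr}: {want}", "-"]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    rec = parse_ldif_record(SAMPLE_RECORD)
    dn = rec["dn"][0]
    target = rename_target(dn, SHORT_HOST)
    if target:
        print(f"rename needed: {dn} -> {target}")
        dn = target
    for attr, have, want in find_mismatches(rec, SHORT_HOST, FQDN):
        print(f"{attr}: have {have!r}, expect {want!r}")
    print(ldif_modify(dn, find_mismatches(rec, SHORT_HOST, FQDN)))
```

Run it against `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=dns-*)'` output instead of the constructed record to check a real DC; the rename still has to be done with ldbrename first, since an LDIF modify cannot change the RDN.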