Hi to all,

I have a problem recovering a domain with a reverse zone. I'm using the following setup (but it's the same with other Samba versions):

- Debian 11
- 4.15.5 packages from Louis
- original DC name addc-01
- new DC to recover the domain: a NEW VM named recover-dc1; the new DC is also Debian 11 and Louis' packages

I do the recovery with:

samba-tool domain backup restore --backup-file /root/samba-backup-2022-01-29T14-32-38.732614.tar.bz2 --targetdir=/var/lib/samba --newservername=recover-dc1

Then I did:

- cp /var/lib/samba/etc/smb.conf /etc/samba/smb.conf
- cp /var/lib/samba/private/krb5.conf /etc (set the dc-name in the last line)
- samba-tool ntacl sysvolreset
- add "dns" to "server services" in smb.conf
- then a samba_upgradedns
- restart samba-ad-dc
- check name resolution and the SRV records. Everything worked fine with the internal DNS
- then samba_upgradedns --dns-backend=BIND9_DLZ
- remove "dns" from the "server services" in smb.conf
- switch to bind9 with samba_upgradedns --dns-backend=BIND9_DLZ
- restart samba-ad-dc and bind9

Then I got the messages:

Loading 'AD DNS Zone' using driver dlopen
samba_dlz: started for DN DC=example,DC=net
samba_dlz: starting configure
samba_dlz: configured writeable zone 'example.net'
zone 56.168.192.in-addr.arpa/NONE: has no NS records
samba_dlz: Failed to configure zone '56.168.192.in-addr.arpa'
loading configuration: bad zone

I switched back to the internal DNS and checked the zone with "dig":

First the forward zone:
--------------
root@recover-dc1:~# dig ns example.net

; <<>> DiG 9.16.22-Debian <<>> ns example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5882
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.net. IN NS

;; ANSWER SECTION:
example.net. 900 IN NS recover-dc1.example.net.

;; AUTHORITY SECTION:
example.net. 3600 IN SOA recover-dc1.example.net. hostmaster.example.net. 68 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Mon Feb 07 17:39:17 CET 2022
;; MSG SIZE rcvd: 102
--------------

Then the reverse zone:
----------------------
root@recover-dc1:~# dig ns 56.168.192.in-addr.arpa

; <<>> DiG 9.16.22-Debian <<>> ns 56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53249
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;56.168.192.in-addr.arpa. IN NS

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 3600 IN SOA recover-dc1.example.net. hostmaster.example.net. 9 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Mon Feb 07 17:39:59 CET 2022
;; MSG SIZE rcvd: 111
----------------------

No NS record. I added an NS record:

samba-tool dns add recover-dc1 56.168.192.in-addr.arpa @ NS recover-dc1.example.net -U administrator

switched back to bind9 and everything was working.

The problem with the missing NS record in reverse zones also exists if the first DC where the reverse zone was created is demoted. The bind9 will not start because of the missing NS record.

For me, to solve the problem it would be good if the DC which is holding the FSMO roles would always be put as NS record in all reverse zones. The problem only exists with bind9 as DNS server and only in the reverse zones.
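
As an added example (not part of the original post): a pre-flight check, run while the internal DNS is still active, that reports zones with no NS record at the apex, the condition that made BIND9_DLZ reject 56.168.192.in-addr.arpa above. The function names are hypothetical, and the embedded samples are constructed from the dig output in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read `dig ns <zone>` output on stdin; print how many NS records the ANSWER
# section holds for the zone apex. 0 is the state BIND9_DLZ rejected above.
count_apex_ns() {
    zone="${1%.}."
    awk -v zone="$zone" '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        in_answer && tolower($1) == tolower(zone) && $3 == "IN" && $4 == "NS" { n++ }
        END { print n + 0 }'
}

# Query one server for every listed zone; return 1 if any zone has no apex NS.
check_zones() {
    server="$1"; shift
    rc=0
    for z in "$@"; do
        n=$(dig @"$server" ns "$z" | count_apex_ns "$z")
        if [ "$n" -eq 0 ]; then
            echo "MISSING NS: $z (add one with samba-tool dns add before switching to BIND9_DLZ)"
            rc=1
        else
            echo "ok: $z has $n NS record(s)"
        fi
    done
    return "$rc"
}

# Constructed samples, abbreviated from the two dig answers in the post.
SAMPLE_FORWARD=';; QUESTION SECTION:
;example.net.			IN	NS

;; ANSWER SECTION:
example.net.		900	IN	NS	recover-dc1.example.net.

;; AUTHORITY SECTION:
example.net.		3600	IN	SOA	recover-dc1.example.net. hostmaster.example.net. 68 900 600 86400 3600'

SAMPLE_REVERSE=';; QUESTION SECTION:
;56.168.192.in-addr.arpa.	IN	NS

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 3600	IN	SOA	recover-dc1.example.net. hostmaster.example.net. 9 900 600 86400 3600'

printf '%s\n' "$SAMPLE_FORWARD" | count_apex_ns example.net              # forward zone
printf '%s\n' "$SAMPLE_REVERSE" | count_apex_ns 56.168.192.in-addr.arpa  # reverse zone
```

On a live DC the check would be called as `check_zones 192.168.56.103 example.net 56.168.192.in-addr.arpa`, with the zone names taken from the domain's own zone list.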