If the default user container (CN=Users) has been redirected to another organizational unit, samba_upgradedns fails as it's looking for DnsAdmins in the wrong OU. A change was introduced with 0db57db80a59e2ecfb1c626f66a72987d9fedcef that changed how this was handled. It's my understanding that DnsAdmins is always in the CN=Users organizational unit unless explicitly moved elsewhere (which would trigger #11695).

I see a couple of options to handle this:

1. Revert to the way it was handled previously, which I believe is more correct
2. Add an option to specify the base DN to samba_upgradedns
3. Search the entire forest for DnsAdmins; this would have the added benefit of resolving #11695. Although I don't know in which scenario one would want to move DnsAdmins to another OU.

# /usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Reading domain information
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_upgradedns", line 294, in <module>
    paths, lp.configfile, lp)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/__init__.py", line 336, in find_provision_key_parameters
    dns_admins_sid = get_dnsadmins_sid(samdb, names.domaindn)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/provision/sambadns.py", line 75, in get_dnsadmins_sid
    res = samdb.search(base=base_dn, scope=ldb.SCOPE_BASE, attrs=["objectSid"])
_ldb.LdbError: (32, 'No such Base DN: CN=DnsAdmins,OU=MyUsers,DC=example,DC=com')
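The failure in the traceback and the search-based lookup from option 3, as an added example that is not Samba's code and is not part of the original report. A constructed in-memory directory stands in for the LDAP database; the `search` helper, the function names and the SID are hypothetical, and the search covers one domain subtree rather than the whole forest.

```python
# Constructed directory (DN -> attributes): the default user container has been
# redirected to OU=MyUsers, but DnsAdmins was created in CN=Users and stays there.
DOMAIN_DN = "DC=example,DC=com"
DEFAULT_USERS_DN = "CN=Users," + DOMAIN_DN
REDIRECTED_USERS_DN = "OU=MyUsers," + DOMAIN_DN
DNSADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1101"  # constructed
DIRECTORY = {
    DOMAIN_DN: {"objectClass": "domainDNS"},
    DEFAULT_USERS_DN: {"objectClass": "container"},
    REDIRECTED_USERS_DN: {"objectClass": "organizationalUnit"},
    "CN=DnsAdmins," + DEFAULT_USERS_DN: {
        "objectClass": "group",
        "sAMAccountName": "DnsAdmins",
        "objectSid": DNSADMINS_SID,
    },
}


class NoSuchObject(Exception):
    """Stands in for LDAP result code 32 (noSuchObject)."""


def search(base, scope, attr=None, value=None):
    """Hypothetical stand-in for an LDAP search with base or subtree scope."""
    if base not in DIRECTORY:
        raise NoSuchObject("No such Base DN: " + base)
    if scope == "base":
        hits = [base]
    else:  # subtree: the base entry and everything beneath it
        hits = [dn for dn in DIRECTORY if dn == base or dn.endswith("," + base)]
    return [(dn, DIRECTORY[dn]) for dn in hits
            if attr is None or DIRECTORY[dn].get(attr) == value]


def sid_by_constructed_dn(users_container_dn):
    """Build CN=DnsAdmins under the given container and read it with base scope."""
    return search("CN=DnsAdmins," + users_container_dn, "base")[0][1]["objectSid"]


def sid_by_subtree_search(domain_dn):
    """Find the group by sAMAccountName wherever it sits below the domain DN."""
    res = search(domain_dn, "subtree", "sAMAccountName", "DnsAdmins")
    if len(res) != 1:  # refuse to guess when the group is missing or ambiguous
        raise LookupError("expected exactly one DnsAdmins, found %d" % len(res))
    return res[0][1]["objectSid"]
```

Calling `sid_by_constructed_dn(REDIRECTED_USERS_DN)` raises the same "No such Base DN" message as the traceback, while `sid_by_subtree_search(DOMAIN_DN)` returns the SID regardless of which container holds the group.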