With the internal DNS server (BIND DLZ not tested, but maybe impacted too), I noticed that Samba is not able to perform its own DNS updates (samba_dnsupdate) because of a failed verification of the signature. Using verbose mode I saw that nsupdate is trying to get a ticket for DNS/DC2 (where DC2 is the name of the Windows DC); it seems that this comes from the SOA record, where the MNAME is dc2.samba.corp (when querying DNS on the DC server). After some investigation it seems that after dcpromo the Windows DC sends a dynamic update to change the content of the SOA and the zone. I think that the change should be acknowledged by the other DC but shouldn't modify the MNAME attribute.
What does Windows do in that case? I'm not sure what the ACLs look like on the SOA records.
mat@mpatou-t420:/usr/local/src/samba [(iolab2012)]$ host -t soa w2k3.home.matws.net 172.16.100.244
Using domain server:
Name: 172.16.100.244
Address: 172.16.100.244#53
Aliases:

w2k3.home.matws.net has SOA record s1-w2k8r2.w2k3.home.matws.net. chapo3.w2k3.home.matws.net. 69 900 600 86400 3600

mat@mpatou-t420:/usr/local/src/samba [(iolab2012)]$ host -t soa w2k3.home.matws.net 172.16.100.131
Using domain server:
Name: 172.16.100.131
Address: 172.16.100.131#53
Aliases:

w2k3.home.matws.net has SOA record s1-w2k3.w2k3.home.matws.net. chapo3.w2k3.home.matws.net. 69 900 600 86400 3600

mat@mpatou-t420:/usr/local/src/samba [(iolab2012)]$ host -t soa w2k3.home.matws.net 172.16.100.132
Using domain server:
Name: 172.16.100.132
Address: 172.16.100.132#53
Aliases:

w2k3.home.matws.net has SOA record s2-w2k3.w2k3.home.matws.net. chapo3.w2k3.home.matws.net. 69 900 600 86400 3600

Windows always returns the name of the queried DC in the MNAME. I suspect DLZ has the same issue.
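As an added illustration of the check above (this is example code written for this page, not part of the bug report or of Samba), the script below parses concatenated `host -t soa ZONE SERVER` output, extracts the SOA MNAME each DC hands back, and flags any DC whose MNAME names a different server, which is the situation in which a GSS-TSIG update would ask for a ticket for DNS/<that other host> instead of the DC being updated. The sample output is reconstructed from the session above; the address-to-DC mapping (`DC_BY_ADDRESS`), the second sample with hosts `dc1`/`dc2.samba.corp`, and the `DNS/<mname>` principal form are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three "host -t soa" answers from the thread, concatenated.
SAMPLE_OUTPUT = """\
Using domain server:
Name: 172.16.100.244
Address: 172.16.100.244#53
Aliases:

w2k3.home.matws.net has SOA record s1-w2k8r2.w2k3.home.matws.net. chapo3.w2k3.home.matws.net. 69 900 600 86400 3600
Using domain server:
Name: 172.16.100.131
Address: 172.16.100.131#53
Aliases:

w2k3.home.matws.net has SOA record s1-w2k3.w2k3.home.matws.net. chapo3.w2k3.home.matws.net. 69 900 600 86400 3600
Using domain server:
Name: 172.16.100.132
Address: 172.16.100.132#53
Aliases:

w2k3.home.matws.net has SOA record s2-w2k3.w2k3.home.matws.net. chapo3.w2k3.home.matws.net. 69 900 600 86400 3600
"""

# Assumed mapping of queried address -> DC hostname (inferred from the answers above).
DC_BY_ADDRESS = {
    "172.16.100.244": "s1-w2k8r2",
    "172.16.100.131": "s1-w2k3",
    "172.16.100.132": "s2-w2k3",
}

# Constructed sample of the failing case: a DC (assumed "dc1" at an assumed address)
# whose SOA MNAME names the other DC, as described in the report.
SAMBA_SAMPLE = """\
Using domain server:
Name: 172.16.100.50
Address: 172.16.100.50#53
Aliases:

samba.corp has SOA record dc2.samba.corp. hostmaster.samba.corp. 12 900 600 86400 3600
"""


@dataclass
class SoaAnswer:
    server: str    # address of the DNS server that answered
    zone: str
    mname: str     # primary master named in the SOA
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


_NAME_RE = re.compile(r"^Name:\s+(\S+)")
_SOA_RE = re.compile(r"^(\S+) has SOA record (\S+) (\S+) (\d+) (\d+) (\d+) (\d+) (\d+)$")


def parse_host_soa(text):
    """Parse one or more concatenated `host -t soa` outputs into SoaAnswer records."""
    answers, server = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _NAME_RE.match(line)
        if m:
            server = m.group(1)      # remember which server the next record came from
            continue
        m = _SOA_RE.match(line)
        if m and server is not None:
            zone, mname, rname, *nums = m.groups()
            answers.append(SoaAnswer(server, zone.rstrip("."), mname.rstrip("."),
                                     rname.rstrip("."), *map(int, nums)))
    return answers


def update_principal(mname):
    """Service principal a GSS-TSIG update targets, derived from the SOA MNAME (assumed DNS/<mname>)."""
    return "DNS/" + mname


def mname_points_to_self(answer, dc_by_address):
    """True when the answering DC names itself as MNAME (the Windows behaviour seen above)."""
    return answer.mname.split(".")[0].lower() == dc_by_address[answer.server].lower()


def report(text, dc_by_address):
    """Map each queried server address to whether its SOA MNAME refers to itself."""
    return {a.server: mname_points_to_self(a, dc_by_address) for a in parse_host_soa(text)}


if __name__ == "__main__":
    for addr, ok in report(SAMPLE_OUTPUT, DC_BY_ADDRESS).items():
        print(addr, "MNAME is self" if ok else "MNAME is another DC")
    bad = parse_host_soa(SAMBA_SAMPLE)[0]
    print(bad.server, "would request", update_principal(bad.mname))
```

Run against real servers by piping `host -t soa ZONE SERVER` output into `parse_host_soa`; a `False` entry in the report marks a DC whose updater will ask the KDC for another host's DNS service ticket.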
Should be working with 4.7.