Comment 5 for bug 1572824

Here is my current samba AD DC config, after removing the signing option:

# Global parameters
[global]
        workgroup = SAMDOM
        realm = samdom.example.com
        netbios name = FILESERV2
        server role = active directory domain controller
        server services = -dns

        os level = 70

        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure
        #dns forwarder = 192.168.6.3
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        panic action = /usr/share/samba/panic-action %d

[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Very simple, as you can see. I use bind9.9 and samba_dlz, and DNS resolution has worked perfectly for over a year.