SKIP HACK metze ... out.sddl
Note: the nTSecurityDescriptor on the *DnsZones partitions doesn't match what
Samba generates...
We should have the following:
ForestDnsZones = ObjectOwner:SY, ObjectGroup:BA, DomainControllers:ED
DomainDnsZones (toplevel) = ObjectOwner:SY, ObjectGroup:BA, DomainControllers:DD
DomainDnsZones (subdomain) = ObjectOwner:FirstDCAccount, ObjectGroup:SubdomainControllers, DomainControllers:SubdomainControllers
It's important to get this right before people start using subdomains,
as samba-tool dbcheck-based fixes would be complex...