SKIP HACK metze ... out.sddl

SKIP HACK metze ... out.sddl

Note: the nTSecurityDescriptor on the *DnsZones partitions, doesn't match what
samba generates...

We should have the following:

ForestDnsZones = ObjectOwner:SY, ObjectGroup:BA, DomainControllers:ED

DomainDnsZones (toplevel) = ObjectOwner:SY, ObjectGroup:BA, DomainControllers:DD

DomainDnsZones (subdomain) = ObjectOwner:FirstDCAccount, ObjectGroup:SubdomainControllers, DomainControllers:SubdomainControllers

It's important to get this right before people start using subdomains,
as samba-tool dbcheck based fixes would be complex...