+The default for the --model argument passed to the samba executable has changed
+from 'standard' to 'prefork'. This means a difference in the number of samba
+child processes that are created to handle client connections. The previous
+default would create a separate process for every LDAP or NETLOGON client
+connection. For a network with a lot of persistent client connections, this
+could result in significant memory overhead. Now, with the new default of
+'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
+worker processes at startup and share the client connections amongst these
+workers. The number of worker processes can be configured by the 'prefork
+children' setting in the smb.conf (the default is 4).
+
+Authentication Logging.
+-----------------------
+
+Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
+been added to the Authentication JSON log messages. This contains a random
+logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
+to SamLogon, linking the windbind and SamLogon requests.
+
+The serviceDescription of the messages is set to "winbind", the authDescription
+is set to one of:
+ "PASSDB, <command>, <pid>"
+ "PAM_AUTH, <command>, <pid>"
+ "NTLM_AUTH, <command>, <pid>"
+where:
+ <command> is the name of the command makinmg the winbind request i.e. wbinfo
+ <pid> is the process id of the requesting process.
+
+The version of the JSON Authentication messages has been changed to 1.2 from 1.1
+
+LDAP referrals
+--------------
+
+The scheme of returned LDAP referrals now reflects the scheme of the original
+request, i.e. referrals received via ldap are prefixed with "ldap://"
+and those over ldaps are prefixed with "ldaps://"
+
+Previously all referrals were prefixed with "ldap://"
+
+Bind9 logging
+-------------
+
+It is now possible to log the duration of DNS operations performed by Bind9
+This should aid future diagnosis of performance issues, and could be used to
+monitor DNS performance. The logging is enabled by setting log level to
+"dns:10" in smb.conf
+
+The logs are currently Human readable text only, i.e. no JSON formatted output.
+
+Log lines are of the form:
+
+ <function>: DNS timing: result: [<result>] duration: (<duration>)
+ zone: [<zone>] name: [<name>] data: [<data>]
+
+ durations are in microseconds.
+
+Default schema updated to 2012_R2
+---------------------------------
+
+Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
+is not yet available. Older schemas can be used by provisioning with the
+'--base-schema' argument. Existing installations can be updated with the
+samba-tool command "domain schemaupgrade".
+
+Samba's replication code has also been improved to handle replication
+with the 2012 schema (the core of this replication fix has also been
+backported to 4.9.11 and will be in a 4.10.x release).
+
+
+100,000 USER and LARGER Samba AD DOMAINS
+========================================
+
+Extensive efforts have been made to optimise Samba for use in
+organisations (for example) targeting 100,000 users, plus 120,000
+computer objects, as well as large number of group memberships.
+
+Many of the specific efforts are detailed below, but the net results
+is to remove barriers to significantly larger Samba deployments
+compared to previous releases.
+
+Reindex performance improvements
+--------------------------------