diff --git a/roles/samba-dc/tasks/bind9-dlz.yml b/roles/samba-dc/tasks/bind9-dlz.yml
new file mode 100644
index 0000000..8b120df
--- /dev/null
+++ b/roles/samba-dc/tasks/bind9-dlz.yml
@@ -0,0 +1,12 @@
+- name: ensure bind9 dlz plugin is installed
+  package:
+    name={{ samba_bind_dlz_pkg }}
+    state=present
+
+- name: ensure selinux file contexts are correct
+  sefcontext:
+    target={{ item.path }}
+    setype={{ item.setype }}
+    state=present
+  with_items: '{{ samba_selinux_contexts }}'
+  notify: restore samba file contexts
diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml
index ed3ec3a..d97e2c5 100644
--- a/roles/samba-dc/tasks/main.yml
+++ b/roles/samba-dc/tasks/main.yml
@@ -13,13 +13,9 @@
   tags:
   - install
 
-- name: ensure selinux file contexts are correct
-  sefcontext:
-    target={{ item.path }}
-    setype={{ item.setype }}
-    state=present
-  with_items: '{{ samba_selinux_contexts }}'
-  notify: restore samba file contexts
+- name: ensure bind9 dlz plugin is configured
+  include_tasks: bind9-dlz.yml
+  when: samba_dc_dns_backend|d == 'BIND9_DLZ'
 
 - name: ensure kerberos is configured
   template:
diff --git a/roles/samba-dc/vars/defaults.yml b/roles/samba-dc/vars/defaults.yml
index 0a25c73..f4386d9 100644
--- a/roles/samba-dc/vars/defaults.yml
+++ b/roles/samba-dc/vars/defaults.yml
@@ -5,6 +5,6 @@ samba_dc_packages:
 - ldb-tools
 - openldap-clients
 - samba-dc
-- samba-dc-bind-dlz
 - samba-winbind-clients
 - tdb-tools
+samba_bind_dlz_pkg: samba-dc-bind-dlz