[Samba 4] FSMO roles change research

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Fri Jan 15 05:17:11 MST 2010


Hi Team,
I have done some research on how FSMO role changes work in AD in order to implement commands that invoke a role change, as a means of testing Samba 4. I used the following setup:
Server1 - first domain controller and owner of all roles except infrastructure (as it is also the Global Catalog)
Server2 - second DC, only infrastructure master
WinXp1 - a workstation with the management tools installed. Needed to run NTDSutil, the utility for FSMO role maintenance.

There are two ways to change a FSMO role owner:
- transfer - this is the safe way to do it and should always be used if the current role owner is still alive. It causes the data held by the current owner to be synchronized with the new one, to provide reliable operation after the change.
- seize - to be used only if the current owner is dead. It forces the new DC to assume the role without a sync. After that, the previous owner, in the cases of RID and Schema, must NOT be reactivated or we are in a world of trouble.

To initiate a transfer, the client (ntdsutil) sends an ldapmodify request on the RootDSE become(role)Master attribute of the server we want to be the new master, say Server2. This causes Server2 to send a GetNCChanges extended op to Server1 to safely transfer the role. (I didn't bother to decrypt it yet; I am only interested in the management part so far.)

To initiate a seize, the client attempts a search on the current owner's RootDSE to make sure it's dead, and then directly modifies the fsmoRoleOwner attribute of the corresponding partition.

A Python tool to perform these operations is to be done shortly.

Regards,
Nadya
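The two client-side operations described in the post (a transfer request written to the new owner's RootDSE, and a seize written straight to the fSMORoleOwner attribute of the role's partition object) can be expressed as plain LDIF, which is what a tool such as ntdsutil or Samba's ldbmodify ends up sending. The block below is an added example, not code from the post, from ntdsutil or from Samba; it only builds the LDIF and does no network I/O, and the domain, server and site names in it are constructed sample values. The RootDSE attribute names, the per-role partition DNs and the NTDS Settings DN layout are the standard AD ones; the "is the owner reachable" flag stands in for the RootDSE search the post mentions, and the refusal to seize while the owner is reachable encodes the post's caveat about when a seize is acceptable.

```python
"""Build the LDAP modify operations behind an AD FSMO role transfer or seize.

Added example (not from the original post or from Samba). It constructs the
LDIF a client would submit; it does not talk to a DC. All names below are
constructed sample values.
"""

# RootDSE attribute that is written with value "1" on the DC that should
# become the new owner. The DC then pulls the role from the current owner.
TRANSFER_ATTR = {
    "pdc": "becomePdc",
    "rid": "becomeRidMaster",
    "infrastructure": "becomeInfrastructureMaster",
    "schema": "becomeSchemaMaster",
    "naming": "becomeDomainMaster",
}


def role_owner_dn(role, domain_dn):
    """DN of the object whose fSMORoleOwner attribute records the role owner."""
    config_dn = "CN=Configuration," + domain_dn
    return {
        "pdc": domain_dn,
        "rid": "CN=RID Manager$,CN=System," + domain_dn,
        "infrastructure": "CN=Infrastructure," + domain_dn,
        "schema": "CN=Schema," + config_dn,
        "naming": "CN=Partitions," + config_dn,
    }[role]


def ntds_settings_dn(server, site, domain_dn):
    """DN of a DC's NTDS Settings object, the value fSMORoleOwner points at."""
    return ("CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,%s"
            % (server, site, domain_dn))


def transfer_ldif(role):
    """LDIF for a safe transfer: modify RootDSE (empty DN) on the NEW owner."""
    attr = TRANSFER_ATTR[role]
    return "dn:\nchangetype: modify\nreplace: %s\n%s: 1\n" % (attr, attr)


def seize_ldif(role, new_server, site, domain_dn):
    """LDIF for a seize: overwrite fSMORoleOwner on the role's partition object."""
    return ("dn: %s\nchangetype: modify\nreplace: fSMORoleOwner\nfSMORoleOwner: %s\n"
            % (role_owner_dn(role, domain_dn),
               ntds_settings_dn(new_server, site, domain_dn)))


def plan_role_change(role, new_server, site, domain_dn, owner_reachable):
    """Pick the operation: transfer while the owner answers, seize only if not.

    owner_reachable stands in for the RootDSE search against the current
    owner that the client performs before seizing. Returns (op, ldif).
    """
    if role not in TRANSFER_ATTR:
        raise ValueError("unknown FSMO role: %r" % role)
    if owner_reachable:
        return ("transfer", transfer_ldif(role))
    return ("seize", seize_ldif(role, new_server, site, domain_dn))


if __name__ == "__main__":
    # Constructed sample: move the RID role to SERVER2 in the default site.
    for reachable in (True, False):
        op, ldif = plan_role_change("rid", "SERVER2", "Default-First-Site-Name",
                                    "DC=example,DC=com", reachable)
        print("# %s (owner reachable=%s)\n%s" % (op, reachable, ldif))
```

For a transfer the LDIF targets the RootDSE of the server that should gain the role, so it would be fed to that server; for a seize it targets the partition object and can be fed to the surviving DC that should become the owner. Only the seize path writes to fSMORoleOwner directly, which is why the function refuses to produce it while the current owner still answers.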


More information about the samba-technical mailing list