[Samba 4] FSMO roles change research

Michael Adam obnox at samba.org
Thu Jan 21 14:19:24 MST 2010


Hi Nadya,

this is very useful stuff indeed!
I was wondering how to safely transfer fsmo roles lately.
Thanks for sharing your findings.
I am looking forward to seeing and testing your tools.

Cheers - Michael

Nadezhda Ivanova wrote:
> Hi Team,
> I have done some research on how FSMO role changes work in AD in order to implement commands that invoke role change, as a means for testing Samba 4. I used the following setup:
> Server1 - first domain controller and owner of all roles except infrastructure (as it is also the Global Catalog)
> Server2 - second DC, only infrastructure master
> WinXp1 - a workstation with management tools installed. Needed to run NTDSutil, the utility for fsmo role maintenance. 
> 
> There are two ways to change a FSMO role owner:
> - transfer - this is the safe way to do it and should always be used if the current role owner is still alive. It causes data held by the current owner to be synchronized with the new one to provide reliable operation after change.
> - seize - to be used only if the current owner is dead. It forces the new DC to assume the role without sync. After that the previous owner in the cases of RID and Schema must NOT be reactivated or we are in a world of trouble.
> 
> To initiate transfer, the client (ntdsutil) sends an ldapmodify request on RootDSE become(role)Master attribute of the server we want to be the new master, say Server2. This causes Server2 to send a GetNCChanges extended op to Server1 to safely transfer the role. (didn't bother to decrypt yet, I am only interested in the management part so far)
> 
> To initiate seize, the client attempts a search on the current owner's RootDSE to make sure it's dead, and then directly modifies the fsmoRoleOwner attribute of the corresponding partition.
> 
> Python tool to perform these operations to be done shortly.
> 
> Regards,
> Nadya
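As an added illustration (not code from the thread or from Samba), the control flow Nadya describes for the two operations, written against a small in-memory stand-in for an LDAP client so it runs offline: a transfer is a single write of a `become...Master` attribute on the new owner's RootDSE, a seize first checks that the current owner's RootDSE no longer answers and only then rewrites `fSMORoleOwner` on the role's object. The attribute and object names are the standard AD ones; `FakeLdap`, the server names and the domain DN are constructed for the example.

```python
# Added example, not from the thread: transfer vs. seize control flow against
# a minimal stand-in for an LDAP client so it runs offline. Attribute and
# object names are the standard AD ones; FakeLdap, the server names and the
# domain DN are constructed for illustration.

# role -> (RootDSE attribute written to request a transfer,
#          template of the object whose fSMORoleOwner a seize rewrites)
# PDC omitted: becomePdc takes the domain SID as its value rather than "1".
ROLES = {
    "rid":            ("becomeRidMaster",            "CN=RID Manager$,CN=System,{domain}"),
    "infrastructure": ("becomeInfrastructureMaster", "CN=Infrastructure,{domain}"),
    "schema":         ("becomeSchemaMaster",         "CN=Schema,CN=Configuration,{domain}"),
    "naming":         ("becomeDomainMaster",         "CN=Partitions,CN=Configuration,{domain}"),
}

class FakeLdap:
    """In-memory directory plus the set of DCs that still answer on LDAP."""
    def __init__(self, live, entries):
        self.live, self.entries, self.log = set(live), entries, []
    def rootdse_reachable(self, server):
        return server in self.live            # a real client would do a base search on ""
    def modify(self, server, dn, attr, value):
        if server not in self.live:
            raise ConnectionError(f"{server} does not answer")
        self.log.append((server, dn, attr, value))
        self.entries.setdefault(dn, {})[attr] = value

def server_of(ntds_dn):
    """'CN=NTDS Settings,CN=SERVER2,CN=Servers,...' -> 'SERVER2'"""
    return ntds_dn.split(",")[1][len("CN="):]

def transfer_role(ldap, role, new_owner_ntds_dn):
    """Safe path: one write to the new owner's RootDSE; that DC then
    replicates the role data from the current owner before assuming it."""
    attr, _ = ROLES[role]
    ldap.modify(server_of(new_owner_ntds_dn), "", attr, "1")   # "" is the RootDSE
    return attr

def seize_role(ldap, role, new_owner_ntds_dn, domain):
    """Forced path: refuse unless the current owner really is gone, then
    rewrite fSMORoleOwner on the role's object without any sync."""
    _, template = ROLES[role]
    dn = template.format(domain=domain)
    current = server_of(ldap.entries[dn]["fSMORoleOwner"])
    if ldap.rootdse_reachable(current):
        raise RuntimeError(f"{current} still owns {role} and is alive: transfer instead")
    ldap.modify(server_of(new_owner_ntds_dn), dn, "fSMORoleOwner", new_owner_ntds_dn)
    return ldap.entries[dn]["fSMORoleOwner"]
```

The liveness check is what keeps the seize path from running while a reachable owner exists, which is the case the message warns about for the RID and Schema roles.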
