[Samba] FSMO Roles / DC Deletion Errors

Mike Ray mray at xes-inc.com
Fri Mar 8 12:00:33 MST 2013

Hi all- 

I've been polishing my Samba4 AD set-up as we get close to deploying it in the office. However, one thing that I'm having issues with is FSMO roles and DCs. The gist of the situation is that I cannot demote the original DC. Both DCs are implemented with Samba4, running the same version (4.0.3), and have replication working*.

Here is a summary of everything I've noticed: 
· samba-tool fsmo transfer does not work:
    running it without specifying anything returns success, but no roles are transferred off the DC
    running it and specifying another DC with the -H flag yields this error:
        ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
    running it with -H and -b yields the error:
        samba-tool fsmo transfer: error: no such option: -b
· samba-tool fsmo seize *appears* to work:
    running it with any one role gives the following output:
        Attempting transfer...
        FSMO transfer of 'pdc' role successful
        ERROR: Failed to initiate role seize of 'pdc' role: objectclass: modify message must have elements/attributes!
    checking with samba-tool fsmo show *does* show that the role has been transferred
    however, the error prevents --role=all from working as it hits the error and stops execution
· windows MMC snap-ins (e.g. Users and Computers) *do* reflect changes made on role owners
· windows utilities (e.g. ntdsutil) *do* reflect changes made on role owners
· both DCs agree on who has what role with samba-tool fsmo show

Now the issue: 

After transferring all 5 roles from dc1 to dc2 and verifying that both of them agree, I want to remove dc1, so I attempt to demote dc1: 
samba-tool domain demote -UAdministrator 
This returns the following: 
ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC 

What are the 2 hidden roles it has or thinks it has? 

If I try to delete it from the windows side using Users and Computers, after ticking the box that says 'yes, I can't dcpromo, it's permanently offline', I receive the following error: 
"Windows cannot delete object LDAP://dc2.[...]/CN=DC1,OU=Domain Controllers,DC=[...],DC=[...] because: The specified module could not be found." 

Why is it referred to as a module? 
In any case, using ldbedit on DC1, I did find that exact DN, so it is there. 

I can't use ldbdel to remove the DC as it refuses the operation (probably reasonably so). 

I think it might be an issue with just the *original* DC because I did this exact process with dc2 (the DC created via replication) and it returns this on samba-tool domain demote: 
Using dc1.[...] as partner server for the demotion 
Password for [[...]\Administrator]: 
Desactivating inbound replication 
Asking partner server dc1.[...] to synchronize from us 
Changing userControl and container 
Demote successfull 

So what could possibly be wrong with the original DC? 

As I poked around on this error, I also found this: https://bugzilla.samba.org/show_bug.cgi?id=9461 
So is anyone using the test branch and can verify this bug is fixed in that version? 

*replication is working 100% but I do see this error: 
Warning: No NC replicated for Connection! 
From back when I was setting up replication, I poked around and from what I understood, it was a glitch and not an issue.

Any insights would be great, 
-Mike Ray 
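An added example, not code from the post above or from the Samba project: a small shell helper that parses the "Label owner: DN" lines that samba-tool fsmo show prints, lists which roles a named DC still owns, and seizes those roles with one samba-tool call each instead of --role=all, so a failure on one role does not stop the rest (the behaviour the post describes). The label-to---role mapping, the DC names and the domain in the sample output are assumptions; the two DNS-partition labels (DomainDnsZonesMasterRole, ForestDnsZonesMasterRole) are also an assumption about newer samba-tool versions, and whether they are the "hidden" roles the demote check counts is not something the post settles.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Samba project.
# Works on the text "samba-tool fsmo show" prints (one "<Label> owner: <DN>"
# line per role) and seizes roles one at a time, because the post reports
# that "samba-tool fsmo seize --role=all" aborts at the first error.
#
# Assumptions (not established by the post):
#  - the label -> --role keyword mapping in role_keyword;
#  - the DNS-partition labels/keywords exist only in samba-tool versions
#    newer than the 4.0.3 discussed in the post;
#  - SAMBA_TOOL can be overridden, so the logic can be exercised with a stub.

SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}

# Constructed sample of "samba-tool fsmo show" output: DC1 still owns two
# roles, DC2 owns the other three. Host names and domain are invented.
SAMPLE_SHOW='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test'

# Map a "fsmo show" label to the keyword "fsmo seize/transfer --role=" takes.
# Returns 1 for labels it does not know, so callers can skip them.
role_keyword() {
    case "$1" in
        SchemaMasterRole)          echo schema ;;
        InfrastructureMasterRole)  echo infrastructure ;;
        RidAllocationMasterRole)   echo rid ;;
        PdcEmulationMasterRole)    echo pdc ;;
        DomainNamingMasterRole)    echo naming ;;
        DomainDnsZonesMasterRole)  echo domaindns ;;  # newer samba-tool only (assumption)
        ForestDnsZonesMasterRole)  echo forestdns ;;  # newer samba-tool only (assumption)
        *)                         return 1 ;;
    esac
}

# roles_held_by DCNAME   (reads "fsmo show" output on stdin)
# Prints one --role keyword per line for every role whose owner is the
# NTDS Settings object under CN=DCNAME. Matching "CN=DCNAME," inside the DN,
# comma included, avoids false hits on DC names that prefix each other
# (DC1 vs DC10).
roles_held_by() {
    dc=$1
    while IFS= read -r line; do
        case "$line" in
            *"Role owner: CN=NTDS Settings,CN=$dc,"*)
                role_keyword "${line%% owner:*}" || true ;;
        esac
    done
}

# seize_remaining DCNAME   (reads "fsmo show" output on stdin)
# Seizes each role DCNAME still owns with a separate samba-tool call, so one
# failure does not stop the remaining roles. Prints "seized <role>" or
# "failed <role>" per role and returns 1 if any seize failed.
seize_remaining() {
    dc=$1
    failed=0
    for role in $(roles_held_by "$dc"); do
        if "$SAMBA_TOOL" fsmo seize --role="$role" >/dev/null 2>&1; then
            echo "seized $role"
        else
            echo "failed $role"
            failed=1
        fi
    done
    return $failed
}

# Stand-alone run: list which roles the sample's DC1 still holds. Seizing is
# left to the operator, e.g.:  samba-tool fsmo show | seize_remaining DC1
printf '%s\n' "$SAMPLE_SHOW" | roles_held_by DC1
```

Running the real command is a matter of piping live samba-tool fsmo show output into seize_remaining on the DC that should take the roles; re-running samba-tool fsmo show on both DCs afterwards is still the only confirmation that counts, exactly as the post does.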
