[Samba] Samba 4 fsmo-handling on crashed dc-server

Marc Muehlfeld mmuehlfeld at samba.org
Tue Aug 26 12:14:40 MDT 2014

Hello Peter,

On 26.08.2014 17:47, Peter Grotz - Obel und Partner GbR wrote:
> we have two dcs in one domain which are located in separate subnets. These
> subnets are connected by a routed vpn.
> How must I handle fsmo roles when one of these dcs fails and will maybe be
> repaired and reconnected?
> A transfer of the fsmo roles is not possible until the dc is 
> repaired, so should the fsmos be seized from the other dc? Can 
> anybody give me a hint how to handle this situation?

There are different situations:

1.) The crashed DC owns none of the FSMO roles: You have nothing to do
if the repaired DC comes back.

2.) The crashed DC has at least one of the FSMO roles:

2.a.) the DC can be repaired: You have nothing to do. You _must not_
seize the roles in the meantime!

2.b.) the DC can't be repaired: You seize the roles on one of the
remaining DCs. But you must ensure that the DC really never comes back!
Otherwise two DCs would own the same roles, which could have serious
consequences. You have to remove the DC from the domain. But demoting is
currently only possible for DCs that are still working. Demoting
foreign DCs is broken: https://bugzilla.samba.org/show_bug.cgi?id=10595


PS: I had put the extension of the FSMO documentation on my to-do list.
We often get questions about FSMO these days.
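
Added example, not part of the original message: a shell helper that reads `samba-tool fsmo show` output, lists the roles held by the failed DC, and maps the result to the cases 1, 2.a and 2.b described above. The DC names, the domain and the sample output are constructed placeholders; the helper assumes the usual "<Role> owner: CN=NTDS Settings,CN=<server>,..." output format.

```shell
#!/bin/sh
# Constructed sample of `samba-tool fsmo show` output (placeholder names).
sample_fsmo_show() {
cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
EOF
}

# roles_owned_by <DC>: reads fsmo show output on stdin and prints the
# roles whose owner DN names that server (case-insensitive), one per line.
roles_owned_by() {
    dc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v dc="$dc" '
        / owner: / {
            role = $1
            split($0, rdn, ",")          # rdn[2] is "CN=<server>"
            server = toupper(rdn[2])
            sub(/^CN=/, "", server)
            if (server == dc) print role
        }'
}

# fsmo_advice <DC> <repairable|lost>: reads fsmo show output on stdin
# and prints which of the cases from the message applies.
fsmo_advice() {
    roles=$(roles_owned_by "$1")
    if [ -z "$roles" ]; then
        echo "no-action"                 # case 1: DC holds no FSMO role
    elif [ "$2" = "repairable" ]; then
        echo "wait-do-not-seize"         # case 2.a: DC will come back
    else
        echo "seize-and-remove-dc"       # case 2.b: DC must never return
    fi
}

# Demo on the constructed sample; on a working DC, use instead:
#   samba-tool fsmo show | fsmo_advice DC1 lost
sample_fsmo_show | roles_owned_by dc1
sample_fsmo_show | fsmo_advice DC1 lost
```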
