[Samba] Lost DC with FSMO-Rolls (solved)

Stefan Kania stefan at kania-online.de
Wed Nov 5 13:22:55 MST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Now I got the "naming" role back to work. With:
 samba-tool fsmo seize --role=naming --force

The option "-force" is not trying to transfer the role first but seize
the role without transfer first. Now I got all roles back on a working
DC. Now I only have to reinstall the second DC again.
It was a log day.
Thank you all for your help

Stefan
Am 05.11.2014 um 21:01 schrieb Rowland Penny:
> On 05/11/14 19:37, Stefan Kania wrote: some more informations: when
> I do a : "samba-tool dbcheck --fix --cross-ncs"
> 
> I get the following:
> 
> root at SVL-V-AD1:~# samba-tool dbcheck --fix --cross-ncs Checking
> 3747 objects ERROR: fSMORoleOwner not found for role 
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd Sieze role
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd onto current DC by
> adding fSMORoleOwner=CN=NTDS 
> Settings,CN=SVL-V-AD1,CN=Servers,CN=Vertrieb,CN=Sites,CN=Configuration,DC=egf,DC=ntd
>
>  [y/N/all/none] y Failed to sieze role
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd onto current DC by
> adding fSMORoleOwner=CN=NTDS 
> Settings,CN=SVL-V-AD1,CN=Servers,CN=Vertrieb,CN=Sites,CN=Configuration,DC=egf,DC=ntd
>
>  : (20, 'SINGLE-VALUE attribute fSMORoleOwner on 
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd specified more than
> once') Checked 3747 objects (1 errors)
> 
> I checked the Object with ldbsearch and got the following:
> 
> root at SVL-V-AD1:~# ldbsearch --url=/var/lib/samba/private/sam.ldb
> -b "CN=Partitions,CN=Configuration,DC=egf,DC=ntd"
> 
> # record 6 dn: CN=Partitions,CN=Configuration,DC=egf,DC=ntd 
> objectClass: top objectClass: crossRefContainer cn: Partitions 
> instanceType: 4 whenCreated: 20141027112453.0Z whenChanged:
> 20141027112456.0Z uSNCreated: 3162 uSNChanged: 3162 
> showInAdvancedViewOnly: TRUE name: Partitions objectGUID:
> 8e7d5bd0-d15f-4f08-ae26-33931aedb98d systemFlags: -2147483648 
> objectCategory: 
> CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=egf,DC=ntd 
> msDS-Behavior-Version: 2 distinguishedName:
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd
> 
> There is no attribut "fSMORoleOwner". I checkes it on a working DC
> in another domain. In this domain the attribut is listed in
> CN=Partitions
> 
> Then I tried it the hard way with ldbedit:
> 
> root at SVL-V-AD1:~# ldbedit --url=/var/lib/samba/private/sam.ldb  -b 
> "CN=Partitions,CN=Configuration,DC=egf,DC=ntd" failed to modify
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd - SINGLE-VALUE
> attribute fSMORoleOwner on 
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd specified more than
> once
> 
> As you can see, ldbedit gives the same errormessage. But there is
> no other entry with an attribute "fSMORoleOwner"
> 
> I don't know what to do next
> 
> Any help?
> 
> Stefan
> 
> 
> Am 05.11.2014 um 17:54 schrieb Stefan Kania:
>>>> Hello,
>>>> 
>>>> I lost my DC with all fsmo-roles. I try to "seize" the roles
>>>> to another DC. It worked four out of five roles:
>>>> 
>>>> root at SVL-V-AD1:~# samba-tool fsmo seize --role=rid
>>>> Attempting transfer... Transfer unsuccessful, seizing... FSMO
>>>> seize of 'rid' role successful
>>>> 
>>>> root at SVL-V-AD1:~# samba-tool fsmo seize --role=pdc
>>>> Attempting transfer... Transfer unsuccessful, seizing... FSMO
>>>> seize of 'pdc' role successful
>>>> 
>>>> root at SVL-V-AD1:~# samba-tool fsmo seize
>>>> --role=infrastructure Attempting transfer... Transfer
>>>> unsuccessful, seizing... FSMO seize of 'infrastructure' role
>>>> successful
>>>> 
>>>> root at SVL-V-AD1:~# samba-tool fsmo seize --role=schema
>>>> Attempting transfer... Transfer unsuccessful, seizing... FSMO
>>>> seize of 'schema' role successful
>>>> 
>>>> But it faild foir the role "naming":
>>>> 
>>>> root at SVL-V-AD1:~# samba-tool fsmo seize --role=naming
>>>> Attempting transfer... ERROR(ldb): uncaught exception -
>>>> Failed FSMO transfer: NT_STATUS_CONNECTION_REFUSED File 
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>>> line 175, in _run return self.run(*args, **kwargs) File 
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
>>>> 160, in run self.seize_role(role, samdb, force) File 
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
>>>> 126, in seize_role transfer_role(self.outf, role, samdb)
>>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py",
>>>> line 53, in transfer_role samdb.modify(m)
>>>> 
>>>> After that "samba-tool fsmo show " gives the following
>>>> error:
>>>> 
>>>> root at SVL-V-AD1:~# samba-tool fsmo show ERROR(<type 
>>>> 'exceptions.KeyError'>): uncaught exception - 'No such
>>>> element' File
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
>>>> line 175, in _run return self.run(*args, **kwargs) File 
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
>>>> 207, in run self.namingMaster = res[0]["fSMORoleOwner"][0]
>>>> 
>>>> What can I do, to get all roles back to work?
>>>> 
>>>> Stefan
>>>> 
>>>> 

> 
> 
> OK, if I run this on the DC:
> 
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs
> 
> and search for 'fSMORoleOwner' I get the 7 (yes, there are 7) FSMO
> roles.
> 
> If I don't add '--cross-ncs', I can only see 3.
> 
> dn: DC=example,DC=com fSMORoleOwner: CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> dn: CN=RID Manager$,CN=System,DC=example,DC=com fSMORoleOwner:
> CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> dn: CN=Infrastructure,DC=example,DC=com fSMORoleOwner: CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> dn: CN=Partitions,CN=Configuration,DC=example,DC=com fSMORoleOwner:
> CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> dn: CN=Schema,CN=Configuration,DC=example,DC=com fSMORoleOwner:
> CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com 
> fSMORoleOwner: CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com 
> fSMORoleOwner: CN=NTDS 
> Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
> 
> 
> Rowland
> 



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRahx8ACgkQ2JOGcNAHDTbu/ACeKueQfNN1yn0SgSIKB/bZ9jZ1
9usAoIglXEQ/S9YGBp4dNFdqU1Nu4SgT
=yF5l
-----END PGP SIGNATURE-----

More information about the samba mailing list