[Samba] Transfer of FSMO Roles

Donaldson Jeff Jeff.Donaldson at ncs.k12.de.us
Fri Nov 21 06:06:26 MST 2014


Rowland, 

I can't thank you enough. Your help has been invaluable. I plan on doing this over the weekend, but I had one more question. When you say remove the original and never bring it back, that had been my plan all along. So would you suggest not trying to demote it and just rip it out as if it were an orphan? 

Regards,
Jeff

Jeff Donaldson
Technology Director
Newark Charter School
jeff.donaldson at ncs.k12.de.us
(302) 369-2001 ext: 425

________________________________________
From: Rowland Penny <rowlandpenny at googlemail.com>
Sent: Friday, November 21, 2014 5:27 AM
To: Donaldson Jeff; samba at lists.samba.org
Subject: Re: [Samba] Transfer of FSMO Roles

On 21/11/14 01:50, Donaldson Jeff wrote:
> Rowland,
>
> Should I be editing these in sam.ldb? I did a quick search on fSMORoleOwner and only found it three times in sam.ldb. Or should I be looking elsewhere? Thanks, once again, for your help.
>
> Regards,
> Jeff
>
> Jeff Donaldson
> Technology Director
> Newark Charter School
> jeff.donaldson at ncs.k12.de.us
> (302) 369-2001 ext: 425
>
> ________________________________________
> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on behalf of Rowland Penny <rowlandpenny at googlemail.com>
> Sent: Thursday, November 20, 2014 2:17 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Transfer of FSMO Roles
>
> On 20/11/14 18:24, Donaldson Jeff wrote:
>> Good Afternoon,
>>
>>
>> I've been working towards decommissioning my current PDC and moving Primary Master to a newly built DC. I was able to successfully transfer each of the five FSMO roles (without seizing) to the new server. I can run samba-tool fsmo show on each of my servers and they all return the new DC with each of the five roles. My question is...shouldn't transferring of the DomainNamingMasterRole affect the (SOA) and (NS) settings in DNS automatically?  They are still set to the old server, and if I look in the DomainDnsZones and ForestDnsZones in DNS Manager, they both still show records for the old server. Furthermore, trying to run samba-tool domain demote -Uadministrator on the old server returned that it still owned two roles. It is my understanding that this is a bug and that the old PDC should be pulled out of the domain as if it were an orphan. If that is the case, then how do I go about correcting DNS before I do that? Any help is appreciated. Thanks!
>>
>>
>> Regards,
>>
>> Jeff
>>
>> Jeff Donaldson
>> Technology Director
>> Newark Charter School
>> jeff.donaldson at ncs.k12.de.us
>> (302) 369-2001 ext: 425
> The problem here is that there are 7 FSMO roles on a Samba4 AD DC, but
> samba-tool only seems to know about 5 of them. As you have found out,
> the 2 missing ones are:
>
> CN=Infrastructure,DC=ForestDnsZones,rootdse
>
> CN=Infrastructure,DC=DomainDnsZones,rootdse
>
> If you inspect the 'fSMORoleOwner' attribute on these two objects, I am
> fairly sure that will you find that they are pointing at the old DC, I
> presume if you change this to your new DC, your problem will go away.
>
> Rowland
>
OK, you need to add a couple of options to ldbsearch to see all the FSMO
roles:

  root at dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary -b dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

There they are, all SEVEN of them!

The ones that samba-tool knows nothing about are: ForestDnsZones &
DomainDnsZones

To view these:

root at dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary -b "CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com" fSMORoleOwner

NOTE: The above is all one line.

# record 1
dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

root at dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary -b "CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com" fSMORoleOwner

# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

Opening one of the above in ldbedit, produces this:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary -b "CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com"

# editing 1 records
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
instanceType: 4
whenCreated: 20140812094114.0Z
whenChanged: 20140812094116.0Z
uSNCreated: 3459
uSNChanged: 3459
showInAdvancedViewOnly: TRUE
name: Infrastructure
objectGUID: 825b707d-e4c7-4201-9fab-e00135189910
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
systemFlags: -1946157056
objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: TRUE
distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com

I presume if you alter the fSMORoleOwner line to match the new DC, this
will seize the role. You can get a list of possible role owners with:

root at dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs "(objectClass=nTDSDSA)" dn | grep 'dn:' | sed 's|dn: ||'

CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

I have never tried this, so don't blame me if it messes up your AD, but
I have no reason to believe it will. You may have to remove the original
DC and never bring it back.

Rowland
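The audit-and-repoint procedure Rowland describes above, as an added example that is not part of the thread and not Samba's own tooling: a POSIX shell script that reads the LDIF produced by his ldbsearch call on stdin, unfolds LDIF continuation lines (long values are wrapped onto lines that start with a space), lists all seven fSMORoleOwner values, and generates the ldbmodify LDIF that repoints every owner that is not the intended DC. The hostnames DC01/DC02, the example.com domain and the sample LDIF are constructed to mirror the thread (five roles already on DC02, the two DNS-partition roles still on DC01). Writing fSMORoleOwner directly is a seizure rather than a transfer, so only do it on the DC that will keep the roles and when the old DC is not coming back; later Samba releases' samba-tool fsmo do know the two DNS roles (--role=domaindns and --role=forestdns), which is the first thing to check before editing sam.ldb by hand.

```shell
#!/bin/sh
# Added example, not from the thread: audit every fSMORoleOwner in the
# ldbsearch output Rowland shows and generate the ldbmodify LDIF that
# repoints the stale ones. Reads LDIF on stdin; DC01/DC02/example.com and
# the sample LDIF below are constructed to mirror the thread.

# LDIF folds long values onto continuation lines that start with a single
# space; join them so every attribute sits on one line again.
ldif_unfold() {
    awk '
        /^ /   { line = line substr($0, 2); next }
        NR > 1 { print line }
        { line = $0 }
        END    { if (NR > 0) print line }
    '
}

# Print "<object dn><TAB><fSMORoleOwner dn>" for each object carrying the
# attribute; with both DNS partitions present that is seven objects.
fsmo_owners() {
    ldif_unfold | awk '
        {
            i = index($0, ": ")
            if (i == 0) next            # comments ("# record 1") and blanks
            key = substr($0, 1, i - 1)
            val = substr($0, i + 2)
        }
        key == "dn"            { dn = val }
        key == "fSMORoleOwner" { print dn "\t" val }
    '
}

# Emit an ldbmodify LDIF that sets fSMORoleOwner to $1 (the NTDS Settings DN
# of the DC that should own the role) on every object where it differs.
# Writing the attribute directly is a seizure, not a transfer.
stale_fsmo_ldif() {
    fsmo_owners | awk -F '\t' -v new="$1" '
        $2 != new {
            print "dn: " $1
            print "changetype: modify"
            print "replace: fSMORoleOwner"
            print "fSMORoleOwner: " new
            print ""
        }
    '
}

# Number of objects whose owner is not $1; zero means nothing left to fix.
stale_fsmo_count() {
    stale_fsmo_ldif "$1" | awk 'BEGIN { n = 0 } /^dn: / { n++ } END { print n }'
}

OLD_DC='CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'
NEW_DC='CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

# Constructed sample: the five roles samba-tool knows were transferred to
# DC02, the two DNS-partition roles still point at DC01 (Jeff's situation).
SAMPLE_LDIF=$(cat <<'EOF'
# record 1
dn: DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=com

# record 2
dn: CN=Infrastructure,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

# record 3
dn: CN=RID Manager$,CN=System,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

# record 4
dn: CN=Partitions,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

# record 5
dn: CN=Schema,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

# record 6
dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=com

# record 7
dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
EOF
)

# Stand-alone run: list every owner, then the LDIF that would repoint the
# stale ones at DC02.
printf '%s\n' "$SAMPLE_LDIF" | fsmo_owners
printf '%s\n' "$SAMPLE_LDIF" | stale_fsmo_ldif "$NEW_DC"
```

Against a real DC, pipe the output of Rowland's first ldbsearch (without the grep) into stale_fsmo_ldif with the new DC's NTDS Settings DN, read the generated LDIF, and only then feed it to ldbmodify with the same -H and --cross-ncs options his ldbedit uses. The owner DN you pass must be one of the nTDSDSA DNs his last query lists; anything else is a typo, not a DC, and the role would then point at nothing.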