[Samba] Transfer of FSMO Roles - and cleanup
Sketch
smblist at rednsx.org
Mon Nov 24 11:55:36 MST 2014
On Fri, 21 Nov 2014, Rowland Penny wrote:
> I then seized the 5 roles on the second DC and shut down the first.
>
> root at debdc2:~# ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs
> --show-binary -b dc=internal,dc=example,dc=com fSMORoleOwner | grep
> 'fSMORoleOwner'
Not to hijack the original thread, but when I run this command, I only get
the 5 roles seen in samba-tool. However, I had previously removed my
original 2 DCs one-by-one and replaced them with new ones. I did not
transfer roles, but later seized them, as you were just suggesting. I had
some issues with the seizing/transfer, but they were so long ago I don't
remember the specifics.
> The only problem that I can see is that AD will still be peppered with the
> first DC, but I think that I have a script for this as well.
I noticed this as well, and later went and removed all of the old
references to the old original DC which was still in several places in
LDAP. I wonder if two of these that I removed could have been the two
"hidden" FSMO roles which no longer show up in the above search?
I tried using ldbedit, and it doesn't show me an fSMORoleOwner field at
all. I tried adding a new one to match the other 5 roles, but it
complains that the attribute already exists.
# ldbedit -e emacs --url=/var/lib/samba/private/sam.ldb --cross-ncs
--show-binary -b "CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com"
failed to modify CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com - SINGLE-VALUE attribute fSMORoleOwner on CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=example,DC=com specified more than once
So if it already exists, why can't I see it?
What leads me to look at this is I have two DCs which seem to perform
flawlessly, but I am unable to add a third (on multiple machines). It
seems to get added to AD, but then the existing DCs are unable to talk to
it for some reason. It complains about out of memory errors, but this
machine has 32GB of RAM with 30GB free, so I wonder if it might be due
to something in LDAP being broken.
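As an added example, not code from this thread or from the Samba project, here is a small POSIX shell checker for the situation described above: it turns the ldbsearch output into a role-to-owner table and flags any fSMORoleOwner that still points at an NTDS Settings object that no longer exists (the dangling references left behind when a DC is removed without the roles being transferred). It assumes the sam.ldb path used in the thread; the DC names, site name and the two LDIF records are constructed sample data, and the live wrapper functions assume they are run on a DC where ldbsearch is available. The search filter `(fSMORoleOwner=*)` and the `nTDSDSA` object class are standard AD schema. The two role owners that a five-role listing omits live on the CN=Infrastructure objects of the DomainDnsZones and ForestDnsZones partitions, which is why `--cross-ncs` matters for the query.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists every fSMORoleOwner across
# all naming contexts and flags owners whose NTDS Settings object no longer
# exists. Sample LDIF below is constructed; DC names and site are assumed.

SAM_LDB=/var/lib/samba/private/sam.ldb   # path as used in the thread

# Live query, to be run on a DC. --cross-ncs is what reaches the
# DomainDnsZones and ForestDnsZones partitions, whose CN=Infrastructure
# objects carry the two role owners a five-role listing leaves out.
fsmo_owners_live() {
    ldbsearch -H "$SAM_LDB" --cross-ncs -b "$1" '(fSMORoleOwner=*)' fSMORoleOwner
}

# Live list of DCs that still exist: every nTDSDSA object under Configuration.
ntds_settings_live() {
    ldbsearch -H "$SAM_LDB" -b "CN=Configuration,$1" '(objectClass=nTDSDSA)' dn \
        | sed -n 's/^dn: //p'
}

# Turn ldbsearch LDIF on stdin into "role_dn<TAB>owner_dn" lines.
# Folded lines (leading space) are rejoined first, as LDIF requires;
# "# record" comment lines and blank lines are ignored.
fsmo_table() {
    awk '
        function flush() {
            if (buf ~ /^dn: /)                 dn = substr(buf, 5)
            else if (buf ~ /^fSMORoleOwner: /) print dn "\t" substr(buf, 16)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
    '
}

# Print table rows whose owner is not in the newline-separated list in $1.
# DNs are case-insensitive in AD, so both sides are lower-cased first.
stale_owners() {
    awk -F '\t' -v live="$1" '
        BEGIN { n = split(live, a, "\n"); for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1 }
        !(tolower($2) in ok) { print }
    '
}

# Constructed sample: what ldbsearch might print for two of the seven roles,
# with one value folded across two lines and one owner (DC1) already retired.
SAMPLE_LDIF='dn: CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com

dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com
'

# Constructed list of nTDSDSA objects that still exist (DC1 is gone).
LIVE_NTDS='CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com
CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=com'

# Offline demonstration on the constructed data. On a real DC, feed
# fsmo_owners_live "$BASE" into fsmo_table and pass
# "$(ntds_settings_live "$BASE")" to stale_owners instead.
demo() {
    printf '%s\n' "$SAMPLE_LDIF" | fsmo_table | stale_owners "$LIVE_NTDS"
}
```

On the constructed data the checker reports only the ForestDnsZones infrastructure role, because its owner is the retired DC1. A row in that output is the signal to seize the role with samba-tool rather than to edit fSMORoleOwner by hand: the attribute is single-valued, which is exactly why ldbedit refuses a second value, and a role owner that names a deleted NTDS Settings object is the kind of broken reference that can upset replication with a newly joined DC.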