[Samba] Transfer of FSMO Roles - and cleanup

Rowland Penny rowlandpenny at googlemail.com
Mon Nov 24 13:34:45 MST 2014 

On 24/11/14 18:55, Sketch wrote:
> On Fri, 21 Nov 2014, Rowland Penny wrote:
>
>> I then siezed the 5 roles on the second DC and shut down the first.
>>
>> root at debdc2:~# ldbsearch -H /var/lib/samba/private/sam.ldb 
>> --cross-ncs --show-binary -b dc=internal,dc=example,dc=com 
>> fSMORoleOwner | grep 'fSMORoleOwner'
>
> Not to hijack the original thread, but when I run this command, I only 
> get the 5 roles seen in samba-tool.  However, I had previously removed 
> my original 2 DCs one-by-one and replaced them with new ones.  I did 
> not transfer roles, but later siezed them, as you were just 
> suggesting.  I had some issues with the siezing/transfer, but they 
> were so long ago I don't remember the specifics.
>
>> The only problem that I can see is that AD will still be peppered 
>> with the first DC, but I think that I have a script for this as well.
>
> I noticed this as well, and later went and removed all of the old 
> references to the old original DC which was still in several places in 
> LDAP.  I wonder if two of these that I removed could have been the two 
> "hidden" FSMO roles which no longer show up in the above search?
>
> I tried using ldbedit, and it doesn't show me an fSMORoleOwner field 
> at all.  I tried adding a new one to match the other 5 roles, but it 
> complains that the attribute alread exists.
>
> # ldbedit -e emacs --url=/var/lib/samba/private/sam.ldb --cross-ncs 
> --show-binary -b "CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com"
> failed to modify CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com 
> - SINGLE-VALUE attribute fSMORoleOwner on 
> CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=example,DC=com specified 
> more than once
>
> So if it already exists, why can't I see it?
>
> What leads me to look at this is I have two DCs which seem to perform 
> flawlessly, but I am unable to add a third (on multiple machines).  It 
> seems to get added to AD, but then the existing DCs are unable to talk 
> to it for some reason.  It complains about out of memory errors, but 
> this machine has 32GB of RAM with 30GB free.., so I wonder if it might 
> be due to something in LDAP being broken.
>
OK, if I run this command on both my DC's:

ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary -b 
dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'

I get the same result on both DC's:

fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com

This, as you can see, shows 7 FSMO role owners

If I run the command this way:

ldbsearch -H /var/lib/samba/private/sam.ldb --show-binary -b 
dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'

I can only see 3 FSMO role owners

fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,dc=example,dc=com

So if you are seeing 5, and cannot add a dns role owner, I can only 
presume that there are others missing, you should have:

dn: dc=example,dc=com
dn: CN=RID Manager$,CN=System,dc=example,dc=com
dn: CN=Infrastructure,dc=example,dc=com
dn: CN=Schema,CN=Configuration,dc=example,dc=com
dn: CN=Partitions,CN=Configuration,dc=example,dc=com
dn: CN=Infrastructure,DC=ForestDnsZones,dc=example,dc=com
dn: CN=Infrastructure,DC=DomainDnsZones,dc=example,dc=com

Rowland

More information about the samba mailing list