[Samba] Transfer of FSMO Roles - and cleanup

Sketch smblist at rednsx.org
Mon Nov 24 14:37:01 MST 2014


On Mon, 24 Nov 2014, Rowland Penny wrote:

> OK, if I run this command on both my DCs:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary -b 
> dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'
> 
> I get the same result on both DCs:
[snip]
> This, as you can see, shows 7 FSMO role owners

Yep, only 5 here.

fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

> If I run the command this way:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb --show-binary -b 
> dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'
>
> I can only see 3 FSMO role owners

Yes, I only see 3 for this one.

fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

> So if you are seeing 5, and cannot add a dns role owner, I can only presume 
> that there are others missing, you should have:
>
> dn:  dc=example,dc=com
> dn:  CN=RID Manager$,CN=System,dc=example,dc=com
> dn:  CN=Infrastructure,dc=example,dc=com
> dn:  CN=Schema,CN=Configuration,dc=example,dc=com
> dn:  CN=Partitions,CN=Configuration,dc=example,dc=com
> dn:  CN=Infrastructure,DC=ForestDnsZones,dc=example,dc=com
> dn:  CN=Infrastructure,DC=DomainDnsZones,dc=example,dc=com

If I do ldbsearch on each of these, the last two are missing 
a fSMORoleOwner field.  The question is: how to fix it?  I tried to 
manually add it and ldbedit says that the field already exists.  What 
other options do I have?  I tried setting 'dsdb:schema update allowed = 
yes' in smb.conf just to make sure it wasn't disallowed due to being 
considered a schema update, with no change.
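To make the check above repeatable, here is an added Python example (not code from this thread or from Samba) that parses the LDIF printed by the `ldbsearch --cross-ncs` command Rowland gave and reports which of the seven objects lack fSMORoleOwner. The sample LDIF is constructed to reproduce the 5-of-7 situation described here, and the role labels are my own annotation.

```python
# Constructed, not from the thread: the seven objects that must carry fSMORoleOwner,
# DNs as Rowland listed them, labelled with role names I added for readability.
FSMO_OBJECTS = {
    "dc=example,dc=com": "PDC Emulator",
    "cn=rid manager$,cn=system,dc=example,dc=com": "RID Master",
    "cn=infrastructure,dc=example,dc=com": "Infrastructure Master",
    "cn=schema,cn=configuration,dc=example,dc=com": "Schema Master",
    "cn=partitions,cn=configuration,dc=example,dc=com": "Domain Naming Master",
    "cn=infrastructure,dc=forestdnszones,dc=example,dc=com": "ForestDnsZones Infra",
    "cn=infrastructure,dc=domaindnszones,dc=example,dc=com": "DomainDnsZones Infra",
}

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: folds continuation lines, splits records on blank lines."""
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]          # LDIF line continuation
        else:
            folded.append(line)
    entries, current = [], {}
    for line in folded + [""]:              # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # skip ldbsearch's "# record N" lines
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return entries

def audit_fsmo(ldif_text: str) -> dict:
    """Map each role label to its owner DN, or None if the object has no owner or is absent."""
    by_dn = {e.get("dn", "").lower(): e for e in parse_ldif(ldif_text)}
    return {role: (by_dn.get(dn) or {}).get("fsmoroleowner") or None
            for dn, role in FSMO_OBJECTS.items()}

def missing_roles(ldif_text: str) -> list:
    """Role labels whose object lacks fSMORoleOwner (the symptom in the thread)."""
    return [r for r, owner in audit_fsmo(ldif_text).items() if owner is None]

# Constructed sample modelled on the thread: 5 of 7 objects name AUTH-01 as
# owner, the two DNS-partition Infrastructure objects carry no owner at all.
OWNER = ("CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=example,DC=com")
SAMPLE_LDIF = "\n".join(
    ["# record %d\ndn: %s\nfSMORoleOwner: %s\n" % (i + 1, dn, OWNER)
     for i, dn in enumerate(list(FSMO_OBJECTS)[:5])]
    + ["# record 6\ndn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com\n",
       "# record 7\ndn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com\n"])
```

In practice, feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs -b dc=example,dc=com fSMORoleOwner` without the grep, so the dn lines of the owner-less objects are still there to be matched.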