[Samba] Transfer of FSMO Roles - and cleanup
Rowland Penny
rowlandpenny at googlemail.com
Mon Nov 24 14:47:58 MST 2014
On 24/11/14 21:37, Sketch wrote:
> On Mon, 24 Nov 2014, Rowland Penny wrote:
>
>> OK, if I run this command on both my DC's:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-binary
>> -b dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'
>>
>> I get the same result on both DC's:
> [snip]
>> This, as you can see, shows 7 FSMO role owners
>
> Yep, only 5 here.
>
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
>> If I run the command this way:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb --show-binary -b
>> dc=example,dc=com fSMORoleOwner | grep 'fSMORoleOwner'
>>
>> I can only see 3 FSMO role owners
>
> Yes, I only see 3 for this one.
>
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>
>> So if you are seeing 5, and cannot add a dns role owner, I can only
>> presume that there are others missing, you should have:
>>
>> dn: dc=example,dc=com
>> dn: CN=RID Manager$,CN=System,dc=example,dc=com
>> dn: CN=Infrastructure,dc=example,dc=com
>> dn: CN=Schema,CN=Configuration,dc=example,dc=com
>> dn: CN=Partitions,CN=Configuration,dc=example,dc=com
>> dn: CN=Infrastructure,DC=ForestDnsZones,dc=example,dc=com
>> dn: CN=Infrastructure,DC=DomainDnsZones,dc=example,dc=com
>
> If I do ldbsearch on each of these, the last two are missing a
> fSMORoleOwner field. The question is: how to fix it? I tried to
> manually add it and ldbedit says that the field already exists. What
> other options do I have? I tried setting 'dsdb:schema update allowed
> = yes' in smb.conf just to make sure it wasn't disallowed due to being
> considered a schema update, with no change.
>
>
OK, try modifying it instead. Let's say that you want to change the
'DomainDnsZones' fSMORoleOwner.

Create an ldif somewhere:

dn: CN=Infrastructure,DC=DomainDnsZones,dc=example,dc=com
changetype: modify
replace: fSMORoleOwner
fSMORoleOwner: CN=NTDS
 Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

then use ldbmodify:

ldbmodify -H /var/lib/samba/private/sam.ldb --cross-ncs /path/to/where/you/put/the/ldif
Rowland
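As an added example (not code from the thread or from Samba), a small Python script that parses saved ldbsearch output, reports which of the seven partition DNs listed above carry no fSMORoleOwner, and builds the replace LDIF for each; the sample output and the AUTH-01 owner DN are constructed from what the thread shows.

```python
# Constructed example, not code from the thread: parse ldbsearch's LDIF output,
# find which of the seven partition objects lack fSMORoleOwner, build the fix.
EXPECTED_FSMO_DNS = [
    "dc=example,dc=com",
    "CN=RID Manager$,CN=System,dc=example,dc=com",
    "CN=Infrastructure,dc=example,dc=com",
    "CN=Schema,CN=Configuration,dc=example,dc=com",
    "CN=Partitions,CN=Configuration,dc=example,dc=com",
    "CN=Infrastructure,DC=ForestDnsZones,dc=example,dc=com",
    "CN=Infrastructure,DC=DomainDnsZones,dc=example,dc=com",
]
OWNER = ("CN=NTDS Settings,CN=AUTH-01,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=example,DC=com")

def parse_ldif(text):
    # Returns {dn: {attribute: [values]}}. A line starting with a space is an
    # LDIF continuation of the previous value (why the mail shows the DNs split).
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def missing_role_owners(text):
    # DNs (of the expected seven) whose record carries no fSMORoleOwner.
    owned = {dn.lower() for dn, attrs in parse_ldif(text).items()
             if any(a.lower() == "fsmoroleowner" for a in attrs)}
    return [dn for dn in EXPECTED_FSMO_DNS if dn.lower() not in owned]

def fix_ldif(dn, owner):
    # The modify/replace LDIF from the reply, ready to feed to ldbmodify.
    return ("dn: %s\nchangetype: modify\nreplace: fSMORoleOwner\n"
            "fSMORoleOwner: %s\n" % (dn, owner))

# Constructed sample: five partitions show an owner, folded after 'CN=NTDS'
# as in the mail; the two DNS application partitions carry none.
SAMPLE_OUTPUT = "\n".join(
    "dn: %s\n%s" % (dn, "fSMORoleOwner: CN=NTDS\n " + OWNER[7:] + "\n" if i < 5 else "")
    for i, dn in enumerate(EXPECTED_FSMO_DNS))
```

Run it against the real output of the `--cross-ncs` ldbsearch from the thread saved to a file, and `missing_role_owners` lists the DNs to put into the modify LDIF.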