[Samba] Problem to demote samba4 dc

[Rowland Penny]

On 17/10/14 16:21, Adam Tauno Williams wrote:
>>> ERROR: Current DC is still the owner of 2 role(s), use the role
>>> command to transfer roles to another DC
>>> When check the fsmo roles status via "samba-tool fsmo show" it
>>> confirms that the Samba 4 DC doesn't own anything.
>> I'm experiencing the same. Did you find a solution?
> As am I.  I have added newer Samba DCs and want to kick off the old
> orignal DC.  But I cannot as it still holds those two mystery roles.
> All normal FSMO roles have been transfered to another DC
>
> I believe it relates to the use of 'internal' DNS, I have found other
> messages relating to that.  But never a solution.
>
> I guess I will try the forcibly-remove VBS.
>
OK, the comments about DNS got me thinking as this problem hit me once 
before. I ran:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs

and did a search for fsmo, this resulted in several DN's that contained 
the attribute 'fSMORoleOwner' , these all contained:

CN=NTDS 
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

The DN's that contained the attribute were:

dn: DC=example,DC=com # PDC Emulator
dn: CN=Schema,CN=Configuration,DC=example,DC=com # Schema Master
dn: CN=Partitions,CN=Configuration,DC=example,DC=com # Domain Naming
dn: CN=RID Manager$,CN=System,DC=example,DC=com # Relative ID (RID) Master
dn: CN=Infrastructure,DC=example,DC=com # Infrastructure Master

The comments are what I believe to be the roles for the DN.

I also found two other DN's:

dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com
dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com

These would appear to be part of the infrastructure role, but I think 
that these are the two roles that don't get transferred, so before you 
try to forcibly remove the DC, you could try changing the attributes 
contents with ldbmodify or ldbedit.

Rowland