[Samba] Transfer of FSMO roles

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 26 08:18:23 UTC 2015


On 25/08/15 22:44, John Gardeniers wrote:
> Hi Rowland,
>
> Yes, I did move all the roles and, yes, I did read the wiki, which is 
> where I learned which commands to run. I moved the other two roles 
> separately but as that has absolutely nothing to do with the questions 
> I didn't see any great need to mention it.
>
> Just to clarify, the questions I am asking are:
>
> Why is one command showing that the roles have been moved and another 
> telling me that they didn't? Which one is correct? How can I make them 
> agree? Does it even matter that they don't agree?
>
> I need to remove the original DC, so I'd like to have some level of 
> confidence about this.
>
> regards,
> John
>
>
> On 25/08/15 16:57, Rowland Penny wrote:
>> On 25/08/15 03:46, John Gardeniers wrote:
>>> I just transferred all the FSMO roles from DC-MIGRATE to DC1:
>>
>> Unfortunately, no you didn't, if you have read the wiki page, you 
>> will now know there are 7 FSMO roles.
>>
>>>
>>> [root@dc1 ~]# samba-tool fsmo transfer --role=all
>>> FSMO transfer of 'rid' role successful
>>> FSMO transfer of 'pdc' role successful
>>> FSMO transfer of 'naming' role successful
>>> FSMO transfer of 'infrastructure' role successful
>>> FSMO transfer of 'schema' role successful
>>>
>>> I then double checked as follows:
>>>
>>> [root@dc1 ~]# samba-tool fsmo show
>>> InfrastructureMasterRole owner: CN=NTDS 
>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> RidAllocationMasterRole owner: CN=NTDS 
>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> PdcEmulationMasterRole owner: CN=NTDS 
>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> DomainNamingMasterRole owner: CN=NTDS 
>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> SchemaMasterRole owner: CN=NTDS 
>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>
>>> Looks good but when I run this:
>>>
>>> [root@dc1 ~]# ldbsearch --cross-ncs -H 
>>> /var/lib/samba/private/sam.ldb -b 
>>> "CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com" -s base 
>>> fsmoroleowner
>>> # record 1
>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
>>> fSMORoleOwner: CN=NTDS 
>>> Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
>>>  -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>
>>> You'll notice that this time it still lists DC-MIGRATE as the role 
>>> owner (I didn't bother running this for the other roles). I re-ran 
>>> the command again half an hour later, thinking that perhaps this 
>>> just needed a little time to settle, but got the same results.
>>>
>>> Does this indicate a problem that I need to resolve? If so, how do I 
>>> resolve it?
>>>
>>
>> Yes, you have a problem, to resolve it, you can either wait until 
>> 4.3.0 comes out and then upgrade, you will then be able to transfer 
>> all 7 roles, or (I never said this) download the latest 4.3.0rc 
>> tarball and use the fsmo.py on your machine.
>>
>>
>>> Incidentally, the link for "FSMO role management using the Windows 
>>> GUI" on
>>> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles 
>>> is broken.
>>
>> Fixed
>>
>> Rowland
>>>
>>> regards,
>>> John
>>>
>>
>>
>

You are using a samba4 version less than 4.3.0 and as such 'samba-tool 
fsmo' only knows about the 5 main FSMO roles, so it can only show, 
transfer or seize these. There are another 2 FSMO roles, the DNS 
infrastructure roles, which you are now telling us that you have moved 
manually. From samba 4.3.0, 'samba-tool fsmo' will show, transfer and 
seize all 7 FSMO roles, from the information, so if you use 'fsmo.py' 
from 4.3.0, you should be able to see if all the roles have transferred.

If you don't want to use the latest 'fsmo.py', see here:

https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles

Rowland
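
Added example (not part of the original thread and not Samba's own code): a shell check that runs the `ldbsearch` query shown above against all 7 role objects and flags any `fSMORoleOwner` that is not the expected DC, joining LDIF-folded lines as in the output quoted earlier. The function names are hypothetical; the role DNs are the standard AD locations and assume a single-domain forest, and the `sam.ldb` path is the one used in the thread.

```shell
# Added example. Prints "role|DN" for the object holding fSMORoleOwner of each
# of the 7 roles. $1 = domain base DN (assumes a single-domain forest).
fsmo_role_dns() {
    cat <<EOF
schema|CN=Schema,CN=Configuration,$1
naming|CN=Partitions,CN=Configuration,$1
pdc|$1
rid|CN=RID Manager\$,CN=System,$1
infrastructure|CN=Infrastructure,$1
domaindns|CN=Infrastructure,DC=DomainDnsZones,$1
forestdns|CN=Infrastructure,DC=ForestDnsZones,$1
EOF
}

# Reads ldbsearch LDIF on stdin, joins folded lines (a continuation line starts
# with one space) and prints the server CN taken from the fSMORoleOwner value.
fsmo_owner_from_ldif() {
    awk '
        /^ / { if (n) l[n] = l[n] substr($0, 2); next }
        { l[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                if (tolower(l[i]) !~ /^fsmoroleowner: /) continue
                v = l[i]; sub(/^[^:]*: /, "", v)
                if (sub(/^CN=NTDS Settings,CN=/, "", v)) { sub(/,.*/, "", v); print v; exit }
            }
        }'
}

# check_fsmo_owners EXPECTED_DC BASE_DN [SAM_LDB]; returns 1 if any role differs.
check_fsmo_owners() {
    expected="$1"; base="$2"; db="${3:-/var/lib/samba/private/sam.ldb}"
    fsmo_role_dns "$base" | (
        rc=0
        while IFS='|' read -r role dn; do
            owner=$(ldbsearch --cross-ncs -H "$db" -b "$dn" -s base fSMORoleOwner \
                        </dev/null | fsmo_owner_from_ldif)
            if [ "$owner" = "$expected" ]; then status=OK; else status=MISMATCH; rc=1; fi
            printf '%-8s %s -> %s\n' "$status" "$role" "${owner:-<not found>}"
        done
        exit "$rc" )
}

# Constructed sample, modelled on the ldbsearch output quoted in the thread.
SAMPLE_LDIF='dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
 -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com'
printf '%s\n' "$SAMPLE_LDIF" | fsmo_owner_from_ldif
if [ "$#" -ge 2 ]; then check_fsmo_owners "$@"; fi
```

Run on the DC as, for example, `sh check.sh DC1 DC=omtest,DC=com`; a non-zero exit means at least one role is still owned by another server.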


