[Samba] Transfer of FSMO roles

John Gardeniers jgardeniers at objectmastery.com
Wed Aug 26 21:28:54 UTC 2015 

Hi Rowland,

It's all academic now, as the attempt to move the roles and remove the 
original DC left both DCs broken, so I have to start again from scratch 
and this time I won't start with a DC that I later want to remove.

regards,
John


On 26/08/15 18:18, Rowland Penny wrote:
> On 25/08/15 22:44, John Gardeniers wrote:
>> Hi Rowland,
>>
>> Yes, I did move all the roles and , yes, I did read the wiki, which 
>> is where I learned which commands to run. I moved the other two roles 
>> separately but as that has absolutely nothing to do with the 
>> questions I didn't see any great need to mention it.
>>
>> Just to clarify, the questions I am asking are:
>>
>> Why is one command showing that the roles have been moved and another 
>> telling me that they didn't? Which one is correct? How can I make 
>> them agree? Does it even matter that they don't agree?
>>
>> I need to remove the original DC, so I'd like to have some level of 
>> confidence about this.
>>
>> regards,
>> John
>>
>>
>> On 25/08/15 16:57, Rowland Penny wrote:
>>> On 25/08/15 03:46, John Gardeniers wrote:
>>>> I just transferred all the FSMO roles from DC-MIGRATE to DC1:
>>>
>>> Unfortunately, no you didn't, if you have read the wiki page, you 
>>> will now know there are 7 FSMO roles.
>>>
>>>>
>>>> [root at dc1 ~]# samba-tool fsmo transfer --role=all
>>>> FSMO transfer of 'rid' role successful
>>>> FSMO transfer of 'pdc' role successful
>>>> FSMO transfer of 'naming' role successful
>>>> FSMO transfer of 'infrastructure' role successful
>>>> FSMO transfer of 'schema' role successful
>>>>
>>>> I then double checked as follows:
>>>>
>>>> [root at dc1 ~]# samba-tool fsmo show
>>>> InfrastructureMasterRole owner: CN=NTDS 
>>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> RidAllocationMasterRole owner: CN=NTDS 
>>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> PdcEmulationMasterRole owner: CN=NTDS 
>>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> DomainNamingMasterRole owner: CN=NTDS 
>>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> SchemaMasterRole owner: CN=NTDS 
>>>> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>>
>>>> Looks good but when I run this:
>>>>
>>>> [root at dc1 ~]# ldbsearch --cross-ncs -H 
>>>> /var/lib/samba/private/sam.ldb -b 
>>>> "CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com" -s base 
>>>> fsmoroleowner
>>>> # record 1
>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
>>>> fSMORoleOwner: CN=NTDS 
>>>> Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
>>>>  -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>>
>>>> You'll notice that this time it still lists DC-MIGRATE as the role 
>>>> owner (I didn't bother running this for the other roles). I re-ran 
>>>> the command again half an hour later, thinking that perhaps this 
>>>> just need a little time to settle, but got the same results.
>>>>
>>>> Does this indicate a problem that I need to resolve? If so, how do 
>>>> I resolve it?
>>>>
>>>
>>> Yes, you have a problem, to resolve it, you can either wait until 
>>> 4.3.0 comes out and then upgrade, you will then be able to transfer 
>>> all 7 roles, or (I never said this) download the latest 4.3.0rc 
>>> tarball use the fsmo.py on your machine.
>>>
>>>
>>>> Incidentally, the link for " FSMO role management using the Windows 
>>>> GUI" on
>>>> https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles 
>>>> is broken.
>>>
>>> Fixed
>>>
>>> Rowland
>>>>
>>>> regards,
>>>> John
>>>>
>>>
>>>
>>
>
> You are using a samba4 version less than 4.3.0 and as such 'samba-tool 
> fsmo' only knows about the 5 main FSMO roles, so it can only show, 
> transfer or seize these. There are another 2 FSMO roles, the DNS 
> infrastructure roles, which you are now telling us that you have moved 
> manually. From samba 4.3.0, 'samba-tool fsmo' will show, transfer and 
> seize all 7 FSMO roles, from the information, so if you use 'fsmo.py' 
> from 4.3.0, you should be able to see if all the roles have transferred.
>
> If you don't want to use the latest 'fsmo.py', see here:
>
> https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
>
> Rowland
>

More information about the samba mailing list