[Samba] How to properly demote a W2003 from Samba4?

Rowland Penny rowlandpenny at googlemail.com
Mon May 18 02:10:06 MDT 2015

On 18/05/15 08:58, Sam wrote:
> Disturbing...
> Everywhere I read I see only 5 roles to transfer in windows 2003 server:
>  * /transfer PDC/
>  * /transfer RID master/
>  * /transfer infrastructure master/
>  * /transfer naming master/
>  * /transfer schema master/
> How to transfer the 2 other "roles"?
> Thanks.
> On 15/05/2015 18:03, Andrey Repin wrote:
>> Greetings, Sam!
>>>>> Hello all,
>>>>> I'm always trying to migrate from W2000 server to Samba 4.
>>>>> For doing this, I tried this :
>>>>> - install a W2003 server with AD and DNS services, join it to W2000,
>>>>> transfer roles and after demote the old W2000 -> done
>>>>> - install a Sernet Samba4 with Bind9, join W2003, transfer roles -> done
>>>>> At this point the sync process is working in two way, I can manage DNS
>>>>> and AD with rsat tool even directly on the Samba4 server... Which was
>>>>> hard to do this to work properly! ;)
>>>>> Now I can't demote the W2003 server, the only way I find is to use
>>>>> "dcpromo.exe /froceremoval" command... ( the alone "dcpromo.exe" command
>>>>> don't work... )
>>>>> But now Samba4 always trying to contact the w2003 server and I can't
>>>>> clean the dns and active directory, I've some error for example in
>>>>> "domain controllers" section of the AD...
>>>>> if I try "samba-tool domain level raise --domain-level=2008_R2" I read
>>>>> "ERROR: Domain function level can't be higher than the lowest function
>>>>> level of a DC!"
>>>>> So how to do a clean demote process even manually? ( I can't set up a
>>>>> fresh new AD because I have too many users profile to move...)
>>>>> Thanks for helping! :)
>>>> Did you transfer all seven roles?
>>> Hello Andrey,
>>> Yes, I transferred all the available roles with the Ntdsutil command.
>>> and samba-tool fsmo show return all roles.
>>> regards
>> For your future reference, "All" is not a number.
>> samba-tool only aware of five roles to the best of my knowledge, unless it has
>> been fixed already.

I was expecting this, all the available tools seem to think that there 
are only 5 fsmo roles, but there are definitely 7, the two that get 
missed are:

CN=Infrastructure,DC=ForestDnsZones, domain_dn

Would you be interested in trying out a new version of fsmo.py (a part 
of samba-tool) that I have altered?
This shows all 7 fsmo roles and transfers/seizes all the roles, if you 
do decide to use it, you use it at your own risk and I would suggest you 
try it first on a copy of your DC.
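
An added example, not part of the original post and not the altered fsmo.py mentioned above: a check that reads LDIF from a search for `fSMORoleOwner` and reports which of the seven role objects still name a given DC as owner. The domain `DC=example,DC=com`, the server names `SAMBA4` and `W2003`, and the sample data are constructed; a single-domain forest is assumed.

```python
import re

def fsmo_role_dns(domain_dn, forest_dn=None):
    """Map each of the seven roles to the object whose fSMORoleOwner names its holder."""
    forest_dn = forest_dn or domain_dn  # assumption: single-domain forest
    return {
        "schema": f"CN=Schema,CN=Configuration,{forest_dn}",
        "naming": f"CN=Partitions,CN=Configuration,{forest_dn}",
        "pdc": domain_dn,
        "rid": f"CN=RID Manager$,CN=System,{domain_dn}",
        "infrastructure": f"CN=Infrastructure,{domain_dn}",
        "domaindns": f"CN=Infrastructure,DC=DomainDnsZones,{domain_dn}",
        "forestdns": f"CN=Infrastructure,DC=ForestDnsZones,{forest_dn}",
    }

def parse_owners(ldif):
    """Return {lowercased dn: fSMORoleOwner value} from LDIF text."""
    text = re.sub(r"\n ", "", ldif)  # unfold: LDIF continuation lines start with one space
    owners, dn = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            dn = value.strip().lower()
        elif key.lower() == "fsmoroleowner" and dn:
            owners[dn] = value.strip()
    return owners

def owner_server(ntds_dn):
    """Extract the server CN from 'CN=NTDS Settings,CN=<server>,CN=Servers,...'."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),", ntds_dn, re.I)
    return m.group(1) if m else None

def roles_held_by(ldif, domain_dn, server):
    """List the roles (out of seven) whose owner is the named server."""
    owners = parse_owners(ldif)
    return [role for role, dn in fsmo_role_dns(domain_dn).items()
            if (owner_server(owners.get(dn.lower(), "")) or "").lower() == server.lower()]

# Constructed sample: the five commonly listed roles moved to SAMBA4,
# the two DNS-zone roles still point at the old W2003 server.
_NTDS = ("CN=NTDS Settings,CN={},CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=example,DC=com")
SAMPLE = "\n\n".join(
    f"dn: {dn}\nfSMORoleOwner: {_NTDS.format('W2003' if 'DnsZones' in dn else 'SAMBA4')}"
    for dn in fsmo_role_dns("DC=example,DC=com").values())

if __name__ == "__main__":
    print("still on W2003:", roles_held_by(SAMPLE, "DC=example,DC=com", "W2003"))
```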

