[Samba] Unable to transfer ForestDns/DomainDNS

Rowland Penny rpenny at samba.org
Thu Jun 23 15:11:10 UTC 2016


On 23/06/16 13:37, Jason Waters wrote:
> I'm working my way off of our Windows 2003 R2 Domain Server.  That machine
> is called PDC, sorry really bad planning so many years ago!  So my end goal
> is to have two samba4 domain controllers. They are set up and joined as
> DCs, dc01 and dc02.  I have most of my files off of PDC but would like to
> keep it up for a little longer to make sure I have everything off of there.
>
>
> So I tried transferring all the roles.  The first 5 worked great, the last
> two, ForestDns/DomainDns fail with this error.
>
> root@DC01:~# samba-tool fsmo transfer --role=domaindns -UAdministrator
> Password for [FISHERTHOMPSON\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16
> LDAP_NO_SUCH_ATTRIBUTE -  <00002085: AtrErr: DSID-03151B93, #1:
>          0: 00002085: DSID-03151B93, problem 1001 (NO_ATTRIBUTE_OR_VAL),
> data 0, Att 90171 (fSMORoleOwner):len 286
>> <>
> root@DC01:~# samba-tool fsmo transfer --role=forestdns -UAdministrator
> Password for [FISHERTHOMPSON\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16
> LDAP_NO_SUCH_ATTRIBUTE -  <00002085: AtrErr: DSID-03151B93, #1:
>          0: 00002085: DSID-03151B93, problem 1001 (NO_ATTRIBUTE_OR_VAL),
> data 0, Att 90171 (fSMORoleOwner):len 286
>> <>
>
> Ideally I would get the transfer to just work, but if I can't do that then
> I have a question about the path forward.  Since I would like to keep the
> PDC up, do I run dcpromo on PDC(Win2003) and get it out of the domain and
> then do the samba-tool fsmo seize, or the other way around?  Or doesn't it
> matter?  My concern is the big scary messages about NEVER EVER start the
> machine again that you seized the fsmo from for fear of your entire AD
> blowing up and zombie apocalypse starting.  But I thought once you run the
> dcpromo and demote the DC, Active Directory is gone and then it won't break
> AD on the good domain.
>
> So if you could
>
> 1.  Help me resolve my issue so I can do the transfer, that would be
> awesome.
>
> 2. If that doesn't work, tell me the correct order of seize and dcpromo.
>
> Thanks for the help!
>
> Jason
> irc: jch2os
>
>
> Some information about the samba dc's
>
> Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-88-generic x86_64)
>
> root@DC01:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=fisherthompson,DC=local'
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2003
>
>
> root@DC01:~# dpkg -l |grep samba
> ii  python-samba                        2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        Python bindings for Samba
> ii  samba                               2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common                        2:4.3.9+dfsg-0ubuntu0.14.04.3  all          common files used by both the Samba server and client
> ii  samba-common-bin                    2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules                  2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        Samba Directory Services Database
> ii  samba-libs:amd64                    2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        Samba core libraries
> ii  samba-vfs-modules                   2:4.3.9+dfsg-0ubuntu0.14.04.3  amd64        Samba Virtual FileSystem plugins
> root@DC01:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local

The error seems to say it all: 'LDAP_NO_SUCH_ATTRIBUTE'. At this point 
fsmo.py is trying to delete the 'fSMORoleOwner' attribute and its 
contents, but for some reason it is saying it isn't there.

Can you run this command on the DC you are trying to transfer the FSMO 
roles to:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local" -s base fsmoroleowner

It should produce something like this:

root@dc1:~# ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s base fsmoroleowner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Rowland
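
Added example, not part of the original message and not code from Samba's fsmo.py: a small Python parser for the ldbsearch output requested above. It unfolds the LDIF continuation lines and reports whether fSMORoleOwner is present on the Infrastructure object and which DC it names. The function names and both sample outputs are constructed for illustration.

```python
import base64
import re

# Constructed sample: attribute present, value folded across two LDIF lines.
SAMPLE_PRESENT = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

# returned 1 records
"""

# Constructed sample: the object is found but carries no fSMORoleOwner value.
SAMPLE_MISSING = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# returned 1 records
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def role_owner(ldif_text):
    """Return (dn, owner_dn, dc_name); the last two are None if the attribute is absent."""
    dn = owner = None
    for line in unfold(ldif_text):
        if line.startswith("#") or ":" not in line:
            continue  # skip comments and blank lines
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: ..." means the value is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "fsmoroleowner":  # attribute names are case-insensitive
            owner = value
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", owner or "", re.I)
    return dn, owner, (m.group(1) if m else None)

if __name__ == "__main__":
    print(role_owner(SAMPLE_PRESENT), role_owner(SAMPLE_MISSING), sep="\n")
```

A result with a dn but no owner is the condition the LDAP_NO_SUCH_ATTRIBUTE error describes: the object exists, but there is no fSMORoleOwner value to delete.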






