[Samba] transfer FSMO roles from Windows DC

Landau Daniil Landau.D at digdes.com
Mon Mar 21 15:44:13 UTC 2016


I have an Active Directory domain with a Windows 2008 R2 domain controller and a Samba domain controller on CentOS 7. Samba is 4.3.5 (self-compiled). Forest and domain functional levels are Windows 2008 R2.
After joining Samba to the domain as a domain controller there were no DC=ForestDnsZones and DC=DomainDnsZones records under "OUTBOUND NEIGHBORS". I fixed that with ntdsutil, as described here (https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting).

My goal now is to remove the Windows DC from the domain and leave Samba as the only domain controller.
At this time I can't find a way to transfer the ForestDNS and DomainDNS FSMO roles from the Windows DC to Samba (the other roles transferred successfully).
(dc01 is the Windows DC, linux01 is the Samba DC)

[root at linux01 ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
InfrastructureMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
RidAllocationMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
DomainNamingMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd

If I try to transfer the domaindns and forestdns roles, samba-tool fails (with different errors) and "samba-tool fsmo show" fails permanently after that:

[root at linux01 ~]# samba-tool fsmo transfer --role=domaindns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to add role 'domaindns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0
> <>

[root at linux01 ~]# samba-tool fsmo transfer --role=domaindns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <00002085: AtrErr: DSID-03151EF2, #1:
        0: 00002085: DSID-03151EF2, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 90171 (fSMORoleOwner):len 270
> <>

[root at linux01 ~]# samba-tool fsmo transfer --role=forestdns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to add role 'forestdns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0
> <>

[root at linux01 ~]# samba-tool fsmo transfer --role=forestdns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <00002085: AtrErr: DSID-03151EF2, #1:
        0: 00002085: DSID-03151EF2, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 90171 (fSMORoleOwner):len 270

[root at linux01 ~]# samba-tool fsmo show
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 396, in run
    domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 43, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

I tried Samba 4.4.0rc5 with the same result. I also tried this process on a Samba-only AD domain and the transfer worked correctly.
What is the correct way to transfer DomainDnsZonesMasterRole and ForestDnsZonesMasterRole to Samba?


Kind regards,

Daniil Landau
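A pre-demotion check, added here as an example and not part of the original post or of Samba itself: it parses `samba-tool fsmo show` output like the listing above and reports which roles are still held by a DC other than the intended survivor, and it shows an owner lookup that tolerates a partition head with no fSMORoleOwner attribute instead of raising the KeyError seen in the traceback. The sample output is constructed from the values in the post; `fsmo.py`'s real `get_fsmo_roleowner` is not reproduced here.

```python
import re

# Constructed sample, modelled on the `samba-tool fsmo show` output in the post.
SAMPLE_FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
InfrastructureMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
RidAllocationMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
DomainNamingMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
"""

# One line per role: "<RoleName> owner: <DN of the owning NTDS Settings object>"
ROLE_LINE = re.compile(r"^(?P<role>\w+) owner: (?P<dn>.+)$")


def parse_fsmo_show(text):
    """Return {role_name: owner_dn} from `samba-tool fsmo show` output."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            owners[m.group("role")] = m.group("dn")
    return owners


def owner_server(dn):
    """Short DC name from an NTDS Settings DN (the second RDN), or None."""
    rdns = dn.split(",")
    if len(rdns) < 2 or not rdns[0].startswith("CN=NTDS Settings"):
        return None
    return rdns[1].split("=", 1)[1].upper()


def roles_not_on(owners, server):
    """Roles that must still be moved before `server` can be the only DC."""
    return sorted(r for r, dn in owners.items() if owner_server(dn) != server.upper())


def get_fsmo_roleowner_safe(res):
    """Owner DN from an LDAP result list, or None if the attribute is absent.

    Hypothetical replacement for the lookup in the traceback: indexing
    res[0]["fSMORoleOwner"][0] on a partition head that lost the attribute
    raises KeyError and breaks `samba-tool fsmo show` entirely.
    """
    if not res:
        return None
    vals = res[0].get("fSMORoleOwner")
    return vals[0] if vals else None
```

Run `roles_not_on(parse_fsmo_show(output), "linux01")` against real output before demoting the Windows DC; an empty list means every role, including the two DNS partition roles, is on the Samba DC.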


