[Samba] Transferring FSMO Roles to Server 2008 R2 DC

Thomas Maerz tmaerz at brewerscience.com
Tue Oct 18 17:00:17 UTC 2016


As far as I know, there is no Wiki article for transferring FSMO Roles to Server 2008 R2 DC. This article’s focus is on joining a Server 2012 DC to a Samba4 domain, but it touches on the subject: https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

I would like to suggest a new wiki page be made for transferring FSMO Roles to Server 2008/2008 R2 DC specifically and have some notes to add to what is present in the 2012 joining page.

1. RE: The SysVol replication section: Robocopy based sysvol replication appears to only be for Samba4 —> Windows DC SysVol Replication, so I don’t think it is applicable if the FSMO is a Windows DC
2. RE: The SysVol Share section: The SysVol share doesn’t exist upon successful join of 2008/R2 DC, but the netlogon share also does not exist and this is not addressed in the article
3. RE: FSMO Roles section: This section references Transferring and seizing FSMO_Roles wiki article, which points to https://support.microsoft.com/en-us/kb/324801 to do this the MS way. This only addresses the first 5 roles shown in samba-tool fsmo show. In order to move DomainDnsZonesMasterRole and ForestDnsZonesMasterRole, the following steps are necessary:

To transfer the infrastructure master for application partitions:
Open ADSIEdit. Connect to the server you want to transfer the roles to (it is important, otherwise you'll get an error).
For domain DNS zones:
Connect to DC=DomainDnsZones,DC=yourdomain,DC=tld
Open the properties of the object CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld
Change the attribute fSMORoleOwner to CN=NTDSSettings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD
For forest DNS zones
Connect to DC=ForestDnsZones,DC=yourdomain,DC=tld and do the same.
Same for any other application partitions if they exist.

Source: https://social.technet.microsoft.com/Forums/windowsserver/en-US/b77a7e5c-590e-4d23-a9cb-8c4c0f403baf/forestdnszones-and-domaindnszones-have-wrong-infrastructure-role-record?forum=winserverDS

I have tested this process and it works to get all FSMO roles transferred to Windows Server 2008R2 DC.

Thomas Maerz
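
Added example, not part of the original post: a Python check that parses `samba-tool fsmo show` output and reports any of the seven roles not yet held by the target DC, which catches the case described above where the two DNS application-partition roles are left behind. The DC names, the domain, the sample output and the assumed `<Role> owner: <DN>` line format are constructed for illustration.

```python
import re

# Role names as printed by `samba-tool fsmo show`; the last two are the
# application-partition roles that the Microsoft KB procedure does not move.
EXPECTED_ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)
LINE_RE = re.compile(r"^(\w+Role) owner: (.+)$")   # assumed output line format
OWNER_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.I)

def audit_fsmo(show_output, target_dc):
    """Return {role: problem} for every role not held by target_dc."""
    owners = {}
    for line in show_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            owners[m.group(1)] = m.group(2)
    problems = {}
    for role in EXPECTED_ROLES:
        dn = owners.get(role)
        if dn is None:
            problems[role] = "not reported"
        elif "\\0ADEL:" in dn:
            # fSMORoleOwner points at the tombstone of a removed DC
            problems[role] = "owner is a deleted object"
        else:
            m = OWNER_RE.match(dn)
            if m is None:
                problems[role] = "unrecognised owner DN"
            elif m.group(1).lower() != target_dc.lower():
                problems[role] = "still held by " + m.group(1)
    return problems

# Constructed sample: five roles moved the MS way, two DNS roles left on Samba.
_DN = ("CN=NTDS Settings,CN={},CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=example,DC=com")
SAMPLE = "\n".join(
    "{} owner: {}".format(role, _DN.format("WIN2008DC" if i < 5 else "SAMBADC"))
    for i, role in enumerate(EXPECTED_ROLES)
)

if __name__ == "__main__":
    for role, problem in audit_fsmo(SAMPLE, "WIN2008DC").items():
        print(role + ": " + problem)
```
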
