[Samba] Error while transferring fsmo-roles

thom_schu at gmx.de thom_schu at gmx.de
Fri Aug 4 19:20:45 UTC 2017

I transferred all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC (4.6.6-SerNet, SLES 12 SP2).
I had to try a couple of times because of an error "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT".
But then the following error happened:

  samba-tool fsmo transfer --role=all

  This DC already has the 'rid' FSMO role
  This DC already has the 'pdc' FSMO role
  This DC already has the 'naming' FSMO role
  This DC already has the 'infrastructure' FSMO role
  FSMO transfer of 'schema' role successful
  ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
  CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write property access

OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials:

  samba-tool fsmo transfer --role=all -Uadministrator

  ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 515, in run
      "domaindns", samdb)
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
      except samba.drs_utils.drsException, e

Same error occurred with the role "forestdns".
In spite of the errors the roles were transferred.

Can I ignore this error, or did something go wrong?
"samba-tool fsmo show" says, the owner of all roles is the new DC.

Also with the following check for all roles everything is ok:

  ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=domain,DC=university,DC=de" -s base fsmoroleowner

The only thing I saw - there is a DNS entry "Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp".
Sounds like an entry for the PDC, and there is still the DC which owned the roles.
Do I have to change this manually?

In a next step I will demote (and reinstall) the DC which owned the roles, maybe this solves any inconsistencies, in case there are some.
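
The fsmoroleowner check from the post, extended to all seven role objects, as an added example that is not part of the original post or of Samba. It assumes a single-domain forest (forest DN equals domain DN); the function names, the host names DC1/DC2 and the sample LDIF are constructed for illustration.

```shell
# Added example (not from the post). Assumes a single-domain forest, so the
# forest DN equals the domain DN. DC1/DC2 are constructed host names.
# Print "role<TAB>DN" for the seven objects whose fSMORoleOwner names the holder.
fsmo_role_dns() {
    printf '%s\t%s\n' \
        schema         "CN=Schema,CN=Configuration,$1" \
        naming         "CN=Partitions,CN=Configuration,$1" \
        pdc            "$1" \
        rid            "CN=RID Manager\$,CN=System,$1" \
        infrastructure "CN=Infrastructure,$1" \
        domaindns      "CN=Infrastructure,DC=DomainDnsZones,$1" \
        forestdns      "CN=Infrastructure,DC=ForestDnsZones,$1"
}
# Read ldbsearch LDIF on stdin, rejoin folded lines (continuations start with
# one space) and print the upper-cased server CN from fSMORoleOwner.
role_owner_from_ldif() {
    awk '
        function emit(   v) {
            if (tolower(cur) !~ /^fsmoroleowner: /) return
            v = cur
            sub(/^[^:]*: /, "", v)
            sub(/^CN=NTDS Settings,CN=/, "", v)
            sub(/,.*/, "", v)
            print toupper(v)
        }
        /^ / { if (cur != "") cur = cur substr($0, 2); next }
             { emit(); cur = $0 }
        END  { emit() }'
}
# check_role ROLE EXPECTED_DC < ldif : exit status 0 only if the holder matches.
check_role() {
    owner=$(role_owner_from_ldif)
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ -n "$owner" ] && [ "$owner" = "$want" ]; then
        echo "OK    $1 -> $owner"
    else
        echo "CHECK $1 -> ${owner:-no fSMORoleOwner found} (expected $want)"
        return 1
    fi
}
# Constructed sample of folded ldbsearch output for the domaindns role object.
sample_ldif() {
    printf '%s\n' '# record 1' \
        'dn: CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de' \
        'fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,' \
        ' CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de' '' '# returned 1 records'
}

sample_ldif | check_role domaindns DC2
```

On a DC, loop over the output of `fsmo_role_dns "DC=domain,DC=university,DC=de"` and pipe the post's ldbsearch command, with `-b` set to each DN, into `check_role <role> <new DC name>`. Running the loop against the sam.ldb of each DC also shows whether both replicas agree on the holder.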

