[Samba] Errors transferring forestdns and domaindns FSMO roles

Taylor Hammerling thammerling at tcsbasys.com
Tue Dec 12 17:56:08 UTC 2017


I am attempting to transfer all the FSMO roles from an old DC to our new DC.
Both DCs are running Samba 4.7.3.  I have transferred the Schema,
Infrastructure, RID, PDC and Naming roles without issue.

Unfortunately, the forestdns and domaindns roles are giving me grief.

Here is the output of the commands:

root at dc1:~# samba-tool fsmo transfer --role=forestdns
ldb_wrap open of secrets.ldb
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
resolve_lmhosts: Attempting lmhosts lookup for name
7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Failed to delete role 'forestdns': LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
CN=Infrastructure,DC=ForestDnsZones,DC=tcsbasys,DC=com has no write
property access
> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 111,
in transfer_dns_role
    samdb.modify(m)
root at dc1:~#


root at dc1:~# samba-tool fsmo transfer --role=domaindns
ldb_wrap open of secrets.ldb
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
resolve_lmhosts: Attempting lmhosts lookup for name
7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Failed to delete role 'domaindns': LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
CN=Infrastructure,DC=DomainDnsZones,DC=tcsbasys,DC=com has no write
property access
> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 111,
in transfer_dns_role
    samdb.modify(m)
root at dc1:~#


As always, any help you can provide would be immensely appreciated!




-- 
*Taylor Hammerling* |  *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com

