[Samba] Errors transferring forestdns and domaindns FSMO roles

Taylor Hammerling thammerling at tcsbasys.com
Tue Dec 12 18:19:51 UTC 2017


Thanks Rowland, I figured it out just before you sent this email thanks to
this old mailing list entry

https://lists.samba.org/archive/samba/2017-January/206177.html

The role transfer still throws an error (just as the person in the January
entry saw), but the role got transferred.

On Tue, Dec 12, 2017 at 12:08 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 12 Dec 2017 11:56:08 -0600
> Taylor Hammerling via samba <samba at lists.samba.org> wrote:
>
> > I am attempting to transfer all the FSMO roles from an old DC to our
> > new DC. Both DCs are running Samba 4.7.3.  I have transferred the
> > Schema, Infrastructure, RID, PDC and Naming roles without issue.
> >
> > Unfortunately, the forestdns and domaindns roles are giving me grief.
> >
> > Here is the output of the commands
> >
> > root@dc1:~# samba-tool fsmo transfer --role=forestdns
> > ldb_wrap open of secrets.ldb
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > ERROR: Failed to delete role 'forestdns': LDAP error 50
> > LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
> > CN=Infrastructure,DC=ForestDnsZones,DC=tcsbasys,DC=com has no write
> > property access
> > > <>
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
> > 111, in transfer_dns_role
> >     samdb.modify(m)
> > root@dc1:~#
> >
> >
> > root@dc1:~# samba-tool fsmo transfer --role=domaindns
> > ldb_wrap open of secrets.ldb
> > lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> > resolve_lmhosts: Attempting lmhosts lookup for name
> > 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'naclrpc_as_system' registered
> > GENSEC backend 'sasl-EXTERNAL' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'ntlmssp_resume_ccache' registered
> > GENSEC backend 'http_basic' registered
> > GENSEC backend 'http_ntlm' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > ERROR: Failed to delete role 'domaindns': LDAP error 50
> > LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
> > CN=Infrastructure,DC=DomainDnsZones,DC=tcsbasys,DC=com has no write
> > property access
> > > <>
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
> > 111, in transfer_dns_role
> >     samdb.modify(m)
> > root@dc1:~#
> >
> >
> > As always, any help you can provide would be immensely appreciated!
> >
> >
> >
> >
>
> If you run 'samba-tool fsmo transfer --help', you will find this
> amongst the output:
>
>   --role=ROLE           The FSMO role to seize or transfer.
>                         rid=RidAllocationMasterRole
>                         schema=SchemaMasterRole
>                         pdc=PdcEmulationMasterRole
>                         naming=DomainNamingMasterRole
>                         infrastructure=InfrastructureMasterRole
>                         domaindns=DomainDnsZonesMasterRole
>                         forestdns=ForestDnsZonesMasterRole  all=all of the
>                         above  You must provide an Admin user and password.
>
> Does the last line give you a hint ;-)
>
> Rowland
>
>



-- 
*Taylor Hammerling* |  *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
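
Since the transfer can report an error even though the role has moved, the owner of each role has to be confirmed separately. The following is an added example, not part of the thread or of Samba: a Python check over `samba-tool fsmo show` output. The sample output, the host names DC1 and OLDDC, the example domain and the `<Role> owner: <NTDS Settings DN>` line layout are assumptions.

```python
import re
import sys

# Role names as listed in the `--role` help text quoted in the thread.
ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)
OWNER_RE = re.compile(r"^(\w+) owner: (.+)$")

# Constructed sample: five roles moved to DC1, both DNS roles still on OLDDC.
_SITE = ("CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
         "CN=Configuration,DC=samdom,DC=example,DC=com")
SAMPLE = "\n".join(
    "%s owner: CN=NTDS Settings,CN=%s,%s"
    % (role, "OLDDC" if "Dns" in role else "DC1", _SITE)
    for role in ROLES
)

def parse_fsmo_show(text):
    """Map each role name to the server named in its owner DN."""
    owners = {}
    for line in text.splitlines():
        m = OWNER_RE.match(line.strip())
        if not m or m.group(1) not in ROLES:
            continue  # skip debug noise such as the GENSEC lines
        rdns = m.group(2).split(",")  # naive split: assumes no escaped commas
        if len(rdns) > 1 and rdns[0].lower() == "cn=ntds settings":
            owners[m.group(1)] = rdns[1].split("=", 1)[1].upper()
    return owners

def roles_not_held_by(text, expected_dc):
    """Return the roles whose owner is missing or is not expected_dc."""
    owners = parse_fsmo_show(text)
    return sorted(r for r in ROLES if owners.get(r) != expected_dc.upper())

if __name__ == "__main__":
    # Usage: samba-tool fsmo show | python3 check_fsmo.py DC1
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    expected = sys.argv[1] if len(sys.argv) > 1 else "DC1"
    stray = roles_not_held_by(data, expected)
    if stray:
        print("not on %s: %s" % (expected, ", ".join(stray)))
    else:
        print("all roles on %s" % expected)
    sys.exit(1 if stray else 0)
```

A role that does not appear in the output at all is reported as not held, so a truncated or failed `fsmo show` run does not pass the check.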

