[Samba] Transfer the FSMO roles
Norbert Hanke
norbert.hanke at gmx.ch
Tue May 2 05:56:44 UTC 2017
Hi,

I always upgrade my pair of samba DCs that way, first one and when it
runs stable for a week or so I do the other one.

Depending on the version you need to transfer two more FSMO roles:

samba-tool fsmo transfer --role=domaindns -U administrator
samba-tool fsmo transfer --role=forestdns -U administrator

Make sure that the new DC runs perfectly in sync with the old one, check
e.g. by Louis van Belle's script on
https://downloads.van-belle.nl/samba4/samba-check-db-repl.sh , do a
"samba-tool dbcheck --cross-ncs" on the new DC.

Make sure that the sysvol folder has been properly synchronized to the
new DC.

Reconfigure client systems to not use the old DC anymore for DNS.

Switch the old DC off and check if everything still works, for a few
hours or days, depending on load.

Then it is time to switch the old DC on one last time and demote it.

After demote you need to clean up left-overs of the old DC in AD, see
"Verifying the Demotion" in
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC , and you might
as well with RSAT crawl through the whole DNS and remove all references
to the old DC.

Another "samba-tool dbcheck --cross-ncs" on the new DC will find some
orphaned entries that can be removed with --fix and then you're
definitely done with the upgrade.

regards,
Norbert

On 02.05.2017 00:38, Marcio Demetrio Bacci via samba wrote:
> I've been thinking if it's better to make a new Samba 4 DC server instead
> of upgrading the old DC and then transfer the FSMO roles to it and shut
> down the old server.
>
> This way the installation would be cleaner and free of any errors of the
> old installation.
>
> I'm using Samba 4.2.1 and the result of the command below is:
>
> root@EMPRESA:~# samba-tool fsmo show
>
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=EMPRESA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=com,DC=br
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=EMPRESA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=com,DC=br
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=EMPRESA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=com,DC=br
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=EMPRESA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=com,DC=br
> SchemaMasterRole owner: CN=NTDS Settings,CN=EMPRESA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=com,DC=br
>
> Do I need to execute the 5 commands below?
>
> *In the new DC*
> samba-tool fsmo transfer --role=InfrastructureMasterRole
> samba-tool fsmo transfer --role=RidAllocationMasterRole
> samba-tool fsmo transfer --role=PdcEmulationMasterRole
> samba-tool fsmo transfer --role=DomainNamingMasterRole
> samba-tool fsmo transfer --role=SchemaMasterRole
>
> *In the old DC*
> samba-tool domain demote -Uadministrator
>
> Regards,
>
> Márcio Bacci
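
Added example (not part of the original thread and not Samba project code): a shell check to pass before the demote step described above. It parses "samba-tool fsmo show" output in the format quoted in the message and fails if any role is still owned by a DC other than the expected one, or if no role lines were parsed at all. NEWDC, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate to pass before "samba-tool domain demote" on the old DC.
# NEWDC is a hypothetical host name; sample_fsmo_show is constructed output.

# fsmo_roles_not_on EXPECTED_DC   (reads "samba-tool fsmo show" on stdin)
# Prints "<role> <current owner>" for every role not on EXPECTED_DC.
# Returns 0 if all roles are on it, 1 if any is not, 2 if nothing parsed.
fsmo_roles_not_on() {
    awk -v want="$1" '
        / owner: / {
            role = $1
            dn = $0
            sub(/^.* owner: /, "", dn)
            # Owner DN: CN=NTDS Settings,CN=<server>,CN=Servers,...
            n = split(dn, rdn, ",")
            server = (n >= 2) ? rdn[2] : ""
            sub(/^[Cc][Nn]=/, "", server)
            seen++
            # Host names are case-insensitive in AD, so compare upper-cased.
            if (toupper(server) != toupper(want)) { print role, server; bad++ }
        }
        END {
            # Empty or unparsable output must never count as "all transferred".
            if (seen == 0) { print "no FSMO role lines parsed" > "/dev/stderr"; exit 2 }
            if (bad > 0) exit 1
        }'
}

sample_fsmo_show() {
    site='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=com,DC=br'
    for role in InfrastructureMasterRole RidAllocationMasterRole \
                PdcEmulationMasterRole DomainNamingMasterRole; do
        echo "$role owner: CN=NTDS Settings,CN=NEWDC,$site"
    done
    echo "SchemaMasterRole owner: CN=NTDS Settings,CN=EMPRESA,$site"
}

if sample_fsmo_show | fsmo_roles_not_on NEWDC; then
    echo "all roles on NEWDC"
else
    echo "roles still elsewhere (or no output): do not demote yet"
fi
```

On a real DC the input would come from "samba-tool fsmo show | fsmo_roles_not_on NEWDC"; any additional role lines the installed version prints are checked the same way.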