[Samba] Failed Xfer of domain and forest fsmo

Rowland penny rpenny at samba.org
Fri Jul 19 20:23:26 UTC 2019

On 19/07/2019 21:14, Robert A Wooldridge via samba wrote:
> On 07/19/2019 03:08 PM, Rowland penny via samba wrote:
>> On 19/07/2019 20:41, Robert A Wooldridge via samba wrote:
>>> I have transferred all fsmo's except domain and forest.  When I 
>>> attempt either one of these I get this error:
>>> samba-tool fsmo transfer --role=forestdns
>>> ERROR: Failed to delete role 'forestdns': LDAP error 50 
>>> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: SecErr: DSID-03151D80, 
>>> problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>> > <>
>>> Any ideas on how to overcome this?
>> If you run: samba-tool fsmo transfer --help
>> Amongst the output is this:
>>   --role=ROLE           The FSMO role to seize or transfer.
> The role I specified is forestdns.
>> .....................
>>                                  .................
>>                                  ...........
>>                                  above  You must provide an Admin 
>> user and password.
> After I provided the user and password, it failed but when I queried 
> for role assignments it says the forestdns is unassigned. So I did a 
> seize and this worked.  Do I have to shut down the DC that was the 
> primary before?
No, it is just a setting; as long as only one DC holds a particular FSMO 
role, you shouldn't have a problem.

I must fix that code; it should check whether an admin user and password 
are supplied if you are transferring all the roles or just the 
domaindns/forestdns roles, and exit if they are not supplied.
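
Added example (not Samba's code and not part of the original message): a Python check for the condition stated in the reply above, that only one DC holds each FSMO role, run over `samba-tool fsmo show` output collected from every DC. The sample output, the DC names DC1/DC2 and the domain are constructed, and treating a missing role line as "unassigned" is an assumption.

```python
import re
from collections import defaultdict

# `samba-tool fsmo show` prints one "<Name>Role owner: <NTDS Settings DN>" line per role.
ROLE_LINE = re.compile(r"^(\w+Role) owner:\s*(.*)$")
OWNER_DC = re.compile(r"CN=NTDS Settings,CN=([^,]+)", re.I)
EXPECTED_ROLES = {
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
}

def parse_fsmo_show(text):
    """Return {role: owning DC name or None} for one DC's `fsmo show` output."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            dc = OWNER_DC.search(m.group(2))
            owners[m.group(1)] = dc.group(1).upper() if dc else None
    return owners

def audit_roles(outputs):
    """outputs: {dc_name: `fsmo show` text}. Return {role: problem} for bad roles."""
    seen = defaultdict(set)
    for text in outputs.values():
        parsed = parse_fsmo_show(text)
        for role in EXPECTED_ROLES:
            # Assumption: a role with no owner line counts as unassigned (None).
            seen[role].add(parsed.get(role))
    problems = {}
    for role, owners in seen.items():
        if owners == {None}:
            problems[role] = "unassigned"
        elif len(owners) > 1:
            names = sorted(o or "<none>" for o in owners)
            problems[role] = "DCs disagree: " + ", ".join(names)
    return problems

# Constructed sample data: DC1 still lists itself as forestdns owner after a seize on DC2.
BASE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com"

def make_show(owner_by_role):
    return "\n".join(f"{role} owner: CN=NTDS Settings,CN={dc},{BASE}"
                     for role, dc in owner_by_role.items())

if __name__ == "__main__":
    dc2_view = make_show({r: "DC2" for r in sorted(EXPECTED_ROLES)})
    dc1_view = make_show({**{r: "DC2" for r in EXPECTED_ROLES}, "ForestDnsZonesMasterRole": "DC1"})
    print(audit_roles({"DC1": dc1_view, "DC2": dc2_view}))
```

An empty result means every DC queried names the same single owner for each role; a "DCs disagree" entry after a seize can simply mean replication has not caught up yet.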

