[Samba] FSMO transfer problems
Piers Kittel
piers at centrefordeaf.org.uk
Mon Mar 25 20:39:25 UTC 2019
Hello all,
Have joined a new DC to an existing active directory consisting of a
sole DC. So, we now have two domain controllers, the original being
ad.DOMAIN.intranet (192.168.0.17), and the new one being
DOMAIN-ad.DOMAIN.intranet (192.168.0.11). I want the new DC to become
the FSMO role owner, so I followed the instructions here -
https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles.
The first five FSMO roles transferred successfully, but the domaindns
and forestdns both failed to transfer:
root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
ERROR: Failed to delete role 'domaindns': LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet has no write
property access> <>
So I tried adding the admin login details:
root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module'
object has no attribute 'drs_utils'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
520, in run
transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
129, in transfer_dns_role
except samba.drs_utils.drsException, e:
Looking online, I found someone fixed this by adding in "import
samba.drs_utils" in the file "fsmo.py" which I've done. Running it
again gets:
root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16
LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching
attribute value while deleting attribute on
'CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet'> <>
However, running "samba-tool fsmo show" shows that apparently the role is
now owned by DOMAIN-ad which is the intended outcome. So did the
transfer work? Doing the same for forestdns gave the exact same result:
root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=forestdns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<class 'samba.drs_utils.drsException'>): Replication failed -
drsException: DsReplicaSync failed (-1073741643, '{Device Timeout} The
specified I/O operation on %hs was not completed before the time-out
period expired.')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
141, in transfer_dns_role
NC, req_options)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83,
in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
So checking the FSMO roles shows:
root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
I can't see if the FSMO roles have definitely been transferred?
root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all -U Administrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
This DC already has the 'domaindns' FSMO role
This DC already has the 'forestdns' FSMO role
Secondly, when running "Active Directory Users and Computers", it
automatically connects to the old DC, and when I try to connect to the
new DC, it just shows "Unavailable" and trying to connect to it anyway
gets "The following Domain Controller could not be contacted:
DOMAIN-ad.DOMAIN.intranet. The server is not operational." - how do I
fix this issue?
Many thanks for your time!
With kind regards - Piers
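
Added example, not part of the original message and not Samba's own code: a small Python check that parses saved `samba-tool fsmo show` output in the format shown above (including DNs wrapped after "CN=NTDS", as in this e-mail) and lists any of the seven roles not owned by the expected DC. The DC names NEWDC and OLDDC, the domain example.test and the sample output are constructed for illustration.

```python
import re

# The seven role labels printed by `samba-tool fsmo show` in the message above.
EXPECTED_ROLES = {
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
}
ROLE_LINE = re.compile(r"^(\w+Role) owner:\s*(.*)$")
OWNER_DN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.I)

def parse_fsmo_show(text):
    """Return {role: owner DN}, re-joining DNs that were wrapped across lines."""
    owners, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_LINE.match(line)
        if m:
            current = m.group(1)
            owners[current] = m.group(2)
        elif line and current:
            # Continuation of a wrapped DN ("CN=NTDS" / "Settings,CN=...").
            owners[current] = (owners[current] + " " + line).strip()
    return owners

def roles_not_on(text, dc_name):
    """Sorted list of roles that are missing or not owned by dc_name."""
    owners = parse_fsmo_show(text)
    problems = []
    for role in sorted(EXPECTED_ROLES):
        m = OWNER_DN.match(owners.get(role, ""))
        if not m or m.group(1).lower() != dc_name.lower():
            problems.append(role)
    return problems

# Constructed sample: first DN wrapped, last role still on the old DC.
_SITE = ("CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
         "CN=Configuration,DC=example,DC=test")
SAMPLE = (
    "SchemaMasterRole owner: CN=NTDS\n"
    f"Settings,CN=NEWDC,{_SITE}\n"
    + "".join(f"{r} owner: CN=NTDS Settings,CN=NEWDC,{_SITE}\n" for r in (
        "InfrastructureMasterRole", "RidAllocationMasterRole",
        "PdcEmulationMasterRole", "DomainNamingMasterRole",
        "DomainDnsZonesMasterRole"))
    + f"ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=OLDDC,{_SITE}\n"
)
```

Because each DC answers from its own copy of the directory, running the check on output captured from every DC shows whether they agree on the owners.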