[Samba] Unable to transfer dns fsmo roles to new DC

Christian lnxlists at lownoize.org
Wed Nov 10 16:51:46 UTC 2021 

Hello all,

I just try to add some new DCs to an old single DC samba4 domain. 
Because we want to remove the old DC we try to transfer all FSMO roles 
to one of the new DCs.

The old Server was named svr9 (samba version 4.1.17) and the new one is 
named madc1 (samba version 4.11.6-Ubuntu)

When i try to transfer the dns fsmo roles i get the following error:

root at madc1:~# samba-tool fsmo transfer --username=Administrator 
--role=domaindns
Password for [MyDom\Administrator]:
ERROR: Failed to add role 'domaindns': LDAP error 16 
LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching 
attribute value while deleting attribute on 
'CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de'> <>


All other fsmo roles got transfered to the new dc without problems:

root at madc1:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de


On the old Server i don't see the dns roles when running samba-tool fsmo 
show:

root at svr9:/usr/local/samba4# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de
SchemaMasterRole owner: CN=NTDS 
Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=ad,DC=mydom,DC=de

On the old DC everything looks ok to me on the first look:

ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb 
'(fsmoroleowner=*)' | grep 'dn:'

dn: CN=Schema,CN=Configuration,DC=ad,DC=mydom,DC=de
dn: CN=Partitions,CN=Configuration,DC=ad,DC=mydom,DC=de
dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de
dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom,DC=de
dn: DC=ad,DC=mydom,DC=de
dn: CN=RID Manager$,CN=System,DC=ad,DC=mydom,DC=de
dn: CN=Infrastructure,DC=ad,DC=mydom,DC=de

ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb -b 
'DC=DomainDnsZones,DC=ad,DC=mydom,DC=de' -s sub '(cn=Infrastructure)'

# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
instanceType: 4
whenCreated: 20140807081632.0Z
whenChanged: 20140807081632.0Z
uSNCreated: 3625
showInAdvancedViewOnly: TRUE
name: Infrastructure
objectGUID: 64d605b9-919b-4905-8f44-854cd48fde2c
systemFlags: -1946157056
objectCategory: 
CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=ad,DC=m
  ydom,DC=de
isCriticalSystemObject: TRUE
fSMORoleOwner: CN=NTDS 
Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Con
  figuration,DC=ad,DC=mydom,DC=de
uSNChanged: 3634
distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom
  ,DC=de

# returned 1 records
# 1 entries
# 0 referrals

ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb -b 
'DC=ForestDnsZones,DC=ad,DC=mydom,DC=de' -s sub '(cn=Infrastructure)'
# record 1
dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom,DC=de
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
instanceType: 4
whenCreated: 20140807081632.0Z
whenChanged: 20140807081632.0Z
uSNCreated: 3629
showInAdvancedViewOnly: TRUE
name: Infrastructure
objectGUID: 28e8ede3-36e1-4561-87a9-5effd0101fb4
systemFlags: -1946157056
objectCategory: 
CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=ad,DC=m
  ydom,DC=de
isCriticalSystemObject: TRUE
fSMORoleOwner: CN=NTDS 
Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Con
  figuration,DC=ad,DC=mydom,DC=de
uSNChanged: 3635
distinguishedName: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom
  ,DC=de

# returned 1 records
# 1 entries
# 0 referrals


Is this because of the really old samba version on the old DC?
How can i transfer those fsmo roles to the new DC?

Cheers,

Christian

More information about the samba mailing list