[Samba] Unable to transfer dns fsmo roles to new DC

Rowland Penny rpenny at samba.org
Wed Nov 10 17:12:48 UTC 2021 

On Wed, 2021-11-10 at 17:51 +0100, Christian via samba wrote:
> Hello all,
> 
> I just try to add some new DCs to an old single DC samba4 domain. 
> Because we want to remove the old DC we try to transfer all FSMO
> roles 
> to one of the new DCs.
> 
> The old Server was named svr9 (samba version 4.1.17) and the new one
> is 
> named madc1 (samba version 4.11.6-Ubuntu)
> 
> When i try to transfer the dns fsmo roles i get the following error:
> 
> root at madc1:~# samba-tool fsmo transfer --username=Administrator 
> --role=domaindns
> Password for [MyDom\Administrator]:
> ERROR: Failed to add role 'domaindns': LDAP error 16 
> LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching 
> attribute value while deleting attribute on 
> 'CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de'> <>
> 
> 
> All other fsmo roles got transfered to the new dc without problems:
> 
> root at madc1:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> InfrastructureMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> RidAllocationMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> PdcEmulationMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> DomainNamingMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> DomainDnsZonesMasterRole owner: CN=NTDS 
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=
> ad,DC=mydom,DC=de
> ForestDnsZonesMasterRole owner: CN=NTDS 
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC=
> ad,DC=mydom,DC=de
> 
> 
> On the old Server i don't see the dns roles when running samba-tool
> fsmo 
> show:
> 
> root at svr9:/usr/local/samba4# samba-tool fsmo show
> InfrastructureMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> RidAllocationMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> PdcEmulationMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> DomainNamingMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> SchemaMasterRole owner: CN=NTDS 
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> 
> On the old DC everything looks ok to me on the first look:
> 
> ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb 
> '(fsmoroleowner=*)' | grep 'dn:'
> 
> dn: CN=Schema,CN=Configuration,DC=ad,DC=mydom,DC=de
> dn: CN=Partitions,CN=Configuration,DC=ad,DC=mydom,DC=de
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom,DC=de
> dn: DC=ad,DC=mydom,DC=de
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydom,DC=de
> dn: CN=Infrastructure,DC=ad,DC=mydom,DC=de
> 
> ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb -b 
> 'DC=DomainDnsZones,DC=ad,DC=mydom,DC=de' -s sub '(cn=Infrastructure)'
> 
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20140807081632.0Z
> whenChanged: 20140807081632.0Z
> uSNCreated: 3625
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 64d605b9-919b-4905-8f44-854cd48fde2c
> systemFlags: -1946157056
> objectCategory: 
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=ad,DC=m
>   ydom,DC=de
> isCriticalSystemObject: TRUE
> fSMORoleOwner: CN=NTDS 
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Con
>   figuration,DC=ad,DC=mydom,DC=de
> uSNChanged: 3634
> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom
>   ,DC=de
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb -b 
> 'DC=ForestDnsZones,DC=ad,DC=mydom,DC=de' -s sub '(cn=Infrastructure)'
> # record 1
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom,DC=de
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20140807081632.0Z
> whenChanged: 20140807081632.0Z
> uSNCreated: 3629
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 28e8ede3-36e1-4561-87a9-5effd0101fb4
> systemFlags: -1946157056
> objectCategory: 
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=ad,DC=m
>   ydom,DC=de
> isCriticalSystemObject: TRUE
> fSMORoleOwner: CN=NTDS 
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Con
>   figuration,DC=ad,DC=mydom,DC=de
> uSNChanged: 3635
> distinguishedName: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom
>   ,DC=de
> 
> # returned 1 records
> # 1 entries
> # 0 referrals
> 
> 
> Is this because of the really old samba version on the old DC?

Could be, 4.1.17 is very old and now 4.11.6 is just old as far as Samba
is concerned :-D

> How can i transfer those fsmo roles to the new DC?

Try seizing them to a new DC (you will have to use '--force'), but only
do this if the old DC is being removed.

Rowland

More information about the samba mailing list