[Samba] Transfer FSMO roles to a new DC

Rowland Penny rpenny at samba.org
Fri Oct 29 17:09:29 UTC 2021


On Fri, 2021-10-29 at 12:36 -0400, Rommel Rodriguez Toirac via samba
wrote:
>  Hello all;
> 
> I have joined a new domain controller [gtmad2] (Ubuntu with samba4
> version 4.14.8) to a Samba4 domain (main DC version 4.14.3 on
> CentOS8) [gtmad1].
>  I want to replace the samba-4.14.3 (CentOS8) [hostname gtmad1] and I
> have transferred the FSMO roles to the new one, samba-4.14.8 (Ubuntu
> 20.04) [hostname gtmad2].
> 
>  Here the transfer commands:
> 
> root at gtmad2:~# samba-tool fsmo transfer --role=rid             
> FSMO transfer of 'rid' role successful
> root at gtmad2:~# samba-tool fsmo transfer --role=pdc
> FSMO transfer of 'pdc' role successful
> root at gtmad2:~# samba-tool fsmo transfer --role=infrastructure
> FSMO transfer of 'infrastructure' role successful
> root at gtmad2:~# samba-tool fsmo transfer --role=schema        
> FSMO transfer of 'schema' role successful
> root at gtmad2:~# samba-tool fsmo transfer --role=naming
> FSMO transfer of 'naming' role successful
> root at gtmad2:~# samba-tool fsmo transfer --role=domaindns
> -UAdministrator
> Password for [ATGTM00\Administrator]:
> FSMO transfer of 'domaindns' role successful
> root at gtmad2:~# samba-tool fsmo transfer --role=forestdns
> -UAdministrator
> Password for [ATGTM00\Administrator]:
> FSMO transfer of 'forestdns' role successful
> 
>  All transfers were successful, but when I check I have a problem.
>  From the new DC [gtmad2] the other DC [gtmad1] still shows as owner
> of the FSMO roles, and from gtmad1 it shows gtmad2 as the FSMO
> roles owner.
> 
> root at gtmad2:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> root at gtmad2:~#
> 
> [root at gtmad1 samba]# samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> SchemaMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> [root at gtmad1 samba]#
> 
> 
>  What could possibly be wrong?
>  Any ideas?

Well, that is weird; my first thought was faulty replication, but it has
replicated to the old DC and isn't showing on the new DC.

I have checked on my DCs and the rid FSMO transferred OK. I would
check if the FSMO roles are still showing as being on two DCs (if you
have more than two DCs, check those as well). If they are, try
transferring them back and see what happens. If they do transfer back,
you need to examine gtmad2 to see if there is anything wrong with that.

Rowland
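One way to mechanise the check suggested above (does every DC report the same owner for each FSMO role?) is to parse the text of `samba-tool fsmo show` from each DC and diff the owners. The script below is an added example and is not part of the thread or of Samba itself; the two views it compares are constructed to mirror what the thread shows (gtmad2 naming GTMAD1 as owner of every role, gtmad1 naming GTMAD2), and on a real domain you would replace them with the output actually captured on each DC. Function names (`fsmo_owners`, `fsmo_disagreements`, `fsmo_disagreement_count`) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check whether two DCs
# agree on who owns each FSMO role, by parsing `samba-tool fsmo show` output.
# The two views below are CONSTRUCTED to mirror the thread: gtmad2 reports
# GTMAD1 as owner of every role, gtmad1 reports GTMAD2. Replace them with the
# real output captured on each DC when using this on a live domain.

VIEW_FROM_GTMAD2='SchemaMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu'

VIEW_FROM_GTMAD1='ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu'

# Reduce each "<Role> owner: <DN>" line to "<Role> <DC name>", where the DC
# name is the CN that follows "CN=NTDS Settings," in the owner DN. Lines that
# are not role lines (for example the ldb_wrap notice) are dropped.
fsmo_owners() {
    printf '%s\n' "$1" |
        sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1 \2/p'
}

# Print one line per role on which the two views disagree, or which the
# second view lacks. Prints nothing when the views are consistent.
fsmo_disagreements() {
    fsmo_owners "$1" | while read -r role owner_a; do
        owner_b=$(fsmo_owners "$2" | awk -v r="$role" '$1 == r { print $2 }')
        if [ -z "$owner_b" ]; then
            printf '%s: %s vs (missing)\n' "$role" "$owner_a"
        elif [ "$owner_a" != "$owner_b" ]; then
            printf '%s: %s vs %s\n' "$role" "$owner_a" "$owner_b"
        fi
    done
}

# Number of disagreeing roles; 0 means the two DCs agree on every owner.
fsmo_disagreement_count() {
    fsmo_disagreements "$1" "$2" | wc -l | tr -d ' '
}

# Run the comparison on the constructed views.
if [ "$(fsmo_disagreement_count "$VIEW_FROM_GTMAD2" "$VIEW_FROM_GTMAD1")" -ne 0 ]; then
    echo "DCs disagree on FSMO ownership (replication or the transfer needs a closer look):"
    fsmo_disagreements "$VIEW_FROM_GTMAD2" "$VIEW_FROM_GTMAD1"
else
    echo "DCs agree on all FSMO role owners"
fi
```

With more than two DCs, run `fsmo_disagreements` pairwise against one reference view; any non-empty output marks a DC whose copy of the configuration partition has not converged, which is the case to investigate before decommissioning the old DC.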