[Samba] Transfer FSMO roles to a new DC

Rommel Rodriguez Toirac rommelrt at nauta.cu
Fri Oct 29 17:23:52 UTC 2021


On 29 October 2021 13:09:29 GMT-04:00, Rowland Penny via samba <samba at lists.samba.org> wrote:
>On Fri, 2021-10-29 at 12:36 -0400, Rommel Rodriguez Toirac via samba
>wrote:
>>  Hello all;
>> 
>> I have joined a new domain controller [gtmad2] (Ubuntu with samba4
>> version 4.14.8) to a Samba4 Domain (main DC version 4.14.3 in
>> CentOS8) [gtmad1].
>>  I want to replace the samba-4.14.3 (CentOS8) [host name gtmad1] and I
>> have transferred the FSMO roles to the new one samba-4.14.8 (Ubuntu
>> 20.04) [hostname gtmad2]
>> 
>>  Here are the transfer commands:
>> 
>> root at gtmad2:~# samba-tool fsmo transfer --role=rid             
>> FSMO transfer of 'rid' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=pdc
>> FSMO transfer of 'pdc' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=infrastructure
>> FSMO transfer of 'infrastructure' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=schema        
>> FSMO transfer of 'schema' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=naming
>> FSMO transfer of 'naming' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=domaindns -UAdministrator
>> Password for [ATGTM00\Administrator]:
>> FSMO transfer of 'domaindns' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=forestdns -UAdministrator
>> Password for [ATGTM00\Administrator]:
>> FSMO transfer of 'forestdns' role successful
>> 
>>  All transfers were successful, but when I check I have a problem.
>>  The new DC [gtmad2] still sees the other DC [gtmad1] as owner
>> of the FSMO roles, and gtmad1 sees gtmad2 as the FSMO
>> roles owner.
>> 
>> root at gtmad2:~# samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> root at gtmad2:~#
>> 
>> [root at gtmad1 samba]# samba-tool fsmo show
>> ldb_wrap open of secrets.ldb
>> SchemaMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> [root at gtmad1 samba]#
>> 
>> 
>>  What could possibly be wrong?
>>  Any ideas?
>
>Well, that is weird, first thought was faulty replication, but it has
>replicated to the old DC and isn't showing on the new DC.
>
>I have checked on my DCs and the rid FSMO transferred OK. I would
>check if the FSMO roles are still showing as being on two DCs (if you
>have more than two DCs, check those as well). If they are, try
>transferring them back and see what happens. If they do transfer back,
>you need to examine gtmad2 to see if there is anything wrong with that.
>
>Rowland
> 
>
>


 Thanks, Rowland, for writing back.

 The third DC [hostname gtmad] also sees gtmad1 as the owner of the FSMO roles.

[root at gtmad ~]# samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole has no current owner
InfrastructureMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
RidAllocationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainNamingMasterRole owner: CN=NTDS Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainDnsZonesMasterRole has no current owner
ForestDnsZonesMasterRole has no current owner
[root at gtmad ~]#


 I have to check gtmad2 (the new Domain Controller added to domain). For example, what to check?


-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu
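
An added example, not part of the original message and not Samba project code: a small parser that takes the `samba-tool fsmo show` text collected from each DC and reports every role on which the DCs disagree or for which a DC reports no owner, the condition seen across gtmad, gtmad1 and gtmad2 in this thread. The sample input is constructed (two roles, a placeholder domain in the DNs) and assumes unwrapped output lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two line shapes `samba-tool fsmo show` prints in this thread.
OWNER_RE = re.compile(r"^(\w+Role) owner: CN=NTDS Settings,CN=([^,]+),")
NO_OWNER_RE = re.compile(r"^(\w+Role) has no current owner$")

def parse_fsmo_show(text):
    """Return {role: owning server CN, or None when the DC reports no owner}."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        m = OWNER_RE.match(line)
        if m:
            roles[m.group(1)] = m.group(2)
            continue
        m = NO_OWNER_RE.match(line)
        if m:
            roles[m.group(1)] = None
    return roles

def compare_views(outputs):
    """outputs: {dc name: raw `fsmo show` text}. Return roles the DCs disagree on."""
    views = defaultdict(dict)
    for dc, text in outputs.items():
        for role, owner in parse_fsmo_show(text).items():
            views[role][dc] = owner
    # Flag a role when the DCs name different owners or any DC sees no owner.
    return {role: seen for role, seen in views.items()
            if len(set(seen.values())) > 1 or None in seen.values()}

# Constructed sample: two roles per DC, DNs shortened to a placeholder domain.
DN = ("CN=NTDS Settings,CN={},CN=Servers,CN=Default-First-Site-Name,"
      "CN=Sites,CN=Configuration,DC=example,DC=test")
SAMPLE = {
    "gtmad2": "SchemaMasterRole owner: " + DN.format("GTMAD1") + "\n"
              "PdcEmulationMasterRole owner: " + DN.format("GTMAD1"),
    "gtmad1": "ldb_wrap open of secrets.ldb\n"
              "SchemaMasterRole owner: " + DN.format("GTMAD2") + "\n"
              "PdcEmulationMasterRole owner: " + DN.format("GTMAD2"),
    "gtmad":  "ldb_wrap open of secrets.ldb\n"
              "SchemaMasterRole has no current owner\n"
              "PdcEmulationMasterRole owner: " + DN.format("GTMAD1"),
}

if __name__ == "__main__":
    for role, seen in sorted(compare_views(SAMPLE).items()):
        print(role, seen)
```

An empty result means every DC names the same owner for every role; anything else lists, per role, which DC sees which owner.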


