[Samba] Transfer FSMO roles to a new DC

Rommel Rodriguez Toirac rommelrt at nauta.cu
Fri Oct 29 17:57:15 UTC 2021


On 29 October 2021 13:39:02 GMT-04:00, Rowland Penny via samba <samba at lists.samba.org> wrote:
>On Fri, 2021-10-29 at 13:23 -0400, Rommel Rodriguez Toirac via samba
>wrote:
>> On 29 October 2021 13:09:29 GMT-04:00, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > On Fri, 2021-10-29 at 12:36 -0400, Rommel Rodriguez Toirac via
>> > samba
>> > wrote:
>> > >  Hello all;
>> > > 
>> > > I have joined a new domain controller [gtmad2] (Ubuntu with samba4
>> > > version 4.14.8) to a Samba4 Domain (main DC version 4.14.3 on
>> > > CentOS8) [gtmad1].
>> > >  I want to replace the samba-4.14.3 (CentOS8) [hostname gtmad1] and I
>> > > have transferred the FSMO roles to the new one, samba-4.14.8 (Ubuntu
>> > > 20.04) [hostname gtmad2]
>> > > 
>> > >  Here the transfer commands:
>> > > 
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=rid             
>> > > FSMO transfer of 'rid' role successful
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=pdc
>> > > FSMO transfer of 'pdc' role successful
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=infrastructure
>> > > FSMO transfer of 'infrastructure' role successful
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=schema        
>> > > FSMO transfer of 'schema' role successful
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=naming
>> > > FSMO transfer of 'naming' role successful
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=domaindns -UAdministrator
>> > > Password for [ATGTM00\Administrator]:
>> > > FSMO transfer of 'domaindns' role successful
>> > > root at gtmad2:~# samba-tool fsmo transfer --role=forestdns -UAdministrator
>> > > Password for [ATGTM00\Administrator]:
>> > > FSMO transfer of 'forestdns' role successful
>> > > 
>> > >  All transfers were successful, but when I check I have a
>> > > problem.
>> > >  From the new DC [gtmad2] it still shows the other DC [gtmad1] as
>> > > owner of the FSMO roles, and from gtmad1 it shows gtmad2 as the FSMO
>> > > roles owner.
>> > > 
>> > > root at gtmad2:~# samba-tool fsmo show
>> > > SchemaMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > InfrastructureMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > RidAllocationMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > PdcEmulationMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > DomainNamingMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > DomainDnsZonesMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > ForestDnsZonesMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > root at gtmad2:~#
>> > > 
>> > > [root at gtmad1 samba]# samba-tool fsmo show
>> > > ldb_wrap open of secrets.ldb
>> > > SchemaMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > InfrastructureMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > RidAllocationMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > PdcEmulationMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > DomainNamingMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > DomainDnsZonesMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > ForestDnsZonesMasterRole owner: CN=NTDS
>> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> > > [root at gtmad1 samba]#
>> > > 
>> > > 
>> > >  What could possibly be wrong?
>> > >  Any ideas?
>> > 
>> > Well, that is weird, first thought was faulty replication, but it
>> > has
>> > replicated to the old DC and isn't showing on the new DC.
>> > 
>> > I have checked on my DC's and the rid FSMO transferred OK. I would
>> > check if the FSMO roles are still showing as being on two DC's (if
>> > you
>> > have more than two DC's, check those as well). If they are, try
>> > transferring them back and see what happens. If they do transfer
>> > back,
>> > you need to examine gtmad2 to see if there is anything wrong with
>> > that.
>> > 
>> > Rowland
>> > 
>> > 
>> > 
>> 
>>  Thanks Rowland for writing me back.
>> 
>>  The third DC [hostname gtmad] also sees gtmad1 as the owner of the
>> FSMO roles.
>> 
>> [root at gtmad ~]# samba-tool fsmo show
>> ldb_wrap open of secrets.ldb
>> SchemaMasterRole has no current owner
>> InfrastructureMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> RidAllocationMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> PdcEmulationMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainNamingMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainDnsZonesMasterRole has no current owner
>> ForestDnsZonesMasterRole has no current owner
>> [root at gtmad ~]#
>
>I would try transferring the roles back to the original DC, then check
>the new DC
>
>> 
>> 
>>  I have to check gtmad2 (the new Domain Controller added to domain).
>> For example, what to check?
>
>The usual dns things, /etc/hostname, etc/hosts, /etc/resolv.conf
>You should also check the database with samba-tool.
>
>If you cannot find anything wrong, I would demote the new DC and start
>again.
>
>Rowland
>
>
>



root at gtmad2:~# cat /etc/hostname
gtmad2
root at gtmad2:~# cat /etc/hosts   
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
# --- BEGIN PVE ---
192.168.41.8 gtmad2.gtm.onat.gob.cu gtmad2
# --- END PVE ---
root at gtmad2:~# cat /etc/resolv.conf 
# --- BEGIN PVE ---
search gtm.onat.gob.cu
nameserver 192.168.41.18

This 192.168.41.18 is the IP of gtmad1, the one from which the FSMO roles were transferred.

I ran:

root at gtmad2:~# samba-tool dbcheck --cross-ncs --fix
Checking 4212 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=NTDS Settings\0ADEL:07ab56c3-5d91-4ea6-bc34-2eeb1552e4bb,CN=GTMAD2\0ADEL:06b75e05-8ebe-4d41-ba3b-44a475426af2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu - CN=GTMAD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
Change DN to <GUID=06b75e05-8ebe-4d41-ba3b-44a475426af2>;CN=GTMAD2\0ADEL:06b75e05-8ebe-4d41-ba3b-44a475426af2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu? [y/N/all/none] y
Fixed old DN string on attribute lastKnownParent
Checked 4212 objects (0 errors)

root at gtmad2:~# samba-tool dbcheck --cross-ncs      
Checking 4212 objects
Checked 4212 objects (0 errors)

but it did not solve the situation.


-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu
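An added consistency check, not part of this thread or of Samba itself: it parses the text `samba-tool fsmo show` prints on each DC and reports every role that the DCs do not all attribute to the same owner, or that some DC reports as unowned, which is the "still showing on two DCs" check suggested above. The sample outputs are constructed to mirror the three views in this thread (gtmad1 reporting gtmad2, gtmad2 and gtmad reporting gtmad1); the hostnames, DN layout and `find_disagreements` helper are assumptions for illustration, and in practice you would feed it the real output collected from each DC.

```python
import re
from collections import defaultdict

ROLES = ["SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
         "PdcEmulationMasterRole", "DomainNamingMasterRole",
         "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole"]
NTDS_DN = ("CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu")
# Matches both line shapes seen in the thread: "<Role> owner: CN=NTDS Settings,CN=<DC>,..." and "<Role> has no current owner".
LINE_RE = re.compile(r"^(\w+Role) (?:owner: CN=NTDS Settings,CN=([^,]+),|has no current owner)")

def parse_fsmo_show(text):
    """Map role name -> owning DC hostname (lower-case), or None when unowned."""
    owners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            owners[m.group(1)] = m.group(2).lower() if m.group(2) else None
    return owners

def find_disagreements(views):
    """views: {reporting_dc: parsed owners} -> {role: {owner: [reporters]}} for roles unowned somewhere or with conflicting owners."""
    problems = {}
    for role in ROLES:
        by_owner = defaultdict(list)
        for reporter, owners in views.items():
            by_owner[owners.get(role)].append(reporter)
        if len(by_owner) > 1 or None in by_owner:
            problems[role] = dict(by_owner)
    return problems

def constructed_output(owner_by_role):
    """Build text shaped like `samba-tool fsmo show` (constructed sample, not captured output)."""
    lines = ["ldb_wrap open of secrets.ldb"]
    for role in ROLES:
        dc = owner_by_role.get(role)
        lines.append(f"{role} has no current owner" if dc is None
                     else f"{role} owner: {NTDS_DN.format(dc=dc.upper())}")
    return "\n".join(lines)

# Constructed views mirroring the thread: gtmad1 reports gtmad2, gtmad2 reports gtmad1, gtmad reports gtmad1 with three roles unowned.
UNOWNED_ON_GTMAD = {"SchemaMasterRole", "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole"}
VIEWS = {
    "gtmad1": parse_fsmo_show(constructed_output({r: "gtmad2" for r in ROLES})),
    "gtmad2": parse_fsmo_show(constructed_output({r: "gtmad1" for r in ROLES})),
    "gtmad": parse_fsmo_show(constructed_output(
        {r: "gtmad1" for r in ROLES if r not in UNOWNED_ON_GTMAD})),
}
```

Calling `find_disagreements(VIEWS)` on these views flags all seven roles; on a healthy domain, where every DC reports the same owner for every role, it returns an empty dict.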


