[Samba] transferring FSMO to new DC failing with domaindns and forestdns

[Rowland Penny]

On Mon, 23 Jun 2025 21:57:23 +1200
Daniel Christie via samba <samba at lists.samba.org> wrote:

> I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
> So far all seems to have gone well. amd right now I am having an
> issue with transferring the FSMO roles to the new DC. my first
> correct attempt went like this
> 
> *localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all*
> *FSMO transfer of 'rid' role successful*
> *FSMO transfer of 'pdc' role successful*
> *FSMO transfer of 'naming' role successful*
> *FSMO transfer of 'infrastructure' role successful*
> *FSMO transfer of 'schema' role successful*
> *ERROR: Failed to add role 'domaindns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
> CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no
> write property access*
> *> <>*
> 
> After that i figured out (i think) how to define the user that needs
> to run the transfer process for those 2 naming contexts, so i ran
> again and then got another error
> 
> *localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all -U
> adm_daniel* *This DC already has the 'rid' FSMO role*
> *This DC already has the 'pdc' FSMO role*
> *This DC already has the 'naming' FSMO role*
> *This DC already has the 'infrastructure' FSMO role*
> *This DC already has the 'schema' FSMO role*
> *Password for [DOMAIN\administrator]:*
> *ERROR: Failed to add role 'domaindns': LDAP error 16
> LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching
> attribute value while deleting attribute on
> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'> <>*
> 

Lets start by checking for the 'missing' attribute, what does this
search return:

sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
'(fSMORoleOwner=*)' fSMORoleOwner

Rowland