[Samba] transferring FSMO to new DC failing with domaindns and forestdns
Daniel Christie
dchristienz at gmail.com
Mon Jun 23 10:54:01 UTC 2025
sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b 'CN=infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub '(fSMORoleOwner=*)' fSMORoleOwner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configuration,DC=home,DC=krust,DC=kiwi
# returned 1 records
# 1 entries
# 0 referrals
On Mon, 23 Jun 2025 at 22:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 23 Jun 2025 21:57:23 +1200
> Daniel Christie via samba <samba at lists.samba.org> wrote:
>
> > I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
> > So far all seems to have gone well, and right now I am having an
> > issue with transferring the FSMO roles to the new DC. My first
> > correct attempt went like this:
> >
> > localadmin@dc2:~$ sudo samba-tool fsmo transfer --role=all
> > FSMO transfer of 'rid' role successful
> > FSMO transfer of 'pdc' role successful
> > FSMO transfer of 'naming' role successful
> > FSMO transfer of 'infrastructure' role successful
> > FSMO transfer of 'schema' role successful
> > ERROR: Failed to add role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no write property access> <>
> >
> > After that I figured out (I think) how to define the user that needs
> > to run the transfer process for those 2 naming contexts, so I ran
> > again and then got another error:
> >
> > localadmin@dc2:~$ sudo samba-tool fsmo transfer --role=all -U adm_daniel
> > This DC already has the 'rid' FSMO role
> > This DC already has the 'pdc' FSMO role
> > This DC already has the 'naming' FSMO role
> > This DC already has the 'infrastructure' FSMO role
> > This DC already has the 'schema' FSMO role
> > Password for [DOMAIN\administrator]:
> > ERROR: Failed to add role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'> <>
> >
>
> Let's start by checking for the 'missing' attribute. What does this
> search return:
>
> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
> '(fSMORoleOwner=*)' fSMORoleOwner
>
> Rowland
>
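As an added example (not code from the thread or from Samba itself), a small Python parser for the kind of ldbsearch LDIF output posted above: it unfolds LDIF continuation lines, extracts each record's fSMORoleOwner, derives the DC name from the NTDS Settings DN, and lists role objects still held by a DC other than the one expected after the transfer. The sample record is constructed to mirror the thread's output; the function and variable names are mine.

```python
import re
from typing import Dict, Optional
# Constructed sample modelled on the ldbsearch output posted in the thread. ldbsearch
# prints LDIF, which folds long values onto continuation lines that start with a space.
SAMPLE_LDIF = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configu
 ration,DC=home,DC=krust,DC=kiwi
# returned 1 records
"""

# An FSMO owner is a DC's NTDS Settings object: CN=NTDS Settings,CN=<dc>,CN=Servers,...
NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (leading space) back onto the line above them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_role_owners(text: str) -> Dict[str, str]:
    """Map each record's dn to its fSMORoleOwner value; comments and blanks are skipped."""
    owners: Dict[str, str] = {}
    dn: Optional[str] = None
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "fsmoroleowner" and dn:
            owners[dn] = value
    return owners


def owner_dc(ntds_dn: str) -> Optional[str]:
    """Return the DC name from an owner DN, or None if it is not an NTDS Settings DN."""
    m = NTDS_RE.match(ntds_dn)
    return m.group(1) if m else None


def roles_not_held_by(text: str, expected_dc: str) -> Dict[str, str]:
    """Role objects whose owner is not expected_dc, as {role dn: current holder}."""
    return {dn: owner_dc(v) or v for dn, v in parse_role_owners(text).items()
            if (owner_dc(v) or "").lower() != expected_dc.lower()}
```

Feeding it the thread's output with `expected_dc="DC2"` reports the DomainDnsZones infrastructure object as still owned by DC1, which is what the failed 'domaindns' transfer left behind.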