[Samba] transferring FSMO to new DC failing with domaindns and forestdns

Daniel Christie dchristienz at gmail.com
Tue Jun 24 11:38:53 UTC 2025


Today I retried samba-tool to transfer but still got the same error...
then I tried to update the attribute within adsiedit again and that worked,
and can confirm the roles show correctly as being on the new server with
the samba-tool fsmo show command. Is there anything else I need to worry
about since I did this in adsiedit, or is that effectively the same as
changing it from samba-tool?

On Mon, 23 Jun 2025 at 22:54, Daniel Christie <dchristienz at gmail.com> wrote:

> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
> '(fSMORoleOwner=*)' fSMORoleOwner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=DC1,CN=Servers,CN=site,CN=Sites,CN=Configu
>  ration,DC=home,DC=domain,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> On Mon, 23 Jun 2025 at 22:33, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Mon, 23 Jun 2025 21:57:23 +1200
>> Daniel Christie via samba <samba at lists.samba.org> wrote:
>>
>> > I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
>> > So far all seems to have gone well, and right now I am having an
>> > issue with transferring the FSMO roles to the new DC. My first
>> > correct attempt went like this:
>> >
>> > localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all
>> > FSMO transfer of 'rid' role successful
>> > FSMO transfer of 'pdc' role successful
>> > FSMO transfer of 'naming' role successful
>> > FSMO transfer of 'infrastructure' role successful
>> > FSMO transfer of 'schema' role successful
>> > ERROR: Failed to add role 'domaindns': LDAP error 50
>> > LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
>> > CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no
>> > write property access> <>
>> >
>> > After that I figured out (I think) how to define the user that needs
>> > to run the transfer process for those 2 naming contexts, so I ran
>> > again and then got another error:
>> >
>> > localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all -U adm_daniel
>> > This DC already has the 'rid' FSMO role
>> > This DC already has the 'pdc' FSMO role
>> > This DC already has the 'naming' FSMO role
>> > This DC already has the 'infrastructure' FSMO role
>> > This DC already has the 'schema' FSMO role
>> > Password for [DOMAIN\administrator]:
>> > ERROR: Failed to add role 'domaindns': LDAP error 16
>> > LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching
>> > attribute value while deleting attribute on
>> > 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'> <>
>> >
>>
>> Let's start by checking for the 'missing' attribute; what does this
>> search return:
>>
>> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
>> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
>> '(fSMORoleOwner=*)' fSMORoleOwner
>>
>> Rowland
>>
>>
>>
>
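A post-change check for the situation Daniel describes (the fSMORoleOwner value edited by hand in adsiedit), added here as an example that is not part of the thread: it parses ldbsearch output of the shape Rowland asked for, unfolds the LDIF continuation lines (a leading space continues the previous line, as in the wrapped "CN=Configu / ration" value above), and lists every naming context whose fSMORoleOwner does not point at the expected DC's NTDS Settings object. The sample output is constructed; in practice, feed it the concatenated output of the ldbsearch run against the Infrastructure object of each DomainDnsZones and ForestDnsZones partition.

```python
import re

# Constructed sample in the shape of ldbsearch output. LDIF folds long values:
# a continuation line starts with one space, so "CN=NTDS Settings" becomes
# "CN=NTDS" followed by a line beginning with two spaces.
SAMPLE_LDIF = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS
  Settings,CN=DC1,CN=Servers,CN=site,CN=Sites,CN=Configu
 ration,DC=home,DC=domain,DC=com

# record 2
dn: CN=Infrastructure,DC=ForestDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=site,CN=Sites,CN=Configuration,DC=home,DC=domain,DC=com

# returned 2 records
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_records(text):
    """Return one {attribute: value} dict per LDIF record, ignoring '#' comments."""
    records, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        records.append(current)
    return records

def owner_dc(fsmo_owner_dn):
    """Pull the DC name out of 'CN=NTDS Settings,CN=<DC>,CN=Servers,...'."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", fsmo_owner_dn, re.IGNORECASE)
    return m.group(1) if m else None

def stale_owners(text, expected_dc):
    """DNs of naming contexts whose fSMORoleOwner is not on expected_dc."""
    return [r["dn"] for r in parse_records(text)
            if owner_dc(r.get("fSMORoleOwner", "")) != expected_dc]
```

An empty list from stale_owners means every listed partition already names the new DC; a non-empty one shows exactly which partition the transfer (or the manual edit) did not reach.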