Daniel Christie
2025-Jun-23 09:57 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
I have 2 samba DCs, wanting to migrate fully from DC1 to DC2. So far all seems to have gone well, and right now I am having an issue with transferring the FSMO roles to the new DC. My first correct attempt went like this:

localadmin@dc2:~$ sudo samba-tool fsmo transfer --role=all
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
ERROR: Failed to add role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no write property access
> <>

After that I figured out (I think) how to define the user that needs to run the transfer process for those 2 naming contexts, so I ran again and then got another error:

localadmin@dc2:~$ sudo samba-tool fsmo transfer --role=all -U adm_daniel
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
Password for [DOMAIN\administrator]:
ERROR: Failed to add role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'> <>

My goal is to transfer the roles to DC2 and then demote and unjoin DC1 from the domain. It seems like replication is working as expected according to what I have researched, though from some searching through the mailing list I found a thread from 2023 with a similar error, but it looked like the cause was not really determined, or that it was to do with the site the DCs were in. I have for no good reason decided to rename the default site to the street name of my home, where I run this lab environment from. Could this be the issue?

Thanks for any help.
Rowland Penny
2025-Jun-23 10:32 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
On Mon, 23 Jun 2025 21:57:23 +1200 Daniel Christie via samba <samba at lists.samba.org> wrote:

> I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
> So far all seems to have gone well, and right now I am having an
> issue with transferring the FSMO roles to the new DC. My first
> correct attempt went like this:
>
> localadmin@dc2:~$ sudo samba-tool fsmo transfer --role=all
> FSMO transfer of 'rid' role successful
> FSMO transfer of 'pdc' role successful
> FSMO transfer of 'naming' role successful
> FSMO transfer of 'infrastructure' role successful
> FSMO transfer of 'schema' role successful
> ERROR: Failed to add role 'domaindns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no
> write property access
> > <>
>
> After that I figured out (I think) how to define the user that needs
> to run the transfer process for those 2 naming contexts, so I ran
> again and then got another error:
>
> localadmin@dc2:~$ sudo samba-tool fsmo transfer --role=all -U adm_daniel
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [DOMAIN\administrator]:
> ERROR: Failed to add role 'domaindns': LDAP error 16
> LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching
> attribute value while deleting attribute on
> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'> <>
>

Let's start by checking for the 'missing' attribute. What does this search return:

sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub '(fSMORoleOwner=*)' fSMORoleOwner

Rowland
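The ldbsearch check above returns LDIF, one record per holder object. As an added example that is not part of this thread (nor Samba's own code), the script below parses that LDIF offline and maps each of the seven FSMO roles, using the standard holder-object DNs that samba-tool itself uses, to the DC whose NTDS Settings object owns it. A holder object that comes back without any fSMORoleOwner value is reported as missing, which is the state that produces an LDAP_NO_SUCH_ATTRIBUTE error when the old value is deleted during a transfer. The sample LDIF, the DC names, the site name "Home-Site" and the domain are all constructed for the example; the function names are this example's own.

```python
"""Map FSMO roles to their owning DC from ldbsearch LDIF output and flag
holder objects whose fSMORoleOwner attribute is absent."""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like ldbsearch LDIF for the seven FSMO holder
# objects (a base search per object, requesting only fSMORoleOwner, so an
# object that lacks the attribute still appears). Record 7 uses LDIF line
# folding (continuation line starts with one space).
SAMPLE_LDIF = """\
# record 1
dn: CN=RID Manager$,CN=System,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Home-Site,CN=Sites,CN=Configuration,DC=home,DC=domain,DC=com

# record 2
dn: DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Home-Site,CN=Sites,CN=Configuration,DC=home,DC=domain,DC=com

# record 3
dn: CN=Partitions,CN=Configuration,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Home-Site,CN=Sites,CN=Configuration,DC=home,DC=domain,DC=com

# record 4
dn: CN=Infrastructure,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Home-Site,CN=Sites,CN=Configuration,DC=home,DC=domain,DC=com

# record 5
dn: CN=Schema,CN=Configuration,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Home-Site,CN=Sites,CN=Configuration,DC=home,DC=domain,DC=com

# record 6
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com

# record 7
dn: CN=Infrastructure,DC=ForestDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Home-Site,CN=Sites,
 CN=Configuration,DC=home,DC=domain,DC=com
"""

# fSMORoleOwner points at the owning DC's NTDS Settings object; group 1 is
# the server's short name.
NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips '#' comments,
    splits records on blank lines, decodes 'attr:: base64' values and
    lower-cases attribute names (LDAP attribute names are case-insensitive)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # fold continuation onto previous line
        else:
            unfolded.append(line)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def fsmo_holder_dns(domain_dn: str) -> Dict[str, str]:
    """Holder object for each role, keyed by the names samba-tool fsmo uses."""
    return {
        "rid": f"CN=RID Manager$,CN=System,{domain_dn}",
        "pdc": domain_dn,
        "naming": f"CN=Partitions,CN=Configuration,{domain_dn}",
        "infrastructure": f"CN=Infrastructure,{domain_dn}",
        "schema": f"CN=Schema,CN=Configuration,{domain_dn}",
        "domaindns": f"CN=Infrastructure,DC=DomainDnsZones,{domain_dn}",
        "forestdns": f"CN=Infrastructure,DC=ForestDnsZones,{domain_dn}",
    }


def owner_server(ntds_dn: str) -> str:
    """Short DC name from an NTDS Settings DN; the raw DN if it has an
    unexpected shape (for example a deleted-object DN), so it is still visible."""
    match = NTDS_RE.match(ntds_dn)
    return match.group(1) if match else ntds_dn


def fsmo_owners(ldif_text: str, domain_dn: str) -> Dict[str, Optional[str]]:
    """Role -> owning DC short name, or None when the holder object was
    returned without an fSMORoleOwner value. Roles whose holder object is
    absent from the output are left out."""
    by_dn = {rec["dn"][0].lower(): rec for rec in parse_ldif(ldif_text) if "dn" in rec}
    owners: Dict[str, Optional[str]] = {}
    for role, dn in fsmo_holder_dns(domain_dn).items():
        rec = by_dn.get(dn.lower())
        if rec is None:
            continue
        values = rec.get("fsmoroleowner")
        owners[role] = owner_server(values[0]) if values else None
    return owners


def roles_not_held_by(owners: Dict[str, Optional[str]], dc: str) -> List[str]:
    """Roles that are missing or still owned by another DC (what a
    'transfer --role=all' to `dc` would still have to move or seize)."""
    return sorted(r for r, s in owners.items() if s is None or s.lower() != dc.lower())


if __name__ == "__main__":
    found = fsmo_owners(SAMPLE_LDIF, "DC=home,DC=domain,DC=com")
    for role, server in found.items():
        print(f"{role:15s} {server or 'holder present, fSMORoleOwner attribute missing'}")
    print("not yet on DC2:", roles_not_held_by(found, "DC2"))
```

Run against real output, feed the script the concatenated LDIF of a base search per holder object (without the `(fSMORoleOwner=*)` filter, which would hide exactly the object you are looking for) and compare the result with what `samba-tool fsmo show` reports.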