Hi all-
I've been polishing my Samba4 AD set-up as we get close to deploying it in the
office. However, one thing that I'm having issues with is FSMO roles and
DCs. The gist of the situation is that I cannot demote the original DC. Both
DCs are implemented with Samba4, running the same version (4.0.3) and have
replication working*
Here is a summary of everything I've noticed:
- samba-tool fsmo transfer does not work:
  running it without specifying anything returns a success command, but no roles
  are transferred off the DC
  running it and specifying another DC with the -H flag yields this error:
  ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
  running it with the -H and -b flags yields the error:
  samba-tool fsmo transfer: error: no such option: -b
- samba-tool fsmo seize *appears* to work:
  running it with any one role gives the following output:
  Attempting transfer...
  FSMO transfer of 'pdc' role successful
  ERROR: Failed to initiate role seize of 'pdc' role: objectclass: modify
  message must have elements/attributes!
  checking with samba-tool fsmo show *does* show that the role has been
  transferred
  however, the error prevents --role=all from working as it hits the error and
  stops execution
- Windows MMC snap-ins (e.g. Users and Computers) *do* reflect changes made on
  role owners
- Windows utilities (e.g. ntdsutil) *do* reflect changes made on role owners
- both DCs agree on who has what role with samba-tool fsmo show
Now the issue:
After transferring all 5 roles from dc1 to dc2 and verifying that both of them
agree, I want to remove dc1, so I attempt to demote dc1:
samba-tool domain demote -UAdministrator
This returns the following:
ERROR: Current DC is still the owner of 2 role(s), use the role command to
transfer roles to another DC
What are the 2 hidden roles it has or thinks it has?
If I try to delete it from the windows side using Users and Computers, after
ticking the box that says 'yes, I can't dcpromo, it's permanently
offline', I receive the following error:
"Windows cannot delete object LDAP://dc2.[...]/CN=DC1,OU=Domain
Controllers,DC=[...],DC=[...] because: The specified module could not be
found."
Why is it referred to as a module?
In any case, using ldbedit on DC1, I did find that exact DN, so it is there.
I can't use ldbdel to remove the DC as it refuses the operation (probably
reasonably so).
I think it might be an issue with just the *original* DC because I did this
exact process with dc2 (the DC created via replication) and it returns this on
samba-tool domain demote:
Using dc1.[...] as partner server for the demotion
Password for [[...]\Administrator]:
Desactivating inbound replication
Asking partner server dc1.[...] to synchronize from us
Changing userControl and container
Demote successfull
So what could possibly be wrong with the original DC?
As I poked around on this error, I also found this:
https://bugzilla.samba.org/show_bug.cgi?id=9461
So is anyone using the test branch and can verify this bug is fixed in that
version?
*replication is working 100% but I do see this error:
Warning: No NC replicated for Connection!
From back when I was setting up replication, I poked around and from what I
understood, it was a glitch and not an issue
Any insights would be great,
Thanks,
-Mike Ray
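A pre-demotion sanity check matching the "both DCs agree" verification described in the post, as an added example (not code from the original post or from the Samba project): it parses the text each DC prints for `samba-tool fsmo show`, assuming one line per role of the form `<Role> owner: CN=NTDS Settings,CN=<DC>,...`, and flags roles the DCs disagree about and roles still held by the DC about to be demoted. The sample output below is constructed.

```python
"""Compare `samba-tool fsmo show` output from two DCs before a demote.

Assumed line format (one line per role, as printed by samba-tool):
    <RoleName> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...
Feed each function the real output captured on each DC.
"""
import re
from typing import Dict, List, Tuple

# The owning DC is the CN immediately after "CN=NTDS Settings".
ROLE_LINE = re.compile(
    r"^(?P<role>\w+)\s+owner:\s*CN=NTDS Settings,CN=(?P<dc>[^,]+),", re.I)


def parse_fsmo_show(text: str) -> Dict[str, str]:
    """Map role name -> owning DC name (upper-cased) from fsmo show output."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            owners[m.group("role")] = m.group("dc").upper()
    return owners


def check_before_demote(views: Dict[str, str],
                        demote_dc: str) -> Tuple[List[str], List[str]]:
    """views maps a DC name to the fsmo show text captured on that DC.

    Returns (roles whose owner differs between DCs,
             roles any DC still attributes to demote_dc)."""
    parsed = {dc: parse_fsmo_show(txt) for dc, txt in views.items()}
    roles = sorted(set().union(*(p.keys() for p in parsed.values())))
    disagree = [r for r in roles
                if len({p.get(r) for p in parsed.values()}) != 1]
    still_owned = [r for r in roles
                   if any(p.get(r) == demote_dc.upper() for p in parsed.values())]
    return disagree, still_owned


# Constructed sample: dc2 reports every role as its own, but dc1 still
# believes it holds the RID allocation role (a replication lag scenario).
ROLES = ["SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
         "PdcEmulationMasterRole", "DomainNamingMasterRole"]


def _line(role: str, dc: str) -> str:  # builds one sample line (constructed)
    return (f"{role} owner: CN=NTDS Settings,CN={dc},CN=Servers,"
            "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com")


SAMPLE_DC1 = "\n".join(_line(r, "DC1" if r == "RidAllocationMasterRole" else "DC2")
                       for r in ROLES)
SAMPLE_DC2 = "\n".join(_line(r, "DC2") for r in ROLES)

if __name__ == "__main__":
    print(check_before_demote({"dc1": SAMPLE_DC1, "dc2": SAMPLE_DC2}, "dc1"))
```

It can only see the roles that samba-tool fsmo show lists, so it cannot by itself account for the two extra roles the demote command counts.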