Petr MOTEJLEK
2014-Jul-21 19:14 UTC
[Samba] samba-tool domain demote - current DC is still the owner of 2 role(s)
Hey guys,

I had recently set up a new DC (called dc0) (in accordance with the wiki) and now I would like to demote the old DC (called pdc0 :)). I followed the wiki again, but I ran into the following issue.

When trying to demote the old DC, I get this error message:

pdc0 # samba-tool domain demote
ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC

It's not very verbose - I have no idea what the role(s) might be. I did run the samba-tool fsmo transfer --role=all command on the new DC prior to trying the demote command on the old DC.

pdc0 # samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

pdc0 # samba-tool drs showrepl
Default-First-Site-Name\PDC0
DSA Options: 0x00000001
DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
DSA invocationId: e5aad444-67dc-4b35-8fc2-42b5fd8cd140

==== INBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ Mon Jul 21 21:05:20 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:05:20 2014 CEST

DC=DomainDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ Mon Jul 21 21:05:21 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:05:21 2014 CEST

DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ Mon Jul 21 21:05:22 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:05:22 2014 CEST

CN=Schema,CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ Mon Jul 21 21:05:23 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:05:23 2014 CEST

CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ Mon Jul 21 21:05:24 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:05:24 2014 CEST

==== OUTBOUND NEIGHBORS ===

DC=ForestDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\DC0 via RPC
        DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: 10178e90-e3e4-4dcf-9165-5d363d8dd6ae
    Enabled        : TRUE
    Server DNS name : DC0.ad.m-k.cz
    Server DN name  : CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

dc0 # samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dc0 # samba-tool drs showrepl
Default-First-Site-Name\DC0
DSA Options: 0x00000001
DSA object GUID: 9215ee10-7dce-4968-af6c-c015229a7be9
DSA invocationId: 4413329c-1e75-4d95-935a-2d9af6926255

==== INBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ Mon Jul 21 21:06:54 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:06:54 2014 CEST

DC=ForestDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ Mon Jul 21 21:06:53 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:06:53 2014 CEST

CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ Mon Jul 21 21:06:55 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:06:55 2014 CEST

DC=DomainDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ Mon Jul 21 21:06:54 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:06:54 2014 CEST

DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ Mon Jul 21 21:06:55 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Mon Jul 21 21:06:55 2014 CEST

==== OUTBOUND NEIGHBORS ===

CN=Schema,CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ad,DC=m-k,DC=cz
    Default-First-Site-Name\PDC0 via RPC
        DSA object GUID: 0bdca96b-bb1a-42ed-bd78-b4486e64f609
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ===

Connection --
    Connection name: bef32bac-a445-4672-bfb2-61b525842526
    Enabled        : TRUE
    Server DNS name : pdc0.ad.m-k.cz
    Server DN name  : CN=NTDS Settings,CN=PDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!

I am not an expert, but it seems like everything is working as it should; it's just that the old DC is probably holding on to some role(s) that samba-tool fsmo does not care about, but samba-tool domain demote does...

Just before sending this email, I realized that the DNS records could be of importance too (since AD tends to store a lot of information there). Here goes. Additionally, I am using BIND9 as backend.

pdc0 # dig @127.0.0.1 ad.m-k.cz AXFR
ad.m-k.cz. 3600 IN SOA pdc0.ad.m-k.cz. hostmaster.ad.m-k.cz. 36 900 600 86400 0
ad.m-k.cz. 900 IN NS pdc0.ad.m-k.cz.
ad.m-k.cz. 900 IN A 192.168.1.3
ad.m-k.cz. 900 IN A 192.168.1.14
dc0.ad.m-k.cz. 900 IN A 192.168.1.14
pdc0.ad.m-k.cz. 900 IN A 192.168.1.3
apolo.ad.m-k.cz. 1200 IN A 192.168.1.22
sirene.ad.m-k.cz. 900 IN A 192.168.3.1
_msdcs.ad.m-k.cz. 900 IN NS pdc0.ad.m-k.cz.
_gc._tcp.ad.m-k.cz. 900 IN SRV 0 100 3268 pdc0.ad.m-k.cz.
_gc._tcp.ad.m-k.cz. 900 IN SRV 0 100 3268 dc0.ad.m-k.cz.
_ldap._tcp.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.ad.m-k.cz. 900 IN SRV 0 100 389 dc0.ad.m-k.cz.
_kpasswd._udp.ad.m-k.cz. 900 IN SRV 0 100 464 pdc0.ad.m-k.cz.
_kpasswd._udp.ad.m-k.cz. 900 IN SRV 0 100 464 dc0.ad.m-k.cz.
_kpasswd._tcp.ad.m-k.cz. 900 IN SRV 0 100 464 pdc0.ad.m-k.cz.
_kpasswd._tcp.ad.m-k.cz. 900 IN SRV 0 100 464 dc0.ad.m-k.cz.
_kerberos._udp.ad.m-k.cz. 900 IN SRV 0 100 88 pdc0.ad.m-k.cz.
_kerberos._udp.ad.m-k.cz. 900 IN SRV 0 100 88 dc0.ad.m-k.cz.
_kerberos._tcp.ad.m-k.cz. 900 IN SRV 0 100 88 pdc0.ad.m-k.cz.
_kerberos._tcp.ad.m-k.cz. 900 IN SRV 0 100 88 dc0.ad.m-k.cz.
ForestDnsZones.ad.m-k.cz. 900 IN A 192.168.1.3
DomainDnsZones.ad.m-k.cz. 900 IN A 192.168.1.3
_ldap._tcp.ForestDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.DomainDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_gc._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 3268 pdc0.ad.m-k.cz.
_gc._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 3268 dc0.ad.m-k.cz.
_ldap._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 389 dc0.ad.m-k.cz.
_kerberos._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 88 pdc0.ad.m-k.cz.
_kerberos._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 88 dc0.ad.m-k.cz.
dc0\010CNF:61d132ad-c503-4c74-b7f7-5b77808f1a55.ad.m-k.cz. 900 IN A 192.168.1.14
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
ad.m-k.cz. 3600 IN SOA pdc0.ad.m-k.cz. hostmaster.ad.m-k.cz. 36 900 600 86400 0

dc0 # dig @127.0.0.1 ad.m-k.cz AXFR
ad.m-k.cz. 3600 IN SOA dc0.ad.m-k.cz. hostmaster.ad.m-k.cz. 36 900 600 86400 0
ad.m-k.cz. 900 IN NS pdc0.ad.m-k.cz.
ad.m-k.cz. 900 IN A 192.168.1.3
ad.m-k.cz. 900 IN A 192.168.1.14
dc0.ad.m-k.cz. 900 IN A 192.168.1.14
pdc0.ad.m-k.cz. 900 IN A 192.168.1.3
apolo.ad.m-k.cz. 1200 IN A 192.168.1.22
sirene.ad.m-k.cz. 900 IN A 192.168.3.1
_msdcs.ad.m-k.cz. 900 IN NS pdc0.ad.m-k.cz.
_gc._tcp.ad.m-k.cz. 900 IN SRV 0 100 3268 pdc0.ad.m-k.cz.
_gc._tcp.ad.m-k.cz. 900 IN SRV 0 100 3268 dc0.ad.m-k.cz.
_ldap._tcp.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.ad.m-k.cz. 900 IN SRV 0 100 389 dc0.ad.m-k.cz.
_kpasswd._udp.ad.m-k.cz. 900 IN SRV 0 100 464 pdc0.ad.m-k.cz.
_kpasswd._udp.ad.m-k.cz. 900 IN SRV 0 100 464 dc0.ad.m-k.cz.
_kpasswd._tcp.ad.m-k.cz. 900 IN SRV 0 100 464 pdc0.ad.m-k.cz.
_kpasswd._tcp.ad.m-k.cz. 900 IN SRV 0 100 464 dc0.ad.m-k.cz.
_kerberos._udp.ad.m-k.cz. 900 IN SRV 0 100 88 pdc0.ad.m-k.cz.
_kerberos._udp.ad.m-k.cz. 900 IN SRV 0 100 88 dc0.ad.m-k.cz.
_kerberos._tcp.ad.m-k.cz. 900 IN SRV 0 100 88 pdc0.ad.m-k.cz.
_kerberos._tcp.ad.m-k.cz. 900 IN SRV 0 100 88 dc0.ad.m-k.cz.
ForestDnsZones.ad.m-k.cz. 900 IN A 192.168.1.3
DomainDnsZones.ad.m-k.cz. 900 IN A 192.168.1.3
_ldap._tcp.ForestDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.DomainDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_gc._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 3268 pdc0.ad.m-k.cz.
_gc._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 3268 dc0.ad.m-k.cz.
_ldap._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 389 dc0.ad.m-k.cz.
_kerberos._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 88 pdc0.ad.m-k.cz.
_kerberos._tcp.Default-First-Site-Name._sites.ad.m-k.cz. 900 IN SRV 0 100 88 dc0.ad.m-k.cz.
dc0\010CNF:61d132ad-c503-4c74-b7f7-5b77808f1a55.ad.m-k.cz. 900 IN A 192.168.1.14
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
ad.m-k.cz. 3600 IN SOA dc0.ad.m-k.cz. hostmaster.ad.m-k.cz. 36 900 600 86400 0

Thanks a lot in advance for any pointers :)

Petr MOTEJLEK
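Added example, not from the thread and not Samba's own code: a small Python audit of what still points at a DC before it is demoted. The fSMORoleOwner attribute sits on one object per role, and besides the five objects behind the roles that samba-tool fsmo show lists above, there is one on the CN=Infrastructure object of each DNS application partition (DomainDnsZones and ForestDnsZones). Dumping every fSMORoleOwner across all naming contexts with ldbsearch --cross-ncs (the sam.ldb path in the docstring is an assumption; self-compiled installs keep it under /usr/local/samba/private) and parsing the LDIF shows which objects still name a given server. The LDIF sample is constructed so that those two DNS-partition roles still sit on PDC0, which is one scenario consistent with "owner of 2 role(s)"; the thread does not establish that this is the cause here. The zone check reuses records from the poster's own AXFR output and lists the NS and SRV names whose only target is pdc0, i.e. the DNS entries that would point at no DC at all after the demotion.

```python
"""Pre-demotion audit for a Samba AD DC (added example, not Samba code).

Part 1 parses the LDIF printed by this command on a DC (path is an assumption):

    ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs \\
        '(fSMORoleOwner=*)' fSMORoleOwner

Part 2 parses a `dig @127.0.0.1 <zone> AXFR` dump.
"""
import re

# Constructed sample (not the poster's data): the seven objects that carry an
# fSMORoleOwner. Five name DC0; the Infrastructure objects of the two DNS
# application partitions still name PDC0. The last value is line-folded the
# way ldbsearch folds long attributes, to exercise the unfolding code.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dn: CN=Partitions,CN=Configuration,DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dn: DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dn: CN=RID Manager$,CN=System,DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dn: CN=Infrastructure,DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=PDC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=m-k,DC=cz
fSMORoleOwner: CN=NTDS Settings,CN=PDC0,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=ad,DC=m-k,DC=cz

# returned 7 records
"""

# Excerpt of the AXFR the poster ran on pdc0 (records taken from the thread).
SAMPLE_ZONE = """\
ad.m-k.cz. 3600 IN SOA pdc0.ad.m-k.cz. hostmaster.ad.m-k.cz. 36 900 600 86400 0
ad.m-k.cz. 900 IN NS pdc0.ad.m-k.cz.
dc0.ad.m-k.cz. 900 IN A 192.168.1.14
pdc0.ad.m-k.cz. 900 IN A 192.168.1.3
_msdcs.ad.m-k.cz. 900 IN NS pdc0.ad.m-k.cz.
_gc._tcp.ad.m-k.cz. 900 IN SRV 0 100 3268 pdc0.ad.m-k.cz.
_gc._tcp.ad.m-k.cz. 900 IN SRV 0 100 3268 dc0.ad.m-k.cz.
_ldap._tcp.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.ad.m-k.cz. 900 IN SRV 0 100 389 dc0.ad.m-k.cz.
_ldap._tcp.ForestDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
_ldap._tcp.DomainDnsZones.ad.m-k.cz. 900 IN SRV 0 100 389 pdc0.ad.m-k.cz.
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (RFC 2849), skips
    '#' comments, returns {dn: {attr: [values]}}. Base64 ('::') values are
    not handled; the DNs this audit needs are plain ASCII."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]     # continuation of the previous line
        else:
            unfolded.append(line)
    entries, dn = {}, None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            dn = None                    # blank line ends a record
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = value.strip()
            entries[dn] = {}
        elif dn is not None:
            entries[dn].setdefault(attr, []).append(value.strip())
    return entries


def fsmo_roles_held_by(ldif_text, server):
    """DNs of every role-holding object whose fSMORoleOwner is the NTDS
    Settings object of <server>. Compare with `samba-tool fsmo show`,
    which in the thread reports five roles and says nothing about the
    DNS application partitions."""
    ntds = re.compile(r"^CN=NTDS Settings,CN=([^,]+),", re.IGNORECASE)
    held = []
    for dn, attrs in parse_ldif(ldif_text).items():
        for owner in attrs.get("fSMORoleOwner", []):
            m = ntds.match(owner)
            if m and m.group(1).upper() == server.upper():
                held.append(dn)
    return sorted(held)


def names_losing_all_targets(zone_text, leaving_host):
    """(owner, type) of NS and SRV records whose only target is leaving_host.
    SOA is ignored: its MNAME is whichever DC answered the AXFR."""
    leaving = leaving_host.rstrip(".").lower() + "."
    targets = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] in ("NS", "SRV"):
            targets.setdefault((f[0], f[3]), set()).add(f[-1].lower())
    return sorted(k for k, t in targets.items() if t == {leaving})


if __name__ == "__main__":
    for dn in fsmo_roles_held_by(SAMPLE_LDIF, "pdc0"):
        print("FSMO role still on pdc0:", dn)
    for owner, rtype in names_losing_all_targets(SAMPLE_ZONE, "pdc0.ad.m-k.cz"):
        print("only pdc0 serves:", rtype, owner)
```

On a real DC, feed the ldbsearch output and a fresh AXFR into the two functions instead of the samples. A role that still names the outgoing DC is transferred (or, if that DC is already gone, seized) before demoting; an NS or SRV name that only the outgoing DC serves gets a record for the remaining DC first, otherwise domain members lose their only DNS path to a DC the moment the old one is removed.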
Marc Muehlfeld
2014-Jul-22 04:48 UTC
[Samba] samba-tool domain demote - current DC is still the owner of 2 role(s)
Hello Petr, hello Fernando,

On 21.07.2014 21:14, Petr MOTEJLEK wrote:
> I had recently set up a new DC (called dc0) (in accordance with the wiki)
> and now I would like to demote the old DC (called pdc0 :)). I
> followed the wiki again, but I ran into the following issue.
> When trying to demote the old DC, I get this error message:
>
> pdc0 # samba-tool domain demote
> ERROR: Current DC is still the owner of 2 role(s), use the role command
> to transfer roles to another DC

You both reported the same problem during the last days:
http://comments.gmane.org/gmane.network.samba.general/140496
http://www.spinics.net/lists/samba/msg117640.html

It seems we may have hit a bug here. Let me try to demote a DC in my test environment today and see what happens there. I'll report the result tonight.

BTW, Petr: What Samba version do you use? And was it self-compiled or a package (SerNet, distro, etc.)?

Regards,
Marc