thr3ads.net - samba - [Samba] Transfer of FSMO roles [Aug 2015]

If this information is useful, please help other people find it:
Share via:

John Gardeniers

2015-Aug-25 02:46 UTC

[Samba] Transfer of FSMO roles

I just transferred all the FSMO roles from DC-MIGRATE to DC1:

[root at dc1 ~]# samba-tool fsmo transfer --role=all
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful

I then double checked as follows:

[root at dc1 ~]# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
SchemaMasterRole owner: CN=NTDS 
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com

Looks good but when I run this:

[root at dc1 ~]# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b 
"CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com" -s base
fsmoroleowner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
fSMORoleOwner: CN=NTDS 
Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
  -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com

You'll notice that this time it still lists DC-MIGRATE as the role owner 
(I didn't bother running this for the other roles). I re-ran the command 
again half an hour later, thinking that perhaps this just need a little 
time to settle, but got the same results.

Does this indicate a problem that I need to resolve? If so, how do I 
resolve it?

Incidentally, the link for " FSMO role management using the Windows
GUI" on
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles 
is broken.

regards,
John

Rowland Penny

2015-Aug-25 06:57 UTC

head link

[Samba] Transfer of FSMO roles

On 25/08/15 03:46, John Gardeniers wrote:> I just transferred all the FSMO roles from DC-MIGRATE to DC1:
Unfortunately, no you didn't, if you have read the wiki page, you will 
now know there are 7 FSMO roles.
>
> [root at dc1 ~]# samba-tool fsmo transfer --role=all
> FSMO transfer of 'rid' role successful
> FSMO transfer of 'pdc' role successful
> FSMO transfer of 'naming' role successful
> FSMO transfer of 'infrastructure' role successful
> FSMO transfer of 'schema' role successful
>
> I then double checked as follows:
>
> [root at dc1 ~]# samba-tool fsmo show
> InfrastructureMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
> RidAllocationMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
> PdcEmulationMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
> DomainNamingMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
> SchemaMasterRole owner: CN=NTDS 
>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>
> Looks good but when I run this:
>
> [root at dc1 ~]# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb 
> -b "CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com" -s base
> fsmoroleowner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
> fSMORoleOwner: CN=NTDS 
> Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
>  -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>
> You'll notice that this time it still lists DC-MIGRATE as the role 
> owner (I didn't bother running this for the other roles). I re-ran the 
> command again half an hour later, thinking that perhaps this just need 
> a little time to settle, but got the same results.
>
> Does this indicate a problem that I need to resolve? If so, how do I 
> resolve it?
>
Yes, you have a problem, to resolve it, you can either wait until 4.3.0 
comes out and then upgrade, you will then be able to transfer all 7 
roles, or (I never said this) download the latest 4.3.0rc tarball use 
the fsmo.py on your machine.

> Incidentally, the link for " FSMO role management using the Windows 
> GUI" on
>
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles
> is broken.
Fixed

Rowland>
> regards,
> John
>

Rowland Penny

2015-Aug-26 08:18 UTC

head link

[Samba] Transfer of FSMO roles

On 25/08/15 22:44, John Gardeniers wrote:> Hi Rowland,
>
> Yes, I did move all the roles and , yes, I did read the wiki, which is 
> where I learned which commands to run. I moved the other two roles 
> separately but as that has absolutely nothing to do with the questions 
> I didn't see any great need to mention it.
>
> Just to clarify, the questions I am asking are:
>
> Why is one command showing that the roles have been moved and another 
> telling me that they didn't? Which one is correct? How can I make them 
> agree? Does it even matter that they don't agree?
>
> I need to remove the original DC, so I'd like to have some level of 
> confidence about this.
>
> regards,
> John
>
>
> On 25/08/15 16:57, Rowland Penny wrote:
>> On 25/08/15 03:46, John Gardeniers wrote:
>>> I just transferred all the FSMO roles from DC-MIGRATE to DC1:
>>
>> Unfortunately, no you didn't, if you have read the wiki page, you 
>> will now know there are 7 FSMO roles.
>>
>>>
>>> [root at dc1 ~]# samba-tool fsmo transfer --role=all
>>> FSMO transfer of 'rid' role successful
>>> FSMO transfer of 'pdc' role successful
>>> FSMO transfer of 'naming' role successful
>>> FSMO transfer of 'infrastructure' role successful
>>> FSMO transfer of 'schema' role successful
>>>
>>> I then double checked as follows:
>>>
>>> [root at dc1 ~]# samba-tool fsmo show
>>> InfrastructureMasterRole owner: CN=NTDS 
>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> RidAllocationMasterRole owner: CN=NTDS 
>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> PdcEmulationMasterRole owner: CN=NTDS 
>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> DomainNamingMasterRole owner: CN=NTDS 
>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>> SchemaMasterRole owner: CN=NTDS 
>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>
>>> Looks good but when I run this:
>>>
>>> [root at dc1 ~]# ldbsearch --cross-ncs -H 
>>> /var/lib/samba/private/sam.ldb -b 
>>> "CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com" -s
base
>>> fsmoroleowner
>>> # record 1
>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
>>> fSMORoleOwner: CN=NTDS 
>>> Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
>>>  -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>
>>> You'll notice that this time it still lists DC-MIGRATE as the
role
>>> owner (I didn't bother running this for the other roles). I
re-ran
>>> the command again half an hour later, thinking that perhaps this 
>>> just need a little time to settle, but got the same results.
>>>
>>> Does this indicate a problem that I need to resolve? If so, how do
I
>>> resolve it?
>>>
>>
>> Yes, you have a problem, to resolve it, you can either wait until 
>> 4.3.0 comes out and then upgrade, you will then be able to transfer 
>> all 7 roles, or (I never said this) download the latest 4.3.0rc 
>> tarball use the fsmo.py on your machine.
>>
>>
>>> Incidentally, the link for " FSMO role management using the
Windows
>>> GUI" on
>>>
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles
>>> is broken.
>>
>> Fixed
>>
>> Rowland
>>>
>>> regards,
>>> John
>>>
>>
>>
>
You are using a samba4 version less than 4.3.0 and as such 'samba-tool 
fsmo' only knows about the 5 main FSMO roles, so it can only show, 
transfer or seize these. There are another 2 FSMO roles, the DNS 
infrastructure roles, which you are now telling us that you have moved 
manually. From samba 4.3.0, 'samba-tool fsmo' will show, transfer and 
seize all 7 FSMO roles, from the information, so if you use 'fsmo.py' 
from 4.3.0, you should be able to see if all the roles have transferred.

If you don't want to use the latest 'fsmo.py', see here:

https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles

Rowland

John Gardeniers

2015-Aug-26 21:28 UTC

head link

[Samba] Transfer of FSMO roles

Hi Rowland,

It's all academic now, as the attempt to move the roles and remove the 
original DC left both DCs broken, so I have to start again from scratch 
and this time I won't start with a DC that I later want to remove.

regards,
John


On 26/08/15 18:18, Rowland Penny wrote:> On 25/08/15 22:44, John Gardeniers wrote:
>> Hi Rowland,
>>
>> Yes, I did move all the roles and , yes, I did read the wiki, which 
>> is where I learned which commands to run. I moved the other two roles 
>> separately but as that has absolutely nothing to do with the 
>> questions I didn't see any great need to mention it.
>>
>> Just to clarify, the questions I am asking are:
>>
>> Why is one command showing that the roles have been moved and another 
>> telling me that they didn't? Which one is correct? How can I make 
>> them agree? Does it even matter that they don't agree?
>>
>> I need to remove the original DC, so I'd like to have some level of
>> confidence about this.
>>
>> regards,
>> John
>>
>>
>> On 25/08/15 16:57, Rowland Penny wrote:
>>> On 25/08/15 03:46, John Gardeniers wrote:
>>>> I just transferred all the FSMO roles from DC-MIGRATE to DC1:
>>>
>>> Unfortunately, no you didn't, if you have read the wiki page,
you
>>> will now know there are 7 FSMO roles.
>>>
>>>>
>>>> [root at dc1 ~]# samba-tool fsmo transfer --role=all
>>>> FSMO transfer of 'rid' role successful
>>>> FSMO transfer of 'pdc' role successful
>>>> FSMO transfer of 'naming' role successful
>>>> FSMO transfer of 'infrastructure' role successful
>>>> FSMO transfer of 'schema' role successful
>>>>
>>>> I then double checked as follows:
>>>>
>>>> [root at dc1 ~]# samba-tool fsmo show
>>>> InfrastructureMasterRole owner: CN=NTDS 
>>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> RidAllocationMasterRole owner: CN=NTDS 
>>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> PdcEmulationMasterRole owner: CN=NTDS 
>>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> DomainNamingMasterRole owner: CN=NTDS 
>>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>> SchemaMasterRole owner: CN=NTDS 
>>>>
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>>
>>>> Looks good but when I run this:
>>>>
>>>> [root at dc1 ~]# ldbsearch --cross-ncs -H 
>>>> /var/lib/samba/private/sam.ldb -b 
>>>>
"CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com" -s base
>>>> fsmoroleowner
>>>> # record 1
>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=omtest,DC=com
>>>> fSMORoleOwner: CN=NTDS 
>>>> Settings,CN=DC-MIGRATE,CN=Servers,CN=Default-First-Site
>>>>  -Name,CN=Sites,CN=Configuration,DC=omtest,DC=com
>>>>
>>>> You'll notice that this time it still lists DC-MIGRATE as
the role
>>>> owner (I didn't bother running this for the other roles). I
re-ran
>>>> the command again half an hour later, thinking that perhaps
this
>>>> just need a little time to settle, but got the same results.
>>>>
>>>> Does this indicate a problem that I need to resolve? If so, how
do
>>>> I resolve it?
>>>>
>>>
>>> Yes, you have a problem, to resolve it, you can either wait until 
>>> 4.3.0 comes out and then upgrade, you will then be able to transfer
>>> all 7 roles, or (I never said this) download the latest 4.3.0rc 
>>> tarball use the fsmo.py on your machine.
>>>
>>>
>>>> Incidentally, the link for " FSMO role management using
the Windows
>>>> GUI" on
>>>>
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles
>>>> is broken.
>>>
>>> Fixed
>>>
>>> Rowland
>>>>
>>>> regards,
>>>> John
>>>>
>>>
>>>
>>
>
> You are using a samba4 version less than 4.3.0 and as such 'samba-tool 
> fsmo' only knows about the 5 main FSMO roles, so it can only show, 
> transfer or seize these. There are another 2 FSMO roles, the DNS 
> infrastructure roles, which you are now telling us that you have moved 
> manually. From samba 4.3.0, 'samba-tool fsmo' will show, transfer
and
> seize all 7 FSMO roles, from the information, so if you use
'fsmo.py'
> from 4.3.0, you should be able to see if all the roles have transferred.
>
> If you don't want to use the latest 'fsmo.py', see here:
>
> https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
>
> Rowland
>

Reasonably Related Threads

Search for more seemingly similar threads

samba - Aug 2015 - Transfer of FSMO roles

[Samba] Transfer of FSMO roles

[Samba] Transfer of FSMO roles

[Samba] Transfer of FSMO roles

[Samba] Transfer of FSMO roles

Reasonably Related Threads