I have the Active Directory domain with Windows 2008 R2 domain controller and Samba domain controller on CentOS 7. Samba is 4.3.5 (self-compiled). Forest and domain levels are Windows 2008 R2.
After joining Samba to the domain as the domain controller there were no DC=ForestDnsZones and DC=DomainDnsZones records on "OUTBOUND NEIGHBORS". I fixed it with ntdsutil, as it's written here (https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting).

My goal now is to remove Windows DC from the domain and leave Samba as the only domain controller.
At this time I can't find the way to transfer ForestDNS and DomainDNS FSMO roles from Windows DC to Samba (other roles transferred successfully).
(dc01 - is a Windows DC, linux01 - Samba DC)

[root at linux01 ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
InfrastructureMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
RidAllocationMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
DomainNamingMasterRole owner: CN=NTDS Settings,CN=LINUX01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd

If I try to transfer domaindns and forestdns roles samba-tool fails (with different errors) and "samba-tool fsmo show" fails permanently after that:

[root at linux01 ~]# samba-tool fsmo transfer --role=domaindns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to add role 'domaindns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0> <>

[root at linux01 ~]# samba-tool fsmo transfer --role=domaindns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <00002085: AtrErr: DSID-03151EF2, #1: 0: 00002085: DSID-03151EF2, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 90171 (fSMORoleOwner):len 270> <>

[root at linux01 ~]# samba-tool fsmo transfer --role=forestdns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to add role 'forestdns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0> <>

[root at linux01 ~]# samba-tool fsmo transfer --role=forestdns -Uadministrator
Password for [COMPANY1\administrator]:
ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <00002085: AtrErr: DSID-03151EF2, #1: 0: 00002085: DSID-03151EF2, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 90171 (fSMORoleOwner):len 270

[root at linux01 ~]# samba-tool fsmo show
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 396, in run
    domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 43, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

I tried Samba 4.4.0rc5 with same result. I also tried this process on Samba-only AD domain and transfer worked correctly.
What is the correct way to transfer DomainDnsZonesMasterRole and ForestDnsZonesMasterRole to Samba?

Kind regards,

Daniil Landau

On 21/03/16 15:44, Landau Daniil wrote:
> What is the correct way to transfer DomainDnsZonesMasterRole and ForestDnsZonesMasterRole to Samba?
>
> Kind regards,
>
> Daniil Landau

Have you tried seizing the roles?

samba-tool fsmo seize --force --role=domaindns -Uadministrator --password=<adminpass>

Rowland

Thank you, seizing helped!

Daniil Landau

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
Sent: Monday, March 21, 2016 7:16 PM
To: samba at lists.samba.org
Subject: Re: [Samba] transfer FSMO roles from Windows DC

Have you tried seizing the roles?

samba-tool fsmo seize --force --role=domaindns -Uadministrator --password=<adminpass>

Rowland
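
A pre-decommission check for the situation in this thread, as an added example that is not part of the original messages or of Samba itself: the hypothetical `fsmo_check` function reads `samba-tool fsmo show` output on stdin and reports every role that is not held by the DC meant to remain, or that is absent from the output. The role labels are the ones printed in the thread; the sample input is constructed from that output.

```shell
#!/bin/sh
# Added example (not from the thread): verify FSMO ownership before the
# Windows DC is removed. Feed it the output of `samba-tool fsmo show`.

# The seven role labels exactly as `samba-tool fsmo show` prints them above.
FSMO_ROLES="SchemaMasterRole InfrastructureMasterRole RidAllocationMasterRole
PdcEmulationMasterRole DomainNamingMasterRole DomainDnsZonesMasterRole
ForestDnsZonesMasterRole"

# fsmo_check EXPECTED_DC (hypothetical helper)
# Prints one line per problem and returns 1 if any role is held elsewhere
# or is missing from the input, e.g. because `fsmo show` aborted part-way.
fsmo_check() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    input=$(cat)
    problems=0
    for role in $FSMO_ROLES; do
        line=$(printf '%s\n' "$input" | grep "^$role owner: " | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING $role"
            problems=$((problems + 1))
            continue
        fi
        # Owner DN is "CN=NTDS Settings,CN=<server>,CN=Servers,..."; keep <server>.
        holder=$(printf '%s\n' "$line" |
            sed -n 's/^[^:]*: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' |
            tr '[:lower:]' '[:upper:]')
        if [ "$holder" != "$expected" ]; then
            echo "HELD_BY ${holder:-UNPARSED} $role"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample reproducing the ownership shown before the seize.
SAMPLE_SUFFIX="CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company1,DC=dd"
sample_before_seize() {
    for r in SchemaMasterRole InfrastructureMasterRole RidAllocationMasterRole \
             PdcEmulationMasterRole DomainNamingMasterRole; do
        echo "$r owner: CN=NTDS Settings,CN=LINUX01,$SAMPLE_SUFFIX"
    done
    for r in DomainDnsZonesMasterRole ForestDnsZonesMasterRole; do
        echo "$r owner: CN=NTDS Settings,CN=DC01,$SAMPLE_SUFFIX"
    done
}
```

On a live DC the call would be `samba-tool fsmo show | fsmo_check linux01`; a non-zero exit status means the remaining DC does not yet hold every role.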