thr3ads.net - samba - [Samba] Unable to transfer ForestDns/DomainDNS [Jun 2016]

If this information is useful, please help other people find it:
Share via:

Jason Waters

2016-Jun-23 15:32 UTC

[Samba] Unable to transfer ForestDns/DomainDNS

This is what it returned.

root at DC01:/mnt# ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b
"CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local" -s
base
fsmoroleowner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local
fSMORoleOwner: CN=NTDS
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=fisherthompson,DC=local

# returned 1 records
# 1 entries
# 0 referrals


Looks right, right?  It almost seems like it is trying to delete it from
the Windows 2003 machine, but can't.  So I ran NetDOM /query FSMO on the
windows 2003 server and got this.

Schema owner                PDC.fisherthompson.local
Domain role owner           PDC.fisherthompson.local
PDC role                    PDC.fisherthompson.local
RID pool manager            PDC.fisherthompson.local
Infrastructure owner        PDC.fisherthompson.local
The command completed successfully.

So no DomainDNS or ForestDNS present.


On Thu, Jun 23, 2016 at 11:11 AM, Rowland penny <rpenny at samba.org>
wrote:
> On 23/06/16 13:37, Jason Waters wrote:
>
>> I'm working my way off of our Windows 2003 R2 Domain Server.  That
machine
>> is called PDC, sorry really bad planning so many years ago!  So my end
>> goal
>> is to have two samba4 domain controllers. They are setup and joined as
>> DC's, dc01 and dc02.  I have most of my files off of PDC but would
like to
>> keep it up for a little longer to make sure I have everything off of
>> there.
>>
>>
>> So I tried transferring all the roles.  The first 5 worked great, the
last
>> two, ForestDns/DomainDns fail with this error.
>>
>> root at DC01:~# samba-tool fsmo transfer --role=domaindns
-UAdministrator
>> Password for [FISHERTHOMPSON\Administrator]:
>> ERROR: Failed to delete role 'domaindns': LDAP error 16
>> LDAP_NO_SUCH_ATTRIBUTE -  <00002085: AtrErr: DSID-03151B93, #1:
>>          0: 00002085: DSID-03151B93, problem 1001
(NO_ATTRIBUTE_OR_VAL),
>> data 0, Att 90171 (fSMORoleOwner):len 286
>>
>>> <>
>>>
>> root at DC01:~# samba-tool fsmo transfer --role=forestdns
-UAdministrator
>> Password for [FISHERTHOMPSON\Administrator]:
>> ERROR: Failed to delete role 'forestdns': LDAP error 16
>> LDAP_NO_SUCH_ATTRIBUTE -  <00002085: AtrErr: DSID-03151B93, #1:
>>          0: 00002085: DSID-03151B93, problem 1001
(NO_ATTRIBUTE_OR_VAL),
>> data 0, Att 90171 (fSMORoleOwner):len 286
>>
>>> <>
>>>
>>
>> Ideally I would get the transfer to just work, but if I can't do
that then
>> I have a question about the path forward.  Since I would like to keep
the
>> PDC up, do I run dcpromo on PDC(Win2003) and get it out of the domain
and
>> then do the samba-tool fsmo seize, or the other way around?  Or
doesn't it
>> matter?  My concern is the big scary messages about NEVER EVER start
the
>> machine again that you seized the fsmo from for fear of your entire AD
>> blowing up and zombie apocalypse starting.  But I thought once you run
the
>> dcpromo and demote the DC active directory is gone and then it
won't break
>> AD on the good domain.
>>
>> So if you could
>>
>> 1.  Help me resolve my issue so I can do the transfer, that would be
>> awesome.
>>
>> 2. If that doesn't work, tell me the correct order of seize and
dcpromo.
>>
>> Thanks for the help!
>>
>> Jason
>> irc: jch2os
>>
>>
>> Some information about the samba dc's
>>
>> Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-88-generic x86_64)
>>
>> root at DC01:~# samba-tool domain level show
>> Domain and forest function level for domain
'DC=fisherthompson,DC=local'
>>
>> Forest function level: (Windows) 2003
>> Domain function level: (Windows) 2003
>> Lowest function level of a DC: (Windows) 2003
>>
>>
>> root at DC01:~# dpkg -l |grep samba
>> ii  python-samba                        2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   amd64        Python bindings for Samba
>> ii  samba                               2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   amd64        SMB/CIFS file, print, and login server for Unix
>> ii  samba-common                        2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   all          common files used by both the Samba server and client
>> ii  samba-common-bin                    2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   amd64        Samba common files used by both the server and the
client
>> ii  samba-dsdb-modules                  2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   amd64        Samba Directory Services Database
>> ii  samba-libs:amd64                    2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   amd64        Samba core libraries
>> ii  samba-vfs-modules                   2:4.3.9+dfsg-0ubuntu0.14.04.3
>>   amd64        Samba Virtual FileSystem plugins
>> root at DC01:~# samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> InfrastructureMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> RidAllocationMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> PdcEmulationMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> DomainNamingMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> DomainDnsZonesMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>> ForestDnsZonesMasterRole owner: CN=NTDS
>>
>>
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fisherthompson,DC=local
>>
>
> The error seems to say it all: 'LDAP_NO_SUCH_ATTRIBUTE' at this
point
> fsmo.py is trying to delete the 'fsMORoleOwner' attribute and its
contents,
> but for some reason it is saying it isn't there.
>
> Can you run this command on the DC you are trying to transfer the FSMO
> roles to:
>
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local"
-s base
> fsmoroleowner
>
> It should produce something like this:
>
> root at dc1:~# ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"
-s base
> fsmoroleowner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
>  N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Rowland
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Rowland penny

2016-Jun-23 16:38 UTC

head link

[Samba] Unable to transfer ForestDns/DomainDNS

On 23/06/16 16:32, Jason Waters wrote:> This is what it returned.
>
> root at DC01:/mnt# ldbsearch --cross-ncs -H 
> /var/lib/samba/private/sam.ldb -b 
> "CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local"
-s
> base fsmoroleowner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local
> fSMORoleOwner: CN=NTDS 
> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,C
>  N=Sites,CN=Configuration,DC=fisherthompson,DC=local
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Looks right, right?  It almost seems like it is trying to delete it 
> from the Windows 2003 machine, but can't.  So I ran NetDOM /query FSMO 
> on the windows 2003 server and got this.
>
> Schema owner                PDC.fisherthompson.local
> Domain role owner           PDC.fisherthompson.local
> PDC role                    PDC.fisherthompson.local
> RID pool manager            PDC.fisherthompson.local
> Infrastructure owner        PDC.fisherthompson.local
> The command completed successfully.
>
> So no DomainDNS or ForestDNS present.
>
>
Unfortunately that doesn't mean anything, the windows tools only seem to 
known about the five main FSMO roles (as did samba-tool up until 4.3.0)

Try this command, it should end with the word 'SUCCESS'

samba-tool ldapcmp ldap://dc01 ldap://pdc dnsdomain

Does the windows DC run a DNS server ?

Rowland

Jason Waters

2016-Jun-23 16:49 UTC

head link

[Samba] Unable to transfer ForestDns/DomainDNS

I did not get SUCCESS!

root at DC01:/mnt# samba-tool ldapcmp ldap://dc01 ldap://pdc dnsdomain

* Comparing [DNSDOMAIN] context...

* Objects to be compared: 188

Comparing:
'CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local'
[ldap://dc01]
'CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local'
[ldap://pdc]
    Attributes found only in ldap://dc01:
        fSMORoleOwner
    Difference in attribute values:
        whenChanged =>
['20160622133653.0Z']
['20160621205006.0Z']
    FAILED

Comparing:
'CN=MicrosoftDNS,DC=DomainDnsZones,DC=fisherthompson,DC=local'
[ldap://dc01]
'CN=MicrosoftDNS,DC=DomainDnsZones,DC=fisherthompson,DC=local'
[ldap://pdc]
    Attributes found only in ldap://dc01:
        distinguishedName
        cn
        objectCategory
        objectClass
        objectGUID
        showInAdvancedViewOnly
        whenCreated
        whenChanged
        instanceType
        name
    FAILED

* Result for [DNSDOMAIN]: FAILURE

SUMMARY
---------

Attributes found only in ldap://dc01:

    distinguishedName
    cn
    objectCategory
    objectClass
    fSMORoleOwner
    objectGUID
    showInAdvancedViewOnly
    whenCreated
    whenChanged
    instanceType
    name

Attributes with different values:

    whenChanged
ERROR: Compare failed: -1


On Thu, Jun 23, 2016 at 12:38 PM, Rowland penny <rpenny at samba.org>
wrote:
> On 23/06/16 16:32, Jason Waters wrote:
>
>> This is what it returned.
>>
>> root at DC01:/mnt# ldbsearch --cross-ncs -H
/var/lib/samba/private/sam.ldb
>> -b
"CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local" -s
base
>> fsmoroleowner
>> # record 1
>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=fisherthompson,DC=local
>> fSMORoleOwner: CN=NTDS
>> Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,C
>>  N=Sites,CN=Configuration,DC=fisherthompson,DC=local
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>>
>> Looks right, right?  It almost seems like it is trying to delete it
from
>> the Windows 2003 machine, but can't.  So I ran NetDOM /query FSMO
on the
>> windows 2003 server and got this.
>>
>> Schema owner                PDC.fisherthompson.local
>> Domain role owner           PDC.fisherthompson.local
>> PDC role                    PDC.fisherthompson.local
>> RID pool manager            PDC.fisherthompson.local
>> Infrastructure owner        PDC.fisherthompson.local
>> The command completed successfully.
>>
>> So no DomainDNS or ForestDNS present.
>>
>>
>>
> Unfortunately that doesn't mean anything, the windows tools only seem
to
> known about the five main FSMO roles (as did samba-tool up until 4.3.0)
>
> Try this command, it should end with the word 'SUCCESS'
>
> samba-tool ldapcmp ldap://dc01 ldap://pdc dnsdomain
>
> Does the windows DC run a DNS server ?
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Maybe Matching Threads

Search for more possibly parallel threads

samba - Jun 2016 - Unable to transfer ForestDns/DomainDNS

[Samba] Unable to transfer ForestDns/DomainDNS

[Samba] Unable to transfer ForestDns/DomainDNS

[Samba] Unable to transfer ForestDns/DomainDNS

Maybe Matching Threads