> I faced the same problem, solved it by adding the line
> import samba.drs_utils
> to the file fsmo.py.
>
> When building samba yourself, from within the base directory you can
> apply this patch file to do it for you:

Thank you Nobert. Indeed the line "import samba.drs_utils" is missing, although I'm using the repositories from Sernet. According to "samba-tool fsmo show", the roles were successfully transferred in spite of the error. Was the transfer completed, or can it be that something is missing? What about the DNS-entry "_msdcs->pdc->_tcp"? Isn't it an entry for the PDC? Because after I transferred the roles, this DNS-entry didn't change; I changed it manually.

Regards

Because I wanted to reinstall a DC1 (samba 4.3.11-SerNet, SLES 11 SP3 before reinstall) which owned all fsmo-roles, I transferred the roles to another DC2 (samba 4.6.6-SerNet, SLES 12 SP 2). As I wrote, all roles were transferred successfully, but with an error message. After demotion and reinstallation I joined DC1 with success again, but all SRV-entries (_kerberos, _ldap, _kpasswd) were not generated. When I list the replication on DC1, all connections under "INBOUND NEIGHBORS" show an error "WERR_DS_DRA_ACCESS_DENIED". The connections under "OUTBOUND NEIGHBORS" are with success. Can it be that the missing DNS-entries and the replication error have to do with the error when I transferred the fsmo-roles?

Regards

> After demotion and reinstallation I joined DC1 with success again, but all SRV-entries (_kerberos, _ldap, _kpasswd)
> were not generated.

SOLVED, everything works fine. The DNS-SRV-entries were not generated because, after transferring the roles, the SOA-entries for all zones still contained the old DC, which didn't exist anymore. I changed them to the new PDC. Same for the DNS-entry _msdcs->pdc. After this change the DCs wrote the missing entries into the DNS.

I had another problem with the tool "Active Directory Sites and Services". The information about the DCs was incomplete for the newly joined DCs. I compared the attribute list and saw that the attribute "serverReference" was empty. But a check with "ldbsearch" showed a value for this attribute (serverReferenceBL). It was as if the value had a hidden character the tool "Active Directory Sites and Services" couldn't interpret. After rewriting this value everything worked.
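
A way to check for the stale records described in the post above (zone SOA and the _msdcs pdc entry still naming a removed DC, and SRV entries missing for a joined DC), as an added example that is not part of the original thread. The record text is constructed dig-style output, and the host and zone names (`olddc`, `dc2`, `dc3`, `example.com`) and the `audit` helper are assumptions.

```python
import re

# Constructed sample (placeholder names): records as they might look after a
# role transfer when the SOA and pdc entries still point at the removed DC.
SAMPLE = """\
example.com. 3600 IN SOA olddc.example.com. hostmaster.example.com. 12 900 600 86400 3600
_msdcs.example.com. 3600 IN SOA olddc.example.com. hostmaster.example.com. 7 900 600 86400 3600
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 olddc.example.com.
_ldap._tcp.example.com. 900 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.example.com. 900 IN SRV 0 100 88 dc2.example.com.
_kpasswd._tcp.example.com. 900 IN SRV 0 100 464 dc2.example.com.
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(SOA|SRV)\s+(.+)$")
EXPECTED = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp")

def norm(name):
    return name.rstrip(".").lower()

def audit(records, live_dcs, pdc, domain):
    """Return (kind, owner, host) findings for stale or missing DC records."""
    live = {norm(d) for d in live_dcs}
    pdc, domain = norm(pdc), norm(domain)
    findings, srv = [], {}
    for line in records.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = norm(m.group(1)), m.group(2), m.group(3).split()
        if rtype == "SOA":
            # SOA MNAME (first rdata field) must be a DC that still exists.
            if norm(rdata[0]) not in live:
                findings.append(("stale-soa", owner, norm(rdata[0])))
        else:
            # SRV rdata: priority weight port target
            srv.setdefault(owner, set()).add(norm(rdata[3]))
    pdc_owner = f"_ldap._tcp.pdc._msdcs.{domain}"
    for target in sorted(srv.get(pdc_owner, ())):
        if target != pdc:
            findings.append(("stale-pdc-srv", pdc_owner, target))
    # Every live DC should have registered each expected SRV name.
    for dc in sorted(live):
        for prefix in EXPECTED:
            owner = f"{prefix}.{domain}"
            if dc not in srv.get(owner, set()):
                findings.append(("missing-srv", owner, dc))
    return findings
```
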