Hello all,

Have joined a new DC to an existing active directory consisting of a sole DC. So, we now have two domain controllers, the original being ad.DOMAIN.intranet (192.168.0.17), and the new one being DOMAIN-ad.DOMAIN.intranet (192.168.0.11). I want the new DC to become the FSMO role owner, so I followed the instructions here - https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles. The first five FSMO roles transferred successfully, but the domaindns and forestdns both failed to transfer:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet has no write property access > <>

So I tried adding the admin login details:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:

Looking online, I found someone fixed this by adding in "import samba.drs_utils" in the file "fsmo.py", which I've done. Running it again gets:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet'> <>

However, running "samba-tool fsmo show" shows that apparently the role is now owned by DOMAIN-ad, which is the intended outcome. So did the transfer work? Doing the same for forestdns gave the exact same result:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=forestdns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<class 'samba.drs_utils.drsException'>): Replication failed - drsException: DsReplicaSync failed (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 141, in transfer_dns_role
    NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

So checking the FSMO roles shows:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet

I can't see if the FSMO roles have definitely been transferred?

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all -U Administrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
This DC already has the 'domaindns' FSMO role
This DC already has the 'forestdns' FSMO role

Secondly, when running "Active Directory Users and Computers", it automatically connects to the old DC, and when I try to connect to the new DC, it just shows "Unavailable", and trying to connect to it anyway gets "The following Domain Controller could not be contacted: DOMAIN-ad.DOMAIN.intranet. The server is not operational." - how do I fix this issue?

Many thanks for your time!

With kind regards - Piers
On Mon, 25 Mar 2019 20:39:25 +0000
Piers Kittel via samba <samba@lists.samba.org> wrote:

> Hello all,
>
> Have joined a new DC to an existing active directory consisting of a
> sole DC. So, we now have two domain controllers, the original being
> ad.DOMAIN.intranet (192.168.0.17), and the new one being
> DOMAIN-ad.DOMAIN.intranet (192.168.0.11). I want the new DC to
> become the FSMO role owner, so I followed the instructions here -
> https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles.
> The first five FSMO roles transferred successfully, but the domaindns
> and forestdns both failed to transfer:
>
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all
> FSMO transfer of 'rid' role successful
> FSMO transfer of 'pdc' role successful
> FSMO transfer of 'naming' role successful
> FSMO transfer of 'infrastructure' role successful
> FSMO transfer of 'schema' role successful
> ERROR: Failed to delete role 'domaindns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet has no
> write property access > <>

When transferring the domaindns and/or forestdns FSMO roles, you must
supply authentication, I have updated the wikipage.

[...]

> So checking the FSMO roles show:
>
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
>
> I can't see if the FSMO roles have definitely been transferred?

It appears that they have been transferred, 'CN=DOMAIN-AD' is your new
DC's hostname in uppercase.

> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all -U Administrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> This DC already has the 'domaindns' FSMO role
> This DC already has the 'forestdns' FSMO role
>
> Secondly, when running "Active Directory Users and Computers", it
> automatically connects to the old DC, and when I try to connect to
> the new DC, it just shows "Unavailable" and trying to connect to it
> anyway gets "The following Domain Controller could not be contacted:
> DOMAIN-ad.DOMAIN.intranet. The server is not operational." - how do I
> fix this issue?

OK, if this doesn't settle down, try to transfer the roles back (this
time with authentication); if this helps, you should then be able to
transfer the roles to the new DC again.

Rowland
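Rowland's two points above (the DNS roles need explicit credentials, and the owner DN carries the hostname in upper case) are easier to check mechanically than by eyeballing seven long DNs. The script below is an added example written for this page; it is not part of the thread and not Samba's own tooling. It reads `samba-tool fsmo show` output on stdin and prints the `--role=` name of every role not owned by the DC you name, comparing case-insensitively so that host DOMAIN-ad matches CN=DOMAIN-AD. The DOMAIN/intranet names and the two sample listings are constructed to mirror the thread, not captured from a live DC.

```shell
#!/bin/sh
# Added example, not from the Samba project: parse `samba-tool fsmo show`
# output and list any role whose owner is not the DC we intended to hold it.
# The DOMAIN/intranet names and the sample listings below are constructed to
# mirror the mailing-list thread; they were not captured from a live DC.

# The seven roles `samba-tool fsmo show` prints, paired with the --role= name
# that `samba-tool fsmo transfer` expects for each.
FSMO_ROLES="SchemaMasterRole:schema InfrastructureMasterRole:infrastructure \
RidAllocationMasterRole:rid PdcEmulationMasterRole:pdc \
DomainNamingMasterRole:naming DomainDnsZonesMasterRole:domaindns \
ForestDnsZonesMasterRole:forestdns"

# fsmo_roles_not_owned_by DCNAME   (reads `samba-tool fsmo show` output on stdin)
# Prints the --role= name of every role not owned by DCNAME and returns 0 only
# when all seven are. The owner DN holds the hostname in upper case
# (CN=DOMAIN-AD for host DOMAIN-ad), so both sides are upper-cased first.
# A role that is missing from the listing counts as not owned.
fsmo_roles_not_owned_by() {
    want_dc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    show_out=$(cat)
    all_ok=0
    for entry in $FSMO_ROLES; do
        role=${entry%%:*}
        xfer=${entry#*:}
        # Owner line: "<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,..."
        owner=$(printf '%s\n' "$show_out" | grep "^$role owner: " \
                | sed 's/^[^:]*: //' | tr '[:lower:]' '[:upper:]')
        case "$owner" in
            "CN=NTDS SETTINGS,CN=$want_dc,CN=SERVERS,"*) ;;  # owned by the expected DC
            *) printf '%s\n' "$xfer"; all_ok=1 ;;             # missing, unparseable or elsewhere
        esac
    done
    return $all_ok
}

# Constructed sample: the state part-way through the thread, where the five
# classic roles have moved to DOMAIN-AD but both DNS roles still sit on the
# old DC (AD) because the transfer was attempted without credentials.
SHOW_BEFORE='SchemaMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet'

# Constructed sample: the end state Piers posted, all seven roles on DOMAIN-AD.
SHOW_AFTER=$(printf '%s\n' "$SHOW_BEFORE" | sed 's/CN=AD,/CN=DOMAIN-AD,/')

# Demonstration on the constructed "before" listing: prints the two DNS roles.
printf '%s\n' "$SHOW_BEFORE" | fsmo_roles_not_owned_by DOMAIN-ad \
    || echo "(roles listed above still need transferring)"

# Live use on the new DC (needs samba-tool; not exercised here):
#   samba-tool fsmo show | fsmo_roles_not_owned_by DOMAIN-ad
# Each name it prints is a role to move individually, with credentials:
#   samba-tool fsmo transfer --role=domaindns -U Administrator
```

An empty result with exit status 0 means all seven roles name the new DC. Because `samba-tool fsmo show` reads the local sam.ldb by default, a clean result on the new DC shows what that DC believes; run the same check on the old DC as well (or point samba-tool at it with its `-H` option) to confirm the change has replicated both ways before decommissioning anything.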
On Mon, Mar 25, 2019 at 5:14 PM Rowland Penny via samba <samba@lists.samba.org> wrote:

> When transferring the domaindns and/or forestdns FSMO roles, you must
> supply authentication, I have updated the wikipage.

There are a handful of other samba-tool commands that I noticed need authentication to work correctly. I haven't dug really deep into the Python code, but perhaps we could add an attribute to all of these commands to force the user to provide authentication?
On Mon, 2019-03-25 at 20:39 +0000, Piers Kittel via samba wrote:
> Hello all,
>
>
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 520, in run
>     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:
>
> Looking online, I found someone fixed this by adding in "import
> samba.drs_utils" in the file "fsmo.py" which I've done. Running it
> again gets:
>
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet'> <>

For this much, can you please file a bug? As an administrator you shouldn't need to be patching our python code. I've sent you a bugzilla invite to aid you in that.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT  https://catalyst.net.nz/services/samba