samba - Oct 2021 - Transfer FSMO roles to a new DC

El 29 de octubre de 2021 13:09:29 GMT-04:00, Rowland Penny via samba <samba
at lists.samba.org> escribi?:
>On Fri, 2021-10-29 at 12:36 -0400, Rommel Rodriguez Toirac via samba
>wrote:
>>  Hello all;
>> 
>> I have join a new domain controller [gtmad2](Ubuntu with samba4
>> version 4.14.8) to a Samba4 Domain (main DC version 4.14.3 in
>> CentOS8)[gtmad1].
>>  I want to replace the samba-4.14.3 (CentOS8)[host name gtmad1] and I
>> have  transferered the FSMO roles to the new one samba-4.14.8 (Ubuntu
>> 20.04)[hostname gtmad2]
>> 
>>  Here the transfer commands:
>> 
>> root at gtmad2:~# samba-tool fsmo transfer --role=rid             
>> FSMO transfer of 'rid' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=pdc
>> FSMO transfer of 'pdc' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=infrastructure
>> FSMO transfer of 'infrastructure' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=schema        
>> FSMO transfer of 'schema' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=naming
>> FSMO transfer of 'naming' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=domaindns
>> -UAdministrator
>> Password for [ATGTM00\Administrator]:
>> FSMO transfer of 'domaindns' role successful
>> root at gtmad2:~# samba-tool fsmo transfer --role=forestdns
>> -UAdministrator
>> Password for [ATGTM00\Administrator]:
>> FSMO transfer of 'forestdns' role successful
>> 
>>  All transfer were successful, but when I check I have a problem. 
>>  From the new DC [gtmad2] still look the other DC [gtmad1] as owner
>> of the FSMO roles and from gtmad1 it look to gtmad2 like the FSMO
>> roles owner.
>> 
>> root at gtmad2:~# samba-tool fsmo
>> show                                     
>> SchemaMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> InfrastructureMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> RidAllocationMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> PdcEmulationMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainNamingMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> ForestDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> root at gtmad2:~#
>> 
>> [root at gtmad1 samba]# samba-tool fsmo show
>> ldb_wrap open of secrets.ldb
>> SchemaMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> InfrastructureMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> RidAllocationMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> PdcEmulationMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainNamingMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> DomainDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> ForestDnsZonesMasterRole owner: CN=NTDS
>> Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
>> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
>> [root at gtmad1 samba]#
>> 
>> 
>>  What could be possible to to be wrong?
>>  Any ideas?
>
>Well, that is weird, first thought was faulty replication, but it has
>replicated to the old DC and isn't showing on the new DC.
>
>I have checked on my DC's and the rid FSMO transferred OK. I would
>check if the FSMO roles are still showing as being on two DC's (if you
>have more than two DC's, check those as well). If they are, try
>transferring them back and see what happens. If they do transfer back,
>you need to examine gtmad2 to see if there is anything wrong with that.
>
>Rowland
> 
>
>

 Thanks Rowland to write me back.

 The third DC [hostname gtmad] also sees gtmad1 as the owner of the FSMO roles.

[root at gtmad ~]# samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole has no current owner
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
DomainDnsZonesMasterRole has no current owner
ForestDnsZonesMasterRole has no current owner
[root at gtmad ~]#


 I have to check gtmad2 (the new Domain Controller added to domain). For
Eixample? what to check?


-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu

On Fri, 2021-10-29 at 13:23 -0400, Rommel Rodriguez Toirac via samba
wrote:
> El 29 de octubre de 2021 13:09:29 GMT-04:00, Rowland Penny via samba
> <samba at lists.samba.org> escribi?:
> > On Fri, 2021-10-29 at 12:36 -0400, Rommel Rodriguez Toirac via
> > samba
> > wrote:
> > >  Hello all;
> > > 
> > > I have join a new domain controller [gtmad2](Ubuntu with samba4
> > > version 4.14.8) to a Samba4 Domain (main DC version 4.14.3 in
> > > CentOS8)[gtmad1].
> > >  I want to replace the samba-4.14.3 (CentOS8)[host name gtmad1]
> > > and I
> > > have  transferered the FSMO roles to the new one samba-4.14.8
> > > (Ubuntu
> > > 20.04)[hostname gtmad2]
> > > 
> > >  Here the transfer commands:
> > > 
> > > root at gtmad2:~# samba-tool fsmo transfer --role=rid
> > > FSMO transfer of 'rid' role successful
> > > root at gtmad2:~# samba-tool fsmo transfer --role=pdc
> > > FSMO transfer of 'pdc' role successful
> > > root at gtmad2:~# samba-tool fsmo transfer --role=infrastructure
> > > FSMO transfer of 'infrastructure' role successful
> > > root at gtmad2:~# samba-tool fsmo transfer --role=schema        
> > > FSMO transfer of 'schema' role successful
> > > root at gtmad2:~# samba-tool fsmo transfer --role=naming
> > > FSMO transfer of 'naming' role successful
> > > root at gtmad2:~# samba-tool fsmo transfer --role=domaindns
> > > -UAdministrator
> > > Password for [ATGTM00\Administrator]:
> > > FSMO transfer of 'domaindns' role successful
> > > root at gtmad2:~# samba-tool fsmo transfer --role=forestdns
> > > -UAdministrator
> > > Password for [ATGTM00\Administrator]:
> > > FSMO transfer of 'forestdns' role successful
> > > 
> > >  All transfer were successful, but when I check I have a
> > > problem. 
> > >  From the new DC [gtmad2] still look the other DC [gtmad1] as
> > > owner
> > > of the FSMO roles and from gtmad1 it look to gtmad2 like the FSMO
> > > roles owner.
> > > 
> > > root at gtmad2:~# samba-tool fsmo
> > > show                                     
> > > SchemaMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > InfrastructureMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > RidAllocationMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > PdcEmulationMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > DomainNamingMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > DomainDnsZonesMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > ForestDnsZonesMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > root at gtmad2:~#
> > > 
> > > [root at gtmad1 samba]# samba-tool fsmo show
> > > ldb_wrap open of secrets.ldb
> > > SchemaMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > InfrastructureMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > RidAllocationMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > PdcEmulationMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > DomainNamingMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > DomainDnsZonesMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > ForestDnsZonesMasterRole owner: CN=NTDS
> > > Settings,CN=GTMAD2,CN=Servers,CN=Default-First-Site-
> > > Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> > > [root at gtmad1 samba]#
> > > 
> > > 
> > >  What could be possible to to be wrong?
> > >  Any ideas?
> > 
> > Well, that is weird, first thought was faulty replication, but it
> > has
> > replicated to the old DC and isn't showing on the new DC.
> > 
> > I have checked on my DC's and the rid FSMO transferred OK. I would
> > check if the FSMO roles are still showing as being on two DC's (if
> > you
> > have more than two DC's, check those as well). If they are, try
> > transferring them back and see what happens. If they do transfer
> > back,
> > you need to examine gtmad2 to see if there is anything wrong with
> > that.
> > 
> > Rowland
> > 
> > 
> > 
> 
>  Thanks Rowland to write me back.
> 
>  The third DC [hostname gtmad] also sees gtmad1 as the owner of the
> FSMO roles.
> 
> [root at gtmad ~]# samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> SchemaMasterRole has no current owner
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=GTMAD1,CN=Servers,CN=Default-First-Site-
> Name,CN=Sites,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=cu
> DomainDnsZonesMasterRole has no current owner
> ForestDnsZonesMasterRole has no current owner
> [root at gtmad ~]#
I would try transferring the roles back to the original DC, then check
the new DC
> 
> 
>  I have to check gtmad2 (the new Domain Controller added to domain).
> For Eixample? what to check?
The usual dns things, /etc/hostname, etc/hosts, /etc/resolv.conf
You should also check the database with samba-tool.

If you cannot find anything wrong, I would demote the new DC and start
again.

Rowland