On Wed, 2021-11-10 at 17:51 +0100, Christian via samba
wrote:> Hello all,
>
> I just try to add some new DCs to an old single DC samba4 domain.
> Because we want to remove the old DC we try to transfer all FSMO
> roles
> to one of the new DCs.
>
> The old Server was named svr9 (samba version 4.1.17) and the new one
> is
> named madc1 (samba version 4.11.6-Ubuntu)
>
> When i try to transfer the dns fsmo roles i get the following error:
>
> root at madc1:~# samba-tool fsmo transfer --username=Administrator
> --role=domaindns
> Password for [MyDom\Administrator]:
> ERROR: Failed to add role 'domaindns': LDAP error 16
> LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no
matching
> attribute value while deleting attribute on
> 'CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de'>
<>
>
>
> All other fsmo roles got transfered to the new dc without problems:
>
> root at madc1:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC>
ad,DC=mydom,DC=de
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC>
ad,DC=mydom,DC=de
>
>
> On the old Server i don't see the dns roles when running samba-tool
> fsmo
> show:
>
> root at svr9:/usr/local/samba4# samba-tool fsmo show
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=MADC1,CN=Servers,CN=Mannheim,CN=Sites,CN=Configuration,DC
> =ad,DC=mydom,DC=de
>
> On the old DC everything looks ok to me on the first look:
>
> ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb
> '(fsmoroleowner=*)' | grep 'dn:'
>
> dn: CN=Schema,CN=Configuration,DC=ad,DC=mydom,DC=de
> dn: CN=Partitions,CN=Configuration,DC=ad,DC=mydom,DC=de
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom,DC=de
> dn: DC=ad,DC=mydom,DC=de
> dn: CN=RID Manager$,CN=System,DC=ad,DC=mydom,DC=de
> dn: CN=Infrastructure,DC=ad,DC=mydom,DC=de
>
> ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb -b
> 'DC=DomainDnsZones,DC=ad,DC=mydom,DC=de' -s sub
'(cn=Infrastructure)'
>
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom,DC=de
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20140807081632.0Z
> whenChanged: 20140807081632.0Z
> uSNCreated: 3625
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 64d605b9-919b-4905-8f44-854cd48fde2c
> systemFlags: -1946157056
> objectCategory:
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=ad,DC=m
> ydom,DC=de
> isCriticalSystemObject: TRUE
> fSMORoleOwner: CN=NTDS
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Con
> figuration,DC=ad,DC=mydom,DC=de
> uSNChanged: 3634
> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=ad,DC=mydom
> ,DC=de
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> ldbsearch --cross-ncs -H /usr/local/samba4/private/sam.ldb -b
> 'DC=ForestDnsZones,DC=ad,DC=mydom,DC=de' -s sub
'(cn=Infrastructure)'
> # record 1
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom,DC=de
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20140807081632.0Z
> whenChanged: 20140807081632.0Z
> uSNCreated: 3629
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 28e8ede3-36e1-4561-87a9-5effd0101fb4
> systemFlags: -1946157056
> objectCategory:
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=ad,DC=m
> ydom,DC=de
> isCriticalSystemObject: TRUE
> fSMORoleOwner: CN=NTDS
> Settings,CN=SVR9,CN=Servers,CN=Mannheim,CN=Sites,CN=Con
> figuration,DC=ad,DC=mydom,DC=de
> uSNChanged: 3635
> distinguishedName: CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=mydom
> ,DC=de
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Is this because of the really old samba version on the old DC?
Could be, 4.1.17 is very old and now 4.11.6 is just old as far as Samba
is concerned :-D
> How can i transfer those fsmo roles to the new DC?
Try seizing them to a new DC (you will have to use '--force'), but only
do this if the old DC is being removed.
Rowland