Rowland Penny
2025-Jun-23 10:32 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
On Mon, 23 Jun 2025 21:57:23 +1200 Daniel Christie via samba <samba at lists.samba.org> wrote:

> I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
> So far all seems to have gone well. And right now I am having an
> issue with transferring the FSMO roles to the new DC. My first
> correct attempt went like this
>
> *localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all*
> *FSMO transfer of 'rid' role successful*
> *FSMO transfer of 'pdc' role successful*
> *FSMO transfer of 'naming' role successful*
> *FSMO transfer of 'infrastructure' role successful*
> *FSMO transfer of 'schema' role successful*
> *ERROR: Failed to add role 'domaindns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no
> write property access*
> *> <>*
>
> After that I figured out (I think) how to define the user that needs
> to run the transfer process for those 2 naming contexts, so I ran
> again and then got another error
>
> *localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all -U
> adm_daniel*
> *This DC already has the 'rid' FSMO role*
> *This DC already has the 'pdc' FSMO role*
> *This DC already has the 'naming' FSMO role*
> *This DC already has the 'infrastructure' FSMO role*
> *This DC already has the 'schema' FSMO role*
> *Password for [DOMAIN\administrator]:*
> *ERROR: Failed to add role 'domaindns': LDAP error 16
> LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching
> attribute value while deleting attribute on
> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'> <>*
>

Let's start by checking for the 'missing' attribute, what does this search return:

sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub '(fSMORoleOwner=*)' fSMORoleOwner

Rowland
Daniel Christie
2025-Jun-23 10:54 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
*sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b 'CN=infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub '(fSMORoleOwner=*)' fSMORoleOwner*

# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configu
 ration,DC=home,DC=krust,DC=kiwi

# returned 1 records
# 1 entries
# 0 referrals
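
The search result above names CN=DC1 inside the fSMORoleOwner value, so the DomainDnsZones infrastructure role is still recorded against DC1. As an added example (not part of either poster's message and not Samba's own tooling), the following shell functions unfold the wrapped LDIF lines that ldbsearch prints and check the recorded owner against an expected DC; the function names `fsmo_owners`, `role_held_by` and `sample_ldif` are hypothetical.

```shell
#!/bin/sh
# Print "<object dn><TAB><owning server>" for each fSMORoleOwner in LDIF on stdin.
# LDIF folds long lines: a line starting with one space continues the previous one.
fsmo_owners() {
    awk '
        /^ /   { buf = buf substr($0, 2); next }    # folded continuation line
               { emit(buf); buf = $0 }
        END    { emit(buf) }
        function emit(line) {
            if (line ~ /^dn: /) dn = substr(line, 5)
            else if (line ~ /^fSMORoleOwner: /) {
                owner = substr(line, 16)
                # owner DN is CN=NTDS Settings,CN=<server>,CN=Servers,...
                sub(/^CN=NTDS Settings,CN=/, "", owner)
                sub(/,.*/, "", owner)
                print dn "\t" owner
            }
        }
    '
}

# Succeed only if every role owner found on stdin is the expected DC.
# Real use (assumption): sudo ldbsearch ... fSMORoleOwner | role_held_by DC2
role_held_by() {
    expected=$1
    fsmo_owners | awk -F'\t' -v want="$expected" '
        { n++
          if (toupper($2) != toupper(want)) {
              bad = 1
              print "owner of " $1 " is " $2 ", not " want
          } }
        END { exit (bad || n == 0) ? 1 : 0 }'
}

# Sample input: the record from the reply above, including its folded line.
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configu
 ration,DC=home,DC=krust,DC=kiwi
EOF
}

sample_ldif | role_held_by DC2 || echo "role is not yet recorded against DC2"
```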