Daniel Christie
2025-Jun-23 10:54 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b 'CN=infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub '(fSMORoleOwner=*)' fSMORoleOwner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configu
 ration,DC=home,DC=krust,DC=kiwi

# returned 1 records
# 1 entries
# 0 referrals

On Mon, 23 Jun 2025 at 22:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 23 Jun 2025 21:57:23 +1200
> Daniel Christie via samba <samba at lists.samba.org> wrote:
>
> > I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
> > So far all seems to have gone well. And right now I am having an
> > issue with transferring the FSMO roles to the new DC. My first
> > correct attempt went like this
> >
> > localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all
> > FSMO transfer of 'rid' role successful
> > FSMO transfer of 'pdc' role successful
> > FSMO transfer of 'naming' role successful
> > FSMO transfer of 'infrastructure' role successful
> > FSMO transfer of 'schema' role successful
> > ERROR: Failed to add role 'domaindns': LDAP error 50
> > LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> > CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no
> > write property access>
> >
> > After that I figured out (I think) how to define the user that needs
> > to run the transfer process for those 2 naming contexts, so I ran
> > again and then got another error
> >
> > localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all -U adm_daniel
> > This DC already has the 'rid' FSMO role
> > This DC already has the 'pdc' FSMO role
> > This DC already has the 'naming' FSMO role
> > This DC already has the 'infrastructure' FSMO role
> > This DC already has the 'schema' FSMO role
> > Password for [DOMAIN\administrator]:
> > ERROR: Failed to add role 'domaindns': LDAP error 16
> > LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching
> > attribute value while deleting attribute on
> > 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'>
> >
>
> Let's start by checking for the 'missing' attribute, what does this
> search return:
>
> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
> '(fSMORoleOwner=*)' fSMORoleOwner
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Daniel Christie
2025-Jun-24 11:38 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
Today I retried samba-tool to transfer but still same error... then I tried to update the attribute within adsiedit again and that worked, and can confirm the roles show correctly as being on the new server with the samba-tool fsmo show command. Is there anything else I need to worry about since I did this in adsiedit, or is that effectively the same as changing from samba-tool?

On Mon, 23 Jun 2025 at 22:54, Daniel Christie <dchristienz at gmail.com> wrote:
> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
> '(fSMORoleOwner=*)' fSMORoleOwner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=DC1,CN=Servers,CN=site,CN=Sites,CN=Configu
> ration,DC=home,DC=domain,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> On Mon, 23 Jun 2025 at 22:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 23 Jun 2025 21:57:23 +1200
>> Daniel Christie via samba <samba at lists.samba.org> wrote:
>>
>> > I have 2 samba DCs, wanting to migrate fully from DC1 to DC2.
>> > So far all seems to have gone well. And right now I am having an
>> > issue with transferring the FSMO roles to the new DC. My first
>> > correct attempt went like this
>> >
>> > localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all
>> > FSMO transfer of 'rid' role successful
>> > FSMO transfer of 'pdc' role successful
>> > FSMO transfer of 'naming' role successful
>> > FSMO transfer of 'infrastructure' role successful
>> > FSMO transfer of 'schema' role successful
>> > ERROR: Failed to add role 'domaindns': LDAP error 50
>> > LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
>> > CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com has no
>> > write property access>
>> >
>> > After that I figured out (I think) how to define the user that needs
>> > to run the transfer process for those 2 naming contexts, so I ran
>> > again and then got another error
>> >
>> > localadmin at dc2:~$ sudo samba-tool fsmo transfer --role=all -U adm_daniel
>> > This DC already has the 'rid' FSMO role
>> > This DC already has the 'pdc' FSMO role
>> > This DC already has the 'naming' FSMO role
>> > This DC already has the 'infrastructure' FSMO role
>> > This DC already has the 'schema' FSMO role
>> > Password for [DOMAIN\administrator]:
>> > ERROR: Failed to add role 'domaindns': LDAP error 16
>> > LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching
>> > attribute value while deleting attribute on
>> > 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com'>
>> >
>>
>> Let's start by checking for the 'missing' attribute, what does this
>> search return:
>>
>> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
>> 'CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
>> '(fSMORoleOwner=*)' fSMORoleOwner
>>
>> Rowland
Rowland Penny
2025-Jun-25 09:12 UTC
[Samba] transferring FSMO to new DC failing with domaindns and forestdns
On Mon, 23 Jun 2025 22:54:01 +1200
Daniel Christie via samba <samba at lists.samba.org> wrote:

Sorry to be a bit late in replying, but I have been trying to get my head around code I wrote 10 years ago.

> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com' -s sub
> '(fSMORoleOwner=*)' fSMORoleOwner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
> fSMORoleOwner: CN=NTDS
> Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configu
> ration,DC=home,DC=krust,DC=kiwi

Is that bad sanitising? 'DC=home,DC=domain,DC=com' in the DN has become 'DC=home,DC=krust,DC=kiwi' in the attribute; if it isn't, then that is probably your problem.

If all else fails try seizing the domaindns and forestdns roles to the new DC and then demote the old DC.

NOTE: You will have to use '--force' with the seize command, or it will try to transfer the role first.

Rowland
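The check Rowland is doing by eye above (does the fSMORoleOwner on the DNS partition's Infrastructure object exist at all, and does it point at an NTDS Settings object in the same forest as the partition?) can be automated over the ldbsearch output. The script below is an added example, not code from the thread or from the Samba project. It assumes only the LDIF layout ldbsearch prints (comment lines starting with `#`, attribute lines, and long values folded onto continuation lines that start with one space). The three sample outputs are constructed and reuse the thread's sanitised placeholder DNs; feed it real output with `sudo ldbsearch ... fSMORoleOwner | python3 check_fsmo_owner.py` (the file name is hypothetical).

```python
"""Sanity-check the fSMORoleOwner of a DNS partition's Infrastructure object.

Added example (not Samba project code). It parses ldbsearch LDIF, unfolds
continuation lines, and classifies the role owner as one of:
  missing   - no fSMORoleOwner value (the state behind LDAP_NO_SUCH_ATTRIBUTE)
  mismatch  - owner is not an NTDS Settings object in the partition's forest
  ok        - owner is an NTDS Settings object under the same DC= suffix
"""

import re
import sys
from typing import Dict, List, Optional

# Constructed samples modelled on the thread's output; DNs are placeholders.
SAMPLE_MISMATCH = """# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Mears,CN=Sites,CN=Configu
 ration,DC=home,DC=krust,DC=kiwi

# returned 1 records
# 1 entries
# 0 referrals
"""

SAMPLE_OK = """# record 1
dn: CN=Infrastructure,DC=ForestDnsZones,DC=home,DC=domain,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=site,CN=Sites,CN=Configu
 ration,DC=home,DC=domain,DC=com

# returned 1 records
"""

SAMPLE_MISSING = """# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=home,DC=domain,DC=com

# returned 1 records
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldbsearch LDIF into one {attribute: [values]} dict per entry."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue  # "# record 1", "# returned 1 records", ...
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dc_components(dn: str) -> List[str]:
    """Lower-cased DC= values of a DN, in order, e.g. ['home', 'domain', 'com']."""
    return [m.group(1).lower() for m in re.finditer(r"(?i)DC=([^,]+)", dn)]


def check_role_owner(ldif_text: str) -> Dict[str, Optional[str]]:
    """Classify the fSMORoleOwner of the first entry in the LDIF text."""
    entries = parse_entries(ldif_text)
    if not entries or "dn" not in entries[0]:
        return {"status": "no-entry", "dn": None, "owner": None, "holder": None}
    entry = entries[0]
    dn = entry["dn"][0]
    owners = entry.get("fSMORoleOwner", [])
    if not owners:
        return {"status": "missing", "dn": dn, "owner": None, "holder": None}
    owner = owners[0]
    # The owner must be the NTDS Settings object of a DC; the server name is the
    # next RDN, e.g. CN=NTDS Settings,CN=DC1,CN=Servers,...
    m = re.match(r"(?i)CN=NTDS Settings,CN=([^,]+),", owner)
    holder = m.group(1) if m else None
    # The partition DN (DC=DomainDnsZones,DC=home,...) must end with the owner's
    # DC= suffix (...,CN=Configuration,DC=home,...); otherwise it names another forest.
    obj_dcs, owner_dcs = dc_components(dn), dc_components(owner)
    same_forest = bool(owner_dcs) and obj_dcs[-len(owner_dcs):] == owner_dcs
    status = "ok" if (holder and same_forest) else "mismatch"
    return {"status": status, "dn": dn, "owner": owner, "holder": holder}


if __name__ == "__main__":
    # Read real ldbsearch output from a pipe, or fall back to the constructed samples.
    texts = [sys.stdin.read()] if not sys.stdin.isatty() else [
        SAMPLE_MISMATCH, SAMPLE_OK, SAMPLE_MISSING]
    for text in texts:
        r = check_role_owner(text)
        print(f"{r['status']:<9} dn={r['dn']} holder={r['holder']}")
```

A `mismatch` verdict on the DomainDnsZones or ForestDnsZones Infrastructure object is the situation Rowland points at: samba-tool's transfer deletes the old fSMORoleOwner value and adds the new one, so a value that does not match what it expects produces the LDAP_NO_SUCH_ATTRIBUTE error from the thread, and a `missing` verdict means there is nothing for it to delete at all.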