[Samba] Error while transferring fsmo-roles
- Date: Fri, 4 Aug 2017 21:20:45 +0200
- From: gizmo via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] Error while transferring fsmo-roles
I transfered all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC (4.6.6-SerNet, SLES 12 SP2).
I had to try a couple of times because of an error "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT"
But then following error happened:
samba-tool fsmo transfer --role=all
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
FSMO transfer of 'schema' role successful
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write property access
OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials:
samba-tool fsmo transfer --role=all -Uadministrator
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 515, in run
File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
except samba.drs_utils.drsException, e
Same error occurred with the role "forestdns".
In spite of the errors the roles were transfered.
Can I ignore this error or went something wrong ?
"samba-tool fsmo show" says, the owner of all roles is the new DC.
Also with the following check for all roles everything is ok.
ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=domain,DC=university,DC=de" -s base fsmoroleowner
The only thing I saw - there is an DNS-entry "Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp".
Sounds like an entry for the PDC, and there is still the DC which owned the roles.
Do I have to change this manually ?
In a next step I will demote (and reinstall) the DC which owned the roles, maybe this solves any inconsistencies, in case there are some.
To unsubscribe from this list go to the following URL and read the