
[Samba] FSMO transfer problems




Hello all,

Have joined a new DC to an existing active directory consisting of a sole DC.  So, we now have two domain controllers, the original being ad.DOMAIN.intranet (192.168.0.17), and the new one being DOMAIN-ad.DOMAIN.intranet (192.168.0.11).  I want the new DC to become the FSMO role owner, so I followed the instructions here - https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles. The first five FSMO roles transferred successfully, but the domaindns and forestdns both failed to transfer:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet has no write property access
> <>

So I tried adding the admin login details:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:

Looking online, I found someone fixed this by adding in "import samba.drs_utils" in the file "fsmo.py" which I've done.  Running it again gets:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=domaindns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet'> <>

However, running "samba-tool fsmo show" shows that apparently the role is now owned by DOMAIN-ad, which is the intended outcome.  So did the transfer work?  Doing the same for forestdns gave the exact same result:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=forestdns -U Administrator
Password for [DOMAIN\Administrator]:
ERROR(<class 'samba.drs_utils.drsException'>): Replication failed - drsException: DsReplicaSync failed (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 141, in transfer_dns_role
    NC, req_options)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

So checking the FSMO roles shows:

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet

I can't see if the FSMO roles have definitely been transferred?

root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all -U Administrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
This DC already has the 'domaindns' FSMO role
This DC already has the 'forestdns' FSMO role

Secondly, when running "Active Directory Users and Computers", it automatically connects to the old DC, and when I try to connect to the new DC, it just shows "Unavailable" and trying to connect to it anyway gets "The following Domain Controller could not be contacted: DOMAIN-ad.DOMAIN.intranet. The server is not operational." - how do I fix this issue?

Many thanks for your time!

With kind regards - Piers
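
A mechanical way to check the "did the transfer work?" question raised above, as an added example that is not part of the original post or of Samba's code: it parses "samba-tool fsmo show" output (including the single-line form seen in this archive) and lists every role not held by the intended DC. The function names and the sample text are constructed here; the role labels and DN layout are taken from the output quoted in the post.

```python
import re

# Role labels printed by `samba-tool fsmo show`, as they appear in the post.
ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)

# "<X>Role owner: <DN>"; the DN ends at the next role label or at end of input,
# so output collapsed onto one line (as in the archive) parses the same way.
ROLE_RE = re.compile(r"(\w+Role) owner:\s*(.+?)(?=\s+\w+Role owner:|\s*$)", re.S)
# The owning server is the CN that follows "CN=NTDS Settings,".
SERVER_RE = re.compile(r"CN=NTDS Settings,CN=([^,]+),", re.I)


def parse_fsmo_show(text):
    """Map each role label to the server CN that owns it (None if unparsable)."""
    owners = {}
    for role, dn in ROLE_RE.findall(text):
        m = SERVER_RE.match(dn.strip())
        owners[role] = m.group(1).upper() if m else None
    return owners


def roles_not_on(text, expected_dc):
    """Return {role: actual owner} for every role not held by expected_dc."""
    owners = parse_fsmo_show(text)
    want = expected_dc.upper()
    return {r: owners.get(r) or "missing" for r in ROLES if owners.get(r) != want}


# Constructed sample input (not captured output): one role still on the old DC.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet"
SAMPLE = "\n".join(
    "%s owner: CN=NTDS Settings,CN=%s,%s"
    % (r, "AD" if r == "ForestDnsZonesMasterRole" else "DOMAIN-AD", SITE)
    for r in ROLES
)

if __name__ == "__main__":
    for role, owner in roles_not_on(SAMPLE, "DOMAIN-AD").items():
        print("%s is held by %s" % (role, owner))
```

Feed it the output collected on each DC in turn: by default "samba-tool fsmo show" reads the directory copy of the DC it runs on, so after a DsReplicaSync failure like the one quoted above the two DCs can report different owners.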

