Re: [Samba] FSMO transfer problems




On Mon, 25 Mar 2019 20:39:25 +0000
Piers Kittel via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello all,
> 
> Have joined a new DC to an existing active directory consisting of a 
> sole DC.  So, we now have two domain controllers, the original being 
> ad.DOMAIN.intranet (192.168.0.17), and the new one being 
> DOMAIN-ad.DOMAIN.intranet (192.168.0.11).  I want the new DC to
> become the FSMO role owner, so I followed the instructions here - 
> https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles. 
> The first five FSMO roles transferred successfully, but the domaindns 
> and forestdns both failed to transfer:
> 
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer --role=all
> FSMO transfer of 'rid' role successful
> FSMO transfer of 'pdc' role successful
> FSMO transfer of 'naming' role successful
> FSMO transfer of 'infrastructure' role successful
> FSMO transfer of 'schema' role successful
> ERROR: Failed to delete role 'domaindns': LDAP error 50 
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object 
> CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet has no
> write property access
>  > <>  

When transferring the domaindns and/or forestdns FSMO roles, you must
supply authentication. I have updated the wiki page.

> 
> So I tried adding the admin login details:
> 
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer 
> --role=domaindns -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
> 'module' object has no attribute 'drs_utils'
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 520, in run
>      transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 129, in transfer_dns_role
>      except samba.drs_utils.drsException, e:
> 
> Looking online, I found someone fixed this by adding in "import 
> samba.drs_utils" in the file "fsmo.py" which I've done.  Running it 
> again gets:
> 
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer 
> --role=domaindns -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 
> LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching 
> attribute value while deleting attribute on 
> 'CN=Infrastructure,DC=DomainDnsZones,DC=DOMAIN,DC=intranet'> <>  
> 
> However, running "samba-tool fsmo show" show that apparently the role
> is now owned by DOMAIN-ad which is the intended outcome.  So did the 
> transfer work?  Doing the same for forestdns gave the exact same
> result:
> 
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer 
> --role=forestdns -U Administrator
> Password for [DOMAIN\Administrator]:
> ERROR(<class 'samba.drs_utils.drsException'>): Replication failed - 
> drsException: DsReplicaSync failed (-1073741643, '{Device Timeout}
> The specified I/O operation on %hs was not completed before the
> time-out period expired.')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 
> 141, in transfer_dns_role
>      NC, req_options)
>    File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line
> 83, in sendDsReplicaSync
>      raise drsException("DsReplicaSync failed %s" % estr)
> 
> So checking the FSMO roles show:
> 
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> InfrastructureMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> RidAllocationMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> PdcEmulationMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> DomainNamingMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> DomainDnsZonesMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> ForestDnsZonesMasterRole owner: CN=NTDS 
> Settings,CN=DOMAIN-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet
> 
> I can't see if the FSMO roles have definitely been transferred?

It appears that they have been transferred: 'CN=DOMAIN-AD' is your new
DC's hostname in uppercase.

> 
> root@DOMAIN-ad:/var/lib/samba/sysvol# samba-tool fsmo transfer 
> --role=all -U Administrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> This DC already has the 'domaindns' FSMO role
> This DC already has the 'forestdns' FSMO role
> 
> Secondly, when running "Active Directory Users and Computers", it 
> automatically connects to the old DC, and when I try to connect to
> the new DC, it just shows "Unavailable" and trying to connect to it
> anyway gets "The following Domain Controller could not be contacted: 
> DOMAIN-ad.DOMAIN.intranet. The server is not operational." - how do I 
> fix this issue?

OK, if this doesn't settle down, try to transfer the roles back (this
time with authentication). If this helps, you should then be able to
transfer the roles to the new DC again.

Rowland
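As an added example (not part of this thread, and not Samba's own code): a small Python checker that parses `samba-tool fsmo show` output, including the mail-wrapped form quoted above, and reports every role whose owning NTDS Settings object is not under the expected DC's server name. The sample output is constructed to resemble the mail; it deliberately leaves DomainDnsZones on the old DC (CN=AD) to show what a partial transfer looks like.

```python
import re

# The seven roles samba-tool reports; after a full transfer all sit on the new DC.
FSMO_ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)

# Constructed sample: first line wrapped as the mail archive shows it, and
# DomainDnsZonesMasterRole left on the old DC (CN=AD) on purpose.
_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=intranet"
SAMPLE_OUTPUT = "SchemaMasterRole owner: CN=NTDS \nSettings,CN=DOMAIN-AD," + _SITE + "\n"
for _role in FSMO_ROLES[1:]:
    _host = "AD" if _role == "DomainDnsZonesMasterRole" else "DOMAIN-AD"
    SAMPLE_OUTPUT += f"{_role} owner: CN=NTDS Settings,CN={_host},{_SITE}\n"


def _unwrap(text):
    """Re-join mail-wrapped lines: a line without ' owner: ' continues the previous one."""
    lines = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if " owner: " in line or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def server_from_ntds_dn(dn):
    """Extract <host> from 'CN=NTDS Settings,CN=<host>,CN=Servers,...'."""
    parts = [p.strip() for p in dn.split(",")]
    if len(parts) < 3 or parts[0].lower() != "cn=ntds settings" or parts[2].lower() != "cn=servers":
        raise ValueError(f"not an NTDS Settings DN: {dn!r}")
    return parts[1][len("CN="):]


def parse_fsmo_show(text):
    """Map role name -> owning server hostname exactly as written in the DN."""
    owners = {}
    for line in _unwrap(text):
        m = re.match(r"^(\w+Role) owner: (.+)$", line)
        if m:
            owners[m.group(1)] = server_from_ntds_dn(m.group(2))
    return owners


def roles_not_on(text, expected_host):
    """Roles missing from the output or owned by another DC; AD upper-cases the
    server name in the DN, so the comparison ignores case."""
    owners = parse_fsmo_show(text)
    return sorted(r for r in FSMO_ROLES
                  if owners.get(r, "").lower() != expected_host.lower())
```

Feed it the real output (`samba-tool fsmo show | python3 check.py` style) with the new DC's short hostname; an empty list means every role has moved.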

