Hi all- I've been polishing my Samba4 AD set-up as we get close to deploying it in the office. However, one thing that I'm having issues with is FSMO roles and DCs. The gist of the situation is that I cannot demote the original DC. Both DCs are implemented with Samba4, running the same version (4.0.3) and have replication working*
Here is a summary of everything I've noticed:

· samba-tool fsmo transfer does not work: running it without specifying anything returns a success message, but no roles are transferred off the DC running it, and specifying another DC with the -H flag yields this error:
  ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
  Running it with -H and -b yields the error:
  samba-tool fsmo transfer: error: no such option: -b
· samba-tool fsmo seize *appears* to work: running it with any one role gives the following output:
  Attempting transfer...
  FSMO transfer of 'pdc' role successful
  ERROR: Failed to initiate role seize of 'pdc' role: objectclass: modify message must have elements/attributes!
  Checking with samba-tool fsmo show *does* show that the role has been transferred; however, the error prevents --role=all from working, as it hits the error and stops execution.
· Windows MMC snap-ins (e.g. Users and Computers) *do* reflect changes made on role owners
· Windows utilities (e.g. ntdsutil) *do* reflect changes made on role owners
· Both DCs agree on who has what role with samba-tool fsmo show

Now the issue: after transferring all 5 roles from dc1 to dc2 and verifying that both of them agree, I want to remove dc1, so I attempt to demote dc1:

  samba-tool domain demote -UAdministrator

This returns the following:

  ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC

What are the 2 hidden roles it has or thinks it has?

If I try to delete it from the Windows side using Users and Computers, after ticking the box that says 'yes, I can't dcpromo, it's permanently offline', I receive the following error:

  "Windows cannot delete object LDAP://dc2.[...]/CN=DC1,OU=Domain Controllers,DC=[...],DC=[...] because: The specified module could not be found."

Why is it referred to as a module? In any case, using ldbedit on DC1, I did find that exact DN, so it is there.
I can't use ldbdel to remove the DC as it refuses the operation (probably reasonably so).

I think it might be an issue with just the *original* DC, because I did this exact process with dc2 (the DC created via replication) and it returns this on samba-tool domain demote:

  Using dc1.[...] as partner server for the demotion
  Password for [[...]\Administrator]:
  Desactivating inbound replication
  Asking partner server dc1.[...] to synchronize from us
  Changing userControl and container
  Demote successfull

So what could possibly be wrong with the original DC?

As I poked around on this error, I also found this: https://bugzilla.samba.org/show_bug.cgi?id=9461

So is anyone using the test branch and can verify this bug is fixed in that version?

*replication is working 100% but I do see this error:
  Warning: No NC replicated for Connection!
From back when I was setting up replication, I poked around and from what I understood, it was a glitch and not an issue.

Any insights would be great,

Thanks,
-Mike Ray
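Editor's note, an added worked check that is not part of Mike's post and not Samba's own code. The demote check in samba-tool counts every object, across all naming contexts, whose fSMORoleOwner attribute points at the demoting DC's NTDS Settings object. Besides the five roles that samba-tool fsmo show/transfer of that era handles, the two DNS application partitions (DC=DomainDnsZones,... and DC=ForestDnsZones,...) each carry a CN=Infrastructure object with its own fSMORoleOwner, so the first thing to look at for the "2 hidden roles" is a cross-partition search such as:

  ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs '(fSMORoleOwner=*)' fSMORoleOwner

(the sam.ldb path depends on the install prefix). The script below parses LDIF of that shape, including the folded continuation lines ldbsearch emits for long values, and reports which objects still name a given DC. The LDIF embedded in it is constructed sample data for an assumed domain example.com with DCs DC1 and DC2 in the default site, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): find every object whose
# fSMORoleOwner still points at a given DC, across all naming contexts.
# Feed it the output of:
#   ldbsearch -H <prefix>/private/sam.ldb --cross-ncs '(fSMORoleOwner=*)' fSMORoleOwner
# SAMPLE_LDIF is constructed sample data (assumed domain example.com, DCs DC1/DC2);
# the five "classic" roles have been moved to DC2, the two DNS-partition
# infrastructure objects have not. One value is line-folded the way ldb prints it.
SAMPLE_LDIF='# record 1
dn: CN=Schema,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Partitions,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=RID Manager$,CN=System,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=
 Sites,CN=Configuration,DC=example,DC=com

# returned 7 records
'

# fsmo_objects_owned_by LDIF DCNAME
# Prints the DN of each object whose fSMORoleOwner is the NTDS Settings object
# of DCNAME. Continuation lines (leading space) are re-joined before matching,
# and the trailing comma in the pattern keeps DC1 from matching DC10.
fsmo_objects_owned_by() {
    printf '%s\n' "$1" | awk -v dc="CN=NTDS Settings,CN=$2," '
        function handle(line) {
            if (line ~ /^dn: /)
                dn = substr(line, 5)
            else if (line ~ /^fSMORoleOwner: / && index(substr(line, 16), dc) == 1)
                print dn
        }
        /^ / { buf = buf substr($0, 2); next }   # LDIF fold: append to previous line
        { if (buf != "") handle(buf); buf = $0 }
        END { if (buf != "") handle(buf) }
    '
}

# fsmo_count_owned_by LDIF DCNAME
# The number that "samba-tool domain demote" would report as "owner of N role(s)".
fsmo_count_owned_by() {
    fsmo_objects_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Usage on the constructed sample: DC1 still owns the two DNS-partition objects.
fsmo_objects_owned_by "$SAMPLE_LDIF" DC1
echo "DC1 still owns $(fsmo_count_owned_by "$SAMPLE_LDIF" DC1) object(s)"
```

Against a real sam.ldb, replace SAMPLE_LDIF with the ldbsearch output and pass the short DC name; any DN printed for the DC you are trying to demote is an object whose fSMORoleOwner still has to be changed to the other DC's NTDS Settings DN before demote will proceed.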