Three DC on domain: HOORN (owner of the roles), VOLENDAM, TILBURG

HOORN stopped making replication to VOLENDAM/TILBURG:

root@hoorn:/home/newhang# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to hoorn.solid-optics.local failed - drsException: DRS connection to hoorn.solid-optics.local failed: (-1073741643, 'NT_STATUS_IO_TIMEOUT')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@hoorn:/home/newhang#

executed command: samba-tool fsmo transfer --role=all -U administrator --realm=solid-optics.local. All roles were transferred successfully.

HOORN output (previous owner of the roles)

root@hoorn:/home/newhang# samba-tool fsmo show
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
>
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

Output on VOLENDAM/TILBURG is the same.
Same information appears on windows GUI AD management tool

After trying demote of HOORN:

> root@hoorn:/home/newhang# samba-tool domain demote
> ERROR: Current DC is still the owner of 2 role(s), use the role command
> to transfer roles to another DC
> root@hoorn:/home/newhang#

the command samba-tool drs showrepl shows that replication is ok between ALL DC:

Volendam:

root@volendam:/home/newhang# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

root@volendam:/home/newhang# samba-tool drs showrepl
Default-First-Site-Name\VOLENDAM
DSA Options: 0x00000001
DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
DSA invocationId: 5a66b068-ae8b-4f7b-8a6a-aa9aeb33ab2e

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ Sat Jul 19 12:25:49 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:49 2014 CEST

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:25:50 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:50 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ Sat Jul 19 12:25:50 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:50 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:25:51 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:51 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ Sat Jul 19 12:25:47 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:47 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:25:48 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:48 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ Sat Jul 19 12:25:48 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:48 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:25:49 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:49 2014 CEST

DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ Sat Jul 19 12:25:52 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:52 2014 CEST

DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:25:52 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:25:52 2014 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:24:23 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:24:23 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Fri Jul 18 17:18:06 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Jul 18 17:18:06 2014 CEST

DC=solid-optics,DC=local
    Default-First-Site-Name\TILBURG via RPC
        DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 01ddbc6d-9eb3-43cd-9cf3-b77e279c1305
    Enabled : TRUE
    Server DNS name : TILBURG.solid-optics.local
    Server DN name : CN=NTDS Settings,CN=TILBURG,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: 3addea62-2b75-4f83-a56b-b3407db5ea27
    Enabled : TRUE
    Server DNS name : HOORN.solid-optics.local
    Server DN name : CN=NTDS Settings,CN=HOORN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
root@volendam:/home/newhang#

TILBURG

root@tilburg:/home/newhang# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

root@tilburg:/home/newhang# samba-tool drs showrepl
Default-First-Site-Name\TILBURG
DSA Options: 0x00000001
DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
DSA invocationId: d3b37458-35cf-4719-aed1-000335ccf439

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ Sat Jul 19 12:26:31 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:31 2014 CEST

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:26:32 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:32 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ Sat Jul 19 12:26:32 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:32 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:26:33 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:33 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ Sat Jul 19 12:26:30 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:30 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:26:30 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:30 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ Sat Jul 19 12:26:30 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:30 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:26:31 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:31 2014 CEST

DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ Sat Jul 19 12:26:33 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:33 2014 CEST

DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:26:34 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:26:34 2014 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Sat Jul 19 12:24:23 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 19 12:24:23 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=solid-optics,DC=local
    Default-First-Site-Name\HOORN via RPC
        DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
        Last attempt @ Fri Jul 18 17:18:06 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Jul 18 17:18:06 2014 CEST

DC=solid-optics,DC=local
    Default-First-Site-Name\VOLENDAM via RPC
        DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 6d55f4b5-22e0-420b-a27f-e313a423079c
    Enabled : TRUE
    Server DNS name : VOLENDAM.solid-optics.local
    Server DN name : CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
    Connection name: 73f3d261-4ed7-4a3f-9822-47ec62d0c159
    Enabled : TRUE
    Server DNS name : HOORN.solid-optics.local
    Server DN name : CN=NTDS Settings,CN=HOORN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
        TransportType: RPC
        options: 0x00000001
Warning: No NC replicated for Connection!
root@tilburg:/home/newhang#

But same command on failed DC shows:

root@hoorn:/home/newhang# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to hoorn.solid-optics.local failed - drsException: DRS connection to hoorn.solid-optics.local failed: (-1073741643, 'NT_STATUS_IO_TIMEOUT')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@hoorn:/home/newhang#

Fernando
If more information is needed in order to reproduce the problem, please contact me. Thank you
I just stumbled over this a few days ago myself. A look at the code shows that there are in fact 2 additional roles that "samba-tool fsmo" is not aware of. These roles are neither displayed nor transferred but samba-tool domain demote's filter finds them. More details to follow... Michael
(In reply to comment #2)
> I just stumbled over this a few days ago myself.
> A look at the code shows that there are in fact
> 2 additional roles that "samba-tool fsmo" is not
> aware of. These roles are neither displayed nor
> transferred but samba-tool domain demote's filter
> finds them.
>
> More details to follow...

CN=Infrastructure,DC=ForestDnsZones,DC=...
CN=Infrastructure,DC=DomainDnsZones,DC=...
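An added example, not part of the thread and not Samba's own code: it maps `fSMORoleOwner` values to all seven role objects, including the two DNS-partition ones named above, and reports which roles a five-role listing would hide on a DC. It assumes a single-domain forest (forest root DN equals the domain DN); the role labels, helper names and the LDIF input are constructed for illustration.

```python
# Added example: audit FSMO ownership across all seven role-bearing objects.
DOMAIN_DN = "DC=solid-optics,DC=local"  # from the thread; assumed to be the forest root too

# Labels are this example's own. prefix + DOMAIN_DN is the object whose
# fSMORoleOwner attribute names the NTDS Settings object of the role holder.
ROLE_PREFIXES = {
    "schema": "CN=Schema,CN=Configuration,",
    "naming": "CN=Partitions,CN=Configuration,",
    "pdc": "",
    "rid": "CN=RID Manager$,CN=System,",
    "infrastructure": "CN=Infrastructure,",
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones,",
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones,",
}
# The five roles that the "samba-tool fsmo show" output in this thread lists.
CLASSIC_FIVE = ("schema", "naming", "pdc", "rid", "infrastructure")

NTDS = ("CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,"
        "CN=Sites,CN=Configuration," + DOMAIN_DN)

# Constructed sample (not captured output): the state the thread describes,
# five roles moved to VOLENDAM while the two DNS roles still point at HOORN.
SAMPLE_LDIF = "\n\n".join(
    "dn: %s%s\nfSMORoleOwner: %s"
    % (prefix, DOMAIN_DN, NTDS % ("VOLENDAM" if role in CLASSIC_FIVE else "HOORN"))
    for role, prefix in ROLE_PREFIXES.items())


def parse_ldif(text):
    """Return {lower-cased dn: fSMORoleOwner}; LDIF may fold long lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation of the previous line
        else:
            unfolded.append(line)
    owners, dn = {}, None
    for line in unfolded:
        key, sep, value = line.partition(": ")
        if not sep:
            if not line.strip():
                dn = None                 # a blank line ends the record
            continue
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "fsmoroleowner" and dn:
            owners[dn.lower()] = value.strip()
    return owners


def server_name(ntds_dn):
    """Extract the server CN from an NTDS Settings DN."""
    parts = ntds_dn.split(",")
    if len(parts) > 1 and parts[0].upper() == "CN=NTDS SETTINGS":
        return parts[1].partition("=")[2].upper()
    return ntds_dn


def roles_by_server(ldif_text, domain_dn):
    """Group the seven roles by holder; roles with no owner go under '(unset)'."""
    owners = parse_ldif(ldif_text)
    result = {}
    for role, prefix in ROLE_PREFIXES.items():
        owner = owners.get((prefix + domain_dn).lower())
        result.setdefault(server_name(owner) if owner else "(unset)", []).append(role)
    return result


def blocking_roles(ldif_text, domain_dn, server):
    """Roles still held by `server` that a five-role listing does not show."""
    held = roles_by_server(ldif_text, domain_dn).get(server.upper(), [])
    return [role for role in held if role not in CLASSIC_FIVE]


if __name__ == "__main__":
    for holder, roles in sorted(roles_by_server(SAMPLE_LDIF, DOMAIN_DN).items()):
        print("%-10s %s" % (holder, ", ".join(roles)))
    print("hidden on HOORN:", blocking_roles(SAMPLE_LDIF, DOMAIN_DN, "HOORN"))
```

On a live domain the input would be the LDIF from an LDAP search for `fSMORoleOwner=*` across the domain, configuration and DNS partitions.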
This email seems to indicate 4.0 is/was affected as well: https://lists.samba.org/archive/samba/2013-March/172078.html Can someone confirm/deny if 4.0 series is affected?
I have Ubuntu 10.10 with samba 4.0.0(db1) as DC(test.loc) and I installed a new DC on samba4.1.11. I successfully added new samba as a new DC to old DC. And now !!!!before transferring roles I try to demote old server:

root@db1:~# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
SchemaMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
root@db1:~# samba-tool domain demote
ERROR: Current DC is still the owner of 7 role(s), use the role command to transfer roles to another DC

As you can see there are 7 roles on old DC. And even when all 5 FSMO roles transfer successfully, 2 undiscovered roles remain, and finally they prevent demoting old DC.
Also hit this bug.

user@DC1 sudo samba-tool domain demote
ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC

samba-tool fsmo show on both servers displays only 5 roles that belong to the DC2.

Is there a workaround yet? Can I remove the DC1 server disregarding the warning or will it break domain functionality?
(In reply to Mārtiņš from comment #6)
> Is there a workaround yet?

Only to edit the AD manually (not recommended, until you're absolutely sure, what you're doing and what consequences it will have!)

> Can I remove the DC1 server disregarding the warning or will it break domain
> functionality?

You have to demote the DC, to get everything about it out of the AD. If you simply remove the DC without demoting (what you can't because of this bug here), everything stays. It can cause e. g. timeouts during logon, because workstations try to logon to the removed DC.
For work-around I have managed to find the following two approaches. I have not tried these but some others have reported success. I have an old DC I now really need to remove.

approach 1: Use microsoft's dead DC removal vb script does a much better job and works too.
http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

approach 2: seeAlso http://support.microsoft.com/kb/216498
2. Remove old computer account by using "Active Directory Sites and Services" tool.
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. Use "ADSIEdit" to remove old computer records from the Active Directory:
   a. OU=Domain Controllers,DC=domain,DC=local
   b. CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
   c. CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local
This seems like a rather serious bug. If I'm understanding correctly, this prevents anyone from transferring roles and demoting the DC (to decommission) from a Samba DC to Samba DC, Windows DC to Samba DC, or Samba DC to Windows DC. Thus making your "multi-master" redundancy a bit of an issue, no? I had tried this over a year ago and ran into this issue. I thought it was just my fault. I had a Samba DC I setup quickly in a jam and had planned to move it. The move took a bit longer and then found that I was unable to transfer the roles to the new DC and decommission. Wiping and starting over really isn't viable when you have Group Policy and accounts with passwords already set and a bunch of computers already added to the domain. Sure hope this gets resolved soon so I don't have to resort to trying the MS script or redoing the whole domain!
I have one system with two samba DC 4.0.0 and other system with two samba DC 4.2.1; both of them have the same problem. This is critical: if the PDC dies, the other DC does nothing and the entire domain goes offline.
Hello, I am running Samba 4.1.6 on two Ubuntu servers. One of them is going to be demoted after a successful transfer of all roles since it has a problem with its network adapter. If I got it right there is no more recent version of samba that solves the bug. Is there a chance that this samba bug is solved soon? The problematic machine runs in 10Mbit mode and is a bottleneck in the network. I would like to remove it as soon as possible. Cheers, Kai
Created attachment 11312: Patch for v4-2-test
Created attachment 11313: Patch for v4-1-test
Hello, new upcoming release Samba 4.3 looks ok. I tested 4.3.0rc1. samba-tool fsmo transfer/seize can handle all 7 FSMO roles. So DC can be demoted after transfer (but take care of remaining DNS entries). As you can see metze just uploaded patches for 4.1 and 4.2. So next release of 4.1 and 4.2 will be ok too. Dead DC is serious problem, because there is no native Samba tool, which can delete it. I tested it in my lab. At first I seized all FSMO roles, after that I used MS VB script to clean DC's metadata and deleted all remaining DNS entries. Everything looks ok after this procedure. Jiri
Hello, We tested fsmo role transfer between windows 2008r2 DC and samba DC and got this error: ERROR: Failed to add role 'domaindns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0 After that fSMORoleOwner attribute on both DCs is not set. We tried that on samba 4.2.3 with patch and samba 4.3 rc4 with the same results. Probably because of that error we can not demote windows DC without forcing. We also tried to change fSMORoleOwner attribute manually with ADSI edit on samba DC and it does not replicate to windows DC. If we try that with two windows DCs, attribute replicates as expected. Is there a chance that this samba bug is solved soon? Cheers, Josip
Despite Jiri's announcement I haven't found this bug being addressed by the release notes of any of the newer versions. Is the current state still "not resolved"?
(In reply to Ole from comment #16) Yes, unfortunately it has not been picked up for the releases, because it has not been reviewed yet.
Is someone volunteering for review?
Thanks for the Update, Karolin. My first response would be "What is a review in this regard?", so probably I am not the guy for this. I was just wondering because the release notes of 4.3.0 say that Samba now is capable of viewing AND transferring all of the 7 FSMO roles - but no mentioning of this bug. So this is actually not true?
(In reply to Ole from comment #19) A patch needs to be reviewed by at least two members of the Samba team before ending up in a release.
This is fixed in Samba 4.3 per the comments, but due to other regressions and issues such as bug 11882 I suggest using 4.5.0rc1 or later. Samba 4.2 is in security fixes only mode, so no further non-security patches will be applied there. Sorry for the delays and the series of issues in this area, with the new code now under automated test, this should now be reliable. See also samba-tool domain demote --remove-other-dead-server, which does a more comprehensive cleanup.