Bug 12800 - FSMO Role Transfer fails for DNS roles
Summary: FSMO Role Transfer fails for DNS roles
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.5.8
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-05-23 07:16 UTC by Peter Gerritsen
Modified: 2019-05-28 14:57 UTC

Description Peter Gerritsen 2017-05-23 07:16:50 UTC
Hi There,

We have recently upgraded two of our customer directories from 4.1.17 to 4.5.8. With that I also wanted to change the DNS FSMO roles, since those were still on the server that was first installed in their environment instead of on the dedicated server we introduced later. Now I've already done this with a different customer's directory that we've put on 4.4.6 without a problem, but with 4.5.8 I seem to be unable to do this with both the customers I'm trying this with. See the error below.

root@gc:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
InfrastructureMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
RidAllocationMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
DomainNamingMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=AD-zoetermeer,CN=Servers,CN=Zoetermeer,CN=Sites,CN=Configuration,DC=customer
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=AD-zoetermeer,CN=Servers,CN=Zoetermeer,CN=Sites,CN=Configuration,DC=customer
root@gc:~# samba-tool fsmo transfer --role=all -U domadm
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Password for [CUSTOMER\domadm]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=customer'> <>
root@gc:~# samba -V
Version 4.5.8-Debian

The domadm user is the original Administrator account we always immediately rename after a deployment. I've changed the domain name to customer for our customers' discretion. I've checked the values myself in the database but everything seems to be just fine there, meaning the fSMORoleOwner is correct in the database. samba-tool dbcheck doesn't find any issues regarding this.

Please help since the server currently holding this role has to be decommissioned soon. At the other customer site the server will stay.

Peter Gerritsen
Comment 1 Peter Gerritsen 2017-07-20 07:40:01 UTC
Does anyone have a suggestion on this matter?