MS-ADTS 3.1.1.5.3.1.2 "FSMO Changes" has details about which objectClasses the fSMORoleOwner attribute can be set on.
We need to restrict setting this attribute to only these objectClasses (essentially, the fixed list of roles that we know about), and we need to ensure that the only DN we can set it to is the current server's NTDS Settings object.
We also need to ensure that it cannot become empty.
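The three checks described in the comment above, as an added illustrative example (not Samba's own module code). The list of role-holder object classes and the rule that the value must be this DC's own NTDS Settings object follow MS-ADTS "FSMO Changes"; the DN normalization is a deliberately simplified assumption (case-folding and whitespace stripping, no escaped-comma handling), as is the sample DN.

```python
"""Illustrative validation of a modify that writes fSMORoleOwner.

Added example, not Samba's code. Rules modelled:
  1. only the known FSMO role-holder objectClasses may carry the attribute,
  2. the only acceptable value is this DC's own NTDS Settings DN,
  3. the attribute must never become empty.
"""

# objectClass -> FSMO role it carries (per MS-ADTS "FSMO Changes").
# Keys are lower-cased because LDAP objectClass names match case-insensitively.
FSMO_ROLE_CLASSES = {
    "domaindns": "PDC emulator",
    "ridmanager": "RID master",
    "dmd": "Schema master",
    "crossrefcontainer": "Domain naming master",
    "infrastructureupdate": "Infrastructure master",
}


def normalize_dn(dn):
    """Simplified DN normalization: lower-case attribute types and values,
    strip whitespace around '=' and ','.  Assumption: no escaped commas."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def check_fsmo_role_owner_write(object_classes, new_values, local_ntds_dn):
    """Return (allowed, reason) for a write that sets fSMORoleOwner.

    object_classes -- objectClass values of the target object
    new_values     -- attribute values the modify would leave in place
    local_ntds_dn  -- DN of this server's own NTDS Settings object
    """
    # Rule 3: the attribute may never end up empty (replace/delete to nothing).
    if not new_values or any(v is None or not v.strip() for v in new_values):
        return False, "fSMORoleOwner must not become empty"
    if len(new_values) != 1:
        return False, "fSMORoleOwner is single-valued"

    # Rule 1: only the fixed list of role-holder object classes.
    classes = {c.lower() for c in object_classes}
    roles = sorted(FSMO_ROLE_CLASSES[c] for c in classes if c in FSMO_ROLE_CLASSES)
    if not roles:
        return False, "objectClass is not a FSMO role holder"

    # Rule 2: the new owner must be this server's NTDS Settings object.
    if normalize_dn(new_values[0]) != normalize_dn(local_ntds_dn):
        return False, "fSMORoleOwner may only be set to this DC's NTDS Settings DN"

    return True, f"ok: {roles[0]} now held by this DC"


if __name__ == "__main__":
    # Constructed sample DN for a DC named DC1 in example.com (assumption).
    local = ("CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
             "CN=Sites,CN=Configuration,DC=example,DC=com")
    other = local.replace("CN=DC1", "CN=DC2")
    for classes, values in [
        (["top", "domainDNS"], [local]),   # legitimate PDC transfer to us
        (["top", "domainDNS"], [other]),   # points at another DC: reject
        (["top", "user"], [local]),        # wrong object class: reject
        (["top", "dMD"], []),              # would empty the attribute: reject
    ]:
        print(classes, "->", check_fsmo_role_owner_write(classes, values, local))
```

The important property is that all three conditions are checked on the target object and the proposed value before the write is applied; passing any one of them alone (for example a well-formed NTDS Settings DN on a non-role-holder object) must still be rejected.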
Andrew, I am unsure if something has been done in this direction. I am re-assigning back to the default assignee since I am not active in Samba at the moment.