Error while transferring fsmo-roles

Error while transferring fsmo-roles

Samba - General mailing list
Hello,
I transferred all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC (4.6.6-SerNet, SLES 12 SP2).
I had to try a couple of times because of an error "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT".
But then the following error happened:

  samba-tool fsmo transfer --role=all

  This DC already has the 'rid' FSMO role
  This DC already has the 'pdc' FSMO role
  This DC already has the 'naming' FSMO role
  This DC already has the 'infrastructure' FSMO role
  FSMO transfer of 'schema' role successful
  ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
  CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write property access


OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials:


  samba-tool fsmo transfer --role=all -Uadministrator

  ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 515, in run
      "domaindns", samdb)
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
      except samba.drs_utils.drsException, e


The same error occurred with the role "forestdns".
In spite of the errors the roles were transferred.

Can I ignore this error, or did something go wrong?
"samba-tool fsmo show" says the owner of all roles is the new DC.

Also, with the following check, everything is OK for all roles:
ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=domain,DC=university,DC=de" -s base fsmoroleowner

The only thing I saw: there is a DNS entry "Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp".
It sounds like an entry for the PDC, and it still contains the DC which owned the roles.
Do I have to change this manually?

In a next step I will demote (and reinstall) the DC which owned the roles; maybe this solves any inconsistencies, in case there are some.

Regards

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
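The ldbsearch check in the post above looks at a single role holder, but the seven FSMO roles are recorded as fSMORoleOwner attributes on seven different objects across the naming contexts. The following is an added example (my own code, not from this thread or from the Samba project) that parses the LDIF that ldbsearch prints for all of them and reports every role whose owner is not the expected DC's NTDS Settings object. It assumes the LDIF came from a query such as `ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(fSMORoleOwner=*)' fSMORoleOwner` (an assumed invocation); the LDIF, the DC names and the domain DN below are constructed sample data, with one role (forestdns) deliberately left on the old DC to show what a half-finished transfer looks like.

```python
"""Check that all seven FSMO roles point at the expected DC, from ldbsearch LDIF.

Added example, not code from the samba mailing list thread or from Samba.
"""
import re

# Object holding each role's fSMORoleOwner attribute, as a regex relative to
# the domain DN ({dom}).  naming and schema live in the forest root's
# Configuration partition; in a single-domain forest that is the same DN.
ROLE_HOLDERS = {
    "rid":            r"^CN=RID Manager\$,CN=System,{dom}$",
    "pdc":            r"^{dom}$",
    "naming":         r"^CN=Partitions,CN=Configuration,{dom}$",
    "infrastructure": r"^CN=Infrastructure,{dom}$",
    "schema":         r"^CN=Schema,CN=Configuration,{dom}$",
    "domaindns":      r"^CN=Infrastructure,DC=DomainDnsZones,{dom}$",
    "forestdns":      r"^CN=Infrastructure,DC=ForestDnsZones,{dom}$",
}


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) records from LDIF text."""
    # LDIF folds long values: a line starting with one space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded + [""]:          # trailing "" closes the last record
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):          # ldbsearch emits "# record N" / "# returned N records"
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(key, []).append(value)
    return records


def fsmo_owners(text, domain_dn):
    """Map role name -> owner DN, or None when the holder object was not returned."""
    dom = re.escape(domain_dn)
    owners = {role: None for role in ROLE_HOLDERS}
    for dn, attrs in parse_ldif(text):
        for role, pattern in ROLE_HOLDERS.items():
            if re.match(pattern.format(dom=dom), dn, re.IGNORECASE):
                owners[role] = attrs.get("fsmoroleowner", [None])[0]
    return owners


def check_fsmo(text, domain_dn, expected_ntds_dn):
    """Return sorted (role, owner) pairs for every role NOT owned by expected_ntds_dn."""
    return sorted(
        (role, owner)
        for role, owner in fsmo_owners(text, domain_dn).items()
        if owner is None or owner.lower() != expected_ntds_dn.lower()
    )


# Constructed sample data (placeholder DC and domain names, not a real directory).
DOMAIN_DN = "DC=domain,DC=university,DC=de"
DC1 = ("CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de")
DC2 = DC1.replace("CN=DC1,", "CN=DC2,")

SAMPLE_LDIF = f"""\
# record 1
dn: CN=RID Manager$,CN=System,DC=domain,DC=university,DC=de
fSMORoleOwner: {DC2}

# record 2
dn: DC=domain,DC=university,DC=de
fSMORoleOwner: {DC2}

# record 3
dn: CN=Partitions,CN=Configuration,DC=domain,DC=university,DC=de
fSMORoleOwner: {DC2}

# record 4
dn: CN=Infrastructure,DC=domain,DC=university,DC=de
fSMORoleOwner: {DC2}

# record 5
dn: CN=Schema,CN=Configuration,DC=domain,DC=university,DC=de
fSMORoleOwner: {DC2}

# record 6
dn: CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de
fSMORoleOwner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=domain,DC=university,DC=de

# record 7
dn: CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=university,DC=de
fSMORoleOwner: {DC1}

# returned 7 records
"""

if __name__ == "__main__":
    for role, owner in check_fsmo(SAMPLE_LDIF, DOMAIN_DN, DC2):
        print(f"role {role!r} is not on the expected DC: {owner}")
```

Record 6 is folded across two lines the way ldb's LDIF writer folds long values, which is why the parser unfolds before splitting; a naive line-by-line grep for fSMORoleOwner would miss that owner entirely. Run against a real export, replace DC2 with the NTDS Settings DN of the DC that is supposed to hold the roles (the same DN that `samba-tool fsmo show` prints).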
Re: Error while transferring fsmo-roles

Samba - General mailing list
Hi,

I faced the same problem, solved it by adding the line
import samba.drs_utils
to the file fsmo.py.

When building samba yourself, from within the base directory you can
apply this patch file to do it for you:

--- python/samba/netcmd/fsmo.py.old     2016-12-05 08:18:44.000000000 +0000
+++ python/samba/netcmd/fsmo.py 2017-03-11 10:27:31.453884091 +0000
@@ -20,6 +20,7 @@
  import samba
  import samba.getopt as options
  import ldb
+import samba.drs_utils
  from ldb import LdbError
  from samba.dcerpc import drsuapi, misc
  from samba.auth import system_session
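Review bot: the added `import samba.drs_utils` sits after `import ldb` rather than next to the other `samba` imports two lines above it (`import samba`, `import samba.getopt as options`); moving it up keeps the samba imports grouped. The fix itself is the right minimal one for the traceback in the original post: `transfer_dns_role` reaches `except samba.drs_utils.drsException` without the submodule ever having been imported in this file, and a bare `import samba` does not bind `samba.drs_utils`, which is exactly the AttributeError reported.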

regards,
Norbert


On 04.08.2017 21:20, gizmo via samba wrote:

> Hello,
> I transferred all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC (4.6.6-SerNet, SLES 12 SP2).
> I had to try a couple of times because of an error "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT".
> But then the following error happened:
>
>    samba-tool fsmo transfer --role=all
>
>    This DC already has the 'rid' FSMO role
>    This DC already has the 'pdc' FSMO role
>    This DC already has the 'naming' FSMO role
>    This DC already has the 'infrastructure' FSMO role
>    FSMO transfer of 'schema' role successful
>    ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
>    CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write property access
>
>
> OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials:
>
>
>    samba-tool fsmo transfer --role=all -Uadministrator
>
>    ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>        return self.run(*args, **kwargs)
>      File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 515, in run
>        "domaindns", samdb)
>      File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>        except samba.drs_utils.drsException, e
>
>
> The same error occurred with the role "forestdns".
> In spite of the errors the roles were transferred.
>
> Can I ignore this error, or did something go wrong?
> "samba-tool fsmo show" says the owner of all roles is the new DC.
>
> Also, with the following check, everything is OK for all roles:
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=domain,DC=university,DC=de" -s base fsmoroleowner
>
> The only thing I saw: there is a DNS entry "Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp".
> It sounds like an entry for the PDC, and it still contains the DC which owned the roles.
> Do I have to change this manually?
>
> In a next step I will demote (and reinstall) the DC which owned the roles; maybe this solves any inconsistencies, in case there are some.
>
> Regards
>



Re: Error while transferring fsmo-roles

Samba - General mailing list
> I faced the same problem, solved it by adding the line
> import samba.drs_utils
> to the file fsmo.py.
>
> When building samba yourself, from within the base directory you can
> apply this patch file to do it for you:

Thank you Norbert.
Indeed the line "import samba.drs_utils" is missing, although I'm using the repositories from Sernet.
According to "samba-tool fsmo show", the roles were successfully transferred in spite of the error.
Was the transfer completed, or could something be missing?
What about the DNS entry "_msdcs->pdc->_tcp"? Isn't it an entry for the PDC? After I transferred
the roles, this DNS entry didn't change; I changed it manually.

Regards



Re: Error while transferring fsmo-roles

Samba - General mailing list
Because I wanted to reinstall a DC1 (samba 4.3.11-SerNet, SLES 11 SP3 before reinstall)
which owned all fsmo-roles, I transferred the roles to another DC2 (samba 4.6.6-SerNet, SLES 12 SP 2).
As I wrote, all roles were transferred successfully, but with an error message.

After demotion and reinstallation I joined DC1 successfully again, but the SRV entries (_kerberos, _ldap, _kpasswd)
were not generated.
When I list the replication on DC1, all connections under "INBOUND NEIGHBORS" show an error "WERR_DS_DRA_ACCESS_DENIED".
The connections under "OUTBOUND NEIGHBORS" are successful.

Could the missing DNS entries and the replication error have to do with the error when I transferred the fsmo-roles?


Regards


Re: Error while transferring fsmo-roles

Samba - General mailing list
> After demotion and reinstallation I joined DC1 successfully again, but the SRV entries (_kerberos, _ldap, _kpasswd)
> were not generated.

SOLVED, everything works fine.

The DNS SRV entries were not generated because, after transferring the roles, the SOA entries for all zones still
contained the old DC, which didn't exist anymore. I changed them to the new PDC. Same for the DNS entry _msdcs->pdc.
After this change the DCs wrote the missing entries into the DNS.

Another problem I had was with the tool "Active Directory Sites and Services". The information about the DCs was
incomplete for the newly joined DCs. I compared the attribute list and saw that the attribute "serverReference" was
empty. But a check with "ldbsearch" showed a value for this attribute (serverReferenceBL). It was as if the value had
a hidden character the tool "Active Directory Sites and Services" couldn't interpret.
After rewriting this value everything worked.


Re: Error while transferring fsmo-roles

Samba - General mailing list
After applying the change in fsmo.py proposed by Norbert Hanke I was able to
transfer roles without error, but only when proceeding one by one:
# for role in rid pdc naming infrastructure schema domaindns forestdns ; do
samba-tool fsmo transfer --role=$role -k yes ; done
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
FSMO transfer of 'domaindns' role successful
FSMO transfer of 'forestdns' role successful

Regarding the _ldap._tcp.pdc._msdcs.samdom.domain.tld SRV entry there is still
an issue, as now I have both DCs declared in that SRV rather than one, as
explained here:
https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

I'm using Samba 4.6.5 on both DC.

I'll remove the non-PDC entry manually from the PDC SRV records and I'll try to
remember to test that again once I've upgraded my DCs' Samba
version.



2017-08-09 11:42 GMT+02:00 gizmo via samba <[hidden email]>:

> > After demotion and reinstallation I joined DC1 successfully again, but
> > the SRV entries (_kerberos, _ldap, _kpasswd)
> > were not generated.
>
> SOLVED, everything works fine.
>
> The DNS SRV entries were not generated because, after transferring the
> roles, the SOA entries for all zones still contained
> the old DC, which didn't exist anymore. I changed them to the new PDC. Same
> for the DNS entry _msdcs->pdc.
> After this change the DCs wrote the missing entries into the DNS.
>
> Another problem I had was with the tool "Active Directory Sites and Services".
> The information about the DCs was
> incomplete for the newly joined DCs. I compared the attribute list and
> saw that the attribute "serverReference" was
> empty. But a check with "ldbsearch" showed a value for this attribute
> (serverReferenceBL). It was as if the value had
> a hidden character the tool "Active Directory Sites and Services" couldn't
> interpret.
> After rewriting this value everything worked.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
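Two of the replies above describe the DNS state that was left behind after the role transfer: the SOA records of all zones still naming the old DC as primary (the "SOLVED" post), and the `_ldap._tcp.pdc._msdcs.<domain>` SRV record carrying both DCs instead of only the PDC emulator (the last post). The following is an added example, my own code and not from this thread or from Samba, that audits a zone dump for exactly those conditions: a SOA whose primary is not the PDC, a pdc._msdcs SRV set that is not exactly the PDC, and any NS or SRV record still pointing at the old DC. It assumes the records are in standard zone-file presentation format (what `dig` or a zone transfer prints); the records and the dc1/dc2/domain.university.de names below are constructed sample data.

```python
"""Audit DNS records after an FSMO transfer for references to the old DC.

Added example, not code from the samba mailing list thread or from Samba.
Input is zone-file presentation format: owner [ttl] IN TYPE rdata...
"""


def parse_zone_records(text):
    """Return a list of (owner, rtype, rdata_fields) from zone-file style lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        fields = line.split()
        if "IN" not in fields:                     # accept 'owner ttl IN TYPE' and 'owner IN TYPE'
            continue
        i = fields.index("IN")
        owner = fields[0].lower().rstrip(".")
        rtype = fields[i + 1].upper()
        records.append((owner, rtype, fields[i + 2:]))
    return records


def _host(name):
    return name.lower().rstrip(".")


def audit_after_transfer(text, pdc_fqdn, old_dc_fqdn):
    """Return findings as (kind, owner, detail) tuples; an empty list means clean.

    kinds: "soa-primary" (SOA MNAME is not the PDC), "stale-ref" (NS/SRV target
    is the old DC), "pdc-srv" (pdc._msdcs SRV targets are not exactly the PDC).
    """
    pdc, old = _host(pdc_fqdn), _host(old_dc_fqdn)
    records = parse_zone_records(text)
    findings = []
    pdc_srv_targets = {}
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            mname = _host(rdata[0])                # SOA rdata: MNAME RNAME serial refresh ...
            if mname != pdc:
                findings.append(("soa-primary", owner, mname))
        elif rtype == "SRV" and owner.startswith("_ldap._tcp.pdc._msdcs."):
            # SRV rdata: priority weight port target; evaluated as a set below
            pdc_srv_targets.setdefault(owner, set()).add(_host(rdata[-1]))
        elif rtype in ("NS", "SRV") and _host(rdata[-1]) == old:
            findings.append(("stale-ref", owner, rtype))
    for owner, targets in sorted(pdc_srv_targets.items()):
        if targets != {pdc}:
            findings.append(("pdc-srv", owner, sorted(targets)))
    return findings


# Constructed sample: roles moved from dc1 to dc2, but DNS was never updated.
PDC = "dc2.domain.university.de"
OLD_DC = "dc1.domain.university.de"
SAMPLE_ZONE = """\
; constructed sample records, not a real zone dump
domain.university.de.  3600 IN SOA dc1.domain.university.de. hostmaster.domain.university.de. 110 900 600 86400 3600
domain.university.de.  900  IN NS  dc1.domain.university.de.
domain.university.de.  900  IN NS  dc2.domain.university.de.
_ldap._tcp.pdc._msdcs.domain.university.de. 900 IN SRV 0 100 389 dc1.domain.university.de.
_ldap._tcp.pdc._msdcs.domain.university.de. 900 IN SRV 0 100 389 dc2.domain.university.de.
_kerberos._tcp.domain.university.de.        900 IN SRV 0 100 88  dc2.domain.university.de.
"""

if __name__ == "__main__":
    for kind, owner, detail in audit_after_transfer(SAMPLE_ZONE, PDC, OLD_DC):
        print(f"{kind:12} {owner}: {detail}")
```

The NS record for the old DC is reported separately from the SOA because the two are fixed in different places, and the pdc._msdcs SRV is checked as a set rather than record by record, since the failure mode in the last post is not a wrong target but one target too many. Feeding the audit a dump in which every dc1 reference has been rewritten to dc2 returns no findings, which is the state the thread ends up in after the manual edits.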