Samba: Transfer FSMO roles to another DC


In the case the Active Directory is running on a Samba server, scheduled maintenance of a server or other reasons may require the transfer of FSMO roles to another server in the directory.

Log in to the target server (for example over SSH) and check which server currently holds each FSMO role:

samba-tool fsmo show

This produces output similar to the following:

SchemaMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=MYSERVER,CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com

The output above shows that MYSERVER in the HOME site currently holds all of the roles. To move every FSMO role to another server, it is recommended that you log on to the target server (the one that is to take over the roles) and run:

samba-tool fsmo transfer --role=all -U AdministratorAccount

AdministratorAccount is an account with administrative rights in the domain. When you run the command, you are prompted for that account's password; I found this to be the best way to avoid typos and the problem of entering special characters on the command line.
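The natural follow-up to the transfer is to run samba-tool fsmo show again on the new holder and confirm that nothing was left behind (a partial transfer, with one of the DNS zone roles still on the old server, is exactly the situation the error below produces). The following script is an added example, not code from the original post or from the Samba project: it parses the text that samba-tool fsmo show prints, in the format shown above, and reports every role that is not held by the DC you expect. The server names MYSERVER and NEWSERVER and the domain ad.test.com are placeholders, and the two sample outputs are constructed.

```python
"""Check which domain controller holds each FSMO role.

Added example (not code from the original post or from the Samba project). It
parses `samba-tool fsmo show` output in the format shown above and reports any
role that is not held by the DC you expect. MYSERVER, NEWSERVER and the domain
ad.test.com are placeholders; SAMPLE_BEFORE and SAMPLE_PARTIAL are constructed.
"""
import re
import sys
from typing import Dict, List

# The seven roles Samba reports: the five classic FSMO roles plus the two DNS zone roles.
EXPECTED_ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)

ROLE_LINE = re.compile(r"^(?P<role>\w+) owner:\s*(?P<dn>.+)$")
# The owner DN names the DC and its site: CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,...
OWNER_DN = re.compile(r"CN=NTDS Settings,CN=(?P<dc>[^,]+),CN=Servers,CN=(?P<site>[^,]+),", re.I)

DN_TEMPLATE = "CN=NTDS Settings,CN={dc},CN=Servers,CN=HOME,CN=Sites,CN=Configuration,DC=ad,DC=test,DC=com"

# Constructed sample: every role on MYSERVER, as in the output quoted above.
SAMPLE_BEFORE = "\n".join(f"{r} owner: {DN_TEMPLATE.format(dc='MYSERVER')}" for r in EXPECTED_ROLES)
# Constructed sample: a transfer that stopped part-way, ForestDnsZones still on the old DC.
SAMPLE_PARTIAL = "\n".join(
    f"{r} owner: {DN_TEMPLATE.format(dc='MYSERVER' if r == 'ForestDnsZonesMasterRole' else 'NEWSERVER')}"
    for r in EXPECTED_ROLES
)


def parse_fsmo_show(output: str) -> Dict[str, Dict[str, str]]:
    """Map each role name to the DC and site named in its owner DN."""
    roles: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line.strip())
        if not m:
            continue  # blank lines or anything else samba-tool prints
        owner = OWNER_DN.search(m.group("dn"))
        if owner is None:
            raise ValueError("unexpected owner DN: " + m.group("dn"))
        roles[m.group("role")] = {"dc": owner.group("dc"), "site": owner.group("site")}
    return roles


def check_roles(roles: Dict[str, Dict[str, str]], expected_dc: str) -> List[str]:
    """Return one message per role that is missing from the output or not held by expected_dc."""
    problems: List[str] = []
    for role in EXPECTED_ROLES:
        holder = roles.get(role)
        if holder is None:
            problems.append(f"{role}: not reported")
        elif holder["dc"].upper() != expected_dc.upper():
            problems.append(f"{role}: held by {holder['dc']} in site {holder['site']}, expected {expected_dc}")
    return problems


if __name__ == "__main__":
    # Usage on a DC:  samba-tool fsmo show | python3 fsmo_check.py NEWSERVER
    # Without an argument the script runs over the constructed partial-transfer sample.
    if len(sys.argv) == 2:
        problems = check_roles(parse_fsmo_show(sys.stdin.read()), sys.argv[1])
    else:
        problems = check_roles(parse_fsmo_show(SAMPLE_PARTIAL), "NEWSERVER")
    print("all roles on expected DC" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

The non-zero exit status makes the check usable from a maintenance runbook or a monitoring job, so that a half-completed transfer is noticed before the old server is taken down.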

You may encounter an error message similar to the following:

ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=ad,DC=test, DC=com has no write property access> <>

This means the account you specified does not have permission to write to the objects involved on the LDAP server. The same error can occur when you omit the user, because the command then runs with credentials that lack those rights.

When transferring FSMO roles, whether individually or all at once, the command may fail with an error like the following even though every parameter has been specified correctly:

ERROR(): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 515, in run
    "domaindns", samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:

In this case, you need to manually patch the following file (Ubuntu 18.04):

/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py

The module uses samba.drs_utils without importing it. Add the line import samba.drs_utils to the import block in the first few lines of the file, so that it reads as follows:

import samba
import samba.getopt as options
import ldb
import samba.drs_utils   # added line: makes samba.drs_utils.drsException resolvable in transfer_dns_role
from ldb import LdbError
from samba.dcerpc import drsuapi, misc
from samba.auth import system_session
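Because the fix is a one-line edit to a packaged file, it is easy to apply twice (or to forget whether it was applied) when several DCs need the same change. The following helper is an added example, not code from the post or from Samba: it inserts the import at the end of the module's leading import block, writes a .bak copy of the original first, and changes nothing when the line is already present. The file path is given on the command line; the SAMPLE_HEADER text is a constructed stand-in for the top of fsmo.py.

```python
"""Idempotently add the missing `import samba.drs_utils` line to fsmo.py.

Added example, not code from the post or from the Samba project. The header
below is constructed for testing; the real fsmo.py is considerably longer.
"""
import shutil
import sys

IMPORT_LINE = "import samba.drs_utils"

# Constructed stand-in for the top of fsmo.py before the fix.
SAMPLE_HEADER = """\
# fsmo.py - FSMO role management (constructed header)
import samba
import samba.getopt as options
import ldb
from ldb import LdbError
from samba.dcerpc import drsuapi, misc
from samba.auth import system_session

class cmd_fsmo_show(object):
    pass
"""


def ensure_drs_utils_import(source: str) -> str:
    """Return source with IMPORT_LINE present exactly once, after the leading imports."""
    lines = source.splitlines(keepends=True)
    if any(line.strip() == IMPORT_LINE for line in lines):
        return source  # already patched: leave the file untouched
    insert_at = 0
    for i, line in enumerate(lines):
        if line.startswith(("import ", "from ")):
            insert_at = i + 1
        elif insert_at and line.strip() and not line.startswith("#"):
            break  # first real statement after the import block
    lines.insert(insert_at, IMPORT_LINE + "\n")
    return "".join(lines)


def patch_file(path: str) -> bool:
    """Patch the file in place, keeping a .bak copy; return True if it was modified."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched = ensure_drs_utils_import(original)
    if patched == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return True


if __name__ == "__main__":
    # Usage: sudo python3 patch_fsmo.py /usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py
    print("patched" if patch_file(sys.argv[1]) else "already contains the import")
```

Keep the .bak copy until a package upgrade replaces fsmo.py; an upgrade that ships the upstream fix will overwrite the patched file, and running the helper again on the new file is harmless because it only adds the line when it is missing.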