Contents
- 1 Difference of Transferring and Seizing FSMO Roles
- 2 How to Handle Situations Where a DC with FSMO Roles Is Offline
- 3 FSMO Role Management Using samba-tool
- 3.1 Displaying the Current FSMO Role Owners
- 3.2 Transferring an FSMO Role
- 3.3 Seizing a FSMO Role
- 4 Windows FSMO Role Management
Whenever it's possible, you should transfer FSMO roles and do not seize them! Transferring is the recommended and cleaner way. But it requires that the DC, which currently owns the role you want to transfer, is still working and connected to the network. Transferring makes the old DC know that it does not own the role(s) any more.
If the DC is broken (e. g. hardware defect) and will never come back again, then you can seize the role on a remaining DC. It is very important that the old DC will never be connected to the network again, if it is connected again, this will cause conflicts and lead to an inconsistent AD. This is because the old DC will not notice the change and still feel responsible for tasks related to the role.
There are three situations to distinguish:
1. The downtime is planned and the DC will come back soon (reboot, hardware replacement, etc.):
- In this case, you have to decide, to temporarily transfer the roles to a different DC or be aware of the effects during the downtime. See The seven FSMO roles.
2. The DC should be demoted:
- Transfer the roles to a different DC, before you demote.
3. The DC is offline because of a problem:
- 1. Don't panic!
- 2. Depending on the kind of role(s) that were on the DC, the consequences may be different. Make sure that you find out which roles are affected and what it means for your forest. See The seven FSMO roles.
- 3. Try repairing the broken DC and connect it to the network again. But never restore it from a backup, if at least one DC in the domain is still working. The replication could mix up your directory!
- 4. If there is no chance to get the DC back again, seize the roles on a remaining DC and demote the broken one.
Displaying the Current FSMO Role Owners
On a Domain Controller of your choice, run the following command, to print the owner of the different FSMO roles:
# samba-tool fsmo showInfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comRidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comPdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comDomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comSchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Unfortunately before samba 4.3.0, samba-tool only shows five of the fsmo roles and that these five roles are owned by DC1 at the moment.
Before 4.3.0, to see all the fsmo roleowners, you will need to do something like this:
ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb '(fsmoroleowner=*)' |\ grep 'dn:' | sed 's|dn: ||'
This should produce a list of where the role owners are stored:
CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=comCN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=comCN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=comCN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=comDC=samdom,DC=example,DC=comCN=RID Manager$,CN=System,DC=samdom,DC=example,DC=comCN=Infrastructure,DC=samdom,DC=example,DC=com
To find out the fsmo role owner for a specific dn, you will need to do something like this:
ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" \-s base fsmoroleowner
Which should produce something similar to this:
# record 1dn: CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=comfSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
From Samba 4.3.0, running the 'samba-tool fsmo show' command will now show all 7 FSMO roles:
# samba-tool fsmo showInfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comRidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comPdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comDomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comSchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comDomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=comForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Transferring an FSMO Role
- Log on to the DC, that should be the new owner of the role you want to transfer.
- Transfer the role to the DC, by executing the following command:
# samba-tool fsmo transfer --role=...FSMO transfer of '...' role successful
- Ensure that the role was transferred ('samba-tool fsmo show').
Seizing a FSMO Role
- Log on to the DC, that should be the new owner of the role you want to transfer.
- Seize the role to the current DC, by executing the following command:
# samba-tool fsmo seize --role=...Attempting transfer...Transfer unsuccessful, seizing...FSMO seize of '...' role successful
- Ensure that the role was transferred ('samba-tool fsmo show').
- Make sure, that the old DC is never connected to the network again!
 | If you are transferring or seizing the domaindns or forestdns FSMO role, you MUST supply authentication. |
 | Early versions of samba-tool had a bug that prevented the seizure of the Domain Naming Master role. If you encounter this problem in your version, add the "--force" parameter as a temporary workaround. You should upgrade to a supported Samba version as soon as possible. |
