
Check, reassign and seize FSMO roles

All domain controllers (DCs) in an Active Directory domain are equal peers, with one exception: a few operations may only be carried out by a single DC at a time. These are the Flexible Single Master Operations (FSMO) roles. Classic Active Directory defines five of them (schema master, domain naming master, RID master, PDC emulator and infrastructure master); samba-tool additionally manages the infrastructure role of the DomainDnsZones and ForestDnsZones application partitions, so it reports seven roles in total. Typically one DC holds all seven, but that is not a requirement: any DC can hold any role. The roles can be transferred between DCs, and seized from a DC that is no longer available (a dead server).

If you have never transferred these roles, the first DC you provisioned your Active Directory with will own all of them.

For a longer description of Flexible Single Master Operations, see the Samba wiki page on FSMO roles.

Show me the FSMO roles

For now, all we want to know is which DC owns each role. The cut drops the rest of the distinguished name of each owner's NTDS Settings object, leaving only the server name:

samba-tool fsmo show | cut -f1-2 -d,
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1

Transferring the FSMO roles

If the roles need to be transferred (for example because the DC that owns them is about to be demoted), run the following on the DC that should become the new owner. samba-tool fsmo transfer pulls a role to the DC it is executed on, so it runs on the receiving DC, not on the current owner:

Note that the Administrator password is required to transfer the 'domaindns' and 'forestdns' roles; the five classic roles are transferred first, without a prompt:

samba-tool fsmo transfer --role=all -U "MAD\Administrator"
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
Password for [MAD\Administrator]:
FSMO transfer of 'domaindns' role successful
FSMO transfer of 'forestdns' role successful

One PDC emulator, one DNS record

When the PDC emulator role is transferred to another DC, the new owner registers its own _ldap._tcp.pdc._msdcs SRV record in DNS, but Samba does not remove the previous owner's record. If DC1 held the PDC emulator role and it has been transferred to DC2, two records exist:

host -t SRV _ldap._tcp.pdc._msdcs.mad.caponato.es
_ldap._tcp.pdc._msdcs.mad.caponato.es has SRV record 0 100 389 dc1.mad.caponato.es.
_ldap._tcp.pdc._msdcs.mad.caponato.es has SRV record 0 100 389 dc2.mad.caponato.es.

After transferring or seizing FSMO roles, make sure that only one SRV record exists for the PDC emulator, the one pointing at the new owner. Anything that locates the PDC emulator through this record (password-change forwarding, the domain time source, Group Policy editing) may otherwise be sent to the old owner, which may no longer exist. Delete the other entries, either from Windows with the RSAT DNS Manager or from a DC with samba-tool dns delete.

If you are transferring the roles only temporarily, for example to upgrade Samba on a DC, check DNS again after the upgrade, once the roles have been transferred back: the transfer back leaves the same duplicate in the other direction.
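The check above can be scripted. The following is an added example, not code from the original page or from the Samba project: it reads the output of samba-tool fsmo show to find the DC that owns the PDC emulator role, compares it with the targets of the _ldap._tcp.pdc._msdcs SRV record, and prints the samba-tool dns delete commands that would remove the stale records (it prints them rather than running them, so they can be reviewed first). The domain name, the DC names and the sample command output are constructed from the page's examples; the live run at the end assumes the script is executed on a DC where samba-tool and host are available.

```bash
#!/usr/bin/env bash
# Added example (not from the original page or from Samba): after a FSMO
# transfer or seize, find the DC that now holds the PDC emulator role and list
# the _ldap._tcp.pdc._msdcs SRV records that point at any other DC.
# The parsing functions read command output from stdin, so they can be
# exercised on the constructed samples below without a live DC;
# live_check() runs the real commands.
set -eu

DOMAIN="mad.caponato.es"   # assumption: the domain from the page's example

# Print the short name (lower case) of the DC that owns the PDC emulator role,
# given the output of 'samba-tool fsmo show' on stdin. The owner is the
# NTDS Settings object below CN=<server>, so the second RDN is the server.
pdc_owner_from_fsmo_show() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' \
        | tr 'A-Z' 'a-z'
}

# Given 'host -t SRV _ldap._tcp.pdc._msdcs.<domain>' output on stdin and the
# FQDN that should be the only target, print every other record as
# "target port priority weight", the data format samba-tool dns uses for SRV.
# host prints the fields as: priority weight port target.
stale_pdc_srv_records() {
    local want="$1"
    awk -v want="$want" '
        /has SRV record/ {
            target = $NF; sub(/\.$/, "", target)
            if (target != want) print target, $(NF-1), $(NF-3), $(NF-2)
        }'
}

# Print (do not run) the samba-tool dns delete commands that remove the stale
# records. Arguments: DC to talk to, wanted PDC FQDN; host output on stdin.
pdc_srv_cleanup_commands() {
    local server="$1" want="$2"
    stale_pdc_srv_records "$want" | while read -r target port prio weight; do
        printf 'samba-tool dns delete %s %s _ldap._tcp.pdc._msdcs SRV "%s %s %s %s" -U %s\n' \
            "$server" "$DOMAIN" "$target" "$port" "$prio" "$weight" 'MAD\Administrator'
    done
}

# Constructed sample output, modelled on the page's examples, as it would look
# after the roles have been transferred from DC1 to DC2.
SAMPLE_FSMO_SHOW='SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es'
SAMPLE_HOST_SRV='_ldap._tcp.pdc._msdcs.mad.caponato.es has SRV record 0 100 389 dc1.mad.caponato.es.
_ldap._tcp.pdc._msdcs.mad.caponato.es has SRV record 0 100 389 dc2.mad.caponato.es.'

# Live run on a DC: needs samba-tool and host in PATH.
live_check() {
    local owner want
    owner="$(samba-tool fsmo show | pdc_owner_from_fsmo_show)"
    want="$owner.$DOMAIN"
    echo "PDC emulator is $want; commands to remove stale SRV records (if any):"
    host -t SRV "_ldap._tcp.pdc._msdcs.$DOMAIN" | pdc_srv_cleanup_commands "$owner" "$want"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Dry run on the constructed sample: prints the delete command for dc1.
    owner="$(printf '%s\n' "$SAMPLE_FSMO_SHOW" | pdc_owner_from_fsmo_show)"
    printf '%s\n' "$SAMPLE_HOST_SRV" | pdc_srv_cleanup_commands "$owner" "$owner.$DOMAIN"
fi
```

Run it without arguments to see the dry run on the sample data, or with --live on a DC after a transfer; the printed samba-tool dns delete line removes only the record whose target is not the current PDC emulator, so the owner's own record is never touched. Check the SRV data argument order against samba-tool dns delete --help on your Samba version before running the printed commands.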

Seizing the roles from a dead server

If a DC has died, you can “seize” the roles from another DC. Seizing changes the role owner without the cooperation of the current owner, so only do it when the old owner is really gone; use transfer while it is still reachable. By default samba-tool first attempts a transfer and only seizes when that fails (--force skips the attempt):

samba-tool fsmo seize --role=all -U "MAD\Administrator"

A dead DC also has to be demoted remotely (samba-tool domain demote --remove-other-dead-server=<DC>) so that the remaining DCs stop trying to replicate with it.

Do not reconnect a server that has been remotely demoted or had its FSMO roles seized: it would come back still believing it is a DC and still holding the roles, and that will break your AD.


Caponato's Samba notebook.

samba/fsmo-roles.txt · Last modified: 2023/11/29 12:21 by caponato