Environment
Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW
Situation
How to Transfer FSMO Roles
How to Seize FSMO Roles
Moving DSfW FSMO Roles to an Additional Domain Controller
Resolution
Follow the Transferring and Seizing FSMO Roles section in the DSfW documentation.
- Transfer all the FSMO roles using the MMC utility. For details, see How to View and Transfer FSMO Roles
- Get the domain administrator's Kerberos ticket by executing the following command:
/opt/novell/xad/bin/kinit Administrator@_DOMAIN NAME
- Update the Samba configuration, msdfs links and the DNS SRV record for the first domain controller by running the following script:
/opt/novell/xad/share/dcinit/UpdatePDCMaster.pl
Do the following steps to finish the transfer.
NOTE: If /opt/novell/xad/share/dcinit/UpdatePDCMaster.pl was successful, the smb.conf in section 5 and the _ldap._tcp.pdc._msdcs record in section 6 will already be updated. Those two sections can be skipped, but it is still a good idea to verify they have been properly updated.
Once the following is completed, the sysvol sync should work and the new PDC should be fully functional.
For the examples below, replace DC=dsfw,DC=lan with your domain name or domain-mapped container (for example o=novell).
Replace OLDPDC with the name of the old PDC DSfW server.
Replace NEWPDC with the name of the new PDC DSfW server.
1) Rename the OLD PDC to the new PDC name in the cn=Domain System Volume (SYSVOL share) container.
Rename from:
cn=OLDPDC,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=dsfw,dc=lan
Rename to:
cn=NEWPDC,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=dsfw,dc=lan
2) Update the fRSMemberReference attribute from the old PDC to the new PDC on the object listed below. If frsComputerReference and serverReference exist, do the same for those attributes.
cn=Domain System Volume (SYSVOL share),cn=NTFRS Subscriptions,cn=OLDPDC,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=dsfw,dc=lan
Open iManager or ConsoleOne, modify the cn=Domain System Volume (SYSVOL share),cn=NTFRS Subscriptions,cn=OLDPDC,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=dsfw,dc=lan object, and go to the Other tab.
For each attribute, change the value from the old PDC:
frsComputerReference: cn=OLDPDC,ou=Domain Controllers,dc=dsfw,dc=lan
fRSMemberReference: cn=OLDPDC,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=dsfw,dc=lan
serverReference: cn=NTDS Settings,cn=OLDPDC,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=dsfw,dc=lan
To the new PDC:
frsComputerReference: cn=NEWPDC,ou=Domain Controllers,dc=dsfw,dc=lan
fRSMemberReference: cn=NEWPDC,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,dc=dsfw,dc=lan
serverReference: cn=NTDS Settings,cn=NEWPDC,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=dsfw,dc=lan
3) Move the NTFRS Subscriptions, ISA Identity, and RouterIdentity container objects.
There are three container objects that will need to be moved. In order to move a container object, be sure eDirectory sync is good and partition the objects.
If the OLDPDC server is down and will be removed from the tree, remove the NCP server object under the OESSystemObjects container before partitioning.
example: cn=OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
The objects are under the object CN=OLDPDC,OU=Domain Controllers,DC=dsfw,DC=lan.
Partition and then move:
NTFRS Subscriptions
ISA Identity
RouterIdentity
to be under CN=NEWPDC,OU=Domain Controllers,DC=dsfw,DC=lan
4) Update the PDC in the DNS records.
This should have been updated with the successful completion of the /opt/novell/xad/share/dcinit/UpdatePDCMaster.pl script.
Open the DNS/DHCP Console.
Go to the _ldap._tcp.pdc._msdcs record. For the Resource Record attribute Target, rename to the new PDC.
Rename from:
OLDPDC.dsfw.lan
Rename to:
NEWPDC.dsfw.lan
5) Edit /etc/samba/smb.conf on both servers, old and new PDC.
This should have been updated with the successful completion of the /opt/novell/xad/share/dcinit/UpdatePDCMaster.pl script.
Two shares need to be modified: sysvol-msdfs and sysvol.
The sysvol-msdfs share should be on all ADC servers and should NOT be located on the PDC server.
Copy the sysvol-msdfs share from the new PDC and put it in the old PDC's smb.conf just under the netlogon share. Once the old PDC has the sysvol-msdfs share, remove it from the new PDC.
[sysvol-msdfs]
wide links = yes
comment = Group Policies
path = /var/opt/novell/xad/sysvol/sysvol
writable = No
share modes = No
nt acl support = No
directory mask = 0750
The old PDC server should have the following for the sysvol
[sysvol]
comment = msdfs link to Group Policies
wide links = yes
path = /var/opt/novell/xad/msdfs
msdfs root = Yes
The new PDC server should have the following for the sysvol
[sysvol]
wide links = Yes
comment = Group Policies
path = /var/opt/novell/xad/sysvol/sysvol
writable = Yes
share modes = No
nt acl support = No
directory mask = 0750
See TID 7011775 for default smb.conf files for OES11SP1
See TID 7005380 for default smb.conf files for OES2 SP2 and SP3
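To verify step 5 rather than eyeball it, here is an added Python check (not part of this TID or of DSfW) that parses an smb.conf and reports where the sysvol shares deviate from the PDC or ADC layout described above. The smb.conf fragment is constructed and shows the layout an ADC should carry.

```python
import configparser

# Constructed smb.conf fragment: the share layout an ADC carries
# (sysvol-msdfs present, sysvol as an msdfs root). Not a real server's file.
SAMPLE_SMB_CONF = """\
[sysvol-msdfs]
wide links = yes
comment = Group Policies
path = /var/opt/novell/xad/sysvol/sysvol
writable = No
[sysvol]
comment = msdfs link to Group Policies
wide links = yes
path = /var/opt/novell/xad/msdfs
msdfs root = Yes
"""

SYSVOL_DIR = "/var/opt/novell/xad/sysvol/sysvol"  # real sysvol tree (PDC)
MSDFS_DIR = "/var/opt/novell/xad/msdfs"           # msdfs link dir (ADC)


def parse_shares(text: str) -> dict:
    """Return {share: {key: value}} with keys and values lower-cased."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return {s: {k: v.strip().lower() for k, v in cp.items(s)} for s in cp.sections()}


def check_sysvol_shares(text: str, role: str) -> list:
    """List deviations from the expected sysvol layout for role 'pdc' or 'adc'."""
    shares = parse_shares(text)
    sysvol = shares.get("sysvol")
    if sysvol is None:
        return ["[sysvol] share is missing"]
    problems = []
    if role == "pdc":
        if "sysvol-msdfs" in shares:
            problems.append("[sysvol-msdfs] must not exist on the PDC")
        if sysvol.get("path") != SYSVOL_DIR:
            problems.append(f"[sysvol] path on the PDC must be {SYSVOL_DIR}")
        if sysvol.get("writable") != "yes":
            problems.append("[sysvol] on the PDC must be writable = Yes")
    elif role == "adc":
        if "sysvol-msdfs" not in shares:
            problems.append("[sysvol-msdfs] share is missing on the ADC")
        if sysvol.get("path") != MSDFS_DIR or sysvol.get("msdfs root") != "yes":
            problems.append(f"[sysvol] on the ADC must be an msdfs root at {MSDFS_DIR}")
    else:
        raise ValueError(f"unknown role {role!r}")
    return problems
```

Run it against each server's /etc/samba/smb.conf with the role that server holds after the transfer; the same file that passes as "adc" fails three checks as "pdc", which is exactly the state of a new PDC whose smb.conf has not been updated yet.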
6) If removing the old PDC, or removing and re-installing the old PDC, do the following.
Delete the following objects:
cn=OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=OESCommonProxy_OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=UNIX Workstation - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=OLDPDCadmin,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=OLDPDC-PS,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=LDAP Server - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=Http Server - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=SAS Service - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=SNMP Group - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=DNS_OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=IP AG - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=LDAP Group - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=SSL CertificateIP - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=SSL CertificateDNS - OLDPDC,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=OLDPDC,cn=dsfw_lan,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=OLDPDC_SYS,ou=OESSystemObjects,dc=dsfw,dc=lan
cn=OLDPDC,ou=Domain Controllers,dc=dsfw,dc=lan
cn=OLDPDC,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=dsfw,dc=lan
Remove the old PDC from the DNS records
Open the DNS/DHCP Console and remove the old PDC from the following records.
machineguid._msdcs.dc=dsfw,dc=lan --- machineguid is a number like 555bbd4ca-5599-33e2-8888-000c2222221d. This will be unique for each domain controller.
_gc._tcp.dc=dsfw,dc=lan
_gc._tcp.Default-First-Site-Name._dc._tcp.dc=dsfw,dc=lan
_kerberos._tcp.dc=dsfw,dc=lan
_kerberos._tcp.Default-First-Site-Name._sites.dc=dsfw,dc=lan
_kerberos.Default-First-Site-Name._sites.dc._msdcs._tcp.dc=dsfw,dc=lan
_kerberos.dc._msdcs.dc=dsfw,dc=lan
_kerberos._udp.dc=dsfw,dc=lan
_kpasswd._tcp.dc=dsfw,dc=lan
_kpasswd._udp.dc=dsfw,dc=lan
_ldap._tcp.dc=dsfw,dc=lan
_ldap._tcp.$domainguid.domains._msdcs.dc=dsfw,dc=lan
_ldap._tcp.Default-First-Site-Name._sites.dc=dsfw,dc=lan
_ldap._tcp.Default-First-Site-Name._sites._dc._msdcs.dc=dsfw,dc=lan
_ldap._tcp.Default-First-Site-Name._sites._gc._msdcs.dc=dsfw,dc=lan
_ldap._tcp.dc._msdcs.dc=dsfw,dc=lan
_ldap._tcp.gc._msdcs.dc=dsfw,dc=lan
AFTER ALL STEPS ARE COMPLETE, REBOOT ALL ADC / PDC SERVERS IN THE DSFW DOMAIN TO CLEAR CACHED INFORMATION FOR PDC REFERENCES
Additional Information
How to View and Transfer FSMO Roles - MS AID: 255690
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller - MS AID: 255504
Sample LDIFs to transfer FSMO roles.
dn:
changetype: modify
add: becomeDomainMaster
becomeDomainMaster: 1
-
dn:
changetype: modify
add: becomeInfrastructureMaster
becomeInfrastructureMaster: 1
-
dn:
changetype: modify
add: becomePdc
becomePdc:: base-64 encoding of the domain SID in binary
-
dn:
changetype: modify
add: becomeRidMaster
becomeRidMaster: 1
-
dn:
changetype: modify
add: becomeSchemaMaster
becomeSchemaMaster: 1
-
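The becomePdc record above is the only one whose value is not a literal 1: it needs the domain SID in binary, base64-encoded (the LDIF double colon). As an added example, not part of this TID or of DSfW, the Python below encodes a textual SID into that form and emits the record; the SID in the usage call is constructed, and the empty dn follows the page's sample (the modify targets the rootDSE).

```python
import base64
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) into its binary form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then every
    sub-authority as a 32-bit little-endian integer.
    """
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to text; used to round-trip check the encoding."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def become_pdc_ldif(domain_sid: str) -> str:
    """Build the becomePdc record from the page with the value filled in.

    LDIF writes binary values with '::' followed by base64; the record
    targets the rootDSE, so the dn line is empty as in the page's sample.
    """
    encoded = base64.b64encode(sid_to_bytes(domain_sid)).decode("ascii")
    return "\n".join(["dn:", "changetype: modify", "add: becomePdc",
                      f"becomePdc:: {encoded}", "-", ""])


if __name__ == "__main__":
    # Constructed sample SID; use your own domain's objectSid in practice.
    print(become_pdc_ldif("S-1-5-21-1111111111-2222222222-3333333333"))
```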