Demoting a Samba Domain Controller

Sign in to the DC you want to become the new primary (DC2 in my case) and transfer all of the FSMO roles to it with samba-tool fsmo transfer --role=all -U Administrator (any account in Domain Admins will do; the output below uses a different admin user). Roles this DC already holds are reported and skipped, and the remaining ones are pulled over from the current owner.

root@dc2:/var/log/samba# samba-tool fsmo transfer --role=all -U chris.kramins
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
Password for [HOME\chris.kramins]:
FSMO transfer of 'domaindns' role successful
FSMO transfer of 'forestdns' role successful
root@dc2:/var/log/samba#

Verify that the FSMO records have been changed with samba-tool fsmo show and that every role now points at your new Domain Controller (CN=DC2 in my case).

root@dc2:/var/log/samba# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca
root@dc2:/var/log/samba#

After the transfer I was still getting the following error when requesting a Kerberos ticket on DC2:

root@dc2:~# kinit [email protected] -V
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
kinit: Cannot contact any KDC for realm 'HOME.KRAMINS.CA' while getting initial credentials

This was caused by the _kerberos TXT record in the domain zone still pointing at DC1. Updating it to DC2 fixed the issue; the record can be changed with samba-tool dns update <server> <zone> _kerberos TXT <olddata> <newdata> -U Administrator. It is also worth checking the _kerberos._udp, _kerberos._tcp and _ldap._tcp SRV records in the zone, since those are what kinit and domain members consult to locate a KDC: once DC1 is actually demoted, none of them should still list it.
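The checks above (all FSMO roles on the new DC, no DNS locator records still naming the old one) are easy to get wrong by eye, so here is a small script that does them. It is an added example, not code from the original post: DC1, DC2 and home.kramins.ca are taken from the post, while the function names and the two SAMPLE_* strings are constructed for illustration. Run it with SAMBA_LIVE=1 on the new DC to check the real domain; without that it runs against the constructed samples.

```sh
#!/bin/sh
# Post-transfer checks for a Samba AD DC. Added example, not from the
# original post. DC1, DC2 and home.kramins.ca come from the post; the
# function names and the SAMPLE_* strings below are constructed.

# List FSMO roles (from `samba-tool fsmo show` text on stdin) that are NOT
# owned by the DC named in $1. No output means every role has moved.
fsmo_roles_not_on() {
    awk -v dc="CN=$1," '/MasterRole owner:/ && index($0, dc) == 0 { print $1 }'
}

# List SRV targets (from `dig +short SRV ...` text on stdin) that are NOT the
# host named in $1. dig prints "priority weight port target." per line.
srv_targets_not_on() {
    awk -v host="$1." 'NF == 4 && $4 != host { print $4 }'
}

# Live check: run on the new DC after the transfer (needs samba-tool and dig).
# Until the old DC is actually demoted its SRV records are still expected,
# so stale SRV targets are reported as warnings; leftover FSMO roles fail.
check_live() {
    newdc="$1"   # e.g. DC2
    zone="$2"    # e.g. home.kramins.ca
    rc=0
    left=$(samba-tool fsmo show | fsmo_roles_not_on "$newdc")
    if [ -n "$left" ]; then
        echo "FSMO roles not on $newdc:"; echo "$left"; rc=1
    fi
    lower=$(echo "$newdc" | tr 'A-Z' 'a-z')
    for rr in _kerberos._udp _kerberos._tcp _kpasswd._udp _ldap._tcp; do
        stale=$(dig +short SRV "$rr.$zone" | srv_targets_not_on "$lower.$zone")
        [ -z "$stale" ] || echo "WARN: $rr.$zone still lists: $stale"
    done
    # The TXT record the post mentions; printed for a manual look.
    echo "_kerberos TXT: $(dig +short TXT "_kerberos.$zone")"
    return $rc
}

# Constructed sample: six roles already on DC2, ForestDnsZones still on DC1.
SITE='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=home,DC=kramins,DC=ca'
SAMPLE_FSMO_SHOW="SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,$SITE
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,$SITE
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC2,$SITE
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,$SITE
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,$SITE
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,$SITE
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,$SITE"

# Constructed sample of `dig +short SRV _kerberos._udp.home.kramins.ca`
# while both DCs are still registered.
SAMPLE_SRV='0 100 88 dc1.home.kramins.ca.
0 100 88 dc2.home.kramins.ca.'

if [ "${SAMBA_LIVE:-0}" = 1 ]; then
    check_live DC2 home.kramins.ca
else
    echo "Roles not yet on DC2 (sample):"
    printf '%s\n' "$SAMPLE_FSMO_SHOW" | fsmo_roles_not_on DC2
    echo "SRV targets other than dc2 (sample):"
    printf '%s\n' "$SAMPLE_SRV" | srv_targets_not_on dc2.home.kramins.ca
fi
```

The role check keys on the "CN=DC2," fragment of the owner DN (trailing comma included) so a DC whose name merely starts with DC2 cannot produce a false pass, and the SRV check compares the fully qualified target with its trailing dot exactly as dig prints it.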