
[Samba] Unable to join DC to domain


IT Admin

Mar 21, 2016, 12:30:03 AM
I cannot join two new VMs to my domain; I receive the following error on
both machines:

itwerks@cbadc03:~$ kinit Administrator
Password for Admini...@CB.CLIFFBELLS.COM:
itwerks@cbadc03:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Admini...@CB.CLIFFBELLS.COM

Valid starting Expires Service principal
03/21/2016 00:19:56 03/21/2016 10:19:56 krbtgt/
CB.CLIFF...@CB.CLIFFBELLS.COM
renew until 03/22/2016 00:19:41, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
itwerks@cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
--dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'cb.cliffbells.com'
Found DC filer.cb.cliffbells.com
Password for [WORKGROUP\administrator]:
workgroup is CB
realm is cb.cliffbells.com
checking sAMAccountName
Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
<00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
621, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1183, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1086, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
536, in join_add_objects
ctx.samdb.add(rec)
itwerks@cbadc03:~$

Neither machine exists in ADUC on either of my current DCs. Neither
machine has any records in DNS. I ran ldbsearch and dumped its output to
a text file; there are no references to either machine name in the file.

Please advise.

JS
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Denis Cardon

Mar 21, 2016, 10:20:03 AM
Hi JS,
have you cleaned up the /usr/local/samba/private/ directory and
/usr/local/samba/etc/smb.conf file before trying to rejoin the domain?

HTH,

Denis
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

IT Admin

Mar 21, 2016, 1:40:05 PM
Yes, I have:

itwerks@cbadc03:~$ sudo /etc/init.d/samba4 stop
[sudo] password for itwerks:
[ ok ] Stopping samba4 (via systemctl): samba4.service
itwerks@cbadc03:~$ sudo mkdir /usr/local/samba-backups/3.21.2016 && sudo mv
/usr/local/samba/private /usr/local/samba-backups/3.21.2016/
itwerks@cbadc03:~$ ls -la /usr/local/samba/etc/
total 8
drwxr-xr-x 2 root root 4096 Mar 17 06:17 .
drwxr-xr-x 9 root root 4096 Mar 21 13:23 ..
itwerks@cbadc03:~$ kinit Administrator
Password for Admini...@CB.CLIFFBELLS.COM:
itwerks@cbadc03:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Admini...@CB.CLIFFBELLS.COM

Valid starting Expires Service principal
03/21/2016 13:24:37 03/21/2016 23:24:37 krbtgt/
CB.CLIFF...@CB.CLIFFBELLS.COM
renew until 03/22/2016 13:24:25, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
itwerks@cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
--dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'cb.cliffbells.com'
Found DC filer.cb.cliffbells.com
Password for [WORKGROUP\administrator]:
workgroup is CB
realm is cb.cliffbells.com
checking sAMAccountName
Adding CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
<00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
objectSid in CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
621, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1183, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1086, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
536, in join_add_objects
ctx.samdb.add(rec)
itwerks@cbadc03:~$

Both cbadc02 and cbadc03 exhibit this behavior.

JS

Rowland penny

Mar 21, 2016, 4:00:05 PM
The join seems to be failing because it seems to be trying to add an
objectsid that already exists:

unique index violation on objectSid in CN=CBADC03,OU=Domain
Controllers,DC=cb,DC=cliffbells,DC=com

Try pre-creating the computer in 'OU=Domain
Controllers,DC=cb,DC=cliffbells,DC=com' and then try joining again.

Rowland

IT Admin

Mar 21, 2016, 5:30:05 PM
No dice.

Logged in to a workstation with RSAT installed. Added computer to OU
Domain Controllers, closed ADUC, attempted join again.

itwerks@cbadc03:~$ kinit Administrator
Password for Admini...@CB.CLIFFBELLS.COM:
itwerks@cbadc03:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Admini...@CB.CLIFFBELLS.COM

Valid starting Expires Service principal
03/21/2016 17:21:42 03/22/2016 03:21:42 krbtgt/
CB.CLIFF...@CB.CLIFFBELLS.COM
renew until 03/22/2016 17:21:29, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
itwerks@cbadc03:~$ sudo /usr/local/samba/bin/samba-tool domain join
cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
--dns-backend=SAMBA_INTERNAL
[sudo] password for itwerks:
Finding a writeable DC for domain 'cb.cliffbells.com'
Found DC filer.cb.cliffbells.com
Password for [WORKGROUP\administrator]:
workgroup is CB
realm is cb.cliffbells.com
checking sAMAccountName
Deleted CN=CBADC03,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
Please advise.

JS

mathias dufresne

Mar 22, 2016, 10:20:03 AM
Hi JS,

You said in your first mail that you have this very same behaviour with two new
VMs you tried to join to your AD domain.

I expect you haven't just copied your VM disks without changing the VM
hostname and FQDN. I expect you don't fully re-use smb.conf from another DC
(you can do that, but you must change the hostname in smb.conf).

You have disabled SELinux too.

So you have 3 systems to be AD DCs:
cbadc01 (working and running)
cbadc02 (one of the two new VMs which refuses to be joined to the AD domain
hosted on cbadc01)
cbadc03 (the other new VM, which also refuses to be joined)

I found this a few minutes ago while reading about LDB: http://somewoman.com/?p=261
Two options there looked relevant to your issue:
--cross-ncs to search not only the main DIT
--show-deleted to show deleted objects

In addition, the --show-binary switch can be used to decode base64-encoded
values when needed.

As I have no real idea about your issue, I would first try to set up a new
VM with a different name, a very different name, to test whether your domain
refuses to add any new DC (whatever the name) or only DCs with names
already used.

IT Admin

Mar 25, 2016, 1:30:04 PM
"I expect you don't have just copied your VMs disks without changing VMs
hostname and FQDN. I expect you don't fully re-use smb.conf from another DC
(you can do that but you must change hostname into smb.conf)."

1) These are new Ubuntu VMs, not cloned, built from scratch. I tried
joining them with no smb.conf in /usr/local/samba/etc

"You have disabled SELinux too."

2) AFAIK Ubuntu uses apparmor, not selinux. I have not disabled apparmor.

3) --show-deleted reveals a single instance of cbadc02:

itwerks@filer:~$ sudo /usr/local/samba/bin/ldbsearch -H
/usr/local/samba/private/sam.ldb --cross-ncs --show-deleted >
ldbsearch_cross-ncs_deleted.txt
itwerks@filer:~$ cat ldbsearch_cross-ncs_deleted.txt | grep cbadc
dNSHostName: cbadc02.cb.cliffbells.com
dNSHostName: cbadc01.cb.cliffbells.com
dn: DC=cbadc01,DC=cb.cliffbells.com
,CN=MicrosoftDNS,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
name: cbadc01
dc: cbadc01
distinguishedName: DC=cbadc01,DC=cb.cliffbells.com
,CN=MicrosoftDNS,DC=DomainDn
dNSHostName: cbadc01.cb.cliffbells.com
dNSHostName: cbadc01.cb.cliffbells.com
servicePrincipalName: HOST/cbadc01.cb.cliffbells.com
servicePrincipalName: GC/cbadc01.cb.cliffbells.com/cb.cliffbells.com
servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/CB
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/CB
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com
servicePrincipalName: HOST/cbadc01.cb.cliffbells.com/cb.cliffbells.com
servicePrincipalName: ldap/cbadc01.cb.cliffbells.com/cb.cliffbells.com
servicePrincipalName: RestrictedKrbHost/cbadc01.cb.cliffbells.com
servicePrincipalName: ldap/
cbadc01.cb.cliffbells.com/DomainDnsZones.cb.cliffbe
servicePrincipalName: ldap/
cbadc01.cb.cliffbells.com/ForestDnsZones.cb.cliffbe
dNSHostName: cbadc02.cb.cliffbells.com
itwerks@filer:~$

This article seems to explain how to resolve this issue from a Windows ADC:
http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

How could I replicate the approach in a Samba AD?

Re: spinning up a new VM, I tried that with cbadc03... I'll try again with
a radically different hostname this weekend.

JS

IT Admin

Mar 27, 2016, 12:20:03 AM
Good times...

Spent hours today rolling a fresh VM.

FAIL

itwerks@testes:~$ kinit administrator
Password for admini...@CB.CLIFFBELLS.COM:
itwerks@testes:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admini...@CB.CLIFFBELLS.COM

Valid starting Expires Service principal
03/27/2016 00:07:04 03/27/2016 10:07:04 krbtgt/
CB.CLIFF...@CB.CLIFFBELLS.COM
renew until 03/28/2016 00:06:59, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
itwerks@testes:~$ sudo /usr/local/samba/bin/samba-tool domain join
cb.cliffbells.com DC -Uadministrator --realm=CB.CLIFFBELLS.COM
--dns-backend=SAMBA_INTERNAL
Finding a writeable DC for domain 'cb.cliffbells.com'
Found DC filer.cb.cliffbells.com
Password for [WORKGROUP\administrator]:
workgroup is CB
realm is cb.cliffbells.com
checking sAMAccountName
Adding CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS -
<00002071: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index
objectSid in CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com -
../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
CN=TESTES,OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com> <>
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
621, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1183, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1086, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
536, in join_add_objects
ctx.samdb.add(rec)


sigh.

*&@$^@&$(@*$&@^$@!)($#)(^)%@*%_

Please advise.

JS

IT Admin

Mar 27, 2016, 2:40:03 AM
I ran ldbsearch on my sam.ldb and searched for CBADC02, CBADC03, and TESTES
(all VMs that fail to join the domain); results are below:


CBADC02 shows up a few times:

# record 1906
dn:
CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
objectClass: top
objectClass: server
instanceType: 4
whenCreated: 20160310044543.0Z
uSNCreated: 4215
objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
systemFlags: 1375731712
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
isDeleted: TRUE
name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
lastKnownParent:
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
on,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4261
distinguishedName:
CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
s,DC=com


# record 2372
dn: CN=NTDS
Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
instanceType: 4
whenCreated: 20160310044546.0Z
uSNCreated: 4214
objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
systemFlags: 33554432
cn::
TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
isDeleted: TRUE
name::
TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
w
isRecycled: TRUE
whenChanged: 20160319092438.0Z
uSNChanged: 4259
distinguishedName: CN=NTDS
Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com



# record 3275
dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321212014.0Z
uSNCreated: 4287
objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
sAMAccountName: CBADC02$
isDeleted: TRUE
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
whenChanged: 20160327050242.0Z
uSNChanged: 4293
distinguishedName:
CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
leted Objects,DC=cb,DC=cliffbells,DC=com





# record 3481
dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
Objects,DC=cb,DC=cliffbells,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160310044542.0Z
uSNCreated: 4212
objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
userAccountControl: 532480
objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
sAMAccountName: CBADC02$
dNSHostName: cbadc02.cb.cliffbells.com
cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
whenChanged: 20160318045619.0Z
isDeleted: TRUE
uSNChanged: 4253
name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
distinguishedName:
CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
leted Objects,DC=cb,DC=cliffbells,DC=com








CBADC03 is there once:



# record 3431
dn:
CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
Obje$
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160321211933.0Z
uSNCreated: 4286
objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
userAccountControl: 4128
objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
sAMAccountName: CBADC03$
isDeleted: TRUE
lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
isRecycled: TRUE
cn::
Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
name::
Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
whenChanged: 20160327050527.0Z
uSNChanged: 4294
distinguishedName:
CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
Objects,DC=cb,DC=cliffbells,
DC=com



TESTES is nowhere to be found and still fails due to ObjectSID. I don't
understand how that is even possible. I also manually inspected ADUC,
ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
and removed all references to CBADC02 & CBADC03. Replication between FILER
and CBADC01 is successful. RSync replication of sysvol from FILER to
CBADC01 is running via cron.

I am spun. I've been banging my head against Samba since 12/17/2015.
Please advise, I need to get these VMs joined to the domain so I can seize
FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
database every 36 hours.


JS

Rowland penny

Mar 27, 2016, 5:10:04 AM
OK, so you cannot join another DC and you have to keep restoring every
36 hours; doesn't this tell you something?

It looks like the database you keep restoring is badly corrupted. You
should also be aware that you shouldn't restore a DC if another DC in
the domain is running.

Are 'FILER' and 'CBADC01' joined?
If so, is 'FILER' the only database that is giving problems?
If so, then I think your best option is to seize all the fsmo roles to
'CBADC01', turn off 'FILER' and then try to join a new DC to 'CBADC01'.

IT Admin

Mar 28, 2016, 4:20:04 AM
Alright... appreciate the info. Gave it a shot. Domain is still up but
shares are down because they were hosted on FILER which has now been
demoted and is no longer running any samba services.

What I did while following the wiki "Transfer/Seize FSMO Roles":

1) logged on to FILER, ran samba-tool fsmo show, verified all 7 roles were
owned by FILER.

2) logged on to CBADC01, executed samba-tool fsmo transfer --role=all -U
administrator --realm=cb.cliffbells.com which succeeded.

3) ran samba-tool fsmo show again on FILER, verified all 7 roles were now
owned by CBADC01.

4) ran samba-tool drs showrepl on FILER, replication succeeded after
transferring fsmo roles.

5) ran samba-tool domain demote -Uadministrator on FILER.

6) shut down samba on FILER, removed smb.conf, removed initscript

7) followed guidelines to cleanup any remaining references to FILER, it
existed in AD Sites and Services, I removed it. I did not delete DNS
references as FILER is critical in this network and must remain accessible.

8) rebooted FILER and CBADC01


Currently AD is allowing users to log in to computers; all shares are dead
because FILER isn't providing them, and I can't set it up as a Domain Member
to provide the shares again because CBADC01 is missing 3 of 7 fSMORoleOwner
entries. I think I have empty fSMORoleOwner attributes as discussed here:
https://lists.samba.org/archive/samba-technical/2016-January/111516.html


Here's where I'm at:

sudo /usr/local/samba/bin/samba-tool fsmo show
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 390, in run
infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
master_owner = res[0]["fSMORoleOwner"][0]


sudo /usr/local/samba/bin/samba-tool dbcheck --fix --cross-ncs
Checking 3527 objects
ERROR: fSMORoleOwner not found for role CN=RID
Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
Sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto
current DC by adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
[y/N/all/none] y
Failed to sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
onto current DC by adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
: (20, 'SINGLE-VALUE attribute fSMORoleOwner on CN=RID
Manager$,CN=System,DC=cb,DC=cliffbells,DC=com specified more than once')
ERROR: fSMORoleOwner not found for role
CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
Sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto current DC by
adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
[y/N/all/none] y
Failed to sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto
current DC by adding fSMORoleOwner=CN=NTDS
Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
: (20, 'SINGLE-VALUE attribute fSMORoleOwner on
CN=Infrastructure,DC=cb,DC=cliffbells,DC=com specified more than once')
Checked 3527 objects (2 errors)


itwerks@cbadc01:~$ sudo /usr/local/samba/bin/samba-tool fsmo seize
--role=rid --force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 353, in run
self.seize_role(role, samdb, force)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 255, in seize_role
master_owner = get_fsmo_roleowner(samdb, m.dn)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
master_owner = res[0]["fSMORoleOwner"][0]

sudo /usr/local/samba/bin/samba-tool fsmo seize --role=infrastructure
--force -U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 353, in run
self.seize_role(role, samdb, force)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 255, in seize_role
master_owner = get_fsmo_roleowner(samdb, m.dn)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
master_owner = res[0]["fSMORoleOwner"][0]


sudo /usr/local/samba/bin/samba-tool fsmo seize --role=domaindns --force
-U administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 351, in run
versionopts, force)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 301, in seize_dns_role
master_owner = get_fsmo_roleowner(samdb, m.dn)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
master_owner = res[0]["fSMORoleOwner"][0]


sudo /usr/local/samba/bin/samba-tool fsmo seize --role=forestdns --force -U
administrator --realm=cb.cliffbells.com
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 351, in run
versionopts, force)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 301, in seize_dns_role
master_owner = get_fsmo_roleowner(samdb, m.dn)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
master_owner = res[0]["fSMORoleOwner"][0]


I guess I need LDIFs for these; the client will be down on a Monday.


JS

Rowland penny

Mar 28, 2016, 4:50:04 AM
On 28/03/16 09:09, IT Admin wrote:
> [...]
Strange, you cannot seize the role because it already exists. Try
running this:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb
'(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||'

This should show all the DNs that have a 'fSMORoleOwner' attribute.

Have you tried running
'samba-tool fsmo seize --force --role=all -UAdministrator
--password=ADMINISTRATORPASSWORD'
on the DC?

IT Admin

Mar 28, 2016, 5:10:04 AM
Sorry, I meant to include the command you sent in my last message, I had
executed it while troubleshooting...

:~$ sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H
/usr/local/samba/private/sam.ldb '(fsmoroleowner=*)' | grep 'dn:' | sed
's|dn: ||'

CN=Schema,CN=Configuration,DC=cb,DC=cliffbells,DC=com
CN=Partitions,CN=Configuration,DC=cb,DC=cliffbells,DC=com
CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com
CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
DC=cb,DC=cliffbells,DC=com
CN=Infrastructure,DC=cb,DC=cliffbells,DC=com

I have tried to seize role=all --force...

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 339, in run
self.seize_role("rid", samdb, force)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 255, in seize_role
master_owner = get_fsmo_roleowner(samdb, m.dn)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
master_owner = res[0]["fSMORoleOwner"][0]

I found another thread about the issue:
http://www.spinics.net/lists/samba/msg131164.html

I'm in a bit over my head, any help is greatly appreciated.

JS
On Mar 28, 2016 4:46 AM, "Rowland penny" <rpe...@samba.org> wrote:

> On 28/03/16 09:09, IT Admin wrote:
>
> Alright... appreciate the info. Gave it a shot. Domain is still up but
> shares are down because they were hosted on FILER which has now been
> demoted and is no longer running any samba services.
>
> What I did while following the wiki "Transfer/Seize FSMO Roles":
>
> 1) logged on to FILER, ran samba-tool fsmo show, verified all 7 roles were
> owned by FILER.
>
> 2) logged on to CBADC01, executed samba-tool fsmo transfer --role=all -U
> administrator --realm=cb.cliffbells.com which succeeded.
>
> 3) ran samba-tool fsmo show again on FILER, verified all 7 roles were now
> owned by CBADC01.
>
> 4) ran samba-tool drs showrepl on FILER, replication succeded after
> transferring fsmo roles.
>
> 5) ran samba-tool domain demote -Uadministrator on FILER.
>
> 6) shut down samba on FILER, removed smb.conf, removed initscript
>
> 7) followed guidelines to cleanup any remaining references to FILER, it
> existed in AD Sites and Services, I removed it. I did not delete DNS
> references as FILER is critical in this network and must remain accessible.
>
> 8) rebooted FILER and CBADC01
>
>
> Currently AD is allowing users to login to computers, all shares are dead
> because FILER isn't providing them and I can't set it up as a Domain Member
> to provide the shares again because CBADC01 is missing 3 of 7 fsmoroleowner
> entries. I think I have empty fSMORoleOwner attributes as discussed:
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 353, in run
> self.seize_role(role, samdb, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 255, in seize_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=infrastructure
> --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 353, in run
> self.seize_role(role, samdb, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 255, in seize_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=domaindns --force
> -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 351, in run
> versionopts, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 301, in seize_dns_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=forestdns --force
> -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 351, in run
> versionopts, force)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 301, in seize_dns_role
> master_owner = get_fsmo_roleowner(samdb, m.dn)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
> master_owner = res[0]["fSMORoleOwner"][0]
>
>
> I guess I need ldiffs for these, client will be down on a Monday.
>
>
> JS
>
> On Sun, Mar 27, 2016 at 5:02 AM, Rowland penny <rpe...@samba.org> wrote:
>
>> On 27/03/16 07:25, IT Admin wrote:
>>
>>> I ran ldbsearch on my sam.ldb
>>> I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join
>>> domain), results are below:
>>>
>>>
>>> CBADC02 shows up a few times:
>>>
>>> # record 1906
>>> dn:
>>>
>>> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
>>> objectClass: top
>>> objectClass: server
>>> instanceType: 4
>>> whenCreated: 20160310044543.0Z
>>> uSNCreated: 4215
>>> objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
>>> systemFlags: 1375731712
>>> dNSHostName: cbadc02.cb.cliffbells.com

Rowland penny

Mar 28, 2016, 6:40:03 AM
OK, let's take these one by one, you seem to have a problem with the
ridmaster fsmo role, what does this return:

ldbsearch -H /var/lib/samba/private/sam.ldb -b
'CN=System,DC=cb,DC=cliffbells,DC=com' -s sub
'(&(objectclass=rIDManager)(cn=RID Manager$))' fSMORoleOwner

On my system:

# record 1
dn: CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS
Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

Rowland penny

Mar 28, 2016, 2:00:03 PM
On 28/03/16 18:46, IT Admin wrote:
>
> Hi Rowland,
>
> I had run those queries during troubleshooting last night as well,
> apologies if I get ahead of myself, here are all of my missing roles,
> they only have dn entries, the second line containing fsmoowner is blank:
>
> itwerks@cbadc01:~$ sudo /usr/local/samba/bin/ldbsearch -H
> /usr/local/samba/private/sam.ldb -b
> 'CN=System,DC=cb,DC=cliffbells,DC=com' -s sub
> '(&(objectclass=rIDManager)(cn=RID Manager$))' fSMORoleOwner
> # record 1
> dn: CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> itwerks@cbadc01:~$ !284
> sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H
> /usr/local/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com" -s
> base fsmoroleowner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> itwerks@cbadc01:~$ !285 sudo /usr/local/samba/bin/ldbsearch
> --cross-ncs -H /usr/local/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com" -s
> base fsmoroleowner
> # record 1
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> itwerks@cbadc01:~$ !286 sudo /usr/local/samba/bin/ldbsearch
> --cross-ncs -H /usr/local/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=cb,DC=cliffbells,DC=com" -s base fsmoroleowner
> # record 1
> dn: CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
> itwerks@cbadc01:~$
>
> JS
>

OK, there appears to be a bug in the fsmo.py code, can you bear with me
whilst I try to sort it and also come up with something to possibly fix
your problem.

The bug has nothing to do with your main problem, it has to do with the
error i.e. it shouldn't.

IT Admin

Mar 28, 2016, 2:00:04 PM
Hi Rowland,

I had run those queries during troubleshooting last night as well,
apologies if I get ahead of myself, here are all of my missing roles, they
only have dn entries, the second line containing fsmoowner is blank:

itwerks@cbadc01:~$ sudo /usr/local/samba/bin/ldbsearch -H
/usr/local/samba/private/sam.ldb -b 'CN=System,DC=cb,DC=cliffbells,DC=com'
-s sub '(&(objectclass=rIDManager)(cn=RID Manager$))' fSMORoleOwner
# record 1
dn: CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com

# returned 1 records
# 1 entries
# 0 referrals

itwerks@cbadc01:~$ !284
sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H
/usr/local/samba/private/sam.ldb -b
"CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com" -s base
fsmoroleowner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com

# returned 1 records
# 1 entries
# 0 referrals

itwerks@cbadc01:~$
!285
sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H
/usr/local/samba/private/sam.ldb -b
"CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com" -s base
fsmoroleowner
# record 1
dn: CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com

# returned 1 records
# 1 entries
# 0 referrals

itwerks@cbadc01:~$
!286
sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H
/usr/local/samba/private/sam.ldb -b
"CN=Infrastructure,DC=cb,DC=cliffbells,DC=com" -s base fsmoroleowner
# record 1
dn: CN=Infrastructure,DC=cb,DC=cliffbells,DC=com

# returned 1 records
# 1 entries
# 0 referrals
itwerks@cbadc01:~$

JS

mathias dufresne

Mar 29, 2016, 5:10:03 AM
Hi JS,

Rowland was right about restoring, which I didn't spot: you must always
have only one DC running when you restore, the DC you are restoring. All
others must obviously be stopped, as they run the old DB, the broken one, and
you don't want the restored DB to collide with the broken ones hosted on the
old DCs.

Regarding deleted objects: if you want to get rid of deleted objects you
can modify tombstoneLifeTime which is a configuration item.
Here are information about changing that parameter:
https://www.petri.com/changing_the_tombstone_lifetime_windows_ad

Why change that parameter? You have deleted objects, and they could be what
blocks you (I'm arriving at work and I haven't fully read all your mails, not
carefully enough at least). After changing that parameter to 1 (days) and waiting
for 1 day, your deleted objects will be really deleted, unless I missed
something about that parameter.

Regarding missing FSMO: I would try to seize them (with --force at least)
on each FSMO, one by one.
If that does not work you can try to force them manually.

Here are my own FSMO:
ldbsearch --cross-ncs -H $sam fsmoroleowner=* dn fSMORoleOwner
# record 1
dn: CN=Schema,CN=Configuration,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

# record 2
dn: CN=Partitions,CN=Configuration,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

# record 3
dn: CN=Infrastructure,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

# record 4
dn: CN=Infrastructure,DC=ForestDnsZones,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

# record 5
dn: CN=Infrastructure,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

# record 6
dn: DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

# record 7
dn: CN=RID Manager$,CN=System,DC=samba,DC=domain,DC=tld
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld

You could try to use some LDIF files to add fSMORoleOwner attribute to FSMO
roles:
---------------------
dn: DC=samba,DC=domain,DC=tld
changetype: modify
add: fSMORoleOwner
fSMORoleOwner: CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Autres,CN=Sites,CN=Conf
iguration,DC=samba,DC=domain,DC=tld
---------------------------------

Before using that LDIF:
- you must verify that the object declared as the new fSMORoleOwner exists.
- you must choose CN=NTDS Settings,CN=<YOUR_WORKING_DC>,...............
- you should try to add only one role and verify the role is set correctly
before trying to add the other roles
- you MUST take note of what you do, to roll back these tries in case they
don't work (about which I have no idea).
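To apply the checks in this post offline, here is an added Python example (not from the thread and not Samba's own code): it parses ldbsearch output for the role objects, lists the ones with no fSMORoleOwner (the condition behind the KeyError 'No such element' seen above), and builds the modify LDIF for a chosen owner, refusing any owner DN that is not in a list of existing NTDS Settings objects. The sample output, the CBADC01 NTDS Settings DN and the KNOWN_NTDS set are constructed assumptions.

```python
import re

# Constructed sample shaped like "ldbsearch --cross-ncs fsmoroleowner=* dn fSMORoleOwner"
# output (ldb folds long values; continuation lines begin with one space). Records 2 and
# 3 are role objects with no owner, as in the thread.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=cb,DC=cliffbells,DC=com
fSMORoleOwner: CN=NTDS
  Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
 iguration,DC=cb,DC=cliffbells,DC=com

# record 2
dn: CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com

# record 3
dn: CN=Infrastructure,DC=cb,DC=cliffbells,DC=com

# returned 3 records
"""
# NTDS Settings objects that exist (in practice from ldbsearch --cross-ncs
# '(objectClass=nTDSDSA)' dn); constructed here with only the surviving DC.
WORKING_DC_NTDS = ("CN=NTDS Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,"
                   "CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com")
KNOWN_NTDS = {WORKING_DC_NTDS}

def parse_ldif_records(text):
    """Return one {attr: [values]} dict per LDIF record, unfolding wrapped lines."""
    records = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):  # blank line = record end
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):  # skip ldbsearch comment lines
                attr, _, value = line.partition(":")
                rec.setdefault(attr.strip(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def missing_fsmo_owners(records):
    """DNs whose fSMORoleOwner is absent: what makes fsmo.py raise KeyError."""
    return [r["dn"][0] for r in records
            if "dn" in r and not any(r.get("fSMORoleOwner", []))]

def build_fixup_ldif(missing_dns, owner_dn, known_ntds_dns):
    """One 'changetype: modify / add: fSMORoleOwner' entry per role; refuses an
    owner that is not a known NTDS Settings object (the post's first check)."""
    if owner_dn not in known_ntds_dns:
        raise ValueError("not an existing NTDS Settings object: %s" % owner_dn)
    return "\n".join("dn: %s\nchangetype: modify\nadd: fSMORoleOwner\n"
                     "fSMORoleOwner: %s\n" % (dn, owner_dn) for dn in missing_dns)
```

Feed the generated LDIF to ldbmodify one role at a time, re-running the ldbsearch from the post after each to confirm the attribute is set, as the post advises.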