Tagged: dcpromo 2008r2 fsmo
Dominus1701 (Participant), November 21, 2019 at 2:03 pm, #624968
I’m trying to remove a 2008 R2 Domain Controller from my domain. I run through DCPROMO and it fails saying:
The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=[domain],DC=local to
Active Directory Domain Controller \\red.[domain].local.
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”
Looking at the event logs I get this bit of information:
EVENT ID: 2091
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=[domain],DC=local
FSMO Server DN: CN=NTDS Settings\0ADEL:0484546d-5c60-4f08-9cfa-fa79b970d626,CN=CRIMSON\0ADEL:fbeda01d-bcde-4c8f-81f3-4da3e26e9044,CN=Servers,CN=Lexington,CN=Sites,CN=Configuration,DC=[domain],DC=local
“CRIMSON” is a very old Domain Controller that failed like 7 years ago. I did have to seize the FSMO roles when that happened – all of which are now being handled by a server called “RED”. I performed metadata cleanup (via NTDSUTIL) at that time too.
As you can see, the FSMO roles are being handled properly:
PS C:\Windows\system32> netdom query fsmo
Schema master red.[domain].local
Domain naming master red.[domain].local
RID pool manager red.[domain].local
Infrastructure master red.[domain].local
The command completed successfully.
The domain has been functioning properly since that time with NO issues at all. I’ve even added two additional domain controllers and added/removed countless member servers and workstations in that time.
Searching Google, I’ve checked things like bogus DNS records, seized the FSMO roles again (to the same server, so they actually “transferred” without issue), forced replication among my three DCs, and searched for things with ADSI Edit. Nothing I’ve tried is allowing me to see where remnants of CRIMSON are lingering in the Active Directory, so I can’t “clean” it out.
I’ve been tempted to use NTDSUTIL to “remove selected server….” with the DN supplied in the event logs, but I’m not wanting to nuke my Active Directory. So I’m here asking for other things to look for and try so I can remove this machine and move on.
Dominus1701 (Participant), November 21, 2019 at 3:31 pm, #624970
UPDATE and Solution
After searching and pulling my hair out for about four and a half hours today, I discovered that when Crimson failed oh so long ago, it was in control of two other “FSMO” roles – ForestDNSZones and DomainDNSZones. Thanks to the web sites linked below I was able to use a Visual Basic script to “cure” the problem. The script is called “FixFSMO.vbs” and I ran it in an elevated command prompt on Red – the domain controller with all the other FSMO roles – for both the DomainDNSZones and ForestDNSZones – like this:
cscript fixfsmo.vbs DC=DomainDnsZones,DC=[domain],DC=local
cscript fixfsmo.vbs DC=ForestDnsZones,DC=[domain],DC=local
Afterward, I was able to successfully demote Scarlet from Domain Controller duty.
Here’s the site explaining the EXACT issue I was having: https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/
And here’s the site that explained how to run the script: https://support.microsoft.com/en-us/help/949257/error-message-when-you-run-the-adprep-rodcprep-command-in-windows-serv
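
Added example (not part of the original posts, and not the FixFSMO.vbs script): a read-only PowerShell check that reads the fSMORoleOwner attribute on the Infrastructure object of each application partition, which is the value Event ID 2091 complains about, and flags owners whose DN carries the deleted-object marker `\0ADEL:`. It assumes the ActiveDirectory module is available and that the domain controller you query hosts the DNS application partitions; the `$Server` variable is an illustrative name.

```powershell
# Added example: read-only check, nothing in the directory is modified.
# Assumption: ActiveDirectory module is installed and the queried DC
# hosts the DomainDnsZones / ForestDnsZones application partitions.
Import-Module ActiveDirectory

# Assumption: query the DC that currently holds the domain Infrastructure role.
$Server = (Get-ADDomain).InfrastructureMaster

# Application partitions registered in the forest (DomainDnsZones,
# ForestDnsZones and any custom ones).
$partitions = (Get-ADForest).ApplicationPartitions

foreach ($partition in $partitions) {
    $dn = "CN=Infrastructure,$partition"
    try {
        $obj = Get-ADObject -Identity $dn -Properties fSMORoleOwner `
                            -Server $Server -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not read $dn : $($_.Exception.Message)"
        continue
    }

    $owner = $obj.fSMORoleOwner

    # An owner DN that points at a deleted NTDS Settings object contains
    # "\0ADEL:<guid>", as in the FSMO Server DN shown in Event ID 2091.
    $stale = (-not $owner) -or ($owner -match '\\0ADEL:')

    # New-Object is used so the script also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Partition     = $partition
        FsmoRoleOwner = $owner
        Stale         = $stale
    }
}
```

These per-partition owners do not appear in `netdom query fsmo` output, so a row with Stale set to True here is consistent with the situation described in the thread.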