Failed DCPROMO Demote of Server 2008 R2 DC


This topic contains 2 replies, has 2 voices, and was last updated by Ossian 1 week, 6 days ago.

    Dominus1701
    Participant
    #624968

    I’m trying to remove a 2008 R2 Domain Controller from my domain. I run through DCPROMO and it fails saying:

    The operation failed because:

    Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=[domain],DC=local to
    Active Directory Domain Controller \\red.[domain].local.

    “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

    Looking at the event logs I get this bit of information:
    EVENT ID: 2091

    Ownership of the following FSMO role is set to a server which is deleted or does not exist.
    Operations which require contacting a FSMO operation master will fail until this condition is corrected.

    FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=[domain],DC=local
    FSMO Server DN: CN=NTDS Settings\0ADEL:0484546d-5c60-4f08-9cfa-fa79b970d626,CN=CRIMSON\0ADEL:fbeda01d-bcde-4c8f-81f3-4da3e26e9044,CN=Servers,CN=Lexington,CN=Sites,CN=Configuration,DC=[domain],DC=local

    “CRIMSON” is a very old Domain Controller that failed like 7 years ago. I did have to seize the FSMO roles when that happened – all of which are now being handled by a server called “RED”. I performed metadata cleanup (via NTDSUTIL) at that time too.

    As you can see, the FSMO roles are being handled properly:

    PS C:\Windows\system32> netdom query fsmo
    Schema master red.[domain].local
    Domain naming master red.[domain].local
    PDC red.[domain].local
    RID pool manager red.[domain].local
    Infrastructure master red.[domain].local
    The command completed successfully.

    The domain has been functioning properly since that time with NO issues at all. I’ve even added two additional domain controllers and added/removed countless member servers and workstations in that time.

    Searching Google, I’ve checked things like bogus DNS records, seized the FSMO roles again (to the same server, so they actually “transferred” without issue), forced replication among my three DCs, and searched for things with ADSI Edit. Nothing I’ve tried is allowing me to see where remnants of CRIMSON are lingering in the Active Directory, so I can’t “clean” it out.

    I’ve been tempted to use NTDSUTIL to “remove selected server….” with the DN supplied in the event logs, but I’m not wanting to nuke my Active Directory. So I’m here asking for other things to look for and try so I can remove this machine and move on.

    Dominus1701
    Participant
    #624970

    UPDATE and Solution

    After searching and pulling my hair out for about four and a half hours today, I discovered that when Crimson failed oh so long ago, it was in control of two other “FSMO” roles – ForestDNSZones and DomainDNSZones. Thanks to the web sites linked below I was able to use a Visual Basic script to “cure” the problem. The script is called “FixFSMO.vbs” and I ran it in an elevated command prompt on Red – the domain controller with all the other FSMO roles – for both the DomainDNSZones and ForestDNSZones – like this:

    cscript fixfsmo.vbs DC=DomainDnsZones,DC=[domain],DC=local

    cscript fixfsmo.vbs DC=ForestDnsZones,DC=[domain],DC=local

    Afterward, I was able to successfully demote Scarlet from Domain Controller duty.

    Here’s the site explaining the EXACT issue I was having: https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/

    And here’s the site that explained how to run the script: https://support.microsoft.com/en-us/help/949257/error-message-when-you-run-the-adprep-rodcprep-command-in-windows-serv
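
A read-only check for the condition described in this post, useful before demoting a DC (added example in PowerShell, not part of the original thread and not the FixFSMO.vbs script): it reads the fSMORoleOwner attribute of the Infrastructure object in each DNS application partition and flags an owner whose DN carries the `\0ADEL:` deleted-object marker seen in Event ID 2091. It assumes the ActiveDirectory module (RSAT) is installed; the function name Test-StaleRoleOwner is made up for this example.

```powershell
# Added example: reports only, changes nothing in the directory.
Import-Module ActiveDirectory

function Test-StaleRoleOwner {
    param([string]$OwnerDN)
    # An empty owner, or a DN containing the "\0ADEL:<objectGUID>" marker
    # (the object was deleted), means the role points at a server that is gone.
    return [string]::IsNullOrEmpty($OwnerDN) -or ($OwnerDN -match '\\0ADEL:')
}

# Build the partition DNs from the directory itself rather than hard-coding them.
$rootDse    = Get-ADRootDSE
$partitions = @(
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)

$report = foreach ($partition in $partitions) {
    $owner = $null
    $err   = $null
    try {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$partition" `
                              -Properties fSMORoleOwner -ErrorAction Stop
        $owner = $infra.fSMORoleOwner
    }
    catch {
        # Partition not hosted on the DC we bound to, or the object is unreadable.
        $err = $_.Exception.Message
    }
    [pscustomobject]@{
        Partition = $partition
        RoleOwner = $owner
        Stale     = Test-StaleRoleOwner $owner
        Error     = $err
    }
}

$report | Format-List

# Exit non-zero when any partition has a stale owner, so the check can gate a demotion.
if ($report | Where-Object { $_.Stale }) { exit 1 }
```

A row with Stale set to True and a RoleOwner like the "FSMO Server DN" in the event above is the state that blocked the demotion here.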

    Ossian
    Moderator
    #625012

    Well done, and thanks for reporting back
