We went to run a DCPromo on a temporary DC to remove it from a domain and received the following error:
Active Directory Domain Services Installation Wizard
The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=DOMAIN,DC=LOCAL to Active Directory Domain Controller \\SBS.DOMAIN.LOCAL.
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
In the temporary DC’s Event Logs we found the following:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 3/12/2011 12:29:37 PM
Event ID: 2091
Task Category: Replication
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: TempDC.DOMAIN.LOCAL
Description:Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
FSMO Server DN: CN=NTDS Settings\0ADEL:b3541fc4-50cc-4c12-96be-e5239b314bea,CN=OLD-DC\0ADEL:da50a8ba-dbc7-4219-8d68-ffa03b38c030,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
User Action:
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
The referenced OLD-DC was an original Windows Server from eight years ago!
Long story short, make sure to open ADSIEdit _on the affected FSMO Role owner_ and make the necessary changes there. When we tried to change the required settings on TempDC we kept getting errors.
- Obtain the correct setting:
- On the affected role owner open ADSIEdit.
- Click on Default Naming Context [SBS.Domain.Local].
- Click on DC=Domain,DC=Local.
- Double click on CN=Infrastructure at the bottom of the list of folders.
- Locate the fSMORoleOwner attribute and click on it.
- Click the Edit button.
- CTRL+C to copy the contents of the attribute.
- Click CANCEL twice.
- Correct the problematic settings:
- Right click the ADSI Edit root and click on Connect to…
- Use the following connection point:
- Click on Default Naming Context [SBS.Domain.Local] to populate it.
- Click on DC=DomainDNSZones,DC=Domain,DC=Local folder.
- Double click on CN=Infrastructure.
- Locate the fSMORoleOwner attribute and click on it.
- Click the Edit button.
- CTRL+V to paste the correct setting.
- Click OK and then Apply.
- Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Domain,DC=Local.
Once the above steps were completed on the FSMO Role owner for Infrastructure we were able to properly demote the temporary DC.
NOTE
The error we kept receiving when trying to edit the FSMO Role owner setting on TempDC was the following:
ADSIEdit
Operation failed. Error code: 0x20ae
The role owner attribute could not be read.000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0
The above message took a while to decipher that we were being told to move our FSMO editing operations over to the Role Owner!
Further Reading
- Microsoft KB949257: Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com"
- We could not get the script to run properly. Though, we were attempting to run it on the TempDC instead of the FSMO Role Owner.
- Microsoft Forums: dcpromo remove domain controller failed
- Helped to guide us into the right direction.
- Microsoft KB867464: Event ID 4515 is logged in the DNS Server log in Windows Server 2003
- Error is completely irrelevant. OPTION 1 showed us how to get connected to ForestDNSZones and DomainDNSZones in ADSIEdit.
- TechArena Forums: Infrastructure FSMO role owner attibute [sic] not correct in root do
- We opened a ticket on the Microsoft Partner Forum: DCPromo Fail - AD DS could not transfer the remaining data in directory partition ... missing mandatory configuration. FSMO.
- Green Yi’s reply helped us to focus in on finding the solution.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.
Thanks Bro, saved me
ReplyDeleteThanks, from me as well, saved my butt too!!! Great post!
ReplyDeleteThanks, the post saved my Day (or better Night)
ReplyDeleteThanks bro, you save my life!
ReplyDeleteFantastic article, got hit by this at 10:30pm, my heart was sinking. Why don't MS publish this?
ReplyDeleteThanks alot, been looking out for a solution to this problem for a while now, glad i came across your blog.
ReplyDeleteyou made my day
Thanks!
ReplyDeleteBrilliant, worked first time!
ReplyDeleteThanks great post and save my day too :)
ReplyDeleteGreat post, your resolution worked like a charm and will help in future DC removals. Much better than what other users recommend a force removal!
ReplyDeleteI'm not sure I understand how to resolve the error when editing the fSMORoleOwner parameter with ADSIEDIT.
ReplyDelete"Operation failed. Error code: 0x20ae
The role owner attribute could not be read."
Can anyone shed some light on it?
Olly
Thanks very much - solved my issue. Very clear instructions.
ReplyDeleteChris.
Thanks for this post. Totally solved my problem. Note - I did have to replace the generic DC=Domain with DC=myactualdomain in order to get it to connect properly in ADSI edit.
ReplyDeleteMost probably know this but just in case... Thanks again!
Thanks for this post. Totally solved my problem. Note - I did have to replace the generic DC=Domain with DC=myactualdomain in order to get it to connect properly in ADSI edit.
ReplyDeleteMost probably know this but just in case... Thanks again!
Hi, i have the exact same issue.
ReplyDeleteI have tried to follow your document and i get to the point that when i try to edit the FSMO Role owner setting on the DC i get the error" Operation failed. Error code: 0x20ae
The role owner attribute could not be read.
000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0"
How can i edit this?
I went through your links below that and i still don't know how did you manage to edit it.
Can you help?
Thanks
Hi. Thanks for the post. Ran into the same problem this week and this helped fix it.
ReplyDeleteHey, same here thanks for writing this up. Helped me just now as well.
ReplyDeleteTHANK YOU!!!
ReplyDeleteThanks - saved me too
ReplyDeleteBRILLIANT!!!!!
ReplyDeleteThank you!!!
ReplyDeleteThanks for the link and the clarifying NOTE that made me re-read the article more carefully.
ReplyDeleteThanks a lot for this worked first time much appreciated.
ReplyDeleteThanks!! You save my night!!
ReplyDeleteSaved us. Thank you!
ReplyDeleteUsed ntdsutil to get Infrastructure master value. Used that for value in forest and domain fSMORoleOwner. You should submit a request to have this published to the MSKB.
Can't tell you how many untold hours you saved me with this post. If I had a first born son I'd name him after you. Thanks a million!
ReplyDeleteI was following a SWING migration and this is the part where i have to decommission the tempdc. the error occured, but i couldn't get to carry out the steps outlined above because i was working on the wrong server.
ReplyDeletei think the steps above is applicable on the tempdc, but with the error appearing everytime i click 'apply' i found out the problem is that i have to apply the changes on the main server.
took me about 30min to read through the posts and figure out what's wrong.
after making the change on the main DC, in ForestDNSZones and DomainDNSZones, the problem was resolved. I can decommission the TempDC.
I had this problem but this did not help unfortunately. The solution in my case was to follow the steps under "Transfer FSMO roles" here:
ReplyDeletehttp://support.microsoft.com/kb/255504/en-us
worked for me too as of march 2014. Would be nice to know why this happens. I assume a customer removed a DC improperly, seized the FSMO role for Infrastructure and this issues was silent until now. Any Ideas?
ReplyDeleteThank you!!!
ReplyDeleteAwesome!! Saved my day..
ReplyDeletehelped. thx! (:
ReplyDeletewell illustrated, it saved teh day.
ReplyDeletewell illustrated, it saved the day.
ReplyDeleteThanks!!! I really appreciate this and I'm shocked (not really) this isn't a M$ KB.
ReplyDeleteI just wanted to add on this date I follow the instructions to the letter and after forcing a replication was able to decommission and DC and remove a subdomain from the forest. ~thank you
ReplyDeleteAwesome post...thank you so much. Just used this to cleanly demote an old Win2003 DC after installing a new Win2012 DC! The FSMO owner in the ForestDNSZones turned out to be the culprit. Saved me a ton of time for sure!
ReplyDeleteThanks for this awesome detailed documentation. I've used this at two different customer environments now and it has saved me hours of frustration. Nice work and good job giving credit where credit is due.
ReplyDeleteThank you! This was really helpful!
ReplyDeleteThank you, this was very helpful!
ReplyDeleteThanks, it was very helpful!
ReplyDeleteIt works for me too, thank you very much.
ReplyDeleteStill saving butts in late March 2016, thanks for this!!
ReplyDeleteJust keeps giving. Great post, saved days of work. Thank you!
ReplyDeleteApril 2016 - Just saved me a few hours! Nice
ReplyDeleteThathathathaNK You!!!
ReplyDeleteThanks, very helpful!
ReplyDeleteGreat article
ReplyDeleteIf you get the error message that the holder can't be read run the Microsoft script and so its set resets the 0ael to the local server name AND THEN copy and paste to all the effected zones
Satish Y (India)
ReplyDeleteAwesome!! You Saved my day...
Thank you! Saved me a few hours!
ReplyDeleteExcellent step by step - Understood it perfectly
ReplyDeleteWorked Instantly
Great Post!! It worked like a charm. Thanks so much!!
ReplyDeletegreat help, thanks
ReplyDeleteGreat help, was banging me head against a wall until I followed this post. Thanks!
ReplyDeleteHelped me as well. Thanks!
ReplyDeleteThanks. It helped.
ReplyDeleteWorked for me as well! Note that it did not take effect immediately, had to wait about 15 minutes before the affected DC was able to demote itself.
ReplyDeleteThanks !!!
ReplyDeleteThanks a mill. Worked a treat on my 2008 DC
ReplyDeleteWorked a charm.. Concise instructions... Brilliant. Many thanks
ReplyDeleteHugely helpful in solving my problem, I can finally get on with my life again :)
ReplyDeleteGlad to help folks. :O)
ReplyDeleteLife saver, thanks again!
ReplyDeleteLife saver, thanks again!
ReplyDeleteMan was really banging on this one, worked like a charm. Thanks!
ReplyDeleteBest guide on this subject by a long shot.
ReplyDeleteReally nicely done.
Thank you so much.
Very useful info. Thanks you
ReplyDeleteVery helpful. This information is around but very cryptic. Your post is excellent.
ReplyDeleteThank you so much for this, I was finally able to decommission an old 2008 DC successfully. The information is out there on the web but this is the only site I could find with it all in one place.
ReplyDeleteHello,
ReplyDeleteGood Job and thank you for help.
Thanks for the help! Really useful
ReplyDeleteStill actual :)
ReplyDeleteWe use Microsoft AD with a Samba backup. I easily found how to transfer the 5 fsmo roles, but samba showed the old AD for DomainDnsZones and ForestDnsZones. I spent a lot of time trying to figure out how to move these roles. Your post written way back in 2011 was the best documentation I found and it worked beautifully. Thank you so much.
ReplyDeleteThanks A lot!!!
ReplyDeleteFor anyone receiving the final error run "netdom query FSMO" and find the infrastructure master. Then make the changes from that domain controller, not from the controller you are trying to demote
ReplyDeleteWow, 13 years and 2 days later, I found this post and it got me quickly out of a jam trying to get an old 2008 R2 domain controller out of a freshly migrated system. Thanks for the post!
ReplyDelete-MD in Indy
Still legit in 2024! Just used it for a 2011 SBS/2008 DC. This is probably one of my favorite articles that I've run across in my career, and I'm surprised after all the orphaned DCs that I've encountered, this is the first time I've experienced this issue. Thanks!
ReplyDeleteSaved me! 10/07/24
ReplyDelete