Tuesday, 15 March 2011

AD DS Operation Failed – directory service is missing mandatory configuration – Event ID 2091 – FSMO Role Broken

We went to run a DCPromo on a temporary DC to remove it from a domain and received the following error:

image

Active Directory Domain Services Installation Wizard

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=DOMAIN,DC=LOCAL to Active Directory Domain Controller \\SBS.DOMAIN.LOCAL.

“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

In the temporary DC’s Event Logs we found the following:

image

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          3/12/2011 12:29:37 PM
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      TempDC.DOMAIN.LOCAL
Description:

Ownership of the following FSMO role is set to a server which is deleted or does not exist.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
FSMO Server DN: CN=NTDS Settings\0ADEL:b3541fc4-50cc-4c12-96be-e5239b314bea,CN=OLD-DC\0ADEL:da50a8ba-dbc7-4219-8d68-ffa03b38c030,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
 
User Action:
 
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently.  If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

The referenced OLD-DC was an original Windows Server from eight years ago!

Long story short, make sure to open ADSIEdit _on the affected FSMO Role owner_ and make the necessary changes there. When we tried to change the required settings on TempDC we kept getting errors.

  1. Obtain the correct setting:
    1. On the affected role owner open ADSIEdit.
    2. Click on Default Naming Context [SBS.Domain.Local].
    3. Click on DC=Domain,DC=Local.
    4. Double click on CN=Infrastructure at the bottom of the list of folders.
    5. Locate the fSMORoleOwner attribute and click on it.
    6. Click the Edit button.
    7. CTRL+C to copy the contents of the attribute.
    8. Click CANCEL twice.
  2. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Domain,DC=Local
      2. image
    3. Click on Default Naming Context [SBS.Domain.Local] to populate it.
    4. Click on DC=DomainDNSZones,DC=Domain,DC=Local folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Domain,DC=Local.

Once the above steps were completed on the FSMO Role owner for Infrastructure we were able to properly demote the temporary DC.

NOTE

The error we kept receiving when trying to edit the FSMO Role owner setting on TempDC was the following:

image

ADSIEdit

Operation failed. Error code: 0x20ae
The role owner attribute could not be read.

000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

The above message took a while to decipher that we were being told to move our FSMO editing operations over to the Role Owner!

Further Reading

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.

Windows Live Writer

78 comments:

  1. Thanks Bro, saved me

    ReplyDelete
  2. Thanks, from me as well, saved my butt too!!! Great post!

    ReplyDelete
  3. Thanks, the post saved my Day (or better Night)

    ReplyDelete
  4. Thanks bro, you save my life!

    ReplyDelete
  5. Fantastic article, got hit by this at 10:30pm, my heart was sinking. Why don't MS publish this?

    ReplyDelete
  6. Thanks alot, been looking out for a solution to this problem for a while now, glad i came across your blog.
    you made my day

    ReplyDelete
  7. Brilliant, worked first time!

    ReplyDelete
  8. Thanks great post and save my day too :)

    ReplyDelete
  9. Great post, your resolution worked like a charm and will help in future DC removals. Much better than what other users recommend a force removal!

    ReplyDelete
  10. I'm not sure I understand how to resolve the error when editing the fSMORoleOwner parameter with ADSIEDIT.

    "Operation failed. Error code: 0x20ae
    The role owner attribute could not be read."

    Can anyone shed some light on it?

    Olly

    ReplyDelete
  11. Thanks very much - solved my issue. Very clear instructions.

    Chris.

    ReplyDelete
  12. Thanks for this post. Totally solved my problem. Note - I did have to replace the generic DC=Domain with DC=myactualdomain in order to get it to connect properly in ADSI edit.
    Most probably know this but just in case... Thanks again!

    ReplyDelete
  13. Thanks for this post. Totally solved my problem. Note - I did have to replace the generic DC=Domain with DC=myactualdomain in order to get it to connect properly in ADSI edit.
    Most probably know this but just in case... Thanks again!

    ReplyDelete
  14. Hi, i have the exact same issue.
    I have tried to follow your document and i get to the point that when i try to edit the FSMO Role owner setting on the DC i get the error" Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.

    000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0"
    How can i edit this?
    I went through your links below that and i still don't know how did you manage to edit it.
    Can you help?
    Thanks

    ReplyDelete
  15. Hi. Thanks for the post. Ran into the same problem this week and this helped fix it.

    ReplyDelete
  16. Hey, same here thanks for writing this up. Helped me just now as well.

    ReplyDelete
  17. Thanks - saved me too

    ReplyDelete
  18. Thanks for the link and the clarifying NOTE that made me re-read the article more carefully.

    ReplyDelete
  19. Thanks a lot for this worked first time much appreciated.

    ReplyDelete
  20. Thanks!! You save my night!!

    ReplyDelete
  21. Saved us. Thank you!

    Used ntdsutil to get Infrastructure master value. Used that for value in forest and domain fSMORoleOwner. You should submit a request to have this published to the MSKB.

    ReplyDelete
  22. Can't tell you how many untold hours you saved me with this post. If I had a first born son I'd name him after you. Thanks a million!

    ReplyDelete
  23. I was following a SWING migration and this is the part where i have to decommission the tempdc. the error occured, but i couldn't get to carry out the steps outlined above because i was working on the wrong server.

    i think the steps above is applicable on the tempdc, but with the error appearing everytime i click 'apply' i found out the problem is that i have to apply the changes on the main server.

    took me about 30min to read through the posts and figure out what's wrong.

    after making the change on the main DC, in ForestDNSZones and DomainDNSZones, the problem was resolved. I can decommission the TempDC.

    ReplyDelete
  24. I had this problem but this did not help unfortunately. The solution in my case was to follow the steps under "Transfer FSMO roles" here:

    http://support.microsoft.com/kb/255504/en-us

    ReplyDelete
  25. worked for me too as of march 2014. Would be nice to know why this happens. I assume a customer removed a DC improperly, seized the FSMO role for Infrastructure and this issues was silent until now. Any Ideas?

    ReplyDelete
  26. Thank you!!!

    ReplyDelete
  27. Awesome!! Saved my day..

    ReplyDelete
  28. well illustrated, it saved teh day.

    ReplyDelete
  29. well illustrated, it saved the day.

    ReplyDelete
  30. Thanks!!! I really appreciate this and I'm shocked (not really) this isn't a M$ KB.

    ReplyDelete
  31. I just wanted to add on this date I follow the instructions to the letter and after forcing a replication was able to decommission and DC and remove a subdomain from the forest. ~thank you

    ReplyDelete
  32. Awesome post...thank you so much. Just used this to cleanly demote an old Win2003 DC after installing a new Win2012 DC! The FSMO owner in the ForestDNSZones turned out to be the culprit. Saved me a ton of time for sure!

    ReplyDelete
  33. Thanks for this awesome detailed documentation. I've used this at two different customer environments now and it has saved me hours of frustration. Nice work and good job giving credit where credit is due.

    ReplyDelete
  34. Thank you! This was really helpful!

    ReplyDelete
  35. Thank you, this was very helpful!

    ReplyDelete
  36. Thanks, it was very helpful!

    ReplyDelete
  37. It works for me too, thank you very much.

    ReplyDelete
  38. Still saving butts in late March 2016, thanks for this!!

    ReplyDelete
  39. Just keeps giving. Great post, saved days of work. Thank you!

    ReplyDelete
  40. April 2016 - Just saved me a few hours! Nice

    ReplyDelete
  41. ThathathathaNK You!!!

    ReplyDelete
  42. Great article
    If you get the error message that the holder can't be read run the Microsoft script and so its set resets the 0ael to the local server name AND THEN copy and paste to all the effected zones

    ReplyDelete
  43. Satish Y (India)

    Awesome!! You Saved my day...

    ReplyDelete
  44. Thank you! Saved me a few hours!

    ReplyDelete
  45. Excellent step by step - Understood it perfectly
    Worked Instantly

    ReplyDelete
  46. Great Post!! It worked like a charm. Thanks so much!!

    ReplyDelete
  47. great help, thanks

    ReplyDelete
  48. Great help, was banging me head against a wall until I followed this post. Thanks!

    ReplyDelete
  49. Helped me as well. Thanks!

    ReplyDelete
  50. Thanks. It helped.

    ReplyDelete
  51. Worked for me as well! Note that it did not take effect immediately, had to wait about 15 minutes before the affected DC was able to demote itself.

    ReplyDelete
  52. Thanks a mill. Worked a treat on my 2008 DC

    ReplyDelete
  53. Worked a charm.. Concise instructions... Brilliant. Many thanks

    ReplyDelete
  54. Hugely helpful in solving my problem, I can finally get on with my life again :)

    ReplyDelete
  55. Man was really banging on this one, worked like a charm. Thanks!

    ReplyDelete
  56. Best guide on this subject by a long shot.
    Really nicely done.
    Thank you so much.

    ReplyDelete
  57. Very useful info. Thanks you

    ReplyDelete
  58. Very helpful. This information is around but very cryptic. Your post is excellent.

    ReplyDelete
  59. Thank you so much for this, I was finally able to decommission an old 2008 DC successfully. The information is out there on the web but this is the only site I could find with it all in one place.

    ReplyDelete
  60. Hello,

    Good Job and thank you for help.

    ReplyDelete
  61. Thanks for the help! Really useful

    ReplyDelete
  62. Still actual :)

    ReplyDelete
  63. We use Microsoft AD with a Samba backup. I easily found how to transfer the 5 fsmo roles, but samba showed the old AD for DomainDnsZones and ForestDnsZones. I spent a lot of time trying to figure out how to move these roles. Your post written way back in 2011 was the best documentation I found and it worked beautifully. Thank you so much.

    ReplyDelete
  64. Thanks A lot!!!

    ReplyDelete
  65. For anyone receiving the final error run "netdom query FSMO" and find the infrastructure master. Then make the changes from that domain controller, not from the controller you are trying to demote

    ReplyDelete
  66. Wow, 13 years and 2 days later, I found this post and it got me quickly out of a jam trying to get an old 2008 R2 domain controller out of a freshly migrated system. Thanks for the post!

    -MD in Indy

    ReplyDelete
  67. Still legit in 2024! Just used it for a 2011 SBS/2008 DC. This is probably one of my favorite articles that I've run across in my career, and I'm surprised after all the orphaned DCs that I've encountered, this is the first time I've experienced this issue. Thanks!

    ReplyDelete
  68. Saved me! 10/07/24

    ReplyDelete

NOTE: All comments are moderated.