On a Server 2008 R2 machine, I had an issue demoting it from being a Domain Controller after moving the FSMO roles onto a new machine. This was after a second domain controller died. I am not sure of the previous history of where the FSMO roles had been for this client.
Two new DCs were created and promoted, after cleaning up DNS to remove the old configuration of the dead DC.
The Error
I was presented with the following error in a dialog box and in the event log:
Event ID: 2022
The operations master roles held by this directory server could not transfer to the following remote directory server. Remote directory server: \\EDU-NEWAD02.EDU.local This is preventing removal of this directory server. User Action Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again. Additional Data Error value: 5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
There was also a second event, Event ID: 2091
Ownership of the following FSMO role is set to a server which is deleted or does not exist. Operations which require contacting a FSMO operation master will fail until this condition is corrected. FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=EDU,DC=local FSMO Server DN: CN=NTDS Settings\0ADEL:bf05e3dc-9acf-4de5-9358-89bc719fb445,CN=EDU-AD01\0ADEL:dbe9f89d-aa5c-4ad0-bee6-618aa0f1fa31,CN=Servers,CN=MainOffice,CN=Sites,CN=Configuration,DC=EDU,DC=local
The Cause
So basically, the FSMO roles moved successfully, and running the following on each domain controller:
netdom query fsmo
showed the correct server holding the roles.
The first dialog box when performing DCPromo.exe shows the name of the new secondary domain controller. However, the second event ID points to an issue in the directory where the OLD record of the dead DC is still being used as the Infrastructure role owner of the DNS application partition.
You can see this by opening ADSI Edit:
- Right click the ADSI Edit root and click on Connect to…
- Use the following connection point: DC=DomainDNSZones,DC=Company,DC=Com
- Click on Default Naming Context [DC.Company.Com] to populate it.
- Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
- Double click on CN=Infrastructure.
- Locate the fSMORoleOwner attribute.
In the fSMORoleOwner value you will see 0ADEL, which marks a deleted object (the dead DC).
The issue was caused by the second new domain controller having the same IP address as the old, dead domain controller. This led to the remaining DC getting confused, thinking its missing friend was still alive, and corrupting the update of the fSMORoleOwner attribute.
I tried to fix this by following this article, but was given an error about security and was not allowed to overwrite the value.
The solution
Microsoft KB949257 holds the fix. Because the article talks about Read-Only Domain Controllers, most people skip over it, but the script it provides does work.
You must run it on the FSMO role holder, and then wait for replication. I left mine overnight, and when I checked in the morning I was getting the correct attribute when viewing it in ADSI Edit.
Even if you have not re-used the OLD DC's IP address, you may find this issue still applies to you.
Credit also to this blog post written by Chris Davis for pointing me back to the Microsoft KB article as the fix.
The Script
Open Notepad, drop the below into it, save it as FixfSMO.vbs, and run it from an elevated command prompt: “cscript c:\location\FixfSMO.vbs”.
Someone online had issues running the VBS because they were trying to fix the case where the value in ADSI Edit had been cleared, and overcame this by passing the partition DN as an argument, first for the forest DNS zone:
- cscript fixfsmo.vbs dc=forestdnszones,dc=mydomain,dc=org
then for the domain DNS zone:
- cscript fixfsmo.vbs dc=domaindnszones,dc=mydomain,dc=org
const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2
set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.
    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner", strDsServiceName
        objInfra.SetInfo

        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if

End if
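The ADSI Edit walk-through above only checks one partition by hand, and the KB script only touches the partition you name. The following read-only PowerShell check is an added example, not part of the original post or of KB949257: it enumerates every naming context the DC hosts, reads the fSMORoleOwner of each CN=Infrastructure object, flags any value carrying the 0ADEL deleted-object marker (the condition behind Event ID 2091), and confirms that a non-deleted value still resolves to an existing NTDS Settings object. Run it against each DC in turn after the fix to confirm replication has completed. It assumes the RSAT ActiveDirectory module is installed; the $Server parameter name is this example's own.

```powershell
# Added example (not from the original post or KB949257): read-only check of the
# fSMORoleOwner attribute on the CN=Infrastructure object of every partition.
# Assumes the RSAT ActiveDirectory module and a domain-joined console session.
# $Server is the DC to query; pass each DC in turn to confirm replication finished.
param(
    [string]$Server = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1)
)

Import-Module ActiveDirectory

# RootDSE lists every naming context this DC hosts: the domain, schema and
# configuration partitions plus DomainDnsZones, ForestDnsZones and any other
# application partitions.
$rootDse = Get-ADRootDSE -Server $Server

foreach ($nc in $rootDse.namingContexts) {
    $infraDn = "CN=Infrastructure,$nc"

    # The schema and configuration partitions have no CN=Infrastructure object;
    # skip anything that cannot be read rather than treating it as a failure.
    try {
        $infra = Get-ADObject -Server $Server -Identity $infraDn -Properties fSMORoleOwner -ErrorAction Stop
    } catch {
        continue
    }

    $owner = [string]$infra.fSMORoleOwner

    if ([string]::IsNullOrEmpty($owner)) {
        Write-Warning "$nc : fSMORoleOwner is not set (the cleared-value case)"
        continue
    }

    # A deleted object is renamed to "<RDN>\0ADEL:<guid>", so that marker in the
    # owner DN means the role points at a DC that no longer exists (Event ID 2091).
    if ($owner -like '*0ADEL:*') {
        Write-Warning "$nc : fSMORoleOwner points to a DELETED object -> $owner"
        continue
    }

    # Otherwise confirm the NTDS Settings object named in the value really exists
    # on this DC, which is what "wait for replication" should eventually give you.
    try {
        $null = Get-ADObject -Server $Server -Identity $owner -ErrorAction Stop
        Write-Output "$nc : OK, owner is $owner"
    } catch {
        Write-Warning "$nc : fSMORoleOwner names an object that could not be found -> $owner"
    }
}
```

Nothing in the check writes to the directory, so it is safe to run before the KB script to confirm which partitions are affected, and again on every DC afterwards; any partition still reported with a 0ADEL owner after replication is one the script has not yet been run against (pass its DN as the argument, as in the forestdnszones and domaindnszones examples above).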
Regards
Dean