logo active directory

DCPromo Fails – The directory service is missing mandatory configuration information

On a Server 2008 R2 machine, I had an issue demoting from being a Domain Controller, after moving the FSMO roles onto a new machine. This was after a second domain controller died. I am not sure of the previous history of where the FSMO roles were for this client.

Two new DC’s were created and promoted, after cleaning up DNS to remove the old configuration of the dead DC.

The Error

I was provided with the following error in a dialog box and in the event log

dcpromoerror

 

Image Credit

Event ID: 2022

The operations master roles held by this directory server could not transfer to the following remote directory server. 
 
Remote directory server: 
\\EDU-NEWAD02.EDU.local 
 
This is preventing removal of this directory server. 
 
User Action 
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again. 
 
Additional Data 
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

There was also a second Event ID: 2091

Ownership of the following FSMO role is set to a server which is deleted or does not exist. 
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected. 
 
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=EDU,DC=local 
FSMO Server DN: CN=NTDS Settings\0ADEL:bf05e3dc-9acf-4de5-9358-89bc719fb445,CN=EDU-AD01\0ADEL:dbe9f89d-aa5c-4ad0-bee6-618aa0f1fa31,CN=Servers,CN=MainOffice,CN=Sites,CN=Configuration,DC=EDU,DC=local
The Cause

So basically, the FSMO roles moved sucessfully, and running the following on each domain controller;

netdom query fsmo

Showed the correct server holding the roles.

The first dialog box when performing DCPromo.exe shows the name of the new secondary domain controller, however the second event ID, points to an issue in the schema where the OLD record of the dead DC is still been used.

You can see this by opening ADSI Edit;

  1. Right click the ADSI Edit root and click on Connect to…
  2. Use the following connection point: DC=DomainDNSZones,DC=Company,DC=Com
  3. Click on Default Naming Context [DC.Company.Com] to populate it.
  4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
  5. Double click on CN=Infrastructure.
  6. Locate the fSMORoleOwner attribute

2015-01-29_08-41-462015-01-29_08-45-11

Above, you can see 0ADEL in the fSMORoleOwner, which refers to a deleted object (the dead DC).

The issue was caused by the second new domain controller having the same IP address as the old Dead domain controller, which lead to the remaining DC getting confused, thinking its missing friend was still alive, and corrupting the editing of the fSMORole Owner.

I tried to fix this following this article, but was given an error about security and not allowed to overwrite it.

The solution

Microsoft KB949257 holds the fix, however due to talking about Read-Only Domain Controllers, most people skip over this, however the script provided does work.

You must run it on the FSMO role holder, and then wait for replication. I left mine overnight, and once checked in the morning, I was getting the correct attribute when viewing in ASDI Edit.

2015-01-29_08-59-36

Although you may find you have not re-used the OLD DC IP address, you may find this issue still applies to yourself.

Credit also to this blog post wrote by Chris Davis for pointing me back to the Microsoft KB Article as the fix.

The Script

Open Notepad, drop the below into it, save as FixfSMO.vbs, run in elevated command prompt “cscript c:\location\FixfFSMO.vbs”.

Someone online had issues running the VBS as they were trying to fix the issue where by the value in ASDI was cleared (), and overcame this by running

  • cscript fixfsmo.vbs dc=forestdnszones,dc=mydomain,dc=org
    then for domain zone:
  • cscript fixfsmo.vbs dc=domaindnszones,dc=mydomain,dc=org
const ADS_NAME_INITTYPE_GC = 3 
const ADS_NAME_TYPE_1779 = 1 
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then 
    ' Assume the command line argument is the NDNC (in DN form) to use. 
    NdncDN = inArgs(0) 
Else 
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN" 
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form. 
    Set objTranslator = CreateObject("NameTranslate") 
    objTranslator.Init ADS_NAME_INITTYPE_GC, "" 
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN 
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL) 
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1) 
     
    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online. 
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE") 
    strDnsHostName = objRootDSE.Get("dnsHostName") 
    strDsServiceName = objRootDSE.Get("dsServiceName") 
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo. 
    strInfraDN = "CN=Infrastructure," & NdncDN 
    set objInfra = GetObject("LDAP://" & strInfraDN) 
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        ' Set the fsmo holder to this domain controller. 
        objInfra.Put "fSMORoleOwner",  strDsServiceName 
        objInfra.SetInfo

        ' Read the fsmo holder back. 
        set objInfra = GetObject("LDAP://" & strInfraDN) 
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if

End if

Regards

Dean

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.