Thursday, 13 February 2014

AD DS operation failed - Dcpromo error - FSMO role broken

I was about to remove a customer's domain controller, as I have done so many times before, when the error below appeared.

Active Directory Domain Services Installation Wizard
---------------------------
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=company,DC=com to
Active Directory Domain Controller \\DC.company.com.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."


This is very strange, considering that running "netdom query fsmo" shows that one of the other domain controllers owns all FSMO roles. In this case the Event Viewer is your best friend.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2014-02-01 14:44:13
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC.COMPANY.COM
Description:
Ownership of the following FSMO role is set to a server which is deleted or does not exist. 
   

The DC mentioned in the Event Viewer warning was an old Windows Server DC removed more than 5 years ago!

Let's move on. Open ADSIEdit on the affected FSMO role owner and make the necessary changes there.


  1. How to obtain the correct setting:
    1. On the affected role owner open ADSIEdit.
    2. Click on Default Naming Context [DC.Company.Com].
    3. Click on DC=Company,DC=Com.
    4. Double click on CN=Infrastructure at the bottom of the list of folders.
    5. Locate the fSMORoleOwner attribute and click on it.
    6. Click the Edit button.
    7. CTRL+C to copy the contents of the attribute.
    8. Click CANCEL twice.

  2. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Company,DC=Com
    3. Click on Default Naming Context [DC.Company.Com] to populate it.
    4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Company,DC=Com.

Once the above steps were completed on the FSMO Role owner for Infrastructure I was able to properly demote the DC.
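
A read-only way to inspect the same three fSMORoleOwner values from PowerShell, before or after editing them in ADSIEdit. This is an added example, not part of the original post. It assumes the ActiveDirectory (RSAT) module, a hypothetical `$Server` parameter naming a DC that hosts the DNS application partitions, and that a deleted owner carries the `\0ADEL:` marker in its distinguished name.

```powershell
# Added example: read-only audit of the Infrastructure role owner in each partition.
# $Server is a hypothetical parameter; point it at the current FSMO role holder.
param([string]$Server = $env:COMPUTERNAME)

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE -Server $Server
$domainDN = $rootDse.defaultNamingContext
$forestDN = $rootDse.rootDomainNamingContext

# The three objects the procedure above compares in ADSIEdit.
$targets = @(
    "CN=Infrastructure,$domainDN"
    "CN=Infrastructure,DC=DomainDnsZones,$domainDN"
    "CN=Infrastructure,DC=ForestDnsZones,$forestDN"
)

$report = foreach ($dn in $targets) {
    $owner = (Get-ADObject -Identity $dn -Properties fSMORoleOwner -Server $Server).fSMORoleOwner

    # A deleted owner keeps its DN, with "\0ADEL:<guid>" appended to the RDN.
    $markedDeleted = [bool]$owner -and $owner.Contains('\0ADEL:')

    # Independently check that the referenced NTDS Settings object still resolves.
    $resolves = $false
    if ($owner -and -not $markedDeleted) {
        try {
            $null = Get-ADObject -Identity $owner -Server $Server -ErrorAction Stop
            $resolves = $true
        } catch {
            $resolves = $false
        }
    }

    [pscustomobject]@{
        RoleObject    = $dn
        fSMORoleOwner = $owner
        Stale         = -not $resolves
    }
}

$report | Format-List
if ($report.Stale -contains $true) {
    Write-Warning 'At least one Infrastructure object points at a deleted or missing DC (compare Event ID 2091).'
}
```

The script changes nothing in the directory; a row with `Stale = True` is the partition whose fSMORoleOwner needs the correction described above.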

49 comments:

  1. Thanks for this, I was having trouble with similar instructions found elsewhere, but this was the most clear and concise. In my case I was missing correcting the value on DomainDNSZones as well as ForestDNSZones.

  2. No problem, glad to hear that it worked out :)

  3. After going through, it spits out Operation failed with an error code. The role owner attribute could not be read.

    Any ideas?

  4. So after following the steps above you get the error message when you retry to remove the domain controller?

  5. This comment has been removed by the author.

  6. Great article. Went through a slew of sites and this was the only one that helped fix my issue with demoting a DC. The script Microsoft has you run didn't do anything in KB949257.

  7. Worked for me on a 2008 to 2012, rebuild an old DC and pointers must have been wrong on adsiedit. This fixed it.

  8. Doing a quick demotion on a Sunday and ran into this issue - found your post immediately and it no doubt saved tons of time! Thanks!

  9. Thanks so much, I appreciate your work, even though I am doing it in lab before going to prod, but the solution really helped me.

  10. Saved me an evening, as well. Thanks!!

  11. All I can say is your article was the best and easiest to follow, Can't thank you enough for taking the time to post it.

  12. @Kevin Long @Proud Papa I'm glad my article could help you.

  13. This guide really saved my bacon. It worked perfectly and was so quick!
    I wasted hours Googling and researching. This was done in a live, customer-facing environment that served thousands of users and could NOT go down.

  14. I'm getting errors as well.:

    Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.

    000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

    This is on a 2008R2 DC that I am trying to get rid of. This error happens after copying the correct info into the fsMORoleOwner attribute in the DomainDNSZones area. I also get the same error in ForestDNSZones area. So, I have to cancel out, so the good settings don't stay.

  15. First, thank you for putting this together for us. However, in your first set of instructions I am not seeing #3 or #4 when using the ADSIEdit on server 2008R2. Am I missing something?

  16. I am showing the incorrect value for the ForestDNSZone Infrastructure FSMO for both the old DC and the new DC. Should I set both to the correct DC?

  17. How can I find the correct value?

  18. Just needed to do the same for ForestDNS... and off the dcpromo went! Thank you!

  19. WORKED LIKE A CHARM!! I just had to do it on another DC as the first one gave the error "Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.". In my case, the settings were incorrect on both domain and Forest. HUGE THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  20. operation failed. the role owner attribute could not be read

  21. Used this article a couple of times but on the latest issue, changes applied and correct DC now showing as fsmoroleowner however still have the same error when using dcpromo. Any ideas?

  22. Thank you, after tracing it back to the FSMO role owner I was able to make the change to the ForestDNSZones and then demote the remote DC.

  23. Perfect. I'm not sure why this happened and why we need to do this, it was a DC that was decommissioned >12 years back (and I've removed DC role from more servers since) but this fixed it. Thanks.

  24. Your steps don't follow your images (at least in my situation), makes it very confusing and hard to follow.

  25. This was the solution, big thanks!

  26. Operation failed. The Role owner attribute could not be read

    Any help on this.....

  27. This worked for me like a charm! Thanks for the article.
    Cheers!

  28. This is by far the most helpful explanation of this process I found. Was pulling my hair out all morning. Thank you!

  29. Thank you very much, it solved my problem. \O/

  30. This worked for me. Great stuff, let's go champ!

  31. Great Article. 2 points that may be obvious to others. 1) This needs to be done on the current PDC or the FSMO role master. Doing it on the DC that you are trying to demote throws up errors. 2) Replace the Company in "DC=DomainDNSZones,DC=Company,DC=Com" with the appropriate Domain name for your situation. Besides that this has worked like a charm for me many times.

  32. Thank You. I've been stressing about this because I saw other posts that suggested most likely I would get read errors, etc, and would have to run AD scripts etc, but it just worked!

  33. Really appreciate this, it helped me entirely where others were failing to fully explain! Bravo!

  34. This worked, as some other suggested, I had to make the changes from the new FSMO role holder and all is now well. Thanks!

  35. Thank you for this! I am still pretty green and was tasked with replacing the two '08R2 DC's at my biggest customer. This helped me with the last step of the process!

  36. Thanx man, you're my hero ! :)

  37. I changed the settings on the FSMO role master, but these changes don't flow through to the DC I can't demote. And there I can't change the settings because I get Operation failed. Error code: 0x20ae

  38. Great thank you. I have got there old DC and now I can demote currently DC without problem. Thank you

  39. You wouldn't believe how many enterprises are still using this legacy tech!

    Ran into this conundrum migrating 13 million+ user objects in AD to a more stable, and current [win2019] env. So very grateful for this technical direction.

    Had to plug the new (accurate) ForestDNS & DomainDNSZones information into ADSIEdit FROM the current FSMO Role holder.

    Thanks a ton!

  40. Perfect, worked like a charm
