Thursday 13 February 2014

AD DS operation failed - Dcpromo error - FSMO role broken

I was about to remove a domain controller of a customer so many times before when the error below appeared.

Active Directory Domain Services Installation Wizard
---------------------------
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=company,DC=com to
Active Directory Domain Controller \\DC.company.com.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."


Very strange considering that running "netdom query fsmo" gives the result that one of the other domain controllers owns all FSMO roles. The Event Viewer is in this case your best friend.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2014-02-01 14:44:13
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC.COMPANY.COM
Description:
Ownership of the following FSMO role is set to a server which is deleted or does not exist. 
   

The DC mentioned in the Event Viewer warning was an old Windows Server DC removed more than 5 years ago!

Let's move on, make sure to open ADSIEdit on the affected FSMO Role owner and make the necessary changes there.


How to obtain the correct setting:
  1. On the affected role owner open ADSIEdit.
  2. Click on Default Naming Context [DC.Company.Com].
  3. Click on DC=Company,DC=Com.
  4. Double click on CN=Infrastructure at the bottom of the list of folders.
  5. Locate the fSMORoleOwner attribute and click on it.
  6. Click the Edit button.
  7. CTRL+C to copy the contents of the attribute.
  8. Click CANCEL twice.

  1. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Company,DC=Com
    3. Click on Default Naming Context [DC.Company.Com] to populate it.
    4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Comapny,DC=Com.

Once the above steps were completed on the FSMO Role owner for Infrastructure I was able to properly demote the DC.

49 comments:

  1. Thanks for this, i was having trouble with similar instructions found elsewhere, but this was the most clear and concise. In my case I was missing correcting the value on DomainDNSZones as well as ForestDNSZones

    ReplyDelete
  2. No problem, glad to hear that it worked out :)

    ReplyDelete
  3. After going through, it spits out Operation failed with an error code. The role owner attribute could not be read.

    Any Ideas.

    ReplyDelete
  4. So after following the steps above you get the error message when you retry to remove the domain controller?

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Great article. Went through a slew of sites and this was the only one that helped fixed my issue with demoting a DC. The script Microsoft has you run didn't do anything in KB949257.

    ReplyDelete
  7. Worked for me on a 2008 to 2012, rebuild an old DC and pointers must have been wrong on adsiedit. This fixed it.

    ReplyDelete
  8. Doing a quick demotion on a Sunday and ran into this issue - found your post immediately and it no doubt saved tons of time! Thanks!

    ReplyDelete
  9. thanks so much, i appreciate your work, even though i am doing it in lab before going to prod, but the solution really helped me

    ReplyDelete
  10. Saved me an evening, as well. Thanks!!

    ReplyDelete
  11. All I can say is your article was the best and easiest to follow, Can't thank you enough for taking the time to post it.

    ReplyDelete
  12. @Kevin Long @Proud Papa I'm glad my article could help you.

    ReplyDelete
  13. This guide really saved my bacon. It worked perfectly and was so quick!
    I wasted hours Googling and researching. This was done in a live, customer-facing environment that served thousands of users and could NOT go down.

    ReplyDelete
  14. I'm getting errors as well.:

    Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.

    000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

    This is on a 2008R2 DC that I am trying to get rid of. This error happens after copying the correct info into the fsMORoleOwner attribute in the DomainDNSZones area. I also get the same error in ForestDNSZones area. So, I have to cancel out, so the good settings don't stay.

    ReplyDelete
  15. First, thank you for putting this together for us. However, in your first set of instructions I am not seeing #3 or #4 when using the ADSIEdit on server 2008R2. Am I missing something?

    ReplyDelete
  16. I am showing the incorrect value for the ForestDNSZone Infrastructure FSMO for both the old DC and the new DC. Should I set both the correct DC?

    ReplyDelete
  17. How can I found the correct value?

    ReplyDelete
  18. Just needed to do the same for ForestDNS... and off the dcpromo went! Thank you!

    ReplyDelete
  19. WORKED LIKE A CHARM!! I just had to do it on another DC as the first one gave the error "Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.". In my case, the settings were incorrect on both domain and Forest. HUGE THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    ReplyDelete
  20. operation failed. the role owner attribute could not be read

    ReplyDelete
  21. Used this article a couple of times but on the lastest issue, changes applied and correct DC now showing as fsmoroleowner however still have the same error when using dcpromo. Any ideas?

    ReplyDelete
  22. Thank you, after tracing it back the the FSMO role owner I was able to make the change to the ForestDNSZones and then demote the remote DC.

    ReplyDelete
  23. Perfect. I'm not sure why this happend and why we need to do this, it was a DC that was decommissioned >12 years back (and I've removed DC role from more servers since) but this fixed it. Thanks.

    ReplyDelete
  24. You're steps don't follow your images (at least in my situation), makes it very confusing and hard to follow.

    ReplyDelete
  25. This was the solution, big thanks!

    ReplyDelete
  26. Operation failed. The Role owner attribute could not be read

    Any help on this.....

    ReplyDelete
  27. This worked for me like a charm! Thanks for the article.
    Cheers!

    ReplyDelete
  28. This is by far the most helpful explanation of this process I found. Was pulling my hair out all morning. Thank you!

    ReplyDelete
  29. Muito obrigado, resolveu meu problema. \O/

    ReplyDelete
  30. This worked for me. Great stuff, let's go champ!

    ReplyDelete
  31. Great Article. 2 points that maybe obvious to others. 1) this needs to be done on the current PDC or the FSMO role master. Doing it on the DC that you are trying to demote throws up errors. 2) Replace the Company in "DC=DomainDNSZones,DC=Company,DC=Com" with the appropriate Domain name for your situation. Besides that this has worked like a charm for me many times.

    ReplyDelete
  32. Thank You. I've been stressing about this because I saw other posts that suggested most likely I would get read errors, etc, and would have to run AD scripts etc, but it just worked!

    ReplyDelete
  33. Really appreciate this, it helped me entirely where others were failing to fully explain! Bravo!

    ReplyDelete
  34. This worked, as some other suggested, I had to make the changes from the new FSMO role holder and all is now well. Thanks!

    ReplyDelete
  35. Thank you for this! I am still pretty green and was tasked with replacing the two '08R2 DC's at my biggest customer. This helped me with the last step of the process!

    ReplyDelete
  36. Thanx man, you're my hero ! :)

    ReplyDelete
  37. I changed the settings on the FSMO role master, but these changes don't flow through to the DC I can't demote. And there I can't change the settings because I get Operation failed. Error code: 0x20ae

    ReplyDelete
  38. Great thank you. I have got there old DC and now i can demote currently DC withouzt problem. Thank you

    ReplyDelete
  39. You wouldn't believe how many enterprises are still using this legacy tech!

    Ran into this conundrum migrating 13 million+ user objects in AD to a more stable, and current [win2019] env. So very grateful for this technical direction.

    Had to plug the new(accurate) ForestDNS & DomainDNSZones information into ADSIEdit FROM the current FSMO Role holder.

    Thanks a ton!

    ReplyDelete
  40. Perfect, worked like a charm

    ReplyDelete