Thursday, 13 February 2014

AD DS operation failed - Dcpromo error - FSMO role broken

I was about to remove a customer's domain controller, as I have done so many times before, when the error below appeared.

Active Directory Domain Services Installation Wizard
---------------------------
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=company,DC=com to
Active Directory Domain Controller \\DC.company.com.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."


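Very strange, considering that running "netdom query fsmo" shows one of the other domain controllers owning all FSMO roles. That command only reports the five forest- and domain-wide roles, though; each DNS application partition has its own CN=Infrastructure object with its own fSMORoleOwner attribute. In this case the Event Viewer is your best friend.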

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2014-02-01 14:44:13
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC.COMPANY.COM
Description:
Ownership of the following FSMO role is set to a server which is deleted or does not exist. 
   

The DC mentioned in the Event Viewer warning was an old Windows Server DC removed more than 5 years ago!

Let's move on. Open ADSIEdit on the affected FSMO role owner and make the necessary changes there.


  1. How to obtain the correct setting:
    1. On the affected role owner open ADSIEdit.
    2. Click on Default Naming Context [DC.Company.Com].
    3. Click on DC=Company,DC=Com.
    4. Double click on CN=Infrastructure at the bottom of the list of folders.
    5. Locate the fSMORoleOwner attribute and click on it.
    6. Click the Edit button.
    7. CTRL+C to copy the contents of the attribute.
    8. Click CANCEL twice.

  2. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Company,DC=Com
    3. Click on Default Naming Context [DC.Company.Com] to populate it.
    4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Company,DC=Com.

Once the above steps were completed on the FSMO Role owner for Infrastructure I was able to properly demote the DC.
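
The same check and correction as the ADSI Edit steps above, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original post; it assumes a single-domain forest as in the post (both DNS application partitions sit under the domain DN), and the `-Repair` switch and `Test-OwnerStale` helper are names introduced here.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report, and with -Repair correct, fSMORoleOwner on the
# CN=Infrastructure objects of the DNS application partitions.
# Assumption: single-domain forest, so both partitions sit under the domain DN.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param([switch]$Repair)   # hypothetical switch; the default run is read-only

$domain = Get-ADDomain
$server = $domain.InfrastructureMaster   # work on the role owner, as in the post
$base   = $domain.DistinguishedName

function Test-OwnerStale([string]$OwnerDn) {
    # Deleted objects are renamed with a "\0ADEL:<GUID>" suffix in their DN.
    if (-not $OwnerDn -or $OwnerDn -like '*\0ADEL:*') { return $true }
    try {
        $null = Get-ADObject -Identity $OwnerDn -Server $server -ErrorAction Stop
        return $false
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $true   # owner DN points at an object that no longer exists
    }
}

# "How to obtain the correct setting": the value from the domain partition.
$good = (Get-ADObject -Identity "CN=Infrastructure,$base" `
            -Properties fSMORoleOwner -Server $server).fSMORoleOwner
if (Test-OwnerStale $good) { throw "Reference owner is itself stale: $good" }

foreach ($zone in 'DomainDnsZones', 'ForestDnsZones') {
    $dn    = "CN=Infrastructure,DC=$zone,$base"
    $owner = (Get-ADObject -Identity $dn -Properties fSMORoleOwner `
                -Server $server).fSMORoleOwner
    $stale = Test-OwnerStale $owner
    [pscustomobject]@{ Object = $dn; Owner = $owner; Stale = $stale }

    # "Correct the problematic settings": overwrite only stale values,
    # and only when -Repair was given and the prompt is confirmed.
    if ($stale -and $Repair -and
        $PSCmdlet.ShouldProcess($dn, "Set fSMORoleOwner to $good")) {
        Set-ADObject -Identity $dn -Replace @{ fSMORoleOwner = $good } -Server $server
    }
}
```

Run it without `-Repair` first to see which objects still reference a deleted owner; adding `-WhatIf` to a `-Repair` run previews the write without changing the directory.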

39 comments:

  1. Thanks for this, I was having trouble with similar instructions found elsewhere, but this was the most clear and concise. In my case I was missing correcting the value on DomainDNSZones as well as ForestDNSZones.

  2. No problem, glad to hear that it worked out :)

  3. After going through, it spits out Operation failed with an error code. The role owner attribute could not be read.

    Any Ideas.

  4. So after following the steps above you get the error message when you retry to remove the domain controller?

  5. This comment has been removed by the author.

  6. Great article. Went through a slew of sites and this was the only one that helped fix my issue with demoting a DC. The script Microsoft has you run didn't do anything in KB949257.

  7. Worked for me on a 2008 to 2012, rebuild an old DC and pointers must have been wrong on adsiedit. This fixed it.

  8. Doing a quick demotion on a Sunday and ran into this issue - found your post immediately and it no doubt saved tons of time! Thanks!

  9. Thanks so much, I appreciate your work, even though I am doing it in lab before going to prod, but the solution really helped me.

  10. Saved me an evening, as well. Thanks!!

  11. All I can say is your article was the best and easiest to follow. Can't thank you enough for taking the time to post it.

  12. @Kevin Long @Proud Papa I'm glad my article could help you.

  13. Thanks a lot! You saved me :)

  14. This guide really saved my bacon. It worked perfectly and was so quick!
    I wasted hours Googling and researching. This was done in a live, customer-facing environment that served thousands of users and could NOT go down.

  15. I'm getting errors as well:

    Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.

    000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

    This is on a 2008R2 DC that I am trying to get rid of. This error happens after copying the correct info into the fsMORoleOwner attribute in the DomainDNSZones area. I also get the same error in ForestDNSZones area. So, I have to cancel out, so the good settings don't stay.

  16. First, thank you for putting this together for us. However, in your first set of instructions I am not seeing #3 or #4 when using the ADSIEdit on server 2008R2. Am I missing something?

  17. I am showing the incorrect value for the ForestDNSZone Infrastructure FSMO for both the old DC and the new DC. Should I set both to the correct DC?

  18. Just needed to do the same for ForestDNS... and off the dcpromo went! Thank you!

  19. WORKED LIKE A CHARM!! I just had to do it on another DC as the first one gave the error "Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.". In my case, the settings were incorrect on both domain and Forest. HUGE THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  20. operation failed. the role owner attribute could not be read

  21. Used this article a couple of times but on the latest issue, changes applied and correct DC now showing as fsmoroleowner however still have the same error when using dcpromo. Any ideas?

  22. Thank you, after tracing it back to the FSMO role owner I was able to make the change to the ForestDNSZones and then demote the remote DC.

  23. Perfect. I'm not sure why this happened and why we need to do this, it was a DC that was decommissioned >12 years back (and I've removed DC role from more servers since) but this fixed it. Thanks.

  24. Your steps don't follow your images (at least in my situation), makes it very confusing and hard to follow.

  25. This was the solution, big thanks!

  26. Operation failed. The Role owner attribute could not be read

    Any help on this.....

  27. This worked for me like a charm! Thanks for the article.
    Cheers!

  28. This is by far the most helpful explanation of this process I found. Was pulling my hair out all morning. Thank you!

  29. Thank you very much, it solved my problem. \O/
