Thursday, 13 February 2014

AD DS operation failed - Dcpromo error - FSMO role broken

I was about to remove a customer's domain controller, as I have done so many times before, when the error below appeared.

Active Directory Domain Services Installation Wizard
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=company,DC=com to
Active Directory Domain Controller \\

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

Very strange considering that running "netdom query fsmo" gives the result that one of the other domain controllers owns all FSMO roles. The Event Viewer is in this case your best friend.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2014-02-01 14:44:13
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      DC.COMPANY.COM
Ownership of the following FSMO role is set to a server which is deleted or does not exist. 

The DC mentioned in the Event Viewer warning was an old Windows Server DC removed more than 5 years ago!

Let's move on. Open ADSIEdit on the affected FSMO role owner and make the necessary changes there.

  1. How to obtain the correct setting:
    1. On the affected role owner open ADSIEdit.
    2. Click on Default Naming Context [DC.Company.Com].
    3. Click on DC=Company,DC=Com.
    4. Double click on CN=Infrastructure at the bottom of the list of folders.
    5. Locate the fSMORoleOwner attribute and click on it.
    6. Click the Edit button.
    7. CTRL+C to copy the contents of the attribute.
    8. Click CANCEL twice.

  2. Correct the problematic settings:
    1. Right click the ADSI Edit root and click on Connect to…
    2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Company,DC=Com
    3. Click on Default Naming Context [DC.Company.Com] to populate it.
    4. Click on DC=DomainDNSZones,DC=Company,DC=Com folder.
    5. Double click on CN=Infrastructure.
    6. Locate the fSMORoleOwner attribute and click on it.
    7. Click the Edit button.
    8. CTRL+V to paste the correct setting.
    9. Click OK and then Apply.
    10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Company,DC=Com.

Once the above steps were completed on the FSMO Role owner for Infrastructure I was able to properly demote the DC.
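The comparison that the ADSI Edit steps perform by eye can also be scripted as a read-only check. This is an added example, not part of the original post; it assumes a single-domain forest as in the post, the function names are hypothetical, and the sample DNs are constructed placeholders.

```powershell
# Added example (not from the original post). Read-only: nothing in AD is modified.

function Test-InfrastructureOwner {
    param(
        [Parameter(Mandatory)][string]$Reference,      # fSMORoleOwner of CN=Infrastructure in the domain partition
        [Parameter(Mandatory)][hashtable]$Candidates   # partition DN -> fSMORoleOwner of its CN=Infrastructure
    )
    foreach ($partition in $Candidates.Keys) {
        $owner = [string]$Candidates[$partition]
        [pscustomobject]@{
            Partition    = $partition
            Owner        = $owner
            # A deleted owner is kept as a mangled DN containing "\0ADEL:<guid>"
            DeletedOwner = $owner -match '\\0ADEL:'
            # String -eq is case-insensitive in PowerShell, which suits DN comparison
            MatchesRef   = $owner -eq $Reference
        }
    }
}

function Get-LiveInfrastructureOwner {
    # Needs the ActiveDirectory module (RSAT). Queries the current infrastructure master,
    # the same server the post tells you to run ADSI Edit on.
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $server = $domain.InfrastructureMaster
    $forest = (Get-ADRootDSE -Server $server).rootDomainNamingContext
    $read   = { param($nc) (Get-ADObject -Identity "CN=Infrastructure,$nc" `
                  -Properties fSMORoleOwner -Server $server).fSMORoleOwner }
    $cand   = @{}
    foreach ($nc in "DC=DomainDnsZones,$($domain.DistinguishedName)", "DC=ForestDnsZones,$forest") {
        $cand[$nc] = & $read $nc
    }
    @{ Reference = (& $read $domain.DistinguishedName); Candidates = $cand }
}

# Constructed sample values (placeholders, not taken from a real directory)
$ref = 'CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company,DC=com'
$sample = @{
    'DC=DomainDnsZones,DC=company,DC=com' = $ref
    'DC=ForestDnsZones,DC=company,DC=com' = 'CN=NTDS Settings\0ADEL:00000000-0000-0000-0000-000000000000,CN=OLDDC\0ADEL:00000000-0000-0000-0000-000000000000,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company,DC=com'
}
Test-InfrastructureOwner -Reference $ref -Candidates $sample | Format-List

# Against a live domain:
#   $live = Get-LiveInfrastructureOwner
#   Test-InfrastructureOwner @live | Format-List
```

Any partition reported with `DeletedOwner = True` or `MatchesRef = False` is one where the `fSMORoleOwner` value needs the correction described in the steps above.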


  1. Thanks for this, I was having trouble with similar instructions found elsewhere, but this was the most clear and concise. In my case I was missing correcting the value on DomainDNSZones as well as ForestDNSZones.

  2. No problem, glad to hear that it worked out :)

  3. After going through, it spits out Operation failed with an error code. The role owner attribute could not be read.

    Any ideas?

  4. So after following the steps above you get the error message when you retry to remove the domain controller?

  5. This comment has been removed by the author.

  6. Great article. Went through a slew of sites and this was the only one that helped fix my issue with demoting a DC. The script Microsoft has you run didn't do anything in KB949257.

  7. Worked for me on a 2008 to 2012, rebuilt an old DC and pointers must have been wrong on adsiedit. This fixed it.

  8. Doing a quick demotion on a Sunday and ran into this issue - found your post immediately and it no doubt saved tons of time! Thanks!

  9. Thanks so much, I appreciate your work, even though I am doing it in lab before going to prod, but the solution really helped me.

  10. Saved me an evening, as well. Thanks!!

  11. All I can say is your article was the best and easiest to follow. Can't thank you enough for taking the time to post it.

  12. @Kevin Long @Proud Papa I'm glad my article could help you.

  13. Thanks a lot! You saved me :)

  14. This guide really saved my bacon. It worked perfectly and was so quick!
    I wasted hours Googling and researching. This was done in a live, customer-facing environment that served thousands of users and could NOT go down.

  15. I'm getting errors as well:

    Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.

    000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

    This is on a 2008R2 DC that I am trying to get rid of. This error happens after copying the correct info into the fsMORoleOwner attribute in the DomainDNSZones area. I also get the same error in ForestDNSZones area. So, I have to cancel out, so the good settings don't stay.

  16. First, thank you for putting this together for us. However, in your first set of instructions I am not seeing #3 or #4 when using the ADSIEdit on server 2008R2. Am I missing something?

  17. I am showing the incorrect value for the ForestDNSZone Infrastructure FSMO for both the old DC and the new DC. Should I set both to the correct DC?

  18. How can I find the correct value?

  19. Just needed to do the same for ForestDNS... and off the dcpromo went! Thank you!

  20. WORKED LIKE A CHARM!! I just had to do it on another DC as the first one gave the error "Operation failed. Error code: 0x20ae
    The role owner attribute could not be read.". In my case, the settings were incorrect on both domain and Forest. HUGE THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  21. Operation failed. The role owner attribute could not be read.

  22. Used this article a couple of times but on the latest issue, changes applied and correct DC now showing as fsmoroleowner however still have the same error when using dcpromo. Any ideas?

  23. Thank you, after tracing it back to the FSMO role owner I was able to make the change to the ForestDNSZones and then demote the remote DC.

  24. Perfect. I'm not sure why this happened and why we need to do this, it was a DC that was decommissioned >12 years back (and I've removed DC role from more servers since) but this fixed it. Thanks.

  25. Your steps don't follow your images (at least in my situation), makes it very confusing and hard to follow.

  26. This was the solution, big thanks!

  27. Operation failed. The Role owner attribute could not be read

    Any help on this.....

  28. This worked for me like a charm! Thanks for the article.

  29. This is by far the most helpful explanation of this process I found. Was pulling my hair out all morning. Thank you!

  30. Thank you very much, it solved my problem. \O/

  31. This worked for me. Great stuff, let's go champ!

  32. Great article. 2 points that may be obvious to others. 1) This needs to be done on the current PDC or the FSMO role master. Doing it on the DC that you are trying to demote throws up errors. 2) Replace the Company in "DC=DomainDNSZones,DC=Company,DC=Com" with the appropriate domain name for your situation. Besides that this has worked like a charm for me many times.

  33. Thank You. I've been stressing about this because I saw other posts that suggested most likely I would get read errors, etc, and would have to run AD scripts etc, but it just worked!

  34. Really appreciate this, it helped me entirely where others were failing to fully explain! Bravo!

  35. This worked, as some other suggested, I had to make the changes from the new FSMO role holder and all is now well. Thanks!

  36. Thank you for this! I am still pretty green and was tasked with replacing the two '08R2 DC's at my biggest customer. This helped me with the last step of the process!

  37. Thanks man, you're my hero! :)

  38. I changed the settings on the FSMO role master, but these changes don't flow through to the DC I can't demote. And there I can't change the settings because I get Operation failed. Error code: 0x20ae

  39. Great, thank you. I have got there old DC and now I can demote currently DC without problem. Thank you.

  40. You wouldn't believe how many enterprises are still using this legacy tech!

    Ran into this conundrum migrating 13 million+ user objects in AD to a more stable, and current [win2019] env. So very grateful for this technical direction.

    Had to plug the new(accurate) ForestDNS & DomainDNSZones information into ADSIEdit FROM the current FSMO Role holder.

    Thanks a ton!

  41. Perfect, worked like a charm