Error Demoting Domain Controller
-
Disclaimer: I have not needed to troubleshoot a domain to this degree before.
I am moving from 2008 R2 to 2012 R2 in both instances, just as an FYI.
We have a root domain with two subdomains. On the root domain and each of the subdomains we have two domain controllers (DC1 + DC2). I successfully added one new domain controller into each subdomain (DC3). I verified that we had global catalogue servers in addition to these two domain controllers. I checked the bridgehead servers and they are set to DC1+2.rootdomain.com. I transferred FSMO roles from each DC2 to DC3.
netdom query fsmo
Schema Master: DC1.rootdomain.com
Domain naming master: DC1.rootdomain.com
PDC: DC3.subdomain.rootdomain.com
RID pool manager: DC3.subdomain.rootdomain.com
Infrastructure master: DC3.subdomain.rootdomain.com
When I attempt to perform
dcpromo
I get the following error:
The operation failed because:
"Active Directory Domain Services could not transfer the remaining data in directory partition ______________________________________.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
I attempted to
dcdiag
to narrow down the issue. These were the results:
Failed Test NCSecDesc: Error replicating directory changes in filtered set. Access rights for the naming context: DC=ForestDNSZones,DC=Example,DC=Org
Note: I read about NCSecDesc and Microsoft says you can disregard this error if you aren't using read-only domain controllers.
Failed Test SystemLog: 2 of the errors are printer drivers and the last one is a OneNote 2010 driver for printing.
Everything else passes. One thing to note is that during the FrsEvent test it does inform me there are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replicating problems may cause group policy problems. It then passed the test.
I went into event viewer and saw nothing suspicious. Any error or warning I researched and nothing stands out as being a problem.
Is there anything that I have neglected to do here?
-
@wirestyle22 said in Error Demoting Domain Controller:
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
Sounds like there might be corruption in the LDAP DB on that server - I wonder if you need to use ADSI edit to clean up the DB on that machine? Don't ask me how though.
-
Event Viewer > Directory Service lists warning:
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure.
Does this mean that someone at some point disconnected a domain without demoting it?
-
netdom query fsmo
never returns with that listed from any domain controller. I'm confused how this happened.
-
I am guessing you want to demote DC2? That bit is unclear.
Here:
https://technet.microsoft.com/en-us/library/cc816893(v=ws.10).aspx
-
@momurda Yes I'm demoting DC2 on each subdomain.
-
Is the user you are using to do this an Enterprise Admin?
-
@momurda said in Error Demoting Domain Controller:
I am guessing you want to demote DC2? That bit is unclear.
Here:
https://technet.microsoft.com/en-us/library/cc816893(v=ws.10).aspx
I followed this and the old domain server that is referenced in event viewer is not listed. Everything is listed as
netdom query fsmo
listed.
-
@momurda said in Error Demoting Domain Controller:
Is the user you are using to do this an Enterprise Admin?
Yup
-
Ah well then it looks like adsiedit for you then.
-
@momurda First time. Good learning experience for me
-
@wirestyle22 said in Error Demoting Domain Controller:
@momurda First time. Good learning experience for me
Don't break AD!
-
Yes, be careful. The first and easiest place to look is under the Domain Controllers section in ADSI Edit.
You can also use dsquery to find the location and use ADSI Edit to view and delete the erroneous entry.
-
@momurda This domain controller I'm looking for no longer exists though. It's just in event viewer.
The domain controllers listed in adsi edit are correct.
-
You might also get interesting results using
netdom query fsmo /domain:forest
netdom query fsmo /domain:child1
netdom query fsmo /domain:child2
from different DCs.
-
@wirestyle22
It might not exist 'for real' anymore but your AD thinks it does, somewhere.
You have to find the reference to it within the depths of AD and get rid of it.
-
@wirestyle22 said in Error Demoting Domain Controller:
@Dashrender found this: http://khellman.blogspot.com/2014/02/ad-ds-operation-failed-dcpromo-error.html
Using this link, Wire and I did find that his Domain did have a left over Forest based entry in ADSI edit for the DC that no longer exists. Now trying to find the best way to resolve the problem.
It's likely the DC was removed without running through DCPromo. It's likely that ADSI edit Metadata cleanup will be needed.
-
Update: Within ADSI Edit we connected to:
DC=ForestDNSZone,DC=subdomain,DC=rootdomain,DC=com
CN=Infrastructure
(Text File) lists fSMORoleOwner
in the Attribute Editor. The value showed a lot of garbled code instead of clean names, etc. A part of it was referencing the Domain Controller that hasn't been in production for a long time.
-
I logged into a domain controller on the root domain using enterprise admin credentials and was able to edit
fSMORoleOwner
in the Attribute Editor. I then attempted to demote the Domain Controller again and got past the initial error, but it then gave me an access denied error. I had already gone into Sites and Services to disable the deletion protection, so I spent a long time trying to figure out why this was occurring. It simply had not replicated to the DC yet.
Domain Controller successfully demoted.
Big shoutouts to @Dashrender for going completely out of his way to help me resolve this issue. Can't thank you enough man.
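As an added example, not posted by anyone in this thread: a read-only PowerShell audit that covers both the per-domain netdom check suggested above and the ADSI Edit finding. It reads fSMORoleOwner on CN=Infrastructure in every domain partition and every application partition (ForestDNSZones, DomainDNSZones) and flags owners that point at a deleted NTDS Settings object, which is what the "garbled" value in ADSI Edit was. It assumes the RSAT ActiveDirectory module and an account that can read all partitions (the thread used Enterprise Admin).

```powershell
# Added example (not from the thread): audit the fSMORoleOwner attribute on
# CN=Infrastructure for each domain and application partition in the forest.
# Read-only: it reports, it does not change anything. A role owner whose NTDS
# Settings object was deleted shows up as a DN containing "\0ADEL:<guid>".
Import-Module ActiveDirectory

function Get-InfrastructureRoleOwnerStatus {
    $forest  = Get-ADForest
    $targets = @()
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        # Domain partition: read it from that domain's own PDC emulator
        $targets += [pscustomobject]@{ Partition = $dom.DistinguishedName; Server = $dom.PDCEmulator }
    }
    foreach ($p in $forest.ApplicationPartitions) {
        # DNS application partitions; the default DC must host them or the read fails
        $targets += [pscustomobject]@{ Partition = $p; Server = $null }
    }
    foreach ($t in $targets) {
        $params = @{ Identity = "CN=Infrastructure,$($t.Partition)"; Properties = 'fSMORoleOwner'; ErrorAction = 'Stop' }
        if ($t.Server) { $params.Server = $t.Server }
        try {
            $owner = [string](Get-ADObject @params).fSMORoleOwner
        } catch {
            [pscustomobject]@{ Partition = $t.Partition; Owner = $null; Status = "unreadable: $($_.Exception.Message)" }
            continue
        }
        $status = 'ok'
        if (-not $owner) {
            $status = 'no fSMORoleOwner set'
        } elseif ($owner -match '0ADEL:') {
            # Tombstoned NTDS Settings object: the holder was removed without a clean demotion
            $status = 'STALE: owner is a deleted object'
        } else {
            # Owner DN lives in the Configuration partition, so any DC can resolve it
            try { Get-ADObject -Identity $owner -ErrorAction Stop | Out-Null }
            catch { $status = 'STALE: owner object not found' }
        }
        [pscustomobject]@{ Partition = $t.Partition; Owner = $owner; Status = $status }
    }
}

# Run from a DC (or a box with RSAT) and review anything not marked 'ok'
Get-InfrastructureRoleOwnerStatus | Format-Table -AutoSize -Wrap
```

A partition reported as STALE is the one to fix in ADSI Edit (or by seizing the role with ntdsutil); rerun the audit afterwards on the DC being demoted, since the thread's access denied error came from the change not having replicated yet.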