Error Demoting Domain Controller
-
@wirestyle22 said in Error Demoting Domain Controller:
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."
Sounds like there might be corruption in the LDAP DB on that server - I wonder if you need to use ADSI edit to clean up the DB on that machine? Don't ask me how though.
-
@Dashrender found this: http://khellman.blogspot.com/2014/02/ad-ds-operation-failed-dcpromo-error.html
-
Event Viewer > Directory Service lists warning:
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure.
Does this mean that someone at some point disconnected a domain without demoting it?
-
netdom query fsmonever returns with that listed from any domain controller. I'm confused how this happened. -
I am guessing you want to demote DC2? That bit is unclear.
Here:
https://technet.microsoft.com/en-us/library/cc816893(v=ws.10).aspx -
@momurda Yes I'm demoting DC2 on each subdomain.
-
Is the user you using to do this an Enterprise Admin?
-
@momurda said in Error Demoting Domain Controller:
I am guessing you want to demote DC2? That bit is unclear.
Here:
https://technet.microsoft.com/en-us/library/cc816893(v=ws.10).aspxI followed this and the old domain server that is referenced in event viewer is not listed. Everything is listed as
netdom query fsmolisted. -
@momurda said in Error Demoting Domain Controller:
Is the user you using to do this an Enterprise Admin?
Yup
-
Ah well then it looks like adsiedit for you then.
-
@momurda First time. Good learning experience for me
-
@wirestyle22 said in Error Demoting Domain Controller:
@momurda First time. Good learning experience for me
Don't break AD!
-
Yes be careful. First and easiest place to look is under the Domain Controllers section in adsi edit
You can also use
dsquery to find the location and use adsiedit to view and delete the erroneous entry. -
@momurda This domain controller I'm looking for no longer exists though. It's just in event viewer.
The domain controllers listed in adsi edit are correct.
-
You might also get interesting results using
netdom query fsmo /domain:forest
netdom query fsmo /domain:child1
netdom query fsmo /domain:child2
from different DCs -
@wirestyle22
It might not exist 'for real' anymore but your AD thinks it does, somewhere.
You have to find the reference to it within the depths of AD and get rid of it. -
@wirestyle22 said in Error Demoting Domain Controller:
@Dashrender found this: http://khellman.blogspot.com/2014/02/ad-ds-operation-failed-dcpromo-error.html
Using this link, Wire and I did find that his Domain did have a left over Forest based entry in ADSI edit for the DC that no longer exists. Now trying to find the best way to resolve the problem.
It's likely the DC was removed without running through DCPromo. It's likely that ADSI edit Metadata cleanup will be needed.
-
Update: Within ASDI Edit we connected to:
DC=ForestDNSZone,DC=subdomain,DC=rootdomain,DC=comCN=Infrastructure(Text File) listsfSMORoleOwnerin the Attribute Editor. The value showed a lot of garbled code instead of clean names, etc. A part of it was referencing the Domain Controller that hasn't been in production for a long time. -
I logged into a domain controller on the root domain using enterprise admin credentials and was able to edit
fSMORoleOwnerin the Attribute Editor. I then attempted to demote the Domain Controller again and got past the initial error, but it then gave me an access denied error. I had already gone into sites and services to disable the deleted protection so I spent a long time trying to figure out why this was occurring. It simply had not replicated to the DC yet.Domain Controller successfully demoted.
Big shoutouts to @Dashrender for going completely out of his way to help me resolve this issue. Can't thank you enough man.
-
@wirestyle22 said in Error Demoting Domain Controller:
ForestDNSZone
I'm trying to do this now and my ADSI edit doesn't show the ForestDNSZone. Assuming my TLD/Domain was contoso.com, I should be plugging in this, right? No worky... Not sure why.
http://i.imgur.com/hvqjF5V.png
