none
DCPROMO FAILS -The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

    Question

  • Hi Experts,                           

    We have 4 AD sites and working properly. Due to some requirement we need to decommission DCs in one site.  We are trying to demote DC roles in 2 servers but they are throwing attached errors.

     

    I tried to follow given link and changed the orphan entry as mentioned. But still this error persists. Replication and communication is properly happening in all sites.

     

    http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/

     

     

    When I tried to fire dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=xxx,DC=net -attr fSMORoleOwner

     

    I got below mentioned result which shows that there is some orphan entry. DC01 doesn’t exists in our network more.

     

    CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=GVA,CN=Sites,CN=Configuration,DC=XXX,DC=net 

     

    I changed the entry according to link.

    CN=NTDS Settings,CN=EUDC2,CN=Servers,CN=AUS,CN=Sites,CN=Configuration,DC=XXX,DC=net 

     

     

    Event Log Errors-01

     

    The operations master roles held by this directory server could not transfer to the following remote directory server.

     

    Remote directory server:

    \\EUDC2.xxx.net

     

    This is preventing removal of this directory server.

     

    User Action

    Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.

     

    Additional Data

    Error value:

    5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

    Extended error value:

    0

    Internal ID:

    52498735

    Event Log Errors-02

     

    Ownership of the following FSMO role is set to a server which is deleted or does not exist.

     

    Operations which require contacting a FSMO operation master will fail until this condition is corrected.

     

    FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=xxx,DC=net

    FSMO Server DN: CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=USA,CN=Sites,CN=Configuration,DC=XXX,DC=net

     

    User Action:

     

    1. Determine which server should hold the role in question.

    2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently.  If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.

    3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.

    4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.

     

    The following operations may be impacted:

    Schema: You will no longer be able to modify the schema for this forest.

    Domain Naming: You will no longer be able to add or remove domains from this forest.

    PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.

    RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.

    Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

     

    Any Suggestion apart from that Link pls?


     


    Regards Suman B. Singh
    Thursday, November 17, 2011 7:39 AM

Answers

All replies

  • It looks to be at some point of time FSMO role is been seized from the failed DC, but its metadata cleanupp has not been performed and it became a lingering object.

    My suggestion is use dcpromo /forceremoval and perform metadata cleanup to remove the dc and its references. You can refer below article to remove references of earlier removed dc from the AD.

    Perform Metadata Cleanup Or Remove References of a Failed DC/Domain

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/ 

    The error "FSMO Server DN: CN=NTDS Settings\0ADEL:413b675f-3da2-4c09-b801-6358e839268f,CN=DC01\0ADEL:de8559b2-255b-4603-8f07-608df9e61a73,CN=Servers,CN=USA,CN=Sites,CN=Configuration,DC=XXX,DC=net" looks to be presence of stale entry or lingering object in the environment.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9f114f3f-e8ef-4ac6-846f-8e61d6324d9a


    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com 


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Thursday, November 17, 2011 8:58 AM
  • Hi Awinish,

    Thankx for reply. I was looking if can be fixed. :)


    Regards Suman B. Singh
    Thursday, November 17, 2011 9:24 AM
  • The way to go is to manually perform metadata clean up;

    check

    http://support.microsoft.com/kb/216498

     


    I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
    Thursday, November 17, 2011 9:41 AM
  • I had a similar problem trying to demote a DC

    Turns out that the problem was due to an orphan entry, but it was inconsistent.

    My DSQUERY was returning the orphan entry, but the ADSIedit entry was correct.

    Eventually ran the VB Script found on http://support.microsoft.com/kb/949257 and it corrected the entries.

    I was then able to demote the DC

    ~mike

    Friday, April 13, 2012 6:01 AM
  • I am having the same problem and have reviewed the above suggestions but I don't believe any appear to be my problem. 

    We are re-purposing a DC that has just been replaced and I am attempting to demote it to a member server.  I am getting the same error message...

    "The operation failed because:

    Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=xxxxx,DC=local to Active Directory Domain Controller \\CED-CT-DC02.xxxxx.local.

    The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

    Yet when I check AD Replication with repadmin /showrepl from the server I am trying to demote it appears to be able to communicate with the server that the error message is telling me it can not (see below).  The underlined server below (CED-CT-DC02) is the owner of all fsmo roles.  Replication appears to be working from both sides.  What am I missing?

    DC=DomainDnsZones,DC=xxxxx,DC=local
        CED-Fairmount\CED-FRMT-DC03 via RPC
            DSA object GUID: 590e6162-4ef2-4a9c-8992-ebed0a43a630
            Last attempt @ 2014-06-18 14:06:57 was successful.
        LPR-Florida\LPR-FL-DC01 via RPC
            DSA object GUID: dcc5fc50-0266-4da5-9a55-24823940429e
            Last attempt @ 2014-06-18 14:14:34 was successful.
        CED-Connecticut\CED-CT-DC02 via RPC
            DSA object GUID: ab010f22-49ff-4c0b-9b14-2359b252c48c
            Last attempt @ 2014-06-18 14:14:34 was successful.


    Chuck R.

    Wednesday, June 18, 2014 6:57 PM
  • What dose the following command return?

    netdom query fsmo
    What dose the following commands return?

    dsquery * "CN=Infrastructure,DC=DomainDNSZones,DC=<DOMAIN>,DC=<com>" -attr fSMORoleOwner
    
    dsquery * "CN=Infrastructure,DC=ForestDNSZones,DC=<DOMAIN>,DC=<com>" -attr fSMORoleOwner

    Note: You have to replace <DOMAIN> and <COM> ti match your environement as well, run the first dsquery command once for each domain in the forest.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, June 18, 2014 8:07 PM
  • Enfo, Just 5 minutes ago I found the issue and completed demoting of the server.  The fSMORoleOwner on the naming context "CN=Infrastructure,DC=DomainDNSZones,DC=<DOMAIN>,DC=<com>" was pointing to a server that hasn't been around since I came to the company. The script Mike (above) mentioned that he got from http://support.microsoft.com/kb/949257worked and I was able to successfully demote the server.  I also had to run the script for "CN=Infrastructure,DC=ForestDNSZones,DC=<DOMAIN>,DC=<com>" but after that I was good.  I do appreciate your quick reply to my post though.  Thank you!!!

     

    Chuck R.

    Wednesday, June 18, 2014 8:14 PM
  • This got me out of a jam - or at least in the right direction.  In my case, the missing server was the previous 2003 PDC that held all FSMO roles and was gracefully removed several years ago.  There was no metadata to clean up, but it was still listed in ADS&S in as a replication partner and in DNS as a Name server in all my zones.  It's important to note that if your removed server was forest and domain master, you need to check and edit both the domain and forest DNS zones for the FSMO role owner.   As Enfo Zipper mentioned, run the query for each:

    dsquery * "CN=Infrastructure,DC=DomainDNSZones,DC=<DOMAIN>,DC=<com>" -attr fSMORoleOwner

    dsquery * "CN=Infrastructure,DC=ForestDNSZones,DC=<DOMAIN>,DC=<com>" -attr fSMORoleOwner

    Then make sure use ADSIEDIT for both the domain and forest or you will still not be able to demote a member DC.

    Saturday, July 05, 2014 10:35 PM