Schema Master role owner is a deleted DC

    Question

  • Good day, 

    Just want to ask for advice and recommendations on this error. We have a Windows Server 2003 32-bit domain controller and also a Windows Server 2003 R2 64-bit SP2 DC, and it holds the FSMO roles (Schema master, Domain Naming master, PDC, RID, Infrastructure). There is no error; running netdom query fsmo says it holds 5 roles. We are planning to migrate it to Windows Server 2008 R2 and move it to Windows Server 2012 or above in the future.

    We successfully added Windows Server 2008 R2 as a domain controller, and it seems forestprep and domainprep were done by the old administrator, and raising the domain function and forest function is done.

    After successfully adding Windows Server 2008 R2, I ran the command netdom query fsmo to check the roles. It says schema master *** warning: role owner is a deleted DC: CN=NTDS Settings\0ADEL: The other roles are OK (Domain Naming master, PDC, RID, Infrastructure) and point to Windows Server 2003 R2 64-bit.

    As a summary:

    Windows Server 2003 R2 64-bit domain controller (old) -- Schema Master, Domain Naming master, PDC, RID, Infrastructure are pointing to itself

    Windows Server 2008 R2 domain controller (new) - Domain Naming master, PDC, RID, Infrastructure are pointing to Windows Server 2003 R2 64-bit, except the schema master, where it says schema master *** warning: role owner is a deleted DC: CN=NTDS Settings\0ADEL:--------, CN=windows server 2003 r2 64 bit, CN=servers, cn= default-first-site-name,cn=sites,cn=configuration,dc=domainname

    Thanks for any recommendation and guidance in advance.. 

    Saturday, January 21, 2017 2:48 AM

All replies

  • Hi

    You can configure the FSMO role owner with adsiedit;

    https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/

    Also you can seize the roles with ntdsutil;

    https://support.microsoft.com/en-us/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller

    And if you have deleted DC & records on your domain, you should perform metadata cleanup;

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Saturday, January 21, 2017 11:37 AM
  • I would first advise to check the health status of both DCs using dcdiag and check the AD replication health status between both DCs using repadmin command. This will give you more details about the failures you experience as more than what you highlighted could be found.

    As your WS 2003 DC is reporting to be the holder, please try first to move the FSMO roles to the new DC and then check if you still have the same issue. If the transfer could not be done, then try to re-seize the role on your WS 2003 DC. If this does not help either and you are planning to decommission your WS 2003 DC, then you can proceed as follows, assuming that your new DC is a DC/DNS/GC server and AD replication is working properly:

    • Shut down your WS 2003 DC
    • Seize the FSMO roles on your new DC
    • Do a metadata cleanup: run dsa.msc and remove the old DC computer account then run dssite.msc and remove the old DC NTDS settings then its reference there

    Of course, you need to take system state backups of your DCs before proceeding with any changes.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    Sunday, January 22, 2017 10:22 PM
  • Thanks Burak and mr. X. Here's my outline; I just want to verify if I missed something.

    1. Choose server to become a role holder. Add as a DC/DNS/GC—verify replication first.
    2. Transfer 5 roles to the newly added DC/DNS/GC, which is the Windows Server 2008 R2 server. *Note: schema owner deleted
    3. If schema master can't transfer using GUI or command line, remove Windows Server 2003 R2 (old DC) from the network and SEIZE PROCESS must be done.
    4. *SEIZE PROCESS --- go to the new server that is DC/DNS/GC. Do not bring server back into network; forcibly demote Windows Server 2003 R2 (old DC). Perform metadata cleanup.
    5. *METADATA CLEANUP PROCESS --- in new server DC/DNS/GC (do I need to change IP address and computer name of old DC before bringing it back into the network?). We just want to use it as an ordinary server because it has a shared folder needed by client PCs.
    6. In the DHCP SERVER, which is Windows Server 2003 R2 (old DC), change DNS IP in DHCP CONFIGURATION; all VLANs must use a DNS IP pointing to the new server Windows Server 2008 R2 (new DC); all static IPs, especially servers, need to change DNS static IP. Do I need to deauthorize it first before demoting it as DC?
    7. 5 VERIFY IF WINS SERVER OR SETTINGS NEED TO BE ADDED INTO NEW SERVER DC/DNS/GC.

    Also I am looking at the DNS records. We have a primary (Windows Server 2003 32-bit, old DC) and secondary (Windows Server 2003 R2 64-bit, old DC that holds 5 FSMO roles) DNS TYPE in the forward lookup zone; all of the Active Directory integrated ones are replicated to the new DC. Do you have any advice for DNS zone transfer of primary and secondary DNS TYPE to a new DC/DNS/GC Windows Server 2008 R2?

    I don't want to miss anything since this is my first time migrating Active Directory / domain controller. Thanks again for the guidance.

     


    • Edited by Aries M Thursday, January 26, 2017 2:02 AM
    Wednesday, January 25, 2017 7:42 AM
  • Hi,
    It seems that the outline works for me. And in my experience of the questions as above:
    5. It depends on whether the old name and IP address are needed in your environment. If there is a shared folder on the old DC server and you want to keep it, maybe the old name and IP should be kept to avoid some unknown problems.
    6. In my experience, no need, but you could do it anyway.
    As you said, you are using AD integrated zones, this will *automatically* replicate to all DCs within their replication scope settings.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Monday, January 30, 2017 2:59 AM
    Moderator
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy



    Friday, February 3, 2017 8:15 AM
    Moderator
  • Good day,

    I'm still working on it, still verifying the replication and checking health status since I don't want to make a mistake. I have provided my dcdiag and repadmin output for the old DC and the new DC that we are planning to migrate roles to.

    server6-old DC (windows server 2003 r2 64 bit)

    --https://1drv.ms/t/s!AtcO2I8z25HAa2m9mujyLixv1ek  (dcdiag)

    --https://1drv.ms/t/s!AtcO2I8z25HAbCQ6g9p9sOsyX00 (replsummary)

    --https://1drv.ms/t/s!AtcO2I8z25HAbRvYwvnC8LHaGR4 (dcdiag2)

    --https://1drv.ms/t/s!AtcO2I8z25HAbjChPPG6B_5QDI0 (showrepl)


    server30-new DC (windows server 2008 r2 64 bit)

    --https://1drv.ms/t/s!AtcO2I8z25HAc01997yvtxqxmdU (dcdiag)

    --https://1drv.ms/t/s!AtcO2I8z25HAclQtZ78V76Uq8Po (showrepl)

    --https://1drv.ms/t/s!AtcO2I8z25HAcS0QWeWFX0N_5B4 (replsummary)

    I want to verify whether I'm able to fix the issue of the schema role being deleted. If server6 says that it holds the 5 roles, why do other DCs say the role owner is deleted on server6? Is it because of a replication problem? Thanks for your guidance; I hope that my migration process will be successful. Thank you very much; answering my post is so much appreciated.

    Monday, February 6, 2017 3:07 AM
  • Hi,
    I appreciate the feedback, and if you have any questions, please feel free to contact us.
    Best Regards,
    Wendy


    Tuesday, February 7, 2017 5:23 AM
    Moderator
  • Good day, 

    Another question: upon examination, one of the domain controllers does not have any site when checking Active Directory Users and Computers under Domain Controllers. Why does this happen? This is in the same forest, and all of the domain controllers have the default site link except this one, which we can call server5. Can I use this instruction?

    1. In the Active Directory Sites and Services snap-in, right-click the computer you want to move in the left pane, click Move, and the Move Server box appears.
    2. Select the site to move the computer to, and click OK.

    After adding a new DC/DNS/GC, Active Directory Sites and Services doesn't have any automatically generated settings pointing to server5. Is there any other solution for the deleted schema role aside from seizing the roles, since the domain controller that is holding the schema role is still online and says it holds it using the netdom query fsmo command, while in dcdiag it shows as deleted and on the other DC it shows as deleted?

    Sorry I have so many questions. Thank you so much again.


    • Edited by Aries M Monday, February 13, 2017 2:55 AM
    Monday, February 13, 2017 2:52 AM
  • Good day, 

    Just want to share: since the actual FSMO role owner is active and says it holds the 5 roles including schema when running netdom query fsmo on it, but the other domain controller says the schema role owner is deleted (NTDS Settings\0ADEL:--------), I just went to the FSMO role owner, and in adsiedit I edited the FSMOroleholder and deleted the "\0adel:---", and it works. I transferred the schema role to the new 2008 R2, which is DC/DNS/GC, without seizing it. I just left the old DC Windows Server 2003 / old FSMO holder because I need 1 more 2008 R2 DC/DNS to completely decommission all 2003 DCs.

    Moving forward: we have 1 primary DNS type (Win 2003 server) and 2 secondary DNS type including the newly promoted 2008 R2 server. I am planning to change it to an Active Directory integrated zone. What are the things to consider? Do I need to first stop the secondary DNS type that is pulling information from the primary DNS type, or can I directly change the primary DNS type to Active Directory integrated?

    Again, thank you very much for the advice.


    Tuesday, April 18, 2017 3:19 AM
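
The symptom described in this thread (the role holder reports itself as owner while another DC shows `\0ADEL:` in the owner DN) can be checked per DC with a read-only query before deciding between transfer and seizure. This is an added example, not code from any poster; `Get-FsmoView` is a hypothetical name, and the DC names `server6` and `server30` are the ones posted above.

```powershell
# Added example (not from the thread): read-only comparison of how each DC
# sees the five FSMO role owners. Plain LDAP via [ADSI], so it also works
# against DCs without AD Web Services. Get-FsmoView is a hypothetical name.
$DomainControllers = 'server6', 'server30'   # DC names as posted in this thread

function Get-FsmoView {
    param([Parameter(Mandatory = $true)][string]$Server)

    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext
    if (-not $domainNC) { Write-Warning "Cannot read RootDSE on $Server"; return }

    # Each role is recorded in the fSMORoleOwner attribute of one object.
    $roleObjects = @(
        @('Schema master',         $schemaNC),
        @('Domain naming master',  "CN=Partitions,$configNC"),
        @('PDC emulator',          $domainNC),
        @('RID master',            "CN=RID Manager`$,CN=System,$domainNC"),
        @('Infrastructure master', "CN=Infrastructure,$domainNC")
    )
    foreach ($pair in $roleObjects) {
        $owner = [string]([ADSI]"LDAP://$Server/$($pair[1])").fSMORoleOwner
        New-Object PSObject -Property @{
            Role    = $pair[0]
            Server  = $Server
            Owner   = $owner
            # A deleted NTDS Settings object has "\0ADEL:<GUID>" in its RDN.
            Deleted = ($owner -match '\\0ADEL:')
        }
    }
}

$view = foreach ($dc in $DomainControllers) { Get-FsmoView -Server $dc }
$view | Sort-Object Role, Server | Format-Table Role, Server, Deleted, Owner -AutoSize

# Roles whose owner differs between DCs, or is flagged deleted on any of them.
$view | Group-Object Role | Where-Object {
    @($_.Group | Select-Object -ExpandProperty Owner -Unique).Count -gt 1 -or
    @($_.Group | Where-Object { $_.Deleted }).Count -gt 0
} | ForEach-Object { Write-Warning "Inconsistent or deleted owner for: $($_.Name)" }
```

The script only reads attributes; it changes nothing in the directory.
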
  • So the old DC is not AD integrated DNS? If it is stand-alone, check this article first;

    https://support.microsoft.com/en-us/help/816101/how-to-convert-dns-primary-server-to-active-directory-integrated

    Or if the old DC is AD integrated DNS, you just need to promote the new DC with DNS, then change DNS settings everywhere to point to the new DC as primary.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Tuesday, April 18, 2017 9:47 AM
  • Yes, it is stand-alone. We have a primary DNS and 2 secondary DNS including the new domain controller; all of these are also domain controllers. If I change the primary to an Active Directory integrated zone, will all the secondaries automatically change to Active Directory integrated zones? Or is there any process before I change the primary DNS to an Active Directory integ. zone, since it has 2 secondaries that are pulling information from the primary?

    Sorry about my question; I don't want to miss out a process that is needed. Thank you very much.

    Thursday, April 20, 2017 2:54 AM
  • Hi

    You should convert this primary server to AD integrated first. If the second DC is already AD integrated, there is no need to convert it; if not, you should also convert that.

    You can check the procedure in the article in my previous message.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Thursday, April 20, 2017 9:02 AM