Tagged: dcpromo 2008r2 fsmo
Dominus1701 (Member), Nov 21, 2019 at 2:03 pm #624968
I’m trying to remove a 2008 R2 Domain Controller from my domain. I run through DCPROMO and it fails saying:
The operation failed because:
Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=[domain],DC=local to
Active Directory Domain Controller \\red.[domain].local.
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”
Looking at the event logs I get this bit of information:
EVENT ID: 2091
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=[domain],DC=local
FSMO Server DN: CN=NTDS Settings\0ADEL:0484546d-5c60-4f08-9cfa-fa79b970d626,CN=CRIMSON\0ADEL:fbeda01d-bcde-4c8f-81f3-4da3e26e9044,CN=Servers,CN=Lexington,CN=Sites,CN=Configuration,DC=[domain],DC=local
“CRIMSON” is a very old Domain Controller that failed like 7 years ago. I did have to seize the FSMO roles when that happened – all of which are now being handled by a server called “RED”. I performed metadata cleanup (via NTDSUTIL) at that time too.
As you can see, the FSMO roles are being handled properly:
PS C:\Windows\system32> netdom query fsmo
Schema master red.[domain].local
Domain naming master red.[domain].local
RID pool manager red.[domain].local
Infrastructure master red.[domain].local
The command completed successfully.
The domain has been functioning properly since that time with NO issues at all. I’ve even added two additional domain controllers and added/removed countless member servers and workstations in that time.
Searching Google, I’ve checked things like bogus DNS records, seized the FSMO roles again (to the same server, so they actually “transferred” without issue), forced replication among my three DCs, and searched for things with ADSI Edit. Nothing I’ve tried is allowing me to see where remnants of CRIMSON are lingering in the Active Directory, so I can’t “clean” it out.
I’ve been tempted to use NTDSUTIL to “remove selected server….” with the DN supplied in the event logs, but I’m not wanting to nuke my Active Directory. So I’m here asking for other things to look for and try so I can remove this machine and move on.
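An added diagnostic for the situation described in this post (example code written for this thread, not something the poster ran). `netdom query fsmo` only reports the five forest and domain roles; each application partition (DomainDnsZones, ForestDnsZones) records its own Infrastructure master in the `fSMORoleOwner` attribute of its `CN=Infrastructure` container, which `ntdsutil` role seizure does not touch. That is the DN event 2091 is complaining about. The script below assumes the RSAT `ActiveDirectory` module, a session with Domain Admin rights, and that the server `netdom` already reports as Infrastructure master is the one the application partitions should reference. By default it only reports; `-Repair` performs the same attribute replacement Microsoft's `fixfsmo.vbs` script does.

```powershell
# Added example, not from the thread. Reports the Infrastructure owner recorded on
# the domain partition and every application partition, flags owners that point
# at deleted NTDS Settings objects, and with -Repair repoints them at the
# current Infrastructure master. Assumes the RSAT ActiveDirectory module.
param([switch]$Repair)   # report-only unless -Repair is given

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# NTDS Settings DN of the server netdom reports as Infrastructure master.
# Assumption: this is the server the application partitions should reference.
$goodOwner = (Get-ADDomainController -Identity $domain.InfrastructureMaster).NTDSSettingsObjectDN

# Include the domain partition so the healthy value can be compared side by side
$partitions = @($domain.DistinguishedName) + $forest.ApplicationPartitions

foreach ($partition in $partitions) {
    $container = "CN=Infrastructure,$partition"
    try {
        $obj = Get-ADObject -Identity $container -Properties fSMORoleOwner
    } catch {
        # The DC we are bound to may not host this partition; use -Server if so
        Write-Warning "Cannot read ${container}: $($_.Exception.Message)"
        continue
    }
    $owner = $obj.fSMORoleOwner

    # A tombstoned owner carries the 0ADEL marker in its DN; also confirm the
    # referenced object still resolves, in case the marker is absent
    $isStale = $owner -match '0ADEL:'
    if (-not $isStale) {
        try { $null = Get-ADObject -Identity $owner } catch { $isStale = $true }
    }

    $status = if ($isStale) { 'STALE (points to a deleted object)' } else { 'OK' }
    [pscustomobject]@{
        Partition     = $partition
        RecordedOwner = $owner
        Status        = $status
    } | Format-List

    if ($isStale -and $Repair) {
        # Same write fixfsmo.vbs performs: replace the stale owner reference
        Set-ADObject -Identity $container -Replace @{ fSMORoleOwner = $goodOwner }
        Write-Host "Repointed $container to $goodOwner"
    }
}
```

Run it once without `-Repair` to confirm only the application-partition containers are flagged and that `$goodOwner` resolves to the expected server's NTDS Settings object. After the repair, allow replication to complete and retry the demotion; the 2091 event should stop being logged for that partition.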
Pistle (Participant), Aug 25, 2020 at 12:08 pm #652094
Certainly if you can fix the AD problem and allow a graceful dcpromo demotion, that’s the way to go.
Failing that, one thing you can try is to disconnect the DC you are attempting to demote and run for a while. If everything is stable, DNS, DHCP and all FSMO roles transferred and there are no serious errors, you can remove it by removing AD references to it (Google ‘metadata cleanup’, I think it’s adsiedit.mmc) and also remove references to the dearly departed from DNS. Make sure it’s not the default DNS server and not a DHCP server (running without it will let you know quickly if this is the case).
This kind of forced removal is part of Jeff Middleton’s Swing Migration process. I purchased his documentation and have used it on a couple of servers successfully.