
Failed DCPROMO Demote of Server 2008 R2 DC


  • Dominus1701

    I’m trying to remove a 2008 R2 Domain Controller from my domain. I run through DCPROMO and it fails saying:

    The operation failed because:

    Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=[domain],DC=local to
    Active Directory Domain Controller \\red.[domain].local.

    “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

    Looking at the event logs I get this bit of information:
    EVENT ID: 2091

    Ownership of the following FSMO role is set to a server which is deleted or does not exist.
    Operations which require contacting a FSMO operation master will fail until this condition is corrected.

    FSMO Role: CN=Infrastructure,DC=DomainDnsZones,DC=[domain],DC=local
    FSMO Server DN: CN=NTDS Settings\0ADEL:0484546d-5c60-4f08-9cfa-fa79b970d626,CN=CRIMSON\0ADEL:fbeda01d-bcde-4c8f-81f3-4da3e26e9044,CN=Servers,CN=Lexington,CN=Sites,CN=Configuration,DC=[domain],DC=local

    “CRIMSON” is a very old Domain Controller that failed like 7 years ago. I did have to seize the FSMO roles when that happened – all of which are now being handled by a server called “RED”. I performed metadata cleanup (via NTDSUTIL) at that time too.

    As you can see, the FSMO roles are being handled properly:

    PS C:\Windows\system32> netdom query fsmo
    Schema master red.[domain].local
    Domain naming master red.[domain].local
    PDC red.[domain].local
    RID pool manager red.[domain].local
    Infrastructure master red.[domain].local
    The command completed successfully.

    The domain has been functioning properly since that time with NO issues at all. I’ve even added two additional domain controllers and added/removed countless member servers and workstations in that time.

    Searching Google, I’ve checked things like bogus DNS records, seized the FSMO roles again (to the same server, so they actually “transferred” without issue), forced replication among my three DCs, and searched for things with ADSI Edit. Nothing I’ve tried is allowing me to see where remnants of CRIMSON are lingering in the Active Directory, so I can’t “clean” it out.

    I’ve been tempted to use NTDSUTIL to “remove selected server….” with the DN supplied in the event logs, but I’m not wanting to nuke my Active Directory. So I’m here asking for other things to look for and try so I can remove this machine and move on.


    Certainly if you can fix the AD problem and allow a graceful dcpromo demotion, that’s the way to go.

    Failing that, one thing you can try is to disconnect the DC you are attempting to demote and run for a while. If everything is stable, DNS, DHCP and all FSMO roles transferred and there are no serious errors, you can remove it by removing AD references to it (Google ‘metadata cleanup’, I think it’s adsiedit.mmc) and also remove references to the dearly departed from DNS. Make sure it’s not the default DNS server and not a DHCP server (running without it will let you know quickly if this is the case.)

    This kind of forced removal is part of Jeff Middleton’s Swing Migration process. I purchased his documentation and have used it on a couple of servers successfully.
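
The event 2091 text in the first post names an Infrastructure object inside the DomainDnsZones partition, which is not one of the five roles that `netdom query fsmo` lists. The read-only check below is an added example, not code from either poster: it reads the `fSMORoleOwner` attribute of the Infrastructure object in every partition that has one and flags owners whose DN carries the `\0ADEL:` deleted-object marker seen in the event. It assumes the ActiveDirectory PowerShell module is available and that `red`, the role holder named in the post, is reachable.

```powershell
# Added example: read-only, makes no changes to the directory.
Import-Module ActiveDirectory

# Assumption: 'red' is the healthy DC from the post; substitute any reachable DC.
$server  = 'red'
$rootDse = Get-ADRootDSE -Server $server

$results = foreach ($nc in $rootDse.namingContexts) {
    # Domain and application partitions (DomainDnsZones, ForestDnsZones)
    # each hold their own CN=Infrastructure object with its own role owner.
    $dn = "CN=Infrastructure,$nc"
    try {
        $obj = Get-ADObject -Identity $dn -Properties fSMORoleOwner `
                            -Server $server -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Configuration and Schema partitions have no Infrastructure object.
        continue
    }

    $owner = [string]$obj.fSMORoleOwner

    # A deleted NTDS Settings object shows up as "...\0ADEL:<guid>..." in the DN,
    # exactly as in the "FSMO Server DN" line of event 2091. An empty owner is
    # reported as stale too.
    $stale = (-not $owner) -or ($owner -match '\\0ADEL:')

    New-Object PSObject -Property @{
        Partition = $nc
        Owner     = $owner
        Stale     = $stale
    }
}

# One entry per partition; Stale = True marks an owner that no longer exists.
$results | Format-List Partition, Owner, Stale
```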
