Hello everyone

When trying to remove a forest dc had the following error

"The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=Domain,DC=Local to Active Directory Domain Controller \\Server03.Domain.local

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles".

I ran the netdom query fsmo command on the server, and here is the output

C:\Windows\system32>netdom query fsmo
Schema master               Server03.domain.local
Domain naming master        Server03.domain.local
PDC                         Server03.domain.local
RID pool manager            Server03.domain.local
Infrastructure master       Server03.domain.local
The command completed successfully.

When a run the command dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=local -attr fSMORoleOwner

i have this output

  fSMORoleOwner

  CN=NTDS Settings\0ADEL:f618fad9-1438-4e7b-aa18-c7d7eca7b7d1,CN=SRVDC01\0ADEL:1
40cb1c4-78be-4f15-a596-fa12395ebf42,CN=Servers,CN=Default-First-Site-Name,CN=Sit
es,CN=Configuration,DC=domain,DC=local

The server CN=SRVDC01 It does not exist in the structure

and through the ADSIEDIT can not find the CN = Infrastructure field

Can anyone help me?

Thanks

• Edited by Bruno.Jeronimo 19 hours 57 minutes ago

Have you tried dcpromo /forceremoval?
Will.

• Edited by Will Szymkowski- 20 hours 44 minutes ago

Can you run "DCPROMO /FORCEREMOVAL" and see if it helps. Also , please check the below link who had similar issue.

http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/

-Umesh.S.K

 

Hi,

Thanks...do you think is safe to run DCPROMO /FORCEREMOVAL ?

I have 3 more DC

Thanks

hi Bruno,

Is your plan to demote entire forest or any particular DC? I guess you want to demote SRVDC01 which is causing problem right? If yes, you can run the above command on SRVDC01 since SRVDC03 currently holds all FSMO roles as per your netdom query.

- Umesh.S.K

Hi Umesh

Yes, my plan is to demote only SRVDC02.

SRVDC01 currently does not exist in my forest.

How can i clean this record (SRVDC01)

Thanks

Hi Bruno,

Please perform metadata cleanup. Also ensure there are no DNS records for SRVDC01.

https://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396#bkmk_graphical

-Umesh.S.K

• Edited by Umesh S K 20 hours 2 minutes ago

Thanks,

It must be performed before or after the demote of SRVDC02

Thanks

Please perform it before demoting SRVDC02. Once metadata cleanup is done, ensure there is no replication issues. Also check AD health by running dcdiag and see no errors are shown up. Please give it some time for replication to complete. You may not see successful replication immediately after running metadata cleanup.

- Umesh.S.K

Also be aware that when you perform a metadata cleanup this does not cleanup SRV records in DNS (_msdcs.domain.com folder). It also does not remove Computer objects in AD Sits and Service either. I suggest that you look in those locations as well and simply delete any entries of the DC you are doing the metadata cleanup for. Will.

Hi,

Once you do meta data clean-up please remove the computer entry manually from below in DNS console.

Dnsmgmt.msc [Dns Management]
A.Expand the forward lookup zones\_msdcs folder
i. Make sure only the actual domain controllers are listed, delete wrong Alias recordsremove wrong name server records
ii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_sites_\sitename\_tcp] > delete incorrect _ldap and _kerberos records are listed.
iii. Select the container [forward lookup zones\_msdcs.domain.com\dc\_tcp] and delete incorrect _ldap and _kerberos records
iv. Expand the [forward lookup zones\_msdcs.domain.com\domains\guid\_tcp] and delete incorrect _ldap entries
v. Select [forward lookup zones\_msdcs.domain.com\gc] delete incorrect HostA records
vi. Expand the [forward lookup zones\_msdcs.domain.com\gc\_sites\sitename\_tcp] delete incorrect _ldap entries
vii.Select the [forward lookup zones\_msdcs.domain.com\gc\_tcp] delete incorrect _ldap entries
viii. Select the [forward lookup zones\_msdcs.domain.com\pdc\_tcp] delete incorrect _ldap entries
 
B.Expand the forward lookup zones\domain.com folder
i.Delete Host(A) records of dcs which are non-existant.
ii.Correct the NameServer (NS) records
iii. Follow steps similar to A ii >> A viii
 
Dssite.msc [Sites and Services]
A.Expand the [Sites\Sitename\Servers] delete incorrect servers
B.Delete incorrect subnet configurations [Sites\Subnets]
C.Delete incorrect site links [Sites\IP]
 
Make sure the domain controllers are pointing to the correct dns servers in tcp\ip settings.
Force replication repadmin /syncall

Hi Bruno,

Please perform metadata cleanup. Also ensure there are no DNS records for SRVDC01.

https://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396#bkmk_graphical

-Umesh.S.K

Hi Umesh

I try do perform metadata cleanup using the link, but i have the following error

C:\Windows\system32>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: remove selected server SRVDC01
Binding to localhost ...
Connected to localhost using credentials of locally logged on user.
LDAP error 0x22(34 (Invalid DN Syntax).
Ldap extended error message is 0000208F: NameErr: DSID-03100225, problem 2006 (B
AD_NAME), data 8350, best match of:
        'CN=Ntds Settings,SRVDC01'

Win32 error returned is 0x208f(The object name has bad syntax.)
)
Unable to determine the domain hosted by the Active Directory Domain Controller
(5). Please use the connection menu to specify it.

Thanks

Hi Bruno,

Can you try with this command?

C:\Windows\system32>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: remove selected server SRVDC01 on SRVDC02

-Umesh.S.K

Hi Umesh

Same error.

I also run the following query

select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC
=local
Domain - DC=Domain,DC=Local
No current server
No current Naming Context
select operation target: List servers in site
Found 4 server(s)
0 - CN=SRVDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
DC=Domain,DC=Local
1 - CN=SRVDC05,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
DC=Domain,DC=Local
2 - CN=SRVDC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
DC=Domain,DC=Local
3 - CN=SRVDC04,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,
DC=Domain,DC=Local
select operation target:


and the server SRVDC01 does not appear.

Thanks

https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

you can use above script to do autoamtic metadata clean-up

Hi Purvesh

Thanks, but no luck only appear

SRVDC02

SRVDC03

SRVDC04

SRVDC05

Thanks

So your crashed DC does not appear in list in that case remove the DC entry from Manual steps i have posted above.

you can delete that entry cn=ntds settings 0adel using below blog.

http://blogs.technet.com/b/the_9z_by_chris_davis/archive/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read.aspx

Hi Purvesh,

I have check all steps of the manual above but i can't find any reference to the server SRVDC01.

Thanks

Hi Bruno,

Can I know the steps you followed to demote SRVDC01? Did you transfer the role to SRVDC03 prior to demote? Was it holding all FSMO roles?

Please provide us the output of the below. You can upload it to portal from where we can download.

repadmin /syncall

repadmin /kcc

repadmin /showrepl

dcdiag /test:dns

ping SRVDC01

Thanks,

Umesh.S.K

Hi Bruno,

Can I know the steps you followed to demote SRVDC01? Did you transfer the role to SRVDC03 prior to demote? Was it holding all FSMO roles?

Please provide us the output of the below. You can upload it to portal from where we can download.

repadmin /syncall

repadmin /kcc

repadmin /showrepl

dcdiag /test:dns

ping SRVDC01

Thanks,

Umesh.S.K

Hi,

It was not me that I performed the removal of the server, so I do not know what steps were made.

repadmin /syncall

CALLBACK MESSAGE: The following replication is in progress:

    From: 1ea349c0-d79a-4452-b4af-c70c7a76533f._msdcs.domain.local

    To  : e2255fdb-3a7b-483a-9dc8-018ead92145e._msdcs.domain.local

CALLBACK MESSAGE: The following replication completed successfully:

    From: 1ea349c0-d79a-4452-b4af-c70c7a76533f._msdcs.domain.local

    To  : e2255fdb-3a7b-483a-9dc8-018ead92145e._msdcs.domain.local

CALLBACK MESSAGE: The following replication is in progress:

    From: e2255fdb-3a7b-483a-9dc8-018ead92145e._msdcs.domain.local

    To  : e86c64e2-f78c-4791-86d7-59d0f085b922._msdcs.domain.local

CALLBACK MESSAGE: The following replication completed successfully:

    From: e2255fdb-3a7b-483a-9dc8-018ead92145e._msdcs.domain.local

    To  : e86c64e2-f78c-4791-86d7-59d0f085b922._msdcs.domain.local

CALLBACK MESSAGE: The following replication is in progress:

    From: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1._msdcs.domain.local

    To  : e86c64e2-f78c-4791-86d7-59d0f085b922._msdcs.domain.local

CALLBACK MESSAGE: The following replication completed successfully:

    From: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1._msdcs.domain.local

    To  : e86c64e2-f78c-4791-86d7-59d0f085b922._msdcs.domain.local

CALLBACK MESSAGE: SyncAll Finished.

SyncAll terminated with no errors.

repadmin /kcc

Repadmin: running command /kcc against full DC localhost

Default-First-Site-Name

Current Site Options: (none)

Consistency check on localhost successful.


repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost

Default-First-Site-Name\SRVDC03

DSA Options: IS_GC

Site Options: (none)

DSA object GUID: e86c64e2-f78c-4791-86d7-59d0f085b922

DSA invocationID: 7c7f1cb8-71c7-4232-bb41-b0063fc1ce4a



==== INBOUND NEIGHBORS ======================================



DC=domain,local

    Default-First-Site-Name\SRVDC02 via RPC

        DSA object GUID: e2255fdb-3a7b-483a-9dc8-018ead92145e

        Last attempt @ 2015-07-17 15:17:33 was successful.

    Default-First-Site-Name\SRVDC04 via RPC

        DSA object GUID: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1

        Last attempt @ 2015-07-17 15:18:25 was successful.



CN=Configuration,DC=domain,local

    Default-First-Site-Name\SRVDC02 via RPC

        DSA object GUID: e2255fdb-3a7b-483a-9dc8-018ead92145e

        Last attempt @ 2015-07-17 15:18:12 was successful.

    Default-First-Site-Name\SRVDC04 via RPC

        DSA object GUID: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1

        Last attempt @ 2015-07-17 15:18:12 was successful.



CN=Schema,CN=Configuration,DC=domain,local

    Default-First-Site-Name\SRVDC04 via RPC

        DSA object GUID: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1

        Last attempt @ 2015-07-17 14:59:35 was successful.

    Default-First-Site-Name\SRVDC02 via RPC

        DSA object GUID: e2255fdb-3a7b-483a-9dc8-018ead92145e

        Last attempt @ 2015-07-17 14:59:35 was successful.



DC=DomainDnsZones,DC=domain,local

    Default-First-Site-Name\SRVDC04 via RPC

        DSA object GUID: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1

        Last attempt @ 2015-07-17 15:18:45 was successful.

    Default-First-Site-Name\SRVDC02 via RPC

        DSA object GUID: e2255fdb-3a7b-483a-9dc8-018ead92145e

        Last attempt @ 2015-07-17 15:18:51 was successful.



DC=ForestDnsZones,DC=domain,local

    Default-First-Site-Name\SRVDC02 via RPC

        DSA object GUID: e2255fdb-3a7b-483a-9dc8-018ead92145e

        Last attempt @ 2015-07-17 14:59:35 was successful.

    Default-First-Site-Name\SRVDC04 via RPC

        DSA object GUID: 03bfb39c-cb4e-4fbb-a56e-3f594f9891c1

        Last attempt @ 2015-07-17 14:59:35 was successful.


dcdiag /test:dns

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = SRVDC03

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\SRVDC03

      Starting test: Connectivity

         ......................... SRVDC03 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\SRVDC03

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... SRVDC03 passed test DNS

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : Domain

   
   Running enterprise tests on : Domain.local

      Starting test: DNS

         Test results for domain controllers:

            
            DC: SRVDC03.Domain.local

            Domain: Domain.local

            

                  
               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone Domain.local
         
               SRVDC03                     PASS PASS PASS PASS WARN PASS n/a  
         ......................... Domain.pt passed test DNS

ping SRVDC01

C:\Users\administrator.domain\Desktop>ping SRVDC01
Ping request could not find host SRVDC01. Please check the name and try again.

Thanks

Hi Bruno,

I would like to help...

FSMO role is held b SRVDC03, right?

Do the metadata cleanup is done successfully to remove SRVDC01? if the success, please remove the DNS record of SRVDC01 i.e A host record, guid in srv record..., and remove the Server name in the AD site.