Active Directory could not transfer the remaining data in directory partition

Just recently I was asked by a client to migrate their Active Directory 2008 R2 servers to Windows Server 2016. All was going well until I needed to demote the old domain controllers and ran DCPROMO. I was presented with the error "Active Directory could not transfer the remaining data in directory partition". Below it stated "The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles". Before starting with the fix I would just note that every step here is important. Missing some of the details and skipping over things (you may think you know) will slow you down in the long run.


There seemed to be a lot of information and advice about this online; unfortunately a lot of it was not very helpful, and we had enough knowledge in the team to filter out what we needed from various sources. I next took a look in the event log and saw event ID 2091 and event ID 2022 logged. Event ID 2091 gives you the most information and should tell you the source of your problem.


As you can see in the above event log, where it says CN=D, this is the name of an old server that incidentally predated anyone in the existing IT team. Somehow this old server was still hanging on to ownership of the Infrastructure master FSMO role. The reason that we didn’t think this would be an issue is that all of the FSMO roles had already been transferred to another server and NTDSUTIL had confirmed this. Therefore, to resolve the issue we needed to:

a) Take ownership of the role.
b) Assign the role to the domain controller we wanted it to be on.

The fix in the end was fairly simple and involved a few steps which initially had us concerned but ultimately they were harmless and resolved the issue in a few minutes.

Locating the correct settings

The correct setting for the Infrastructure master FSMO role holder can be found by doing the following from the domain controller that you are trying to demote.

1. Go to start>run and type adsiedit.msc

2. Then right click on ADSI Edit and click Connect to.

3. Select the radio button to Select a well known Naming Context. Then select the Default naming context and click OK.


4. Click on DC=YOURDOMAIN,DC=Local.

5. Find CN=Infrastructure, which should be a separate entry at the bottom, then double click on it.

6. Double click on the fSMORoleOwner attribute and copy the contents.


7. Click Cancel and Cancel again.

Change the incorrect setting

Again the below should be done from the domain controller that you are trying to demote.

1. Go to start>run and type adsiedit.msc

2. Then right click on ADSI Edit and click Connect to.

3. It is important that you perform the next few steps accurately or you will see the wrong setting (there is more than one Infrastructure record!). Click ‘Select or type a Distinguished Name or Naming Context’.

4. In the box type:

DC=DomainDNSZones,DC=Domain,DC=Local

where DC=Domain,DC=Local is the distinguished name for your domain. Then click OK.


5. Click on DC=YOURDOMAIN,DC=Local.

6. Find CN=Infrastructure, which should be a separate entry at the bottom, then double click on it.

7. Then find the attribute fSMORoleOwner and double click on it. Paste the contents from the correct entry that you just copied above.

8. Then click OK and OK again.

9. Repeat steps 1-8 but instead of connecting to DC=DomainDNSZones,DC=Domain,DC=Local connect to:

DC=ForestDNSZones,DC=Domain,DC=Local

Problems changing the attribute

For some users the above fix works without issue, but like us you may receive the following: "Operation failed. Error code 0x20ae. The role owner attribute could not be read."


Some articles stated that simply making the above change on the domain controller that is the role owner, and not on the one being demoted, solved this problem. We still had the same issue though and had to complete a few more steps.

Our problem seemed a bit deeper rooted than most of the articles we had read and we had to run a Microsoft script called fixfsmo.vbs before we could make the changes in adsiedit. Please note: We ran the script originally just on the DC=DomainDNSZones,DC=Domain,DC=Local partition, however it also needs to be run on DC=ForestDNSZones,DC=Domain,DC=Local in order to work. The script is available from Microsoft here. It doesn’t require any modifications to run and is run as below.

1. Login to the current FSMO role holder and open an elevated command window.

2. Run the script using the following command:

cscript fixfsmo.vbs DC=DomainDNSZones,DC=Domain,DC=Local


3. Then run the script again using this command:

cscript fixfsmo.vbs DC=ForestDNSZones,DC=Domain,DC=Local

4. Once this is complete you should be able to make the adsiedit changes mentioned earlier without any problems.

The contents of the script are as follows:

'-------fixfsmo.vbs------------------
const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)
     
    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.

    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner",  strDsServiceName
        objInfra.SetInfo

        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if

End if
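
The manual ADSI Edit lookup and the script's deleted-owner test can be combined into one read-only check. The following PowerShell is an added example, not part of the original post or of Microsoft's script; it assumes the ActiveDirectory module (RSAT) is installed and that the domain controller you query hosts the DNS application partitions.

```powershell
# Added example: read-only audit of fSMORoleOwner on each CN=Infrastructure object.
# Assumption: ActiveDirectory module is available; nothing here writes to the directory.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext      # e.g. DC=Domain,DC=Local
$forestDN = $rootDse.rootDomainNamingContext   # DN of the forest root domain

# The three partitions whose Infrastructure object the article inspects or edits.
$partitions = @(
    $domainDN,
    "DC=DomainDNSZones,$domainDN",
    "DC=ForestDNSZones,$forestDN"
)

$results = foreach ($nc in $partitions) {
    $dn = "CN=Infrastructure,$nc"
    try {
        $obj   = Get-ADObject -Identity $dn -Properties fSMORoleOwner -ErrorAction Stop
        $owner = [string]$obj.fSMORoleOwner
        [pscustomobject]@{
            Partition = $nc
            RoleOwner = $owner
            # Same test fixfsmo.vbs uses: a deleted NTDS Settings object
            # has "\0ADEL:" in its DN. An empty owner is flagged as well.
            Stale     = $owner.Contains('\0ADEL:') -or ($owner -eq '')
        }
    }
    catch {
        # Partition not hosted on this DC, or insufficient rights to read it.
        [pscustomobject]@{
            Partition = $nc
            RoleOwner = "ERROR: $($_.Exception.Message)"
            Stale     = $null
        }
    }
}

$results | Format-List
```

A row with Stale set to True names the partition whose fSMORoleOwner still points at a removed domain controller.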

 

46 Replies to “Active Directory could not transfer the remaining data in directory partition”

  1. Accidentally ran the vb script for the DomainDNSZone on the domain controller I want to demote instead of the PDC with all FSMO roles, so now the DC I want to decom shows itself as the fSMORoleOwner under adsiedit for DomainDNSZone and I still can’t edit it manually.
    The ForestDNSZones I did correctly.

    Tried to move the role to a new DC and the default naming context shows that it moved but not the DNS zones.

    Tried to rerun the vb script on the FSMO role owner but it won’t move the fSMORoleOwner under adsiedit for DomainDNSZone now.

    Thinking of attempting the dcpromo again and rolling, unless there is another way to move this role? Thanks for the help

  2. This worked perfect!
    Just a side note in our environment, we did not have forest wide admin access to update the ForestDNSZones record, but only updating the DomainDNSZones worked in our case and were able to successfully demote the DC.

    Thanks!

  3. You ROCK sir !! The process worked just right, including the fix for the error messages. Sure wish I had this information a few years ago when demoting another domain controller. Wound up having to ‘rip’ it from AD, caused quite a few problems. Thanks for putting this together.

  4. Thank you .. for the detailed instruction .. Saved me a lot of time to investigate and troubleshooting .. really appreciated ^___^

  5. Thanks I had to run the script (from the server holding the roles !) and after that your other steps were not necessary anymore.

    Thanks again!

  6. Followed your instructions to a T – but then got the ‘read’ error. So went to the script. But then I get: C:\fixfsmo.vbs(20, 5) (null): Name translation: Could not find the name or insufficient right to see name.

    What now? Any ideas? Others have experienced this same error, but not necessarily for running the same script, but for similar fsmo problems. Thx.

  7. Well… yes the script ran, but it didn’t solve the ‘read’ problem. I can clear out the field for the infrastructure and save it, but when I paste the correct info in there, “Operation failed. Error code: 0x20ae. The role owner attribute could not be read.”

  8. Great doc. Life saver! I got the read error on the DC I was trying to demote. Ran it on the PDC, which is also holding the Infrastructure FSMO and it worked like a charm. Thumbs up!

  9. Great article. Thank you for posting this – we had this problem and this helped resolve it.

    I did have the Error code 0x20ae you warned about, but simply switching to Infrastructure FSMO role owner DC helped.

  10. I tried some other similar articles however this had some additional details, specifically the fixfsmo.vbs script, which resolved my issue. Thank you so much.

  11. Thank you for writing this article, that solved my problem.

    As you suggested, I had to make the change at the DC which was the role owner before it worked.

  12. I got this error, fixfsmo.vbs :the specified domain either does not exist or could not be commented, I have Windows server 2012

  13. Excellent article. I was also going through same issue and it’s resolved with the help of this article. Hats off to you sir.

  14. Very helpful article. I had all the issues you had including the error message. However running the fixfsmo.vbs twice on the new server for domain and forest fixed my issues. When I went back in to the adsi editor the deleted DC entry had been updated already with the new DC. Ran dcpromo and it worked fine.

  15. Outstanding Article. The vbs script resolved the issue without any additional follow-up required. I’ll be adding this to our documentation for future issues.

    Thanks!

  16. I’m encountering the same error but upon checking the FSMO holder of the ForestDNSZones it is already set to the correct domain controller

  17. I found out that you should ideally be altering the DomainDNSZone and ForestDNSZone on the FSMO holder if you’re getting an error (maybe even if you’re not getting errors too), not the server you’re demoting. The change should replicate to the server you’re demoting after that (unless replication is also broken).

    That’s what worked for me.

  18. Awesome information – solved an identical issue we ran into. We initially got the same error message trying to fix the attributes with ADSIedit, but found it worked on the FSMO Role holder without having to use the script. Once the servers replicated dcpromo ran without a hitch.

  19. This was incredibly helpful thank you. It covered all my issues and helped us resolve this exact problem.

    I had done a metadata and DNS cleanup previously (or so I thought) for this ancient DC, but apparently it was still referenced here.

  20. You sir are a legend, thank you for taking the time to post this info. I had found various similar info around when troubleshooting this and still hadn’t nailed it until I came across your post. Superb. This saved me a bunch of time and will be definitely be added to my domain migration guide troubleshooting appendices!
    (Resolved when demoting old DC – Small Business Server 2011 (Server 2008R2) to Server 2019 migration)

  21. Thanks so much for this article! It just helped me demote an old server 2008 r2 dc that was seeing all the same errors as you wrote including the “Operation failed. Error code 0x20ae. The role owner attribute could not be read.” error. The MS script worked perfectly too. Once I ran that script on the primary DC, I did not have to mess with ADSI Edit, in fact, when I tried, I got an error that prevented me from saving the changes and then I looked at the settings on my server (referenced in step 6/7) and noticed the settings were already correct – the script must fix them. Thanks again!

  22. In a world that constantly wastes my time, this article saved me hours of time. May happiness find you often! Thank you for taking the time to post this.

  23. Thank you for posting this. I was chasing my tail trying to resolve this issue. Your guide made it easy. I also ran into the ‘Operation failed’ error message. Tried running the script but didn’t sort issue for me. Running the ADSIEDIT commands from the server I was transferring the roles to sorted it for me.

  24. Thank you very much for providing this information.
    First, I also received the same error as described in “Problems changing the attribute” but after switching to the DC holding the FSMO roles I could change it and demotion of the old DC was not a problem anymore. Thanks!

  25. This was helpful! It did not work when trying it on the server I was trying to demote, but it did work when I tried it on the new DC holding all of the migrated FSMO roles. Thanks!

  26. Just running the script on the current FSMO role holder worked for me.
    After this I was able to demote the other server.
    Thank you so much!
