Zero Hour Sleep
7Jul/1114

DCPromo out fails with: The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

While trying to demote, dcpromo out, a domain controller the operation might fail with the following error

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

As you can notice, in my case, the partition at problems was DC=ForestDnsZones,DC=domain,DC=int.

To investigate more the problem I issued a dsquery command

dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int -attr fSMORoleOwner

The result clearly shows, as indicated in the event viewer, that the fSMORoleOwner is set to an orphaned object CN=NTDS Settings\0ADEL:xxxxxx

Now that we know what is the problem let's solve it.

I opened ADSIEdit.msc and connected to: CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int

right click -> Properties on "infrastructure" and looked for the fSMORoleOwner attribute and remove the \0ADEL:xxxxxx from CN=NTDS Settings\0ADEL:xxxxxx. In my case the domain controller was still active it is just the \0ADEL:xxxxxx part that was wrong.

All looked pretty good, however when I tried to apply the changes I was faced with another error "The role owner attribute could not be read".

The solution to that last bit was to repeat all the steps while connected to the domain controller holding the schema master role instead and voila I was able to demote the DC without any issues.

Enjoyed the post, what is next?

Grab our FULL RSS feed! or Email Updates then share it

About Antoine Khater

I have been working in IT consultancy and solution integration since 1998 and I consider myself lucky to be, one in a few, making a living out of my passion. I am also member of the famous Experts Exchange (profile here) online community where I try my best to share what I have learned along the road.
Tagged as: , Leave a comment
  • Billb

    I have this same problem but could not apply even though I was connected to the Schema Master.

  • Ryand

    This worked perfectly for me.  I had to do the same thing for CN=Infrastructure,DC=DomainDnsZones as well.  Nice!

  • http://whygoogle.me/ akhater

    Glad it helped !

  • Jim F

    How do you know what your 0ADEL number should be?  In my case, the server no longer existed.  I just changed the server name, leaving the 0ADEL numbers, and got the error “The role owner attribute could not be read.” so then I just removed both the 0ADEL number sets and it accepted it on the FSMO server.

    CN=NTDS SettingsADEL:4d64f42d-8273-91fe-8079-f72438927336,CN=DEAD-SERVERADEL:81a154f2-4423-9581-a5d9-174287d852dc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=mydomain,DC=local

    CN=NTDS Settings,CN=WORKING-SERVER,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=mydomain,DC=local

    But then the server I was trying to demote still failed, and an ADSI edit on that machine to enter the same fSMORoleOwner returns “The role owner attribute could not be read.”

    So are these 0ADEL numbers pointers to records in the AD?  How do I determine what they should be, to correcly identify my fSMORoleOwner.

  • http://twitter.com/nicasmic Warren

    I had this exact same problem.  The FSMO was for an orphan server that was not demoted properly 6+ years ago.  This attribute must be the correct server with the full 0ADEL string. Â
    This document: http://support.microsoft.com/kb/949257 solved the problem completely. It has a vbs script which scouts out and looks for the correct setting then changes it.   HIGHLY RECOMMEND you try that.
    Once this attribute had the correct setting and after waiting for it to replicate across all DC’s I was able to demote a Win2k8 DC.  Previously I had no issue demoting Win2k3 servers.  It appears that the demoting checks in 2008 look at this field but the 2003 server demotion step doesn’t.

  • kbj

    Script worked great – replicated changes and demotion succeeded

  • http://twitter.com/zgambitx Carlos Serpa

    This worked perfectly, thank you.

  • Constantine Serocco

    Many thanks!
    worked perfectly!

  • aryana

    Thnx so much
    fixed my problem too :)

  • jfccl

    Thanks very much! The fix worked great.

  • Koen Zomers

    Same here, had to change it there as well. And of course wait for it to be replicated. Then it worked fine. Thanks for sharing guys!

  • James Lee

    What parts of the script do you have to edit to make it successful in your environment?

  • http://twitter.com/tomrimal Tom Rimala

    Thanks a bunch :-) This solved my problem after a couple of hours searching for a solution: “The solution to that last bit was to repeat all the steps while connected to the domain controller holding the schema master role instead and voila I was able to demote the DC without any issues.”

  • Chad

    I am experiencing this same issue, but when running this command, I receive the following output: dsquery Failed: ‘DC=ForestDnsZones’ is an unknown parameter..?

    Any ideas?

« Cannot install the Certificate Authority Web Enrollment component Outlook mail forwarding rule to external address not working »

Latest Tweets