DCPromo out fails with: The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

While trying to demote, dcpromo out, a domain controller the operation might fail with the following error

“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

As you can notice, in my case, the partition at problems was DC=ForestDnsZones,DC=domain,DC=int.

To investigate more the problem I issued a dsquery command

dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int -attr fSMORoleOwner

The result clearly shows, as indicated in the event viewer, that the fSMORoleOwner is set to an orphaned object CN=NTDS Settings\0ADEL:xxxxxx

Now that we know what is the problem let’s solve it.

I opened ADSIEdit.msc and connected to: CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int

right click -> Properties on “infrastructure” and looked for the fSMORoleOwner attribute and remove the \0ADEL:xxxxxx from CN=NTDS Settings\0ADEL:xxxxxx. In my case the domain controller was still active it is just the \0ADEL:xxxxxx part that was wrong.

All looked pretty good, however when I tried to apply the changes I was faced with another error “The role owner attribute could not be read“.

The solution to that last bit was to repeat all the steps while connected to the domain controller holding the schema master role instead and voila I was able to demote the DC without any issues.

I have been working in IT consultancy and solution integration since 1998 and I consider myself lucky to be, one in a few, making a living out of my passion. I am also member of the famous Experts Exchange (profile here) online community where I try my best to share what I have learned along the road.

Posted in Operating Systems Tagged with: ,
15 comments on “DCPromo out fails with: The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
  1. Billb says:

    I have this same problem but could not apply even though I was connected to the Schema Master.

    • Chad says:

      I am experiencing this same issue, but when running this command, I receive the following output: dsquery Failed: ‘DC=ForestDnsZones’ is an unknown parameter..?

      Any ideas?

  2. Ryand says:

    This worked perfectly for me.  I had to do the same thing for CN=Infrastructure,DC=DomainDnsZones as well.  Nice!

  3. Jim F says:

    How do you know what your 0ADEL number should be?  In my case, the server no longer existed.  I just changed the server name, leaving the 0ADEL numbers, and got the error “The role owner attribute could not be read.” so then I just removed both the 0ADEL number sets and it accepted it on the FSMO server.

    CN=NTDS SettingsADEL:4d64f42d-8273-91fe-8079-f72438927336,CN=DEAD-SERVERADEL:81a154f2-4423-9581-a5d9-174287d852dc,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=mydomain,DC=local

    CN=NTDS Settings,CN=WORKING-SERVER,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=mydomain,DC=local

    But then the server I was trying to demote still failed, and an ADSI edit on that machine to enter the same fSMORoleOwner returns “The role owner attribute could not be read.”

    So are these 0ADEL numbers pointers to records in the AD?  How do I determine what they should be, to correcly identify my fSMORoleOwner.

  4. Warren says:

    I had this exact same problem.  The FSMO was for an orphan server that was not demoted properly 6+ years ago.  This attribute must be the correct server with the full 0ADEL string.
    This document: http://support.microsoft.com/kb/949257 solved the problem completely. It has a vbs script which scouts out and looks for the correct setting then changes it.   HIGHLY RECOMMEND you try that.
    Once this attribute had the correct setting and after waiting for it to replicate across all DC’s I was able to demote a Win2k8 DC.  Previously I had no issue demoting Win2k3 servers.  It appears that the demoting checks in 2008 look at this field but the 2003 server demotion step doesn’t.

  5. Carlos Serpa says:

    This worked perfectly, thank you.

  6. Constantine Serocco says:

    Many thanks!
    worked perfectly!

  7. aryana says:

    Thnx so much
    fixed my problem too 🙂

  8. jfccl says:

    Thanks very much! The fix worked great.

  9. Tom Rimala says:

    Thanks a bunch 🙂 This solved my problem after a couple of hours searching for a solution: “The solution to that last bit was to repeat all the steps while connected to the domain controller holding the schema master role instead and voila I was able to demote the DC without any issues.”

Leave a Reply

Your email address will not be published. Required fields are marked *

*