Problems demoting a domain controller – change the FSMO master

I’m playing around with some stuff at home while I wait to start a new job. Part of “playing” involves setting up a SQL cluster, which of course needs a domain. I originally decided to use a virtual machine for the domain controller and then opted to use my host server instead. Anyway, I needed to demote the old domain controller and move everything over to my host, which it turns out is not as simple as transferring the FSMO roles. When I ran dcpromo to demote the old DC I ran into the error below.

Directory Service is missing mandatory configuration information…unable to determine ownership of floating single-master operation roles

Ok, I thought I transferred those but apparently not. My first step was to use ntdsutil to transfer over the roles. Then I decided to seize them since the demotion was still failing. Here are the steps for that.

1. Logon to the server that will be the new FSMO master.
2. Start –> Run –> type ntdsutil and hit enter.
3. Type roles and hit enter.
4. Type connections and hit enter.
5. Type connect to server <servername> and hit enter, replacing <servername> with the name of the server that will be the new FSMO master.
6. Seizing a role first attempts a graceful transfer, so you might as well start here. Type the following commands to seize each role:
   Seize infrastructure master
   Seize naming master
   Seize PDC
   Seize RID master
   Seize schema master
7. If you don’t run into an error you are good to go. If you do then proceed on.

Seizing the roles didn’t work either, so the next step is adsiedit. In each of the partitions below you want to change the fSMORoleOwner attribute so that the hostname matches your new FSMO master. When you check the attribute, the value needs to look like the one below:

CN=NTDS Settings,CN=CHANGE-THIS<hostname>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=famlan,DC=local

Where it says CHANGE-THIS<hostname>, type in the host name of the new FSMO master, e.g. DC01 or PDC01 or whatever you named your server.

First change the ForestDNSZones …

1. Run Adsiedit.msc
2. Connect to the server which holds the Infrastructure role.
3. Connect to DC=ForestDnsZones,DC=<domain>,DC=<suffix>.
4. Open the properties for the Infrastructure object.
5. Check the fSMORoleOwner attribute.
6. Specify an infrastructure role owner that is online for the partition. You can do this by manually modifying the fSMORoleOwner attribute on the object.

Now the DomainDNSZones …

1. Run Adsiedit.msc
2. Connect to the server which holds the Infrastructure role.
3. Connect to DC=DomainDnsZones,DC=<domain>,DC=<suffix>.
4. Open the properties for the Infrastructure object.
5. Check the fSMORoleOwner attribute.
6. Specify an infrastructure role owner that is online for the partition. You can do this by manually modifying the fSMORoleOwner attribute on the object.
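The same check and fix for both partitions, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module, rights to modify the partition objects, and uses the post’s famlan.local domain; the hostname DC01 and the site name are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and rights to modify the partition objects.
Import-Module ActiveDirectory

$NewMaster = 'DC01'                    # placeholder: hostname of the new FSMO master
$Site      = 'Default-First-Site-Name' # placeholder: site the new master is in
$DomainDN  = 'DC=famlan,DC=local'      # the domain used in the post

# The value the post says fSMORoleOwner must hold: the NTDS Settings object of the new master
$ExpectedOwner = "CN=NTDS Settings,CN=$NewMaster,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"

# Sanity check before touching anything: that NTDS Settings object must actually exist
$null = Get-ADObject -Identity $ExpectedOwner -Server $NewMaster

function Test-DnsPartitionOwner {
    param(
        [Parameter(Mandatory)] [string] $Partition, # 'ForestDnsZones' or 'DomainDnsZones'
        [switch] $Fix                               # rewrite the attribute when it is wrong
    )
    $infraDN = "CN=Infrastructure,DC=$Partition,$DomainDN"
    $obj     = Get-ADObject -Identity $infraDN -Properties fSMORoleOwner -Server $NewMaster
    $current = $obj.fSMORoleOwner

    if ($current -eq $ExpectedOwner) {
        Write-Host "$Partition : OK, owner is $NewMaster"
        return $true
    }

    # A demoted or unreachable DC leaves a stale DN here, which is what makes dcpromo fail
    Write-Warning "$Partition : fSMORoleOwner is '$current', expected '$ExpectedOwner'"
    if ($Fix) {
        Set-ADObject -Identity $infraDN -Replace @{ fSMORoleOwner = $ExpectedOwner } -Server $NewMaster
        Write-Host "$Partition : updated"
        return $true
    }
    return $false
}

# Report first; add -Fix once the warnings show exactly what you expect to change
foreach ($p in 'ForestDnsZones', 'DomainDnsZones') { Test-DnsPartitionOwner -Partition $p }
```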

After all that go back to the DC you are going to demote and run dcpromo again. Everything should work like a charm.

1 Comment

  1. Excellent write-up Mike! I’ve always appreciated your technical mind.

    Sometimes it’s easier just to dump the old DC once you have a new one up and remove it from AD. I’ve successfully used the procedures in the links below for all OS versions of domain controllers.

    http://support.microsoft.com/kb/216498 – The steps for 2003 with SP1 also work for 2008 and 2008R2
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx – Perhaps the most thorough write-up you will find on the subject. Just pick and choose the stuff you need. You usually don’t need most of it.
