AD DS Operation Failed – directory service is missing mandatory configuration – Event ID 2091 – FSMO Role Broken

We went to run a DCPromo on a temporary DC to remove it from a domain and received the following error:

Active Directory Domain Services Installation Wizard

The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=DOMAIN,DC=LOCAL to Active Directory Domain Controller \\SBS.DOMAIN.LOCAL.

“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

In the temporary DC’s Event Logs we found the following:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          3/12/2011 12:29:37 PM
Event ID:      2091
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      TempDC.DOMAIN.LOCAL
Description:

Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
FSMO Server DN: CN=NTDS Settings\0ADEL:b3541fc4-50cc-4c12-96be-e5239b314bea,CN=OLD-DC\0ADEL:da50a8ba-dbc7-4219-8d68-ffa03b38c030,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
User Action:
1. Determine which server should hold the role in question.
2. Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently.  If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
3. Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
4. Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.

The referenced OLD-DC was an original Windows Server from eight years ago!

Long story short, make sure to open ADSIEdit _on the affected FSMO Role owner_ and make the necessary changes there. When we tried to change the required settings on TempDC we kept getting errors.

1. Obtain the correct setting:
   1. On the affected role owner open ADSIEdit.
   2. Click on Default Naming Context [SBS.Domain.Local].
   3. Click on DC=Domain,DC=Local.
   4. Double click on CN=Infrastructure at the bottom of the list of folders.
   5. Locate the fSMORoleOwner attribute and click on it.
   6. Click the Edit button.
   7. CTRL+C to copy the contents of the attribute.
   8. Click CANCEL twice.
2. Correct the problematic settings:
   1. Right click the ADSI Edit root and click on Connect to…
   2. Use the following connection point:
      1. DC=DomainDNSZones,DC=Domain,DC=Local
      2. 
   3. Click on Default Naming Context [SBS.Domain.Local] to populate it.
   4. Click on DC=DomainDNSZones,DC=Domain,DC=Local folder.
   5. Double click on CN=Infrastructure.
   6. Locate the fSMORoleOwner attribute and click on it.
   7. Click the Edit button.
   8. CTRL+V to paste the correct setting.
   9. Click OK and then Apply.
   10. Repeat steps 2.1-2.9 to correct DC=ForestDNSZones,DC=Domain,DC=Local.

Once the above steps were completed on the FSMO Role owner for Infrastructure we were able to properly demote the temporary DC.

NOTE

The error we kept receiving when trying to edit the FSMO Role owner setting on TempDC was the following:

ADSIEdit

Operation failed. Error code: 0x20ae
The role owner attribute could not be read.

000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

The above message took a while to decipher that we were being told to move our FSMO editing operations over to the Role Owner!

Further Reading

• Microsoft KB949257: Error message when you run the “Adprep /rodcprep” command in Windows Server 2008: “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com”
  • We could not get the script to run properly. Though, we were attempting to run it on the TempDC instead of the FSMO Role Owner.
• Microsoft Forums: dcpromo remove domain controller failed
  • Helped to guide us into the right direction.
• Microsoft KB867464: Event ID 4515 is logged in the DNS Server log in Windows Server 2003
  • Error is completely irrelevant. OPTION 1 showed us how to get connected to ForestDNSZones and DomainDNSZones in ADSIEdit.
• TechArena Forums: Infrastructure FSMO role owner attibute [sic] not correct in root do
  • The realization that we needed to be on the Role Owner came from here.
  • 
  • Thanks Michael!
• We opened a ticket on the Microsoft Partner Forum: DCPromo Fail – AD DS could not transfer the remaining data in directory partition … missing mandatory configuration. FSMO.
  • Green Yi’s reply helped us to focus in on finding the solution.

Original Post: http://blog.mpecsinc.ca/2011/03/ad-ds-operation-failed-directory.html

Philip Elder
Microsoft High Availability MVP
MPECS Inc.
www.s2d.rocks !
Our Web Site
Our Cloud Service