FSMO issues can't demote properly

Donald Frank Budnick 1 Reputation point
2022-10-18T14:21:49.687+00:00

I am unable to correct entries in adsiedit and get the following text for this command.

ldifde -f Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,DC=mydomain,DC=Local" -l fSMORoleOwner
Results in Word
dn: CN=Infrastructure,DC=DomainDnsZones,DC=MyDomain,DC=local
changetype: add
fSMORoleOwner:
CN=NTDS Settings\0ADEL:90ac7dd3-e0ad-4f1a-adf7-bc80829142ea,CN=OLD DOMAIN CONTROLLER\0AD
EL:72213d36-d6c3-40bf-986b-6550bb04688e,CN=Servers,CN=Default-First-Site,CN=Si
tes,CN=Configuration,DC=MyDomainName,DC=local

ldifde -f Infra_ForestDNSZones.ldf -d "CN=Infrastructure,DC=ForestDnsZones,DC=mydomain,DC=Local" -l fSMORoleOwner
Results in Word after clearing the entry using adsiedit; the operation now fails with error code: 0x20ae
The Role owner attribute could not be read when I try to enter the correct info
Currently fSMORoleOwner is <not set> as I cleared it when trying to change it
dn: CN=Infrastructure,DC=ForestDnsZones,DC=MyDomain,DC=local
changetype: add

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
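The two exports in the question show the two states a stale role owner can be left in: a value that points at a deleted NTDS Settings object (the `\0ADEL:<GUID>` suffix) and no value at all. As an added example, not part of the original thread, this Python sketch unfolds an ldifde export and classifies each record; the sample LDIF, host names and GUIDs are constructed placeholders, and base64 (`::`) values are not handled.

```python
import re

# Constructed sample modelled on the exports quoted in the question.
# Names and GUIDs are placeholders; long values are folded as ldifde writes them.
SAMPLE_LDIF = """\
dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=local
changetype: add
fSMORoleOwner:
 CN=NTDS Settings\\0ADEL:00000000-0000-0000-0000-000000000001,CN=OLDDC\\0AD
 EL:00000000-0000-0000-0000-000000000002,CN=Servers,CN=Default-First-Site,CN=Si
 tes,CN=Configuration,DC=example,DC=local

dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=local
changetype: add

dn: CN=Infrastructure,DC=example,DC=local
changetype: add
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=local
"""

def unfold(text):
    """Join folded LDIF lines (a continuation starts with one space)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def classify(owner):
    if not owner:
        return "not-set"
    # A deleted object's RDN is renamed to "<name>\0ADEL:<objectGUID>".
    if re.search(r"\\0ADEL:[0-9a-fA-F-]{36}", owner):
        return "deleted-owner"
    return "ok"

def audit_role_owners(text):
    """Return {dn: 'ok' | 'deleted-owner' | 'not-set'} for each record."""
    results, dn, owner = {}, None, None
    for line in unfold(text) + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                results[dn] = classify(owner)
            dn, owner = None, None
            continue
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "fsmoroleowner":
            owner = value.strip()
    return results
```

Any record reported as `deleted-owner` or `not-set` is a partition whose infrastructure role owner still needs to be pointed at a live domain controller.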

6 answers

  1. Anonymous
    2022-10-18T14:34:07.337+00:00

    Not sure what you're trying to do? If the PDC emulator has failed then you could seize roles to another healthy one.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    then perform some cleanup prior to rebuild
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Donald Frank Budnick 1 Reputation point
    2022-10-18T15:38:49.273+00:00

    The remnants only show in adsiedit and when using the commands I posted


  3. Donald Frank Budnick 1 Reputation point
    2022-10-18T17:42:14.373+00:00

    I am sorry DSP but based on my subject "FSMO issues can't demote properly" I am not sure why you are asking.


  4. Anonymous
    2022-10-18T17:46:08.143+00:00

    based on my subject "FSMO issues can't demote properly" I am not sure why you are asking.

    Ok, with this limited info the simplest solution may be to remove the problem one from the network, seize roles (if needed) to another healthy one.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    then perform cleanup to remove remnants
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    then rebuild failed one if that's the goal.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

