Scenario:

During the demotion of a domain controller, when we ran dcpromo to start the process we quickly encountered the error “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”, which interrupts the demotion process.

Further Diagnosis:

This occurred for us on some Windows Server 2008 R2 servers while we were in the lengthy process of upgrading Active Directory from 2003 and 2008 R2 to 2012 R2, now that Novell eDirectory is phased out.

So far, the error message implies an issue with operational masters or flexible single master operation (FSMO) roles, which are two names for the same thing. Confusingly, the F in FSMO is also sometimes read as floating rather than flexible, and in much documentation for Server 2008 onward you see just operational masters used instead, as that is the official name now.

In Command Prompt or PowerShell, the command netdom query fsmo says the operational masters are where they should be, so it's not immediately clear where the issue lies. However, the event log shows an error and a warning, and the detail of those entries mentions the Infrastructure Master through the string “Dn: CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=ac,DC=uk”.

At this point, to verify that something is wrong with the location of the Infrastructure Master we look at the records held in Active Directory using ADSIEdit to check that the location of the Infrastructure Master in the fSMORoleOwner attributes is correct. You need to do this from the domain controller that has the Infrastructure Master role.

  1. Launch ADSI Edit (search for ADSIEdit).
  2. Right-click ADSI Edit in the side bar and choose Connect to…
  3. Change the connection point to CN=Configuration,DC=domain,DC=ac,DC=uk
  4. Leave Computer as Default if you're currently logged in to the domain controller with the Infrastructure Master role, else change this as needed.
  5. Click OK.

This should add a new section in the side bar. You should now also add connections for the connection points below.

  • DC=ForestDnsZones,DC=domain,DC=ac,DC=uk
  • DC=DomainDnsZones,DC=domain,DC=ac,DC=uk

Looking at the properties of CN=Infrastructure within both DC=ForestDnsZones and DC=DomainDnsZones shows an attribute called fSMORoleOwner. In our case it contained incorrect information referencing a server that no longer exists, along with random numbers and letters, when it should be fairly clean and readable.

Solution:

To get the exact string of text for the two fSMORoleOwner attributes in DC=ForestDnsZones and DC=DomainDnsZones, go back to the connection point we added first, CN=Configuration,DC=domain,DC=ac,DC=uk. There, open the properties of CN=NTDS Settings for the domain controller and find the attribute called distinguishedName.

Copy the string of text in this field and paste it into the fSMORoleOwner attribute mentioned earlier in both DC=ForestDnsZones,DC=domain,DC=ac,DC=uk and DC=DomainDnsZones,DC=domain,DC=ac,DC=uk, which should then resolve the problem.
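The same check and correction can be scripted instead of clicked through in ADSI Edit. The following is an added example, not part of the original write-up: it assumes the ActiveDirectory PowerShell module is installed and a single-domain forest as in this scenario, and the function name Test-DnsPartitionFsmoOwner is made up for illustration.

```powershell
# Added example: audit (and optionally correct) fSMORoleOwner on the
# CN=Infrastructure objects of the DomainDnsZones / ForestDnsZones partitions.
# Assumptions: ActiveDirectory module available, single-domain forest.
Import-Module ActiveDirectory

function Test-DnsPartitionFsmoOwner {
    param([switch]$Repair)   # hypothetical switch: without it the function only reports

    $domain  = Get-ADDomain
    $infraDc = Get-ADDomainController -Identity $domain.InfrastructureMaster
    # Same value as distinguishedName on CN=NTDS Settings under CN=Configuration
    $expected = $infraDc.NTDSSettingsObjectDN

    $rootDn  = (Get-ADRootDSE).rootDomainNamingContext
    $targets = @(
        "CN=Infrastructure,DC=DomainDnsZones,$($domain.DistinguishedName)",
        "CN=Infrastructure,DC=ForestDnsZones,$rootDn"
    )

    foreach ($dn in $targets) {
        # Query the Infrastructure Master itself, as the manual steps do
        $obj = Get-ADObject -Identity $dn -Properties fSMORoleOwner `
                            -Server $infraDc.HostName
        $ok  = ($obj.fSMORoleOwner -eq $expected)

        New-Object PSObject -Property @{
            Object   = $dn
            Current  = $obj.fSMORoleOwner
            Expected = $expected
            Correct  = $ok
        }

        if (-not $ok -and $Repair) {
            # -Confirm prompts before each write; the old value is in the report above
            Set-ADObject -Identity $dn -Server $infraDc.HostName `
                         -Replace @{ fSMORoleOwner = $expected } -Confirm
        }
    }
}

# Report only: nothing is changed
Test-DnsPartitionFsmoOwner | Format-List Object, Current, Expected, Correct
```

Run it report-only first and keep the output as a record of the old values; Test-DnsPartitionFsmoOwner -Repair then prompts before writing each correction.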

After making a correction to the two attributes that were wrong, when we next ran dcpromo to demote a domain controller everything worked as expected. I don’t know the root cause of the issue, but since correcting it, it has not occurred again.