When you try to do a clean system installation for a domain upgrade, you will demote the old DC. Following error come up:
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=wellingtonsc,DC=vic,DC=edu,DC=au
FSMO Server DN: CN=NTDS Settings\0ADEL:82d8aa04-5a98-4813-9e15-4d205177a144,CN=WSC01-2003\0ADEL:1770854d-d989-41db-a770-31f1930f36e2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellingtonsc,DC=vic,DC=edu,DC=au
- Determine which server should hold the role in question.
- Configuration view may be out of date. If the server in question has been promoted recently, verify that the Configuration partition has replicated from the new server recently. If the server in question has been demoted recently and the role transferred, verify that this server has replicated the partition (containing the latest role ownership) lately.
- Determine whether the role is set properly on the FSMO role holder server. If the role is not set, utilize NTDSUTIL.EXE to transfer or seize the role. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
- Verify that replication of the FSMO partition between the FSMO role holder server and this server is occurring successfully.
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
This can be caused by several reasons:
Hard ware fault caused the losing of FSMO holder, incorrect demote DC.
First we need to create a VBS with notepad, save as fixfsmo.vbs:
const ADS_NAME_INITTYPE_GC = 3 const ADS_NAME_TYPE_1779 = 1 const ADS_NAME_TYPE_CANONICAL = 2 set inArgs = WScript.Arguments if (inArgs.Count = 1) then ' Assume the command line argument is the NDNC (in DN form) to use. NdncDN = inArgs(0) Else Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN" End if if (NdncDN <> "") then ' Convert the DN form of the NDNC into DNS dotted form. Set objTranslator = CreateObject("NameTranslate") objTranslator.Init ADS_NAME_INITTYPE_GC, "" objTranslator.Set ADS_NAME_TYPE_1779, NdncDN strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL) strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1) Wscript.Echo "DNS name: " & strDomainDNS ' Find a domain controller that hosts this NDNC and that is online. set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE") strDnsHostName = objRootDSE.Get("dnsHostName") strDsServiceName = objRootDSE.Get("dsServiceName") Wscript.Echo "Using DC " & strDnsHostName ' Get the current infrastructure fsmo. strInfraDN = "CN=Infrastructure," & NdncDN set objInfra = GetObject("LDAP://" & strInfraDN) Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller. if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then ' Set the fsmo holder to this domain controller. objInfra.Put "fSMORoleOwner", strDsServiceName objInfra.SetInfo ' Read the fsmo holder back. set objInfra = GetObject("LDAP://" & strInfraDN) Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner End if End if
To move the role from lost computer object to the current computer.
Run CMD with Admin privilege:
cscript fixfsmo.vbs DC=DomainDnsZones,DC=contoso,DC=com cscript fixfsmo.vbs DC=ForestDnsZones,DC=centoso,DC=com