Discussion:
fSMORoleOwner in CN=Infrastructure DomainDNSZones & ForestDNSZones
dimsdale_007
2009-01-02 14:21:01 UTC
I've run around and around, googled until my eyes are bleeding, I really
hope someone here can help.

Basically this forum
"http://www.mombu.com/microsoft/mom-general-discussion/t-mom-2005-alert-and-event-562604.html"
pretty much shows my issue in detail. But like the last person who posted on
the forum, I too keep getting the message "The role owner attribute could not
be read." when I try to change the fSMORoleOwner attribute using ADSIEDIT.

In case you don't want to read the forum, basically, the FSMORoleOwner is
showing "CN=NTDS Settings\0ADEL:9e2f14ec-9e95-4f07-bf7c-1a862a4ed8d6,CN=OLDSERVERNAME\0ADEL:27e107a1-3085-4e72-a7bc-80f05e4769ca,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=Company_Name,DC=com"

I'm getting MOM alerts "The script 'AD Replication Monitoring' encountered a
runtime error. Failed to obtain the InfrastructureMaster using a well known
GUID.
The error returned was: 'Failed to get the 'fSMORoleOwner' attribute from
the object
'LDAP://DomainController1.company.com/<WKGUID=2fbac1870ade11d297c400c04fd8d5cd,DC=DomainDnsZones,DC=Company_Name,DC=com>'.
The error returned was: 'There is no such object on the server.'
(0x80072030)' (0x80072030)"

When I look in ADUC, it shows that DomainController3 is the Infrastructure
Master, but the DomainDNSZones & ForestDNSZones are incorrect, and displays
the GUID of an older server. I'm assuming someone before me just took the
old Infrastructure Master offline, decommissioned it, DC3 seized the role,
now AD is boogered up.

Does anyone have any ideas?
Paul Bergson
2009-01-02 15:22:27 UTC
It sounds like you could have a situation where an old DC was never properly
removed (crashed and rebuilt) from AD.

Check the link below and look through and see if this helps out.
http://support.microsoft.com/?id=216498
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
dimsdale_007
2009-01-02 16:43:01 UTC
I've tried that article, when I use NTDSUTIL and go through the instructions,
the current production servers are the only ones listed. So metadata cleanup
isn't helping sad to say.
Marcin
2009-01-02 15:40:28 UTC
Can you clarify what you mean by "DomainDNSZones & ForestDNSZones are
incorrect, and displays the GUID of an older server"?
Also note that "seizing" of Operation Master roles does not happen
automatically - as a matter of fact, as long as the previous Infrastructure
Master role has been decommissioned prior to the role transfer, seizing the
role would be the proper way to proceed. Btw - have you attempted to seize
the role using the procedure described in
http://support.microsoft.com/kb/255504 (you can actually attempt to run it
while connected to DomainController3)?

hth
Marcin
dimsdale_007
2009-01-02 17:00:01 UTC
From ADSIEDIT, if I connect to DomainDNSZones or ForestDNSZones, then expand
down and click on DC=DomainDNSZones, DC=CompanyName,DC=com, then open up
CN=Infrastructure, then find fSMORoleOwner, it displays
"CN=NTDS Settings\0ADEL:9e2f14ec-9e95-4f07-bf7c-1a862a4ed8d6,CN=OLDSERVERNAME\0ADEL:27e107a1-3085-4e72-a7bc-80f05e4769ca,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=Company_Name,DC=com"

When I try to replace it with the correct value of
"CN=NTDS Settings,CN=DomainController3,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=Company_Name,DC=com"
I get the "The role owner attribute could not be read" message.

I haven't tried to seize the role yet, the reason is if I look at the
Operations Masters for the domain in ADUC, and click on the Infrastructure
tab, it's showing DomainController3 as the Infrastructure Master. Also in
ADSIEDIT, if I expand Domain, then click on DC=Company_Name,DC=com, and open
up the CN=Infrastructure properties, the fSMORoleOwner in that particular
location shows the correct key
"CN=NTDS Settings,CN=DomainController3,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=Company_Name,DC=com",
which is strange.

Also one more thing to note as a problem I ran frsdiag, and there are other
servers showing up that shouldn't be. Basically, under ADSIEDIT, I expand
Domain, then DC=Company_Name,DC=com, then CN=System, then CN=File Replication
Service, then CN=Domain System Volume (SYSVOL share), there's 6 servers
showing there that do not exist anymore. Is it OK to delete these out from
ADSIEDIT or is there another way it should be handled? I'm not sure why none
of these servers are showing up when I try to do metadata cleanup.

Thanks,
Marcin
2009-01-02 18:18:46 UTC
Have you considered performing DNS cleanup by switching it to non-AD
integrated format, removing the default application partitions using
ntdsutil, and reverting back to the original configuration afterwards?
As far as metadata cleanup is concerned, follow the MS KB article that Paul
has provided in his response (http://support.microsoft.com/kb/216498), which
includes a reference to the item you mentioned below...

hth
Marcin
dimsdale_007
2009-01-02 18:49:01 UTC
I'm not sure how much havoc switching to non-AD DNS would cause, this domain
has nearly 2000 DNS entries.

As for the KB Article, that's what I used before, I mentioned below that the
servers aren't showing up in the NTDSUTIL when I connect to the domain and do
the list servers. It's a situation where I see things wrong, but all roads
to fix them have a block at the end.

Since DomainController3 is showing up as the Infrastructure Master in ADUC,
but NOT in the DC=Infrastructure Master setting in ADSIEDIT, would it hurt
anything to attempt to seize the role from DomainController3? Another
option, do you think transferring the role to another Domain Controller would
clear up the issues in this environment? The goal here is to be able to get
the fSMORoleOwner correct in the "CN=Infrastructure" object
Marcin
2009-01-02 23:43:36 UTC
Note that the Infrastructure Master that you are viewing via ADUC (Domain
Controller 3) is assigned to your default domain partition
(DC=company,DC=com), while the one you are referencing via ADSIEDIT is
actually the infrastructure master for one of the DNS application partitions
(in your case, you seem to have a problem with the DC=DomainDNSZones,
DC=CompanyName,DC=com) - so they represent two separate entities.
You might want to try running the script listed at
http://support.microsoft.com/kb/949257 - while ultimately this is equivalent
to the manual change you are attempting, it eliminates the chance for a
potential typo...

hth
Marcin
Jorge de Almeida Pinto [MVP - DS]
2009-01-02 22:45:48 UTC
just get the DN of the NTDS Settings object of the CURRENT INFRA FSMO for
the AD domain and specify that as the INFRA FSMO for both DomainDNSZones and
ForestDNSZones. Use either LDP or ADsiedit

OR....

use the script specified in: http://support.microsoft.com/kb/949257
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
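The check behind Marcin's explanation (each partition has its own CN=Infrastructure object) and Jorge's suggested value, as an added example that is not part of the original thread: it parses exported fSMORoleOwner values, flags owners whose RDNs carry the deleted-object marker `\0ADEL:<GUID>`, and reports the domain partition's owner as the replacement. Function names are hypothetical, and the sample input is constructed from the DNs quoted in the thread.

```python
import re

# RDN value of a deleted AD object: "<old name>\nDEL:<objectGUID>".
# In a string DN the newline is hex-escaped, hence the "\0ADEL:" shown by ADSIEDIT.
DEL_VALUE = re.compile(
    r"(?P<name>.*)\nDEL:(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})",
    re.IGNORECASE | re.DOTALL,
)
HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def split_dn(dn):
    """Split a string DN into raw RDNs on unescaped commas only."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape intact: "\XX" (hex pair) or "\<char>".
            step = 3 if HEX_PAIR.match(dn[i + 1:i + 3]) else 2
            cur.append(dn[i:i + step])
            i += step
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def unescape(value):
    """Decode DN escapes; hex pairs are decoded one byte at a time,
    which is enough for the ASCII newline in the DEL marker."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", repl, value, flags=re.DOTALL)


def deleted_rdns(dn):
    """Return (attribute, original name, objectGUID) for every deleted RDN."""
    found = []
    for rdn in split_dn(dn):
        attr, _, raw = rdn.partition("=")
        m = DEL_VALUE.fullmatch(unescape(raw))
        if m:
            found.append((attr.strip(), m.group("name"), m.group("guid").lower()))
    return found


def audit_role_owners(owners, reference_object):
    """owners maps each CN=Infrastructure object DN to its fSMORoleOwner value.
    reference_object is the domain partition's object, whose owner is the
    replacement value suggested in the thread."""
    reference = owners[reference_object]
    if deleted_rdns(reference):
        raise ValueError("reference role owner is itself a deleted object")
    findings = []
    for obj, owner in owners.items():
        dead = deleted_rdns(owner)
        if dead:
            findings.append({"object": obj, "deleted": dead, "suggested": reference})
    return findings


# Constructed sample, built from the values quoted in the thread.
BASE = "DC=Company_Name,DC=com"
SITE = "CN=Servers,CN=Default,CN=Sites,CN=Configuration," + BASE
LIVE = "CN=NTDS Settings,CN=DomainController3," + SITE
STALE = (r"CN=NTDS Settings\0ADEL:9e2f14ec-9e95-4f07-bf7c-1a862a4ed8d6,"
         r"CN=OLDSERVERNAME\0ADEL:27e107a1-3085-4e72-a7bc-80f05e4769ca," + SITE)
DOMAIN_OBJ = "CN=Infrastructure," + BASE
SAMPLE = {
    DOMAIN_OBJ: LIVE,
    "CN=Infrastructure,DC=DomainDnsZones," + BASE: STALE,
    "CN=Infrastructure,DC=ForestDnsZones," + BASE: STALE,
}

if __name__ == "__main__":
    for f in audit_role_owners(SAMPLE, DOMAIN_OBJ):
        names = ", ".join(f"{name} ({guid})" for _, name, guid in f["deleted"])
        print(f"{f['object']}\n  owner refers to deleted objects: {names}"
              f"\n  suggested value: {f['suggested']}")
```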
dimsdale_007
2009-01-07 15:27:01 UTC
Just a reference in my original problem statement, ADSIEDIT gave me an error
"The role owner attribute could not be read.".

I had to put in a change management ticket before I could make the change, I
will try the script 1st, if that fails I'll try to seize the role on DC3, if
both fail, I'll try to seize/transfer the role to DC4. If it works tonight,
I'll give you guys an update.

Thanks for the help from everyone BTW!!
Post by Jorge de Almeida Pinto [MVP - DS]
just get the DN of the NTDS Settings object of the CURRENT INFRA FSMO for
the AD domain and specify that as the INFRA FSMO for both DOmainDNSZones and
ForestDNSZones. Use either LDP or ADsiedit
OR....
use the script specified in: http://support.microsoft.com/kb/949257
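An offline check for the symptom discussed in this thread, as an added example that is not part of any post and is not the KB 949257 script: it parses fSMORoleOwner strings, flags values whose RDNs carry the `\0ADEL:<GUID>` deleted-object marker, and reports the replacement value the reply above suggests. The stale value is the DN quoted in the thread; the DomainController3 DN, the sample dictionary and all function names are assumptions.

```python
"""Audit fSMORoleOwner values for links to deleted NTDS Settings objects."""
import re

# When AD deletes an object it renames the RDN to "<old name><LF>DEL:<objectGUID>".
# In a DN string the line feed is written as the escape "\0A"; some clients
# return the raw character instead, so both forms are accepted.
DELETED_RDN = re.compile(
    r"^(?P<name>.*?)(?:\\0[aA]|\n)DEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)


def split_dn(dn):
    """Split a DN on unescaped commas, leaving escape sequences untouched."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # backslash plus the character it escapes
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).lstrip())
    return parts


def normalize_dn(dn):
    """Case-insensitive form of a DN for comparison."""
    return ",".join(part.lower() for part in split_dn(dn))


def deleted_components(dn):
    """Return (attribute, original name, objectGUID) for each deleted RDN in dn."""
    found = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        match = DELETED_RDN.match(value)
        if match:
            found.append((attr, match.group("name"), match.group("guid").lower()))
    return found


def audit_role_owners(owners, expected_owner):
    """Classify each Infrastructure object's fSMORoleOwner value.

    owners maps the DN of an Infrastructure object to the fSMORoleOwner
    string read from it (None when the attribute could not be read).
    expected_owner is the NTDS Settings DN of the current Infrastructure
    master of the domain, which the reply in this thread says to use.
    """
    want = normalize_dn(expected_owner)
    findings = []
    for obj_dn, value in owners.items():
        deleted = []
        if not value:
            status = "unreadable"
        else:
            deleted = deleted_components(value)
            if deleted:
                status = "stale"      # points at a deleted NTDS Settings object
            elif normalize_dn(value) == want:
                status = "ok"
            else:
                status = "differs"    # live object, but another DC: review
        findings.append({
            "object": obj_dn,
            "status": status,
            "deleted": deleted,
            "suggested": None if status == "ok" else expected_owner,
        })
    return findings


# Constructed sample input. The stale value is the DN quoted in the thread;
# the DomainController3 DN is an assumed healthy value for the domain partition.
LIVE_OWNER = ("CN=NTDS Settings,CN=DomainController3,CN=Servers,CN=Default,"
              "CN=Sites,CN=Configuration,DC=Company_Name,DC=com")
STALE_OWNER = (r"CN=NTDS Settings\0ADEL:9e2f14ec-9e95-4f07-bf7c-1a862a4ed8d6,"
               r"CN=OLDSERVERNAME\0ADEL:27e107a1-3085-4e72-a7bc-80f05e4769ca,"
               "CN=Servers,CN=Default,CN=Sites,CN=Configuration,"
               "DC=Company_Name,DC=com")
SAMPLE = {
    "CN=Infrastructure,DC=Company_Name,DC=com": LIVE_OWNER,
    "CN=Infrastructure,DC=DomainDnsZones,DC=Company_Name,DC=com": STALE_OWNER,
    "CN=Infrastructure,DC=ForestDnsZones,DC=Company_Name,DC=com": STALE_OWNER,
}

if __name__ == "__main__":
    for finding in audit_role_owners(SAMPLE, LIVE_OWNER):
        print(f"{finding['status']:>10}  {finding['object']}")
        for attr, name, guid in finding["deleted"]:
            print(f"{'':>12}deleted {attr}={name} (objectGUID {guid})")
        if finding["suggested"]:
            print(f"{'':>12}set fSMORoleOwner to: {finding['suggested']}")
```

On a live domain the three values would come from an LDAP read of the fSMORoleOwner attribute on each Infrastructure object; the functions only inspect strings and change nothing in the directory.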
Jorge de Almeida Pinto [MVP - DS]
2009-01-07 22:54:53 UTC
glad to help out
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
dimsdale_007
2009-01-08 18:34:03 UTC
This didn't work either. The script comes back with "(20, 5) (null): The
specified domain either does not exist or could not be contacted."

So I ran netdom query /domain /verify and 1 of the 6 domain controllers
which currently holds the RID & PDC roles comes up with this for status
"ERROR! (the specified domain either does not exist or could not be
contacted.)" The other 5 DCs pull back the domain status correctly.

I also tried to seize the role, and an error came back saying role seizure
not necessary.

Any other ideas?
Jorge de Almeida Pinto [MVP - DS]
2009-01-09 08:49:47 UTC
if you do a:

NETDOM QUERY FSMO

do all the DCs listed still exist in your environment?
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
dimsdale_007
2009-01-09 15:43:01 UTC
Yes, all DCs are current & actually show up correctly with FSMO roles.
Jorge de Almeida Pinto [MVP - DS]
2009-01-09 16:21:19 UTC
check out DNS configuration.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
dimsdale_007
2009-01-12 16:32:04 UTC
I've gone through DNS config, but see nothing set incorrectly. Is there
anything in particular you think is incorrect in DNS?
Jorge de Almeida Pinto [MVP - DS]
2009-01-12 19:48:36 UTC
Permalink
it cannot find the DC and the domain
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
Post by dimsdale_007
I've went through DNS config, but see nothing set incorrectly. Is there
anything in particular you think is incorrect in DNS?
Post by Jorge de Almeida Pinto [MVP - DS]
check out DNS configuration.
Post by dimsdale_007
Yes, all dc's are current & actually show up correctly with FSMO roles.
Post by Jorge de Almeida Pinto [MVP - DS]
NETDOM QUERY FSMO
do all the DCs listed still exist in your environment?
Post by dimsdale_007
This didn't work either. The script comes back with "(20, 5) The
specified domain either does not exist or could not be contacted."
So I ran netdom query /domain /verify and 1 of the 6 domain controllers
which currently holds the RID & PDC roles comes up with this for status
"ERROR! (the specified domain either does not exist or could not be
contacted.)" The other 5 DC's pull back the domain status correctly.
I also tried to seize the role, and an error came back saying role seizure
not necessary.
Any other ideas?
Post by Jorge de Almeida Pinto [MVP - DS]
glad to help out
dimsdale_007
2009-01-12 22:59:03 UTC
Permalink
That's a no brainer, DC1 which is the one throwing the error and is also the
primary DNS server. The server's local config is correct, and I don't see
any issues with the way DNS is configured either. There's no stale DNS
Servers in the configs, etc. DC2 is also a DNS server, it doesn't throw
the error but when I have the servers' settings side by side, there's really
no differences.

The company I work for right now doesn't have MS Premier support which
blows. I've also been working with our MS rep, he's told me to call in a
support incident and work with the MS techs at this point. If you have
any more ideas shoot them my way. I'll probably call MS tomorrow and
hopefully will get some new ideas thrown into the mix.

Thanks!
Post by Jorge de Almeida Pinto [MVP - DS]
it cannot find the DC and the domain
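The condition this thread describes, an fSMORoleOwner value on CN=Infrastructure that still points at a deleted NTDS Settings object, can be checked offline from exported attribute values. The following is an added example, not code from any poster or from the KB article; the function names, the sample partition list and the DomainController3 DN are assumptions constructed from the names used in the thread.

```python
import re

# RDN of a deleted (tombstoned) AD object: "<name>\0ADEL:<objectGUID>"
DELETED_RDN = re.compile(
    r"^(?P<attr>[^=]+)=(?P<name>.*)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$")


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def check_role_owner(partition, role_owner, expected_owner):
    """Classify one fSMORoleOwner value; read-only, nothing is written to AD."""
    deleted = []
    for rdn in split_dn(role_owner):
        m = DELETED_RDN.match(rdn)
        if m:
            deleted.append((m.group("name"), m.group("guid").lower()))
    if deleted:
        status = "STALE_DELETED_OWNER"   # owner DN references a deleted object
    elif role_owner.lower() != expected_owner.lower():
        status = "MISMATCH"              # live object, but not the expected DC
    else:
        status = "OK"
    return {"partition": partition, "status": status, "deleted_rdns": deleted}


def audit(values, expected_owner):
    """Check every exported partition -> fSMORoleOwner pair."""
    return [check_role_owner(p, v, expected_owner) for p, v in values.items()]


# Value quoted in the original post (raw string keeps the literal backslash).
STALE = (r"CN=NTDS Settings\0ADEL:9e2f14ec-9e95-4f07-bf7c-1a862a4ed8d6,"
         r"CN=OLDSERVERNAME\0ADEL:27e107a1-3085-4e72-a7bc-80f05e4769ca,"
         "CN=Servers,CN=Default,CN=Sites,CN=Configuration,"
         "DC=Company_Name,DC=com")
# Constructed: NTDS Settings DN of the DC that ADUC shows as infrastructure master.
EXPECTED = ("CN=NTDS Settings,CN=DomainController3,CN=Servers,CN=Default,"
            "CN=Sites,CN=Configuration,DC=Company_Name,DC=com")
# Constructed export: fSMORoleOwner read from CN=Infrastructure in each partition.
SAMPLE = {
    "DC=Company_Name,DC=com": EXPECTED,
    "DC=DomainDnsZones,DC=Company_Name,DC=com": STALE,
    "DC=ForestDnsZones,DC=Company_Name,DC=com": STALE,
}

if __name__ == "__main__":
    for row in audit(SAMPLE, EXPECTED):
        print(row["partition"], row["status"], row["deleted_rdns"])
```

The DN comparison is a plain case-insensitive string match, so the expected value should be copied in the same form the directory returns it.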