Windows 2008 R2 AD demotion error and its solution
The previous article covered the migration of AD CS. After the migration we had to make sure the service was working properly, so the original AD server was shut down but retained: if a real CS-related problem appeared, we were prepared to restore the CS-related services temporarily from a backup. After a long period of observation we confirmed that the CS service was operating normally, so we started to demote the original DC (dcpromo demotion). Some problems came up during the demotion, so they are summarized here for anyone who needs them.
There are two ways to demote a domain controller: a normal demotion and a forced demotion.
A normal demotion removes the AD service gracefully. From Windows 2003 through Windows 2008 R2 this is done by running dcpromo; from Windows 2012 onward the AD domain service is demoted through the admin tool. This is the method Microsoft recommends. When the AD service to be demoted does not work, or the hardware hosting it is not functioning properly, the first method is not available and we have to use the second, a forced demotion: removing the invalid AD server from the directory with the ntdsutil command. I prefer the first method, because it is more secure and more convenient and it automatically removes the relevant data from the directory. My environment is rather unusual and has more problems than most, so there were some incidents during the demotion before the final solution; details below.
Running the dcpromo command and following the demotion steps produced the following error message.
A search of Microsoft TechNet turned up the solution.
The cause is that the infrastructure master for the DNS application partition points to an NTDS Settings object (NTDSA) that has been deleted. If you still experience this failure, use ADSIEdit.msc to set the fSMORoleOwner attribute so that its DN path points to the primary domain controller in your forest.
http://adirectory.blog.com/2015/06/fault-domain-controller-downgrade/
https://support.microsoft.com/zh-cn/kb/2694933
Active Directory Domain Services could not transfer the remaining data in directory partition
DC=DomainDNSZones,DC=<DNS domain name> to
Active Directory Domain Controller
\\<DNS name of the helper DC used to service demotion>
"The directory service is missing mandatory configuration
information, and is unable to determine the ownership of floating single-master operation roles."
The relevant part of the DCPROMO.LOG file contains the following text:
<date> <time> [INFO] Transferring operations master roles owned by this Active Directory Domain Controller in directory partition DC=DomainDNSZones,DC=contoso,DC=com to Active Directory Domain Controller \\<dns name of the helper DC...
<date> <time> [INFO] EVENTLOG (Warning): NTDS Replication / Replication : 2091
A review of the Infrastructure object and its attributes for the DNS application partition referenced in the on-screen DCPROMO error and in DCPROMO.LOG shows:
Expanding base 'CN=Infrastructure,DC=DomainDNSZones,DC=contoso,DC=com'...
Getting 1 entries:
Dn: CN=Infrastructure,DC=DomainDNSZones,DC=contoso,DC=com
cn: Infrastructure;
distinguishedName: CN=Infrastructure,DC=DomainDNSZones,DC=contoso,DC=corp,DC=microsoft,DC=com;
dSCorePropagationData: 0x0 = ();
fSMORoleOwner: CN=NTDS Settings\0ADEL:<NTDS Settings object GUID>,CN=
instanceType: 0x4 = (WRITE);
isCriticalSystemObject: TRUE;
name: Infrastructure;
objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=contoso,DC=com;
objectClass (2): top; infrastructureUpdate;
objectGUID: <object guid>;
showInAdvancedViewOnly: TRUE;
systemFlags: 0x8C000000 = (DISALLOW_DELETE | DOMAIN_DISALLOW_RENAME | DOMAIN_DISALLOW_MOVE);
uSNChanged: <some USN #>;
uSNCreated: <some USN #>;
whenChanged: <date> <time>;
whenCreated: <date> <time>;
Where distinguishing elements in the LDAP output taken from the sample domain "contoso.com" include:
The fSMORoleOwner attribute contains the string "0ADEL", indicating that the role-owning DC's NTDS Settings object has been deleted.
The fSMORoleOwner attribute contains a 32-character alphanumeric GUID of the owning DC's NTDS Settings object in the format "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
The name of the default DNS application partition for which the fSMORoleOwner attribute is assigned to a DC with a deleted NTDS Settings object. In this case the error referenced DomainDNSZones. The same error can also occur for the ForestDNSZones application partition.
Solution:
The error above occurs when the domain controller being demoted cannot outbound-replicate changes to the DC that owns the Infrastructure FSMO or operational role for the partition referenced in the DCPROMO log error.
Specifically, the demotion attempt is aborted to safeguard against data loss. In the case of DNS application partitions, the demotion is blocked to ensure that live and deleted DNS records, their ACLs, and metadata such as registration and deletion dates are replicated.
DN paths for partitions where the error in the Symptoms section may occur include:
CN=Infrastructure,DC=DomainDNSZones ....
CN=Infrastructure,DC=ForestDNSZones ....
Following this solution, we were able to resolve the problem smoothly.
First we run netdom query fsmo to view the current owners of the AD roles.
Then log on to the infrastructure master, run adsiedit.msc to open the editor, then right-click and choose to connect.
First we connect to the ForestDNSZones partition:
CN=Infrastructure,DC=ForestDNSZones,DC=iternalsoft,DC=com
After connecting, we do find an error in it.
The value is malformed, and the CN name is not the current infrastructure master.
The BJ-DCD host no longer exists, and the correct one should be BJ-DC02.
CN=NTDS Settings\0ADEL:061b26ae-f637-4c58-8414-301f0261fe98,CN=BJ-DCD\0ADEL:64b8c2ea-1a70-4017-bdaa-4c17f04a6bab,CN=Servers,CN=beijing-iternalsoft,CN=Sites,CN=Configuration,DC=iternalsoft,DC=com
So we change it to the correct value and save:
CN=NTDS Settings,CN=BJ-DC02,CN=Servers,CN=beijing-iternalsoft,CN=Sites,CN=Configuration,DC=iternalsoft,DC=com
Then we open the DomainDNSZones partition in the same way:
CN=Infrastructure,DC=DomainDNSZones,DC=<domain name>
Change the fSMORoleOwner value there to the same content and save:
CN=NTDS Settings,CN=BJ-DC02,CN=Servers,CN=beijing-iternalsoft,CN=Sites,CN=Configuration,DC=iternalsoft,DC=com
After the modification we ran dcpromo again, and the demotion passed and finished.
The demotion is complete.
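The same check can be done read-only from PowerShell before running dcpromo. This is an added example, not part of the original article or the Microsoft KB: the function names are hypothetical, the sample values are the ones shown above, and the live query assumes the ActiveDirectory module is installed.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Written to run on PowerShell 2.0, the version shipped with Windows 2008 R2.

function Test-FsmoRoleOwner {
    param([Parameter(Mandatory=$true)][string]$RoleOwnerDn)
    # A deleted object's RDN is renamed to "<old name>\0ADEL:<objectGUID>".
    $pattern = '(?i)CN=([^,\\]+)\\0ADEL:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})'
    $hits = [regex]::Matches($RoleOwnerDn, $pattern)
    New-Object PSObject -Property @{
        IsStale        = ($hits.Count -gt 0)
        DeletedObjects = @($hits | ForEach-Object { $_.Groups[1].Value })
        RoleOwner      = $RoleOwnerDn
    }
}

function Get-DnsPartitionRoleOwner {
    # Read-only live query; needs the ActiveDirectory module and a reachable DC.
    param(
        [Parameter(Mandatory=$true)][string[]]$PartitionDn,
        [Parameter(Mandatory=$true)][string]$Server
    )
    Import-Module ActiveDirectory
    foreach ($p in $PartitionDn) {
        $obj = Get-ADObject -Identity "CN=Infrastructure,$p" `
                   -Properties fSMORoleOwner -Server $Server
        Test-FsmoRoleOwner -RoleOwnerDn $obj.fSMORoleOwner |
            Add-Member -MemberType NoteProperty -Name Partition -Value $p -PassThru
    }
}

# Values as shown in this article: the stale owner and the corrected one.
$stale = 'CN=NTDS Settings\0ADEL:061b26ae-f637-4c58-8414-301f0261fe98,' +
         'CN=BJ-DCD\0ADEL:64b8c2ea-1a70-4017-bdaa-4c17f04a6bab,CN=Servers,' +
         'CN=beijing-iternalsoft,CN=Sites,CN=Configuration,DC=iternalsoft,DC=com'
$good  = 'CN=NTDS Settings,CN=BJ-DC02,CN=Servers,CN=beijing-iternalsoft,' +
         'CN=Sites,CN=Configuration,DC=iternalsoft,DC=com'
$stale, $good | ForEach-Object { Test-FsmoRoleOwner -RoleOwnerDn $_ } |
    Format-List IsStale, DeletedObjects

# Live usage against both partitions:
# Get-DnsPartitionRoleOwner -Server 'BJ-DC02' -PartitionDn `
#   'DC=ForestDnsZones,DC=iternalsoft,DC=com', 'DC=DomainDnsZones,DC=iternalsoft,DC=com'
```

A partition reported with IsStale set to True is one whose fSMORoleOwner still needs the ADSI Edit correction described above.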
This article is from the "Gao Wenrong" blog; please keep this source attribution: http://gaowenlong.blog.51cto.com/451336/1706526