Problem Active Directory
While migrating Active Directory at one of my clients, I ran into a problem whose solution seems worth sharing. When you update the schema to add the RODC objects (adprep /rodcprep), an error 0x3 appears. When demoting the domain controller, error messages appeared informing me of a problem.
A surviving domain controller must seize any operations master roles, also known as flexible single master operations or FSMO, that were previously held by the forcibly demoted domain controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
How you can resolve the problem
After some research, the problem was identified: it stems from the Infrastructure role. In effect, by looking at the properties of the fSMORoleOwner attribute
To correct this, connect to the DomainDNSZones partition from the ADSI Edit console. Right-click ADSI Edit, and then click Connect to.
Specify the partition to connect to. Here, we want to access the DomainDNSZones partition of the domain Formation.local (replace it with your domain).
A new node appears in the console. Expand it, and then open the properties of the CN=Infrastructure record.
Check the fSMORoleOwner attribute: it should normally specify the owner of the Infrastructure master role. When the value is in the proper format, it shows the production server that holds the role.
If the value of the attribute is wrong, use the script from KB949257.
https://support.microsoft.com/fr-fr/kb/949257
Copy the entire script into a Notepad file and name the file fixfsmo.vbs.
A small tip that will save you time: comment out the first line (——-fixfsmo.vbs——————) by adding a ' at the start of the line. Without this change, the script will tell you that the argument is missing.
Run the following command on the server that holds the Infrastructure master FSMO role, replacing the AD domain with your own domain:
cscript fixfsmo.vbs DC=DomainDNSZones,DC=Formation,DC=Priv
Then check the CN=Infrastructure record in ForestDNSZones and do the same if necessary.
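The ADSI Edit check described above can also be done from PowerShell before and after running fixfsmo.vbs. This is an added, read-only example, not part of the original post or of KB949257. It assumes the ActiveDirectory module (RSAT) and a domain controller that hosts both DNS application partitions, and it treats the `0ADEL:` marker, which Active Directory puts in the name of a deleted object, as the sign of a stale owner.

```powershell
# Added example: read-only check of fSMORoleOwner on CN=Infrastructure in both
# DNS application partitions. It changes nothing in the directory.
# Assumption: ActiveDirectory module (RSAT) available, run in a domain-joined session.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitions = @(
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)

foreach ($partition in $partitions) {
    $infraDn = "CN=Infrastructure,$partition"
    try {
        $infra = Get-ADObject -Identity $infraDn -Properties fSMORoleOwner -ErrorAction Stop
    } catch {
        # The partition may not be hosted on the DC that answered the query.
        Write-Warning "Cannot read ${infraDn}: $($_.Exception.Message)"
        continue
    }

    $owner  = $infra.fSMORoleOwner
    $status = 'OK'
    if ([string]::IsNullOrEmpty($owner)) {
        $status = 'EMPTY'
    } elseif ($owner -match '0ADEL:') {
        # The owner DN points at the NTDS Settings object of a removed DC.
        $status = 'DELETED OWNER'
    } else {
        # The DN looks clean; confirm the NTDS Settings object still exists.
        try { Get-ADObject -Identity $owner -ErrorAction Stop | Out-Null }
        catch { $status = 'OWNER NOT FOUND' }
    }

    [pscustomobject]@{
        Partition     = $partition
        fSMORoleOwner = $owner
        Status        = $status
    }
}
```

Any status other than OK on a partition means its CN=Infrastructure record is a candidate for the fixfsmo.vbs correction.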