Problem Active Directory

While migrating Active Directory at one of my clients, I found it worthwhile to share a solution to a problem. When you update the schema to add the RODC objects (adprep /rodcprep), an error 0x3 appears. When the domain controller is demoted, error messages appear informing me of a problem.

A surviving domain controller must seize any operations master roles, also known as flexible single master operations or FSMO, that were previously held by the forcibly demoted domain controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

How you can resolve the problem

After some research, the problem was identified: it stems from the Infrastructure role, as can be seen by looking at the properties of the fSMORoleOwner attribute.

To correct this, connect to the DomainDNSZones partition from the ADSI Edit console. Right-click ADSI Edit, and then click Connect to.

Specify the partition to connect to. Here, we want to access the DomainDNSZones partition of the domain Formation.local (replace with your domain).

A new node appears in the console. Expand it, and then open the properties of the CN=Infrastructure record.

Check the value of the fSMORoleOwner attribute, which designates the owner of the Infrastructure master role. The example below is in the proper format: it shows the production server that holds the role.

If the value of the attribute is wrong, use the script from KB949257.

https://support.microsoft.com/fr-fr/kb/949257

Copy the entire script into a Notepad file and name the file fixfsmo.vbs.

A little trick that will save you time: comment out the first line (——-fixfsmo.vbs——————) by adding a ' at the start of the line. Without this, the script will report that an argument is missing.

Run the following command on the server that holds the Infrastructure master FSMO role, replacing the AD domain with your own domain:

cscript fixfsmo.vbs DC=DomainDNSZones,DC=Formation,DC=Priv

Check the CN=Infrastructure record in ForestDNSZones and do the same if necessary.
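The ADSI Edit check described above can also be done from PowerShell, for both DNS application partitions at once. This read-only script is an added example, not part of the original post or of KB949257; it assumes the ActiveDirectory module (RSAT) is installed and that it runs against a domain controller hosting both partitions, and it treats a `0ADEL:` marker in the value (the form a deleted object's DN takes) as the sign of a stale owner.

```powershell
# Added example: read-only audit of fSMORoleOwner on CN=Infrastructure.
# Nothing is modified in the directory.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# The two DNS application partitions that carry a CN=Infrastructure object.
$partitions = @(
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)

$results = foreach ($partition in $partitions) {
    $dn = "CN=Infrastructure,$partition"
    try {
        $infra = Get-ADObject -Identity $dn -Properties fSMORoleOwner -ErrorAction Stop
    } catch {
        # Partition not hosted on this DC, or access denied.
        [pscustomobject]@{ Partition = $partition; Owner = $null
                           Status = "UNREADABLE: $($_.Exception.Message)" }
        continue
    }

    $owner = $infra.fSMORoleOwner
    if ([string]::IsNullOrEmpty($owner)) {
        $status = 'EMPTY'
    } elseif ($owner -match '0ADEL:') {
        # The owner DN points at a deleted NTDS Settings object,
        # typically left behind by a forcibly demoted domain controller.
        $status = 'STALE (owner object deleted)'
    } else {
        # The value looks well formed; confirm that the object still exists.
        try {
            Get-ADObject -Identity $owner -ErrorAction Stop | Out-Null
            $status = 'OK'
        } catch {
            $status = 'STALE (owner does not resolve)'
        }
    }

    [pscustomobject]@{ Partition = $partition; Owner = $owner; Status = $status }
}

$results | Format-List
```

Any partition reported as STALE or EMPTY is one where the fixfsmo.vbs step applies.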
