I receive the following error in my OpsMgr2007 which indicates that my root
domain has a problem:
AD Replication Monitoring : encountered a runtime error.
Failed to obtain the InfrastructureMaster using a well known GUID.
The error returned was: 'Failed to get the 'fSMORoleOwner' attribute from
the object
'LDAP://cservername.domain.subdomain.net/<WKGUID=2fbac1870ade11d297c400c04fd8d5cd,DC=ForestDnsZones,DC=eccocorp,DC=net>'.
The error returned was: 'The directory property cannot be found in the cache.
' (0x8000500D)' (0x8000500D)
And by following what is suggested in this article:
http://www.mombu.com/microsoft/mom-management-pack-active-directory/t-ad-topology-discovery-error-me-too-199177.html
Then I correctly find that I have an error on the infrastructure object in AD,
which points to a probably deleted DC.
But then the problem is that I can't change the property.
When I try changing it in ADSI Edit I get the following error:
Operation Failed. Error code: 0x20ae
The role owner attribute could not be read
000020AE: SvcErr: DSID-03152BF7, Problem 5003
(WILL_NOT_PERFORM) Data 0
I have also tried to seize the role with NTDSUTIL onto the same server which
seems to hold the role right now, but with no luck.
What can I do now?
Thank you for your time
/Alex
Beamer wrote:
> When I try changing it in ADSI Edit I get the following error:
>
> Operation Failed. Error code: 0x20ae
> The role owner attribute could not be read
>
> 000020AE: SvcErr: DSID-03152BF7, Problem 5003
> (WILL_NOT_PERFORM) Data 0
>
> I have also tried to seize the role with NTDSUTIL onto the same server which
> seems to hold the role right now, but with no luck
>
> What can I do now?
So what is the current IM role holder? Check with "netdom query fsmo".
Is it still online and accessible? What does "have tried with NTDSUTIL
with no luck" mean?
Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
This will detail the fsmo role holders, you should then be able to go to
that dc and verify that things are ok. I will post a diagnostics set of
commands at the end of this thread as well. You can consider to run them if
you want to.
I have a SCOM server as well and just tuning it and I get a lot of noise and
I see a fsmo error from time to time, so if you are seeing this every few
days I don't think I would be overly concerned.
Run diagnostics against your Active Directory domain.
If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe
Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"
**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take into
account slow links to dc's will also add to the testing time.
If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests without
having to learn all the switch options. The details will be output in
notepad text files that pop up automagically.
The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm
Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)
When complete search for fail, error and warning messages.
Description and download for dnslint
http://support.microsoft.com/kb/321045
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Please post an output from "netdom query fsmo" and also run the diagnostic tools
dcdiag /v and netdiag /v, and repadmin /showrepl if more DCs exist.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
also checkout:
http://support.microsoft.com/kb/949257
Thank you for your answer.
I would love to write the appropriate value into the field but it won't let
me.
It still gives me the error below when I try to:
> Operation Failed. Error code: 0x20ae
> The role owner attribute could not be read
>
> 000020AE: SvcErr: DSID-03152BF7, Problem 5003
> (WILL_NOT_PERFORM) Data 0
I got this error when trying to set it on several domain controllers.
However, I was able to update the value by connecting to the partition on the
server that actually was the infrastructure master.
I don't know if that was the real "fix" or just a coincidence though.
I just tried to fix the CN=Infrastructure object under the ForestDNSZones (I
had previously just done the DomainDNSZones), and it gave the same error from
a random DC. I connected to the infrastructure FSMO role holder for the root
domain, and it worked just fine.
Michael
I think what is the most aggravating about this is that everywhere
else, it shows the correct server. It's just under DomainDNSZones and
ForestDNSZones that it's incorrect. You still have to edit the
attribute on the Infrastructure master and you have to make sure that
when you edit it, you put in the server that is currently the
infrastructure master (it won't let you put in a server that is not,
we wanted to move our Infrastructure master back to the original
server afterwards).
Anyways, I hope this helps for anybody that had tried everything
above with no success.
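
The check the last two posts describe, as an added example that is not part of the original thread: it classifies the fSMORoleOwner value of each CN=Infrastructure object against the current infrastructure master and flags an owner that is a deleted object. The function name, server names, DNs and the all-zero GUID are constructed, and the commented Get-ADObject line assumes the ActiveDirectory PowerShell module, which the thread itself does not use.

```powershell
# Added example. Server names, DNs and the all-zero GUID are constructed.
function Get-InfraOwnerStatus {
    param(
        [Parameter(Mandatory)] [string] $Partition,
        [AllowEmptyString()]   [string] $FsmoRoleOwner,  # fSMORoleOwner of CN=Infrastructure,<partition>
        [Parameter(Mandatory)] [string] $ExpectedServer  # current infrastructure master (short name)
    )
    $server = $null
    if ([string]::IsNullOrWhiteSpace($FsmoRoleOwner)) {
        $status = 'MISSING'            # attribute absent or could not be read
    }
    elseif ($FsmoRoleOwner -match '\\0ADEL:') {
        $status = 'DELETED_OWNER'      # DN of a deleted object carries the \0ADEL: marker
    }
    elseif ($FsmoRoleOwner -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,') {
        $server = $Matches[1]          # server object that owns the NTDS Settings object
        $status = if ($server -eq $ExpectedServer) { 'OK' } else { 'WRONG_OWNER' }
    }
    else {
        $status = 'UNPARSEABLE'
    }
    [pscustomobject]@{ Partition = $Partition; Owner = $server; Status = $status }
}

# Constructed sample values: one healthy partition, one pointing at a deleted DC,
# one pointing at a live DC that is not the infrastructure master.
$cfg = 'CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=net'
$del = '\0ADEL:00000000-0000-0000-0000-000000000000'
$samples = @(
    @{ Partition = 'DC=example,DC=net';                   Owner = "CN=NTDS Settings,CN=DC02,$cfg" }
    @{ Partition = 'DC=DomainDnsZones,DC=example,DC=net'; Owner = "CN=NTDS Settings$del,CN=DC01$del,$cfg" }
    @{ Partition = 'DC=ForestDnsZones,DC=example,DC=net'; Owner = "CN=NTDS Settings,CN=DC03,$cfg" }
)

# 'DC02' stands in for the holder reported by "netdom query fsmo".
$samples | ForEach-Object {
    Get-InfraOwnerStatus -Partition $_.Partition -FsmoRoleOwner $_.Owner -ExpectedServer 'DC02'
} | Format-Table -AutoSize

# On a live domain, read the value from the role holder itself (ActiveDirectory module assumed):
#   (Get-ADObject "CN=Infrastructure,$partition" -Properties fSMORoleOwner -Server $roleHolder).fSMORoleOwner
```

For ForestDnsZones, pass the infrastructure master of the forest root domain as the expected server, as in the post above.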