Re: fSMORoleOwner in CN=Infrastructure DomainDNSZones & ForestDNSZ

it cannot find the DC and the domain

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"dimsdale_007" <dimsdale007@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A3E3566F-F491-4EA7-BAF2-A40B3DEC5FE5@xxxxxxxxxxxxxxxx
I've went through DNS config, but see nothing set incorrectly. Is there
anything in particular you think is incorrect in DNS?

"Jorge de Almeida Pinto [MVP - DS]" wrote:

check out DNS configuration.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"dimsdale_007" <dimsdale007@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E4C33CAD-F30B-4204-9B60-E5A4888604B2@xxxxxxxxxxxxxxxx
> Yes, all dc's are current & actually show up correctly with FSMO roles.
>
>
> "Jorge de Almeida Pinto [MVP - DS]" wrote:
>
>> if you do a :
>>
>> NETDOM QUERY FSMO
>>
>> do all the DCs listed still exist in your environment?
>>
>> -- >>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>
>> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services >> #
>>
>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> ------------------------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test ANY suggestion in a test environment before >> implementing!
>> ------------------------------------------------------------------------------------------
>> #################################################
>> #################################################
>> ------------------------------------------------------------------------------------------
>>
>> "dimsdale_007" <dimsdale007@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in >> message
>> news:DF6CDD8B-A0DD-4CE6-BAE7-28DCFB3E66AD@xxxxxxxxxxxxxxxx
>> > This didn't work either. The script comes back with "(20, 5) >> > (null):
>> > The
>> > specified domain either does not exist or could not be contacted."
>> >
>> > So I ran netdom query /domain /verify and 1 of the 6 domain >> > controllers
>> > which currently holds the RID & PDC roles comes up with this for >> > status
>> > "ERROR! (the specified domain either does not exist or could not be
>> > contacted.) The other 5 DC's pull back the domain status correctly.
>> >
>> > I also tried to seize the role, and an error came back saying role
>> > seizure
>> > not necessary.
>> >
>> > Any other ideas?
>> >
>> > "Jorge de Almeida Pinto [MVP - DS]" wrote:
>> >
>> >> glad to help out
>> >>
>> >> -- >> >>
>> >> Cheers,
>> >> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> >>
>> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory >> >> Services
>> >> #
>> >>
>> >> BLOG (WEB-BASED)--> >> >> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> >> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> >> ------------------------------------------------------------------------------------------
>> >> * This posting is provided "AS IS" with no warranties and confers >> >> no
>> >> rights!
>> >> * Always test ANY suggestion in a test environment before
>> >> implementing!
>> >> ------------------------------------------------------------------------------------------
>> >> #################################################
>> >> #################################################
>> >> ------------------------------------------------------------------------------------------
>> >>
>> >> "dimsdale_007" <dimsdale007@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> message
>> >> news:771E3D87-FDAD-47E8-BAA6-06499B696B88@xxxxxxxxxxxxxxxx
>> >> > Just a reference in my original problem statement, ADSIEDIT gave >> >> > me
>> >> > an
>> >> > error
>> >> > "The role owner attribute could not be read.".
>> >> >
>> >> > I had to put in a change management ticket before I could make >> >> > the
>> >> > change,
>> >> > I
>> >> > will try the script 1st, if that fails I'll try to seize the role >> >> > on
>> >> > DC3,
>> >> > if
>> >> > both fail, I'll try to seize/transfer the role to DC4. If it >> >> > works
>> >> > tonight,
>> >> > I'll give you guys an update.
>> >> >
>> >> > Thanks for the help from everyone BTW!!
>> >> >
>> >> > "Jorge de Almeida Pinto [MVP - DS]" wrote:
>> >> >
>> >> >> just get the DN of the NTDS Settings object of the CURRENT INFRA
>> >> >> FSMO
>> >> >> for
>> >> >> the AD domain and specify that as the INFRA FSMO for both
>> >> >> DOmainDNSZones
>> >> >> and
>> >> >> ForestDNSZones. Use either LDP or ADsiedit
>> >> >>
>> >> >> OR....
>> >> >>
>> >> >> use the script specified in: >> >> >> http://support.microsoft.com/kb/949257
>> >> >>
>> >> >>
>> >> >> -- >> >> >>
>> >> >> Cheers,
>> >> >> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> >> >>
>> >> >> # Jorge de Almeida Pinto # MVP Identity & Access - Directory
>> >> >> Services
>> >> >> #
>> >> >>
>> >> >> BLOG (WEB-BASED)-->
>> >> >> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> >> >> BLOG (RSS-FEEDS)--> >> >> >> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> >> >> ------------------------------------------------------------------------------------------
>> >> >> * This posting is provided "AS IS" with no warranties and >> >> >> confers
>> >> >> no
>> >> >> rights!
>> >> >> * Always test ANY suggestion in a test environment before
>> >> >> implementing!
>> >> >> ------------------------------------------------------------------------------------------
>> >> >> #################################################
>> >> >> #################################################
>> >> >> ------------------------------------------------------------------------------------------
>> >> >>
>> >> >> "dimsdale_007" <dimsdale007@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> >> message
>> >> >> news:EB38DF7C-E32A-43BF-A553-9CB781A58CFD@xxxxxxxxxxxxxxxx
>> >> >> > I've ran around and around, google'd until my eyes are >> >> >> > bleeding,
>> >> >> > I
>> >> >> > really
>> >> >> > hope someone here can help.
>> >> >> >
>> >> >> > Basically this forum
>> >> >> > "http://www.mombu.com/microsoft/mom-general-discussion/t-mom-2005-alert-and-event-562604.html";
>> >> >> > pretty much shows my issue in detail. But like the last >> >> >> > person
>> >> >> > who
>> >> >> > posted
>> >> >> > on
>> >> >> > the forum, I too keep getting the message "The role owner
>> >> >> > attribute
>> >> >> > could
>> >> >> > not
>> >> >> > be read." when i try to change the fSMORoleOwner attribute >> >> >> > using
>> >> >> > ADSIEDIT.
>> >> >> >
>> >> >> > In case you don't want to read the forum, basically, the
>> >> >> > FSMORoleOwner
>> >> >> > is
>> >> >> > showing "CN=NTDS
>> >> >> > Settings\0ADEL:9e2f14ec-9e95-4f07-bf7c-1a862a4ed8d6,CN=OLDSERVERNAME\0ADEL:27e107a1-3085-4e72-a7bc-80f05e4769ca,CN=Servers,CN=Default,CN=Sites,CN=Configuration,DC=Company_Name,DC=com"
>> >> >> >
>> >> >> > I'm getting MOM alerts "The script 'AD Replication Monitoring'
>> >> >> > encountered
>> >> >> > a
>> >> >> > runtime error. Failed to obtain the InfrastructureMaster using >> >> >> > a
>> >> >> > well
>> >> >> > known
>> >> >> > GUID.
>> >> >> > The error returned was: 'Failed to get the 'fSMORoleOwner'
>> >> >> > attribute
>> >> >> > from
>> >> >> > the object
>> >> >> > 'LDAP://DomainController1.company.com/<WKGUID=2fbac1870ade11d297c400c04fd8d5cd,DC=DomainDnsZones,DC=Company_Name,DC=com>'.
>> >> >> > The error returned was: 'There is no such object on the >> >> >> > server.'
>> >> >> > (0x80072030)' (0x80072030)"
>> >> >> >
>> >> >> > When I look in ADUC, it shows that DomainController3 is the
>> >> >> > Infrastructure
>> >> >> > Master, but the DomainDNSZones & ForestDNSZones are incorrect,
>> >> >> > and
>> >> >> > displays
>> >> >> > the GUID of an older server. I'm assumnig someone before me >> >> >> > just
>> >> >> > took
>> >> >> > the
>> >> >> > old Infrastructure Master offline, decommissioned it, DC3 >> >> >> > seized
>> >> >> > the
>> >> >> > role,
>> >> >> > now AD is boogered up.
>> >> >> >
>> >> >> > Does anyone have any ideas?
>> >> >>
>> >> >>
>> >>
>>

.

Relevant Pages

  • Re: 2008 AD restore
    ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... * This posting is provided "AS IS" with no warranties and confers no rights! ... Always test ANY suggestion in a test environment before implementing! ... if you at any point in time are able to DISABLE inbound AD replication on a DC BEFORE the tombstone reaches that DC, then you can do an auth restore without the non-auth restore ...
    (microsoft.public.windows.server.active_directory)
  • Re: Adprep /rodcprep error message
    ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... * This posting is provided "AS IS" with no warranties and confers no rights! ... Always test ANY suggestion in a test environment before implementing! ...
    (microsoft.public.windows.server.active_directory)
  • Re: Permissions to create computer objects and join domain.
    ... BLOG -->http://blogs.dirteam.com/blogs/jorge/default.aspx ... * This posting is provided "AS IS" with no warranties and confers no rights! ... Always test ANY suggestion in a test environment before implementing! ... I've reviewed the permissions and read the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Default containers in AD
    ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... We want to put nested OUs under the Computers and Users containers and ...
    (microsoft.public.windows.server.active_directory)
  • Re: fSMORoleOwner in CN=Infrastructure DomainDNSZones & ForestDNSZ
    ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... * This posting is provided "AS IS" with no warranties and confers no rights! ... Always test ANY suggestion in a test environment before implementing! ...
    (microsoft.public.windows.server.active_directory)
Loading