strange dcdiag results

adfreak

Below is a cut/paste from running the dcdiag.exe utility on one of my
client's DCs. What gets me nervous is how it repeatedly states things like
"is the RID owner, but is DELETED" ??? I've only been able to gather
limited info from them, but they said a while back, the original server ran
into hardware issues so they placed the drives into another box, or
something like that. Anyways, there is one other DC in the domain but when
I try to transfer all 5 FSMO roles, it bombs on me saying the "original role
holder cannot be contacted". How do I recover from this? I simply want to
retire this server from being a DC altogether. Here is the output:

Starting test: KnowsOfRoleHolders

Role Schema Owner = CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com
Warning: CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com is the Schema Owner, but is deleted.

Role Domain Owner = CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com
Warning: CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com is the Domain Owner, but is deleted.

Role PDC Owner = CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com
Warning: CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com is the PDC Owner, but is deleted.

Role Rid Owner = CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com
Warning: CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com is the Rid Owner, but is deleted.

Role Infrastructure Update Owner = CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com
Warning: CN="NTDS Settings
DEL:32cb3bad-5020-4eab-8b70-06f67e5b549f",CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SADOMAIN,DC=testdomain,DC=com is the Infrastructure Update Owner, but is deleted.
......................... dc1 failed test KnowsOfRoleHolders
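
Added example (not part of the original post): a small parser for KnowsOfRoleHolders output like the above that reports which FSMO roles point at a deleted NTDS Settings object, which is what the `DEL:<GUID>` suffix in the owner DN indicates. The sample text, GUID and domain names are constructed placeholders, and the function names are this example's own.

```python
import re

ROLE_RE = re.compile(r"^Role (.+?) Owner = (.*)$")
STOP_RE = re.compile(r"^(Warning:|Starting test:|\.{5,})")
DEL_RE = re.compile(r"DEL:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")
SERVER_RE = re.compile(r",CN=([^,]+),CN=Servers,", re.IGNORECASE)

# Constructed sample in the shape dcdiag prints (placeholder GUID and names),
# including the mail-style wrap inside "Default-First-Site-Name".
SAMPLE = '''Starting test: KnowsOfRoleHolders
Role Schema Owner = CN="NTDS Settings
DEL:00000000-0000-0000-0000-000000000001",CN=dc1,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
Warning: CN="NTDS Settings
DEL:00000000-0000-0000-0000-000000000001",CN=dc1,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test is the
Schema Owner, but is deleted.

Role PDC Owner = CN=NTDS Settings,CN=dc2,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
......................... dc1 failed test KnowsOfRoleHolders
'''

def parse_role_holders(text):
    """Return {role: {"dn", "server", "deleted_guid"}} from dcdiag text."""
    entries, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_RE.match(line)
        if m:                                  # start of a new role entry
            entries.append((m.group(1), [m.group(2)]))
            collecting = True
        elif not line or STOP_RE.match(line):  # entry ends here
            collecting = False
        elif collecting:                       # continuation of the owner DN
            # A deleted object's RDN holds a real newline before "DEL:";
            # keep it in its escaped form instead of losing it in the join.
            entries[-1][1].append("\\0A" + line if line.startswith("DEL:") else line)
    result = {}
    for role, parts in entries:
        dn = "".join(parts)
        deleted, server = DEL_RE.search(dn), SERVER_RE.search(dn)
        result[role] = {"dn": dn,
                        "server": server.group(1) if server else None,
                        "deleted_guid": deleted.group(1) if deleted else None}
    return result

def deleted_role_holders(text):
    """Roles whose recorded owner is a deleted NTDS Settings object."""
    return sorted(r for r, i in parse_role_holders(text).items() if i["deleted_guid"])

if __name__ == "__main__":
    print(deleted_role_holders(SAMPLE))
```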
 
Diana Smith [MSFT]

Hello,

You will have to access the DC that is still up and use ntdsutil to seize
the roles to this machine. Here is an article that should help you:

255504 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain
Controller
http://support.microsoft.com/?id=255504

Thank You.

Diana.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
adfreak

What are the ramifications of "seizing" the roles versus "transferring"? I
have a feeling I won't be able to transfer them, but what I'm worried about
is this client decided to make the server in question an application server
as well. It's running a mission critical app (don't ask me why). It sounds
as if the machine is going to be removed from the directory and placed back
in after seizing the roles? That might not bode well for the app team.

Thoughts?
 
adfreak

Update:

I attempted to "transfer" the roles first with NTDSUTIL but it failed with
the same error message "unable to contact original role holder".

I then successfully "seized" all 5 roles to the other DC. Here is what I'm
going through now. When I go into ADUC and within the DC container, it
still shows the server as a DC. When I log onto the server itself, and try
and take it out of the domain it is greyed out because it says it is a DC.
But, when I look under administrative tools, there is no ADUC, AD Sites, AD
Trusts, etc....?????????

So I tried running DCPROMO and towards the end when it is attempting to
remove DC object references from the other DC, it comes up with an error
message basically saying the account is getting "access denied" and to use
an enterprise admin user account. Problem is, I am using one. I think the
$100,000 question is "Is this machine really in the domain"????

ADUC says it is

I simply want to remove it from the domain, add it back in as a member
server with a new computer object and SID

But how do I do that if the option to remove from the domain is "greyed" out
and dcpromo keeps failing?

Thanks
 
