DsRemoveDsDomainW error0x20ae (The role owner attribute could not be read)

Michael & Gilda Goldner

There are no functioning DCs in the child domain. There is only one DC in
the Root, so only one FSMO Domain naming master for all five roles. I used
ntdsutil to remove the last DC from the child domain on the AD database of
the ROOT domain, when I was unable to demote the last DC on the child
domain. I have since reformatted that non-functioning DS, so there are no
computers in the child Domain. There are no sites in the child domain and
no listed naming context, yet, when I try to remove the child domain from
the AD database of the ROOT, I still get:
"DsRemoveDsDomainW error0x20ae (The role owner attribute could not be read)"

I have done a semantic database analysis using ntdsutil -files, and do find
some anomalies with some missing sub references, but now have no idea what
more to do to remove the child domain from the ROOT AD.

Any additional thoughts?

Michael

Mark Ramey said:
Michael

I am taking it that the child domain does not have any functioning DCs in
the domain now, correct? How many DCs do you have in the root domain? Is
replication occurring between the root DCs successfully? Is the Domain
Naming Master FSMO available?

If there are no DCs left in the child and they were not dcpromo'ed down
gracefully, then you need to run ntdsutil to remove all DCs out of the
domain before attempting to remove the domain. If this fails on a DC in the
root, attempt to run it on the Domain Naming Master.


--
Mark Ramey [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Michael & Gilda Goldner said:
The problem is that the last DC in the child domain no longer exists. So I
don't think I can run the /forceremoval. I only have the DC in the parent
domain, and I can't eliminate the domain. It has no site, DC or naming
context, but I still get the same message in ntdsutil when I try to do a
metadata cleanup on the parent dc.

When I run a semantic database analysis, I do get some missing subref
objects, but I have cleaned out all references to the child domain, and its
DCs in DNS, and AD, as far as I know and can find.

Any other thoughts?
 
If you open Active Directory Domains and Trusts, right-click and choose
Operations Master, does it show you the current FSMO role holder or do you
get an error? If you get an error, seize the Domain Naming Master FSMO
role onto itself (the same machine that currently holds the Domain Naming
Master FSMO role) and try to delete the child domain again.

If that doesn't work, there is probably information about the child domain
somewhere in the configuration container. You can do an ldifde dump of the
configuration container per KB 237677. Search for any references to
domain controllers from the deleted child domain.

I had an issue (and found another case that had the same resolution) where
there was information in the LostAndFoundConfig container
(CN=LostAndFoundConfig,CN=Configuration,DC=<Domain>,DC=<Com>). You may see
a reference to a dc in the child domain listed here - if so, delete that
server object and then try again.

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
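
The search step from the reply above, as an added example that is not part of the original thread: a small Python helper that reads an LDIF export of the configuration container and lists every entry that still references the removed child domain. The sample export, the domain names and the host names are constructed placeholders.

```python
import base64
import re

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded lines and base64 values are decoded."""
    text = re.sub(r"\r?\n ", "", text)         # unfold: a leading space continues a line
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:      # trailing blank flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def find_stale_references(text, stale_dn):
    """List (entry DN, attributes mentioning stale_dn) for each entry that references it."""
    needle = stale_dn.lower()
    hits = []
    for dn, attrs in parse_ldif(text):
        names = sorted(n for n, vals in attrs.items() if any(needle in v.lower() for v in vals))
        if names or needle in dn.lower():
            hits.append((dn, names))
    return hits

# Constructed sample export; every name below is a placeholder, not from the thread.
_REF = base64.b64encode(b"CN=OLDDC1,OU=Domain Controllers,DC=child,DC=root,DC=example").decode()
SAMPLE = f"""dn: CN=CHILD,CN=Partitions,CN=Configuration,DC=root,DC=example
nCName: DC=child,DC=ro
 ot,DC=example

dn: CN=OLDDC1,CN=LostAndFoundConfig,CN=Configuration,DC=root,DC=example
serverReference:: {_REF}

dn: CN=ROOTDC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=root,DC=example
serverReference: CN=ROOTDC1,OU=Domain Controllers,DC=root,DC=example
"""
if __name__ == "__main__":
    print(find_stale_references(SAMPLE, "DC=child,DC=root,DC=example"))
```

Matching on decoded values matters because an export can base64-encode or fold a DN across lines, so a plain text search of the file can miss a leftover reference.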