The role owner attribute could not be read

  • Thread starter Thread starter Michael & Gilda Goldner
  • Start date Start date
M

Michael & Gilda Goldner

I am trying to remove an orphaned sub domain from my forest, but to no
avail.

When I try to demote the DC using DCPromo, I get the error "the role owner
attribute could not be read.".

I have attempted to do a metadata cleanup using NTDSUtil, but this fails
with the same error message. "DsRemoveDsDomainW error 0x20ae (The role owner
attribute could not be read)

Can anyone help?

Thanks in advance.
 
The problem is that the last DC in the child domain no longer exists. So I
don't think I can run the /forceremoval. I only have the DC in the parent
domain, and I can't eliminate the domain. It has no site, DC or naming
context, but I still get the same message in ntdsutil when I try to do a
metadata cleanup on the parent dc.

When I run a semantic database analysis, I do get some missing subref
objects, but I have cleaned out all references to the child domain, and it's
DCs in DNS, and AD, as far as I know and can find.

Any other thoughts?
 
Michael

I am taking it that the child domain does not having any functioning DC's in
the domain now, correct? How many DC's do you have in the root domain? Is
replication occurring between the root DC's successfully? Is the Domain
Naming Master FSMO available?

If there are no DC's left in the child and they were not dcpromo'ed down
gracefully, then you need to run ntdsutil to remove all DC's out of the
domain before attempting to remove the domain. If this fails on a DC in the
root, attempt to run it on the Domain Naming Master.
 
There are no functioning DC's in the child domain. There is only one DC in
the Root, so only one FSMO Domain naming master for all five roles. I used
ntdsutil to remove the last DC from the child domain on the AD database of
the ROOT domain, when I was unable to demote the last DC on the child
domain. I have since reformatted that non functioning DS, so there are no
computers in the child Domain. There are no sites in the child domain and
no listed naming context, yet, when I try to remove the child domain from
the AD database of the ROOT, I still get the ":
"DsRemoveDsDomainW error0x20ae (The role owner attribute could not be read)

I have done a semantic database analysis using ntdsutil -files, and do find
some anomalies with some missing sub references, but now have no idea what
more to do to remove the child domain form the ROOT AD.

Any additional thoughts?

Michael

Mark Ramey said:
Michael

I am taking it that the child domain does not having any functioning DC's in
the domain now, correct? How many DC's do you have in the root domain? Is
replication occurring between the root DC's successfully? Is the Domain
Naming Master FSMO available?

If there are no DC's left in the child and they were not dcpromo'ed down
gracefully, then you need to run ntdsutil to remove all DC's out of the
domain before attempting to remove the domain. If this fails on a DC in the
root, attempt to run it on the Domain Naming Master.


--
Mark Ramey [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Michael & Gilda Goldner said:
The problem is that the last DC in the child domain no longer exists. So I
don't think I can run the /forceremoval. I only have the DC in the parent
domain, and I can't eliminate the domain. It has no site, DC or naming
context, but I still get the same message in ntdsutil when I try to do a
metadata cleanup on the parent dc.

When I run a semantic database analysis, I do get some missing subref
objects, but I have cleaned out all references to the child domain, and it's
DCs in DNS, and AD, as far as I know and can find.

Any other thoughts?
Click to expand...
Click to expand...
 
Michael

Thanks for the additional information. I am assuming that your using
ntdsutil to remove the failed domain out of AD per Q230306. If you could
please install the Windows 2000 support tools on the remaining DC. You can
download the latest versions of the support tools from the following link.

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
then scroll down toward the bottom of the page and you will find a link to
the support tools. Download and install the latest tools.

Next from a command line run the following commands. If you had not had the
support tools installed before, then at the command prompt make sure our
directory is focused on "program files\support tools".

dcdiag /v > dc.txt
netdiag /v > net.txt
netdom query fsmo > fsmo.txt

Zip up the test files and post them for us for review. Thanks!


--
Mark Ramey [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Michael & Gilda Goldner said:
There are no functioning DC's in the child domain. There is only one DC in
the Root, so only one FSMO Domain naming master for all five roles. I used
ntdsutil to remove the last DC from the child domain on the AD database of
the ROOT domain, when I was unable to demote the last DC on the child
domain. I have since reformatted that non functioning DS, so there are no
computers in the child Domain. There are no sites in the child domain and
no listed naming context, yet, when I try to remove the child domain from
the AD database of the ROOT, I still get the ":
"DsRemoveDsDomainW error0x20ae (The role owner attribute could not be read)

I have done a semantic database analysis using ntdsutil -files, and do find
some anomalies with some missing sub references, but now have no idea what
more to do to remove the child domain form the ROOT AD.

Any additional thoughts?

Michael

Mark Ramey said:
Michael

I am taking it that the child domain does not having any functioning
Click to expand...
DC's
in
the domain now, correct? How many DC's do you have in the root domain? Is
replication occurring between the root DC's successfully? Is the Domain
Naming Master FSMO available?

If there are no DC's left in the child and they were not dcpromo'ed down
gracefully, then you need to run ntdsutil to remove all DC's out of the
domain before attempting to remove the domain. If this fails on a DC in the
root, attempt to run it on the Domain Naming Master.


--
Mark Ramey [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

Michael & Gilda Goldner said:
The problem is that the last DC in the child domain no longer exists.
Click to expand...
Click to expand...
So
I
Click to expand...
do
a and
it's
Click to expand...
Click to expand...
 
Back
Top