NTDSUtil shows different FSMO role owner than LDIFDE!?

Hey there, another interesting posting from the Newsgroups. Let me emphasize that I do NOT intend to make fun of the postings from the Newsgroups. I’d like to take questions that arise there and bring them to a broad audience so that the Community can learn from others’ questions together. Following and reading the Newsgroups and Forums is a great way of learning for me – I get to see lots of ideas and implementations I’ve never thought of before.

Anyways, here’s the question:

I was in the process of trying to do ‘adprep /rodcprep’, and started getting errors. I ran the following command:
ldifde -f Infra_DomainDNSZones.ldf -d "CN=Infrastructure,DC=DomainDnsZones,DC=xxx,DC=com" -l fSMORoleOwner

to export the current role owner and got server#1 as the role holder. After that, I checked in AD Users for the Infrastructure role holder it says server#2.

I also verified via the NTDS util which shows server #2 as well. Why does LDIFDE show something different? How do I make it to be server #2 rather than #1?

Okay, there’s a lot of information in there. Let’s look at it step by step. Preparing AD for RODC deployment needs “adprep” to be run with the “rodcprep” switch: “adprep /rodcprep”. The command is used to update and prepare permissions on application partitions so that they can be replicated to RODCs later. In order to do that, adprep needs to contact all Infrastructure Masters in the forest. If there’s a partition where the Infrastructure Master is missing, you get the following error:

“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com

Adprep failed the operation on partition DC=DomainDnsZones,DC=Contoso,DC=com Skipping to next partition.” (Consult http://support.microsoft.com/kb/949257/en-us for that!)

That should be the error the OP received. As a corrective measure, he tried to export the current FSMO role owner as stated in the KB article. The FSMO role owner output there is – to his surprise – different from what ADUC and NTDSUtil output.

The reason is that there are more Infrastructure Masters than you think. Yeah, that’s right. If you read the sentences above carefully, you’ll notice that I used the word “partition” rather than “domain” when referring to potentially missing IM role owners. In fact, not only does every domain have its own IM, but so does every application partition in the forest! Ulf has a great blog posting about this: http://msmvps.com/blogs/ulfbsimonweidner/archive/2008/07/31/how-many-infrastructure-masters-do-you-have.aspx

Given that fact, you may re-visit the OP’s LDIFDE command and what it is supposed to export. It’s targeted at the DomainDnsZones partition, which is nothing else than …. exactly, an application partition (one that holds DNS objects, obviously). As an application partition, it has its own IM role owner, which adprep tried to reach. Unfortunately, the former role owner wasn’t available (demoted, offline, does not exist). That can happen because taking care of application partition IM role owners was… hum… a little neglected across all management tools. To fix this, you need to update the fSMORoleOwner attribute on the NC (again, KB http://support.microsoft.com/kb/949257/en-us tells you how).
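To see this for yourself across every partition at once, here is a PowerShell script I’m adding as an example (it is not code from the original post, from the KB article, or from Microsoft). It reads RootDSE, walks every naming context except Schema and Configuration, reads fSMORoleOwner on each partition’s CN=Infrastructure object, and flags owners whose NTDS Settings object no longer exists (a demoted or deleted DC leaves a tombstone reference behind). The second function performs the ADSI Edit step from the KB article from PowerShell, refusing any DN that is not a live nTDSDSA object. The function names are my own; it assumes a domain-joined Windows host and an account that can read the directory (and write fSMORoleOwner if you use the Set function).

```powershell
# Added example, not code from the original post or from the KB article.
# Assumes a domain-joined host; server and partition names come from RootDSE.

function Get-PartitionInfrastructureMaster {
    # Lists the Infrastructure Master of every writable naming context,
    # including application partitions such as DomainDnsZones/ForestDnsZones.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $server   = [string]$rootDse.dnsHostName
    $schemaNc = [string]$rootDse.schemaNamingContext
    $configNc = [string]$rootDse.configurationNamingContext

    foreach ($nc in @($rootDse.namingContexts)) {
        $nc = [string]$nc
        # Schema and Configuration carry no CN=Infrastructure object
        if ($nc -eq $schemaNc -or $nc -eq $configNc) { continue }

        $infra = [ADSI]"LDAP://$server/CN=Infrastructure,$nc"
        try {
            $ownerDn = [string]$infra.Get("fSMORoleOwner")
        } catch {
            Write-Warning ("Cannot read CN=Infrastructure,{0}: {1}" -f $nc, $_.Exception.Message)
            continue
        }

        # fSMORoleOwner is a DN-linked attribute: once the referenced NTDS
        # Settings object is deleted, the stored DN carries a "\0ADEL:<guid>"
        # marker. That is exactly the state adprep /rodcprep trips over.
        $ownerAlive = $ownerDn -notmatch '0ADEL:'
        if ($ownerAlive) {
            # Double-check that the NTDS Settings object really still exists
            try { $null = ([ADSI]"LDAP://$server/$ownerDn").Get("objectClass") }
            catch { $ownerAlive = $false }
        }

        [pscustomobject]@{
            NamingContext        = $nc
            InfrastructureMaster = $ownerDn
            OwnerExists          = $ownerAlive
        }
    }
}

function Set-PartitionInfrastructureMaster {
    # Repoints fSMORoleOwner of one partition at the NTDS Settings object of a
    # DC that holds a replica of that partition. Run with -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $NamingContext,
        # Example shape (constructed, not a real DC):
        # "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=contoso,DC=com"
        [Parameter(Mandatory)] [string] $NewOwnerDn
    )
    $server = [string]([ADSI]"LDAP://RootDSE").dnsHostName

    # Refuse to write a DN that does not resolve to an nTDSDSA object
    $settings = [ADSI]"LDAP://$server/$NewOwnerDn"
    try { $class = @($settings.Get("objectClass")) } catch { $class = @() }
    if ($class -notcontains "nTDSDSA") {
        throw "$NewOwnerDn is not an existing NTDS Settings (nTDSDSA) object"
    }

    $infraDn = "CN=Infrastructure,$NamingContext"
    if ($PSCmdlet.ShouldProcess($infraDn, "Set fSMORoleOwner to $NewOwnerDn")) {
        $infra = [ADSI]"LDAP://$server/$infraDn"
        $infra.Put("fSMORoleOwner", $NewOwnerDn)
        $infra.SetInfo()
    }
}

# Report every partition whose Infrastructure Master no longer exists
Get-PartitionInfrastructureMaster | Where-Object { -not $_.OwnerExists } | Format-Table -AutoSize
```

Running the Get function on a healthy forest prints one line per domain plus one per application partition, all with OwnerExists set to True. Any False line is a partition whose Infrastructure Master adprep cannot contact; the DN you pass to the Set function must be the NTDS Settings object of a DC that actually replicates that partition, which is why the function validates the object class before writing.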

The reason why our OP had two different outputs was that the first time he targeted LDIFDE at the DomainDnsZones application partition, and after that he used “Active Directory Users and Computers” and NTDSUtil to look at the domain partition (both do that by default).

1 Comment so far

  1. [...] [from an original by http://www.frickelsoft.net/blog/?p=236 [...]