Problem description: Demoting (uninstalling) a Windows Server 2008 R2 DC fails. Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com"
Error information: Event ID: 2022, Event ID: 2091
Cause analysis:
The event log shows the following errors:
Event ID: 2022
The operations master roles held by this directory server could not transfer to the following remote directory server.
Remote directory server:
This is preventing removal of this directory server.
User Action
Investigate why the remote directory server might be unable to accept the operations master roles, or manually transfer all the roles that are held by this directory server to the remote directory server. Then, try to remove this directory server again.
Additional Data
Error value:
5005 The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
There was also a second Event ID: 2091
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=XXXXX,DC=COM
FSMO Server DN: CN=NTDS Settings\0ADEL:bf05e3dc-9acf-4de5-9358-89bc719fb445,CN=-AD01\0ADEL:dbe9f89d-aa5c-4ad0-bee6-618aa0f1fa31,CN=Servers,CN=MainOffice,CN=Sites,CN=Configuration,DC=U,DC=local
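The logs show that the FSMO role owner points to an invalid DC. The problem was caused by a second, new domain controller being given the same IP address as the old, dead domain controller. This confused the remaining DCs into believing that the lost DC was still alive, and it broke the update of the FSMO role owner. The wrong FSMO information can be seen with ADSI Edit:
- Right-click the ADSI Edit root and click Connect to...
- Use the following connection point: DC=DomainDNSZones,DC=domain,DC=com
- Click Default naming context and enter DC.domain.Com.
- Click DC=DomainDNSZones
- Double-click CN=Infrastructure.
- Find the fSMORoleOwner attribute
As shown in the figure below:
Above, the fSMORoleOwner value contains 0ADEL, which refers to a deleted DC.
The correct FSMORoleOwner value should be
Solution
Use a VBS script to synchronize the FSMO information on all DC servers (run it on the DC that holds the operations master roles)
cscript fixfsmo.vbs dc=forestdnszones,dc=XXXXXX,dc=com
cscript fixfsmo.vbs dc=domaindnszones,dc=XXXXX,dc=com
Save the following commands as a VBS script, then run it
Reference document: https://support.microsoft.com/zh-cn/kb/949257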
const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2
set inArgs = WScript.Arguments
if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write "usage: cscript fixfsmo.vbs NdncDN"
End if
if (NdncDN <> "") then
    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    ' The canonical form ends with "/"; strip it.
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)
    Wscript.Echo "DNS name: " & strDomainDNS
    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName
    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner
    ' If the current fsmo holder is deleted, set the fsmo holder to this domain controller.
    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then
        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner", strDsServiceName
        objInfra.SetInfo
        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner
    End if
End if
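
The ADSI Edit check described above can be done read-only for every partition a DC hosts, before and after running fixfsmo.vbs. This is an added example, not part of the original post or the Microsoft KB script; it assumes the ActiveDirectory PowerShell module is installed, and the function names Test-DeletedObjectDn and Get-InfrastructureRoleOwner are made up for this example.

```powershell
# Added example: read-only audit, it never writes to the directory.
Import-Module ActiveDirectory

function Test-DeletedObjectDn {
    param([string]$DistinguishedName)
    # A deleted object's RDN is mangled to "<name>\0ADEL:<objectGUID>",
    # the same marker fixfsmo.vbs looks for with InStr.
    $DistinguishedName -match '\\0ADEL:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
}

function Get-InfrastructureRoleOwner {
    # $Server: the DC to query (assumption: defaults to the local machine).
    param([string]$Server = $env:COMPUTERNAME)

    # namingContexts lists every partition this DC hosts, including
    # DomainDnsZones and ForestDnsZones when it is a DNS server.
    $rootDse = Get-ADRootDSE -Server $Server
    foreach ($nc in $rootDse.namingContexts) {
        try {
            $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" `
                -Properties fSMORoleOwner -Server $Server -ErrorAction Stop
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Configuration and Schema have no CN=Infrastructure object.
            continue
        }
        New-Object PSObject -Property @{
            Partition      = $nc
            RoleOwner      = $infra.fSMORoleOwner
            OwnerIsDeleted = (Test-DeletedObjectDn $infra.fSMORoleOwner)
        }
    }
}

# One row per partition; OwnerIsDeleted = True marks a partition that
# still needs "cscript fixfsmo.vbs <partition DN>".
Get-InfrastructureRoleOwner | Format-List Partition, RoleOwner, OwnerIsDeleted
```

After the fix has replicated, every row should show OwnerIsDeleted as False and a RoleOwner that is the NTDS Settings object of a live DC.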