joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Application Partitions have FSMOs too…

by @ 11:51 am on 7/11/2013. Filed under tech

Just a quick reminder now that we seem to have a flood of folks moving from Windows Server 2003 to 2008 R2 and 2012 Active Directory…

Your application partitions, such as DomainDnsZones and ForestDnsZones, also carry an Infrastructure Master (IM) FSMO role. It is recorded in the fSMORoleOwner attribute of the CN=Infrastructure object at the root of each partition, and if that value is left pointing at a DC that no longer exists, operations that need to target the role owner will break.

So for example, if you run ADPREP /RODCPREP and start seeing errors like:

Adprep encountered an LDAP error. Error code: 0x0. Server extended error code: 0x0, Server error message: (null).

Then check the CN=Infrastructure object of that naming context (NC) with AdFind or some other tool and look at the fSMORoleOwner attribute to make sure it holds the DN of the NTDS Settings object of a DC that still exists.

For example, output like this:

G:\adprep>adfind -domaindns -f name=infrastructure fSMORoleOwner

AdFind V01.47.00cpp Joe Richards (joe@joeware.net) October 2012

Using server: DC1.dev.wtf.corp.com:389
Directory: Windows Server 2008 R2
Base DN: DC=DomainDnsZones,DC=dev,DC=wtf,DC=corp,DC=com

dn:CN=Infrastructure,DC=DomainDnsZones,DC=dev,DC=wtf,DC=corp,DC=com
>fSMORoleOwner: CN=NTDS Settings\0ADEL:036c1840-901a-405e-a9c9-57b2991bee0a,CN=DELETED_DC\0ADEL:a0f01247-6724-4c06-ab64-68fcd071a339,CN=Servers\0ADEL:33779907-a4cd-44e3-9831-2eed4ea43430,CN=Default-First-Site-Name\0ADEL:2b50ea91-cb6c-492d-9f3e-43b62954dad4,CN=Sites,CN=Configuration,DC=dev,DC=wtf,DC=corp,DC=com

1 Objects returned

is bad. Every RDN up to CN=Sites carries a \0ADEL: tag, which marks a deleted object, so the role owner points at the NTDS Settings object of a DC that has been removed from the forest and there is no live DC for ADPREP to direct the operation to.

You can read more at

http://support.microsoft.com/kb/949257

and

http://blogs.technet.com/b/the_9z_by_chris_davis/archive/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read.aspx

Of course, if you have AdMod you don't need the script from the KB article to modify the value. Pick a DC that still exists (ideally one that hosts a replica of that partition) and point the attribute at its NTDS Settings object, which lives at CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,<forest root DN>. You can simply do something like

admod -b <DN_of_IM_Object> fSMORoleOwner::<DN_of_NTDS_Settings_Object_of_Desired_DC>
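The same check and repair in PowerShell, as an added example that is not part of the original post and not AdFind or AdMod. It assumes the RSAT ActiveDirectory module and an account allowed to write the CN=Infrastructure object. It enumerates the application partitions held by the DC you name, flags any fSMORoleOwner that points at a deleted object (the \0ADEL: tag) or at an NTDS Settings object that can no longer be found, and, if you pass a replacement DN, rewrites the value. The function name Test-AppPartitionFsmo and its -Server and -NewOwner parameters are my own, not from any Microsoft cmdlet.

```powershell
# Added example: find application partitions whose Infrastructure Master
# points at a dead DC, and optionally repair the fSMORoleOwner value.
# Not part of the original post. Assumes the RSAT ActiveDirectory module
# and write access to CN=Infrastructure in each application partition.
Import-Module ActiveDirectory

function Test-AppPartitionFsmo {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DC to query. rootDSE namingContexts lists only the NCs this DC hosts,
        # so run the function against a DC that holds the partitions you care about.
        [Parameter(Mandatory = $true)]
        [string]$Server,

        # DN of the NTDS Settings object of the DC that should own the role, e.g.
        # "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dev,DC=wtf,DC=corp,DC=com"
        # (hypothetical value). Omit it to only report.
        [string]$NewOwner
    )

    $rootDse = Get-ADRootDSE -Server $Server

    # Everything in namingContexts that is not the domain, configuration or schema
    # NC is an application partition (DomainDnsZones, ForestDnsZones, custom NDNCs).
    $wellKnown = @($rootDse.defaultNamingContext,
                   $rootDse.configurationNamingContext,
                   $rootDse.schemaNamingContext)
    $appNCs = $rootDse.namingContexts | Where-Object { $wellKnown -notcontains $_ }

    foreach ($nc in $appNCs) {
        $infra  = Get-ADObject -Server $Server -Identity "CN=Infrastructure,$nc" -Properties fSMORoleOwner
        $owner  = [string]$infra.fSMORoleOwner
        $status = 'OK'

        if ([string]::IsNullOrEmpty($owner)) {
            $status = 'EMPTY'
        }
        elseif ($owner -match '\\0ADEL:') {
            # A \0ADEL: tag in any RDN means the DN is a deleted-object DN: the
            # owning DC was removed, which is exactly the AdFind output above.
            $status = 'DELETED'
        }
        else {
            # The DN looks live; confirm the NTDS Settings object still exists.
            try   { $null = Get-ADObject -Server $Server -Identity $owner -ErrorAction Stop }
            catch { $status = 'MISSING' }
        }

        [pscustomobject]@{ Partition = $nc; Status = $status; Owner = $owner }

        if ($status -ne 'OK' -and $NewOwner -and
            $PSCmdlet.ShouldProcess($infra.DistinguishedName, "set fSMORoleOwner to $NewOwner")) {
            # Same single-valued replace that AdMod's attr::value performs.
            Set-ADObject -Server $Server -Identity $infra.DistinguishedName -Replace @{ fSMORoleOwner = $NewOwner }
        }
    }
}

# Report only:
#   Test-AppPartitionFsmo -Server DC1.dev.wtf.corp.com
# Preview the repair, then drop -WhatIf to apply it:
#   Test-AppPartitionFsmo -Server DC1.dev.wtf.corp.com -NewOwner '<DN_of_NTDS_Settings_Object_of_Desired_DC>' -WhatIf
```

The MISSING case covers a value that is not tagged as deleted but still resolves to nothing, for instance after the tombstone lifetime has passed and the deleted NTDS Settings object has been garbage collected; treat it the same way as DELETED.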

    joe

P.S. Yes, I agree that error from AdPrep sucks ass. :) When someone says they received LDAP Error Code 0x00 I am happy for them, since the command completed successfully: LDAP Error 0x00 is LDAP_SUCCESS, aka "Sucessful request" (sic). See more LDAP error codes (and perhaps some typos) at http://support.microsoft.com/kb/218185. 🙂


One Response to “Application Partitions have FSMOs too…”

  1. Well, the fsmoRoleOwner on the infrastructureUpdate in NDNCs doesn't attach the PhantomCleanUp task to them; they are instead, as stated, used only by other means such as pointing out/targeting a DSA for a particular operation such as adprep :(.

    Cross Naming Context (NC) references aren't possible in a way that an IM is needed for NDNCs.

    Did a blog post about it here: http://blogs.chrisse.se/2012/11/28/how-the-active-directory-data-store-really-works-inside-ntds.dit-part-4/ search for “Cross Naming Context (NC) references”
