(2014-06-24) RODC Promotion (Direct Or Staged) Fails Because Of NC With No Replicas
Posted by Jorge on 2014-06-24
My TEST environment, corporate forest with 2 AD domains and DMZ forest with 1 AD domain with 2 RWDCs and 2 RODCs, was running W2K12 and I still needed to update it to W2K12R2. Part of the test environment was already updated weeks ago. The only part left to upgrade were the RODCs. All RWDCs were already upgraded. So I demoted the RODCs, while keeping their metadata in place in the directory to use it later on during a new staged RODC promotion.
I started both RODC staged promotions at the same time and I did not expect any errors. Well, think again!
During the promotions I got the error: "While promoting Read-only Domain Controller, the expected state objects could not be found".
I saw the error in the PowerShell window as you can see below, and also in the debug log files.
Figure 1: RODC Staged Promotion With PowerShell – "While promoting Read-only Domain Controller, the expected state objects could not be found"
Going through the usual suspects, Event Viewer and DCDIAG, did not turn up any useful information. Bummer!
Figure 2: DCPROMOUI.LOG – "While promoting Read-only Domain Controller, the expected state objects could not be found"
You will not find ANY clue anywhere as to what the problem is. So, after a long time searching and googling, I found some information about a TAPI3 partition. The problem is related to a directory partition, but not to the partition being named TAPI3. Based upon that I decided to check the cross-references in my directory, as you can see below.
Figure 3: ADSIEDIT – Cross-References For All Partitions In The Directory
And that’s when I noticed the partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN". I had totally forgotten about it! It was a partition I had created in the past to test replication of DNS zones.
Below you will find what a healthy cross-reference looks like:
Figure 4: LDP – Healthy Cross-Reference For The Partition "DC=DomainDnsZones,DC=ADDMZ,DC=LAN"
Below you will find what an UNhealthy cross-reference looks like:
Figure 5: LDP – UNHealthy Cross-Reference For The Partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN"
See the difference? The cross-reference for the partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN", DOES NOT list any replica hosting the partition, and THAT is what is wrong here.
During my upgrade from W2K12 to W2K12R2 DCs (not an in-place upgrade, but a replacement of the DCs) I had forgotten about this partition and unintentionally removed all hosting replicas without assigning new replicas. OOPS!
So, WHY does this go wrong with the RODC promotion? I reviewed the scripted PowerShell command I used, and I noticed the option "-ApplicationPartitionsToReplicate *". "*" basically means "go and look for all configured cross-references, enlist to host each partition and find a replica from which to inbound replicate the directory partition data". Everything goes right, up to the moment the RODC promotion checks the cross-reference of the partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN" to find a replica. And as you can see, there are NO replicas specified. Although the definition of the partition, the so-called cross-reference, is there, the actual partition hosted on some replica is nowhere to be found! And that’s why the RODC promotion fails. It would be more helpful if the error were more intuitive/informative.
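The check below is an added example, not code from the original post: it enumerates every crossRef object under CN=Partitions in the Configuration NC and reports the application partitions whose msDS-NC-Replica-Locations attribute is empty, which is exactly the condition that makes a promotion with "-ApplicationPartitionsToReplicate *" fail. It assumes the ActiveDirectory PowerShell module (RSAT) and a reachable DC; the optional server name is a placeholder you supply.

```powershell
# Added example (not from the original post): find application partitions
# whose cross-reference lists no replica. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OrphanedApplicationPartition {
    param(
        # Optional: a specific DC to query, e.g. 'RWDC1.ADDMZ.LAN' (placeholder).
        # When omitted the module discovers a DC on its own.
        [string]$Server
    )
    $srv = @{}
    if ($Server) { $srv.Server = $Server }

    $rootDse = Get-ADRootDSE @srv
    $partsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
    # Schema and Configuration crossRefs carry the same systemFlags as an
    # application NC, so they are excluded by DN rather than by flag.
    $builtin = @($rootDse.schemaNamingContext, $rootDse.configurationNamingContext)

    Get-ADObject @srv -SearchBase $partsDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations' |
    Where-Object {
        # FLAG_CR_NTDS_NC (0x1) set and FLAG_CR_NTDS_DOMAIN (0x2) clear
        # identifies an NC that is not a domain partition.
        ($_.systemFlags -band 1) -and -not ($_.systemFlags -band 2) -and
        ($builtin -notcontains $_.nCName)
    } |
    ForEach-Object {
        # Piping through Where-Object turns an absent attribute into an empty array
        # instead of @($null), whose Count would be 1.
        $replicas = @($_.'msDS-NC-Replica-Locations' | Where-Object { $_ })
        [pscustomobject]@{
            Partition = $_.nCName
            CrossRef  = $_.DistinguishedName
            Replicas  = $replicas
            Healthy   = ($replicas.Count -gt 0)
        }
    }
}

# Report only the broken ones. Any row here would have stopped the staged
# RODC promotion described in the post with the "expected state objects" error.
Get-OrphanedApplicationPartition |
    Where-Object { -not $_.Healthy } |
    Format-Table Partition, CrossRef -AutoSize
```

Run it on any writable DC before starting a promotion that uses "*". A row for "DC=RegionDnsZones,DC=ADDMZ,DC=LAN" with an empty Replicas column is the unhealthy cross-reference shown in Figure 5; a healthy one like "DC=DomainDnsZones,DC=ADDMZ,DC=LAN" lists the NTDS Settings DNs of the DCs hosting it.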
So, now the question: "how to solve this problem?". As always, that’s easy!
The solution is to delete the cross-reference, and for that I’m going to use NTDSUTIL. See below! You can either use the commands in the sub-menu "METADATA CLEANUP" or the commands in the sub-menu "PARTITION MANAGEMENT".
NTDSUTIL – METADATA CLEANUP
Figure 6: NTDSUTIL – METADATA CLEANUP – Help (1)
Figure 7: NTDSUTIL – METADATA CLEANUP – Help (2) And Removal Of The Naming Context
After submitting the NTDSUTIL command "REMOVE SELECTED NAMING CONTEXT" you will see the warning below.
Figure 8: NTDSUTIL – REMOVE SELECTED NAMING CONTEXT – Confirmation
NTDSUTIL – PARTITION MANAGEMENT
Figure 9: NTDSUTIL – PARTITION MANAGEMENT – Help (1)
Figure 10: NTDSUTIL – PARTITION MANAGEMENT – Help (2)
Figure 11: NTDSUTIL – PARTITION MANAGEMENT – Listing NC Information And Deleting NC
The NC is now removed!
Figure 12: ADSIEDIT – Cross-References For All Partitions In The Directory
Allow AD replication to complete the removal of the cross-reference on all DCs, then restart the staged/direct RODC promotion and you should be good to go!
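The script below is an added example, not code from the original post: it drives the same PARTITION MANAGEMENT sequence as Figures 9 to 11 through NTDSUTIL's command-line arguments, refuses to delete an NC that still lists replicas, and then polls every DC in the forest until the cross-reference has replicated away before you retry the promotion. The partition DN is the one from the post; the DC name is a placeholder, and it assumes the ActiveDirectory module and Enterprise Admins rights (the crossRef lives in the Configuration NC).

```powershell
# Added example (not from the original post): remove an orphaned cross-reference
# with NTDSUTIL and wait for the deletion to replicate forest-wide.
Import-Module ActiveDirectory

$Nc     = 'DC=RegionDnsZones,DC=ADDMZ,DC=LAN'   # orphaned partition from the post
$Server = 'RWDC1.ADDMZ.LAN'                     # placeholder: any writable DC

# Return the crossRef object for a partition as seen by one DC, or nothing if
# that DC no longer has it.
function Get-CrossRef {
    param([string]$NcName, [string]$Dc)
    $cfg = (Get-ADRootDSE -Server $Dc).configurationNamingContext
    Get-ADObject -Server $Dc -SearchBase "CN=Partitions,$cfg" -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=crossRef)(nCName=$NcName))" `
        -Properties 'msDS-NC-Replica-Locations'
}

$cr = Get-CrossRef -NcName $Nc -Dc $Server
if (-not $cr) { throw "No cross-reference for $Nc on $Server; nothing to do." }

# Guard: only an NC with an EMPTY replica set is an orphan. Deleting an NC that
# still has replicas destroys live data; fix the replica set instead.
$replicas = @($cr.'msDS-NC-Replica-Locations' | Where-Object { $_ })
if ($replicas.Count -gt 0) {
    throw "$Nc still has $($replicas.Count) replica(s); refusing to delete."
}

# Same menu steps as the screenshots, passed as arguments so NTDSUTIL runs
# through them without the interactive prompt.
& ntdsutil.exe 'partition management' connections "connect to server $Server" quit `
    "delete nc $Nc" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }

# The crossRef is in the Configuration NC, so every DC in the forest (both
# domains in the post's case) must receive the deletion before "*" is safe again.
$allDcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

$deadline = (Get-Date).AddMinutes(30)
do {
    $pending = @($allDcs | Where-Object { Get-CrossRef -NcName $Nc -Dc $_ })
    if ($pending.Count -gt 0) {
        Write-Host "Cross-reference still present on: $($pending -join ', ')"
        Start-Sleep -Seconds 60
    }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    throw "Cross-reference still present on $($pending -join ', ') after 30 minutes"
}
Write-Host "Cross-reference for $Nc removed on all DCs; retry the RODC promotion."
```

The METADATA CLEANUP route from Figures 6 to 8 does the same thing, but "select naming context" takes an index from "list naming contexts", so it is better done interactively as in the post. To avoid pulling in a forgotten partition in the first place, pass an explicit list to -ApplicationPartitionsToReplicate in the promotion command instead of "*".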
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
This entry was posted on 2014-06-24 at 20:00 and is filed under Active Directory Domain Services (ADDS), Metadata Cleanup, Promotion/Demotion, Read-Only Domain Controller.