Windows2008R2 AD降级错误解决方案
我们之前的文中有介绍关于ADCS的迁移,迁移后我们为了保证服务 运行正常。将原有的AD关机并保留,如果真出现CS相关的问题,我们准备通过备份暂时还原CS相关服务,经过长时间的观察后确认,CS服务运行正常。所以将原有的DC启动起来进行降级(dcpromo降级),但是在降级的过程中发现了一些问题,所以总结后分享给有需要的同学。
说到降级其实有两种方式,一种是正常降级,另外一种是暴力降级;
所谓的正常降级就是从windows2003、windows2008r2之间的AD服务降级我们可以通过运行dcpromo的方式进行步骤化降级,而windows2012以后版本我们需要通过管理工具卸载AD域服务的方式进行降级,该降级方式是微软推荐的,但是当待降级的AD服务无法正常运行或者所运行AD服务的硬件服务无法正常运行时,我们就无法通过第一种方式进行降级了,那就必须采用第二种方式暴力降级了,所谓的暴力降级就是通过ntdsutil命令来将环境内的无效AD服务器从目录中删除。而我环境中比较倾向第一种方式,这样的降级方式比较安全,而且比较方便。通过该方式可以自动将目录中的相关数据清除,由于我的环境比较特殊,问题比较多,所以在降级的过程中出现了一些小插曲,最终还是解决了,具体见下:
通过运行dcpromo命令,通过步骤进行降级遇到以下错误提示。
通过查找微软的technet资料最终找到解决方案
原因是由于infrastucture master指向了DNS 应用程序分区上已经被删除的NTDSA,如果仍然遇到此故障,我们可以使用ADSIEDIT.MSC将fsMORoleOwner 属性的DN Path指向您林中的主域控制器
http://adirectory.blog.com/2015/06/fault-domain-controller-downgrade/
https://support.microsoft.com/zh-cn/kb/2694933
Active Directory Domain Services could not transfer the remaining data in directory partition
DC=DomainDNSZones,DC=
Active Directory Domain Controller
\\
"The directory service is missing mandatory configuration
information, and is unable to determine the ownership of floating single-master operation roles."
The relevant part of the DCPROMO.LOG file contains the followign text:
A review of the infrastructure object and attributes for the DNS application partition referenced in the on-screen DCPROMO error and DCPROMO.LOG
Expanding base 'CN=Infrastructure,DC=DomainDnsZones,DC=contoso,DC=com'...
Getting 1 entries:
Dn: CN=Infrastructure,DC=DomainDnsZones,DC=contoso,DC=com
cn: Infrastructure;
distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=contoso,DC=corp,DC=microsoft,DC=com;
dSCorePropagationData: 0x0 = ( );
fSMORoleOwner: CN=NTDS Settings\0ADEL:
instanceType: 0x4 = ( WRITE );
isCriticalSystemObject: TRUE;
name: Infrastructure;
objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=contoso,DC=com;
objectClass (2): top; infrastructureUpdate;
objectGUID:
Where distinguishing elements in the LDAP output taken from the sample domain "CONTOSO.COM include::
The fSMORoleOwner attribute contains the string "0ADEL" indicating that the role owning DC's NTDS Settings object has been deleted
The fSMORoleOwner attribute contains a 32-character alpha-numeric GUID of the owning DCs NTDS Settings object in the format of "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
The name of the default DNS application partition for which the fSMORoleOwner attribute is assigned to a DC with a deleted NTDS Settings object. In this case the error referenced the DomainDNSZones. This same error may also occur for the ForestDNSZones application partition.
解决方案:
The error above occurs when the domain cointroller being demoted cannot outbound replicate changes to the Dc that owns the infrastructure FSMO or operational role for the partition referenced in the DCPROMO [log] error.
Specifically, the demotion attempt is aborted to safeguard against data loss. In the case of DNS application partitions, the demotion is blocked to ensure that live and deleted DNS records, their ACLS and metadata such as registration and deletion dates are replicated
DN paths for partitions where the error in the symptoms section may occur include:
CN=Infrastructures,DC=DomainDNSZones....
CN=Infrastructures,DC=ForestDNSZones....
根据解决方案,我们就可以顺利解决问题了
首先我们运行netdom query fsmo 查看AD角色的当前所有者
然后登陆到infrastructure主机上,运行adsitedit.msc打开编辑器,然后右击单机链接
然后我们首先关联ForestDnsZones,进行链接
CN=Infrastructure, DC=ForestDnsZones,DC=iternalsoft,DC=COM
链接进去我们其实已经发现了错误
错误格式有乱码,而且CN的名称也不是当前的基础架构主机
Bj-dcd的主机已不存在了,而正确的应该是BJ-DC02
CN=NTDSSettings\0ADEL:061b26ae-f637-4c58-8414-301f0261fe98,CN=BJ-DCD\0ADEL:64b8c2ea-1a70-4017-bdaa-4c17f04a6bab,CN=Servers,CN=BeiJing-iternalsoft,CN=Sites,CN=Configuration,DC=iternalsoft,DC=com
所以我们修改正确内容格式保存即可
CN-NTDS Settings,CN=BJ-DC02,CN=Servers,CN=Beijing-iternalsoft,CN=Sites,
CN=Configuration,DC=iternalsoft,DC=COM
接着我们按照上面的方式再打开DomainDnszones的配置方式
CN=Infrastructure, DC=DomainDnsZones,DC=domain name
将修改同样的内容fsMORoleOwner的值
所以我们修改正确内容格式保存即可
CN-NTDS Settings,CN=BJ-DC02,CN=Servers,CN=Beijing-iternalsoft,CN=Sites,
CN=Configuration,DC=iternalsoft,DC=COM
修改后,我们再次尝试使用dcpromo进行降级,降级通过及完成
待完成后即可