Transferring roles to another server often does not work as intended.
When you check with dcdiag, it can report that everything is fine, and the GUI will also indicate that all is well. The error only surfaces later, when you try to demote one of the domain controllers to an ordinary member server.
The error reads roughly as follows: the directory service is missing mandatory information and cannot determine the owner of the transferred single-master (FSMO) operations.
At a lower level, in ADSI Edit, you can see that the FSMO role owner recorded for the partition no longer exists.
ADSI Edit is started by running Adsiedit.msc from the command line or via Run.
In the mountains of Russian-language copy-paste on the Internet, nothing worthwhile can be found. Learn English 😁
However, there is a solution.
It is necessary to:
- open the low-level ADSI editor via Adsiedit.msc;
- connect to the server that holds the Infrastructure role, that is, perform all actions on the server to which you transferred the roles;
- connect to CN=Configuration,DC=your domain,DC=your suffix;
- expand the branch CN=Sites -> CN=Your site -> CN=Servers -> CN=Your server to which you transferred the roles;
- open the properties of CN=NTDS Settings;
- find distinguishedName (it is at the very bottom) and copy its value;
- reconnect to DC=ForestDnsZones,DC=Your domain,DC=Your suffix;
- open the properties of the Infrastructure object;
- change the object's role-owner value (the fSMORoleOwner attribute) to what you copied to the clipboard.
It should be in this format: CN=NTDS Settings,CN=Your server to which you transferred the roles,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Your domain,DC=Your suffix.
No spaces after the commas.
If you perform these operations on the domain controller that you are demoting, an error will be generated. And this is logical: the server being demoted cannot transfer a role to the server that actually owns the role.
Further:
- reconnect to DC=DomainDnsZones,DC=Your domain,DC=Your suffix;
- open the properties of the Infrastructure object;
- change the object's role-owner value (the fSMORoleOwner attribute) to what you copied to the clipboard.
It should be in the same format: CN=NTDS Settings,CN=Your server to which you transferred the roles,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Your domain,DC=Your suffix.
No spaces after the commas.
The domain controller is then demoted via dcpromo as usual. After a reboot, roles and features are removed through Server Manager.
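The same check and repair can be done from PowerShell instead of clicking through ADSI Edit. This is an added example, not part of the original post; it assumes the ActiveDirectory module is available, that $TargetDC (a placeholder name) is the DC you transferred the roles to, and that you run it as a Domain/Enterprise Admin. Without -Fix it only reports.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module; $TargetDC is a placeholder for the DC you transferred
# the roles to. Every LDAP operation is sent to $TargetDC, because the post
# notes the write fails when performed against the DC being demoted.
param(
    [Parameter(Mandatory)][string]$TargetDC,
    [switch]$Fix
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE -Server $TargetDC
# NTDS Settings DN of the intended owner: the value the post has you copy by hand
$expected = (Get-ADDomainController -Identity $TargetDC -Server $TargetDC).NTDSSettingsObjectDN

# Each DNS application partition carries its own Infrastructure object
$partitions = @(
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)

foreach ($partition in $partitions) {
    $infra = Get-ADObject -Identity "CN=Infrastructure,$partition" `
                          -Server $TargetDC -Properties fSMORoleOwner
    $owner = [string]$infra.fSMORoleOwner

    # The recorded owner is stale when it is empty, carries the 0ADEL
    # deleted-object marker, or no longer resolves to a live object
    $stale = $true
    if ($owner -and $owner -notmatch '\\0ADEL:') {
        try {
            $null  = Get-ADObject -Identity $owner -Server $TargetDC -ErrorAction Stop
            $stale = $false
        } catch { $stale = $true }
    }

    [pscustomobject]@{
        Partition       = $partition
        CurrentOwner    = $owner
        ExpectedOwner   = $expected
        OwnerIsStale    = $stale
        MatchesExpected = ($owner -eq $expected)
    }

    if ($stale -and $Fix) {
        # Same change as the ADSI Edit steps above: one attribute write per partition
        Set-ADObject -Identity $infra -Server $TargetDC -Replace @{ fSMORoleOwner = $expected }
    }
}
```

Run it once without -Fix to see which partition still points at a deleted or missing NTDS Settings object, then with -Fix before attempting the demotion again.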
One Russian-speaking dumbass writes on a copy-paste site that it is the admin's fault, but I believe that the incorrect transfer of roles is the consequence of Microsoft's crooked programmers.