Microsoft KB Archive/254933


Adding or Removing a Domain During Dcpromo Requires Access to the Domain Naming Master FSMO Role Holder

Article ID: 254933

Article Last Modified on 3/1/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q254933

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


The domain naming master Flexible Single Master Operations (FSMO) role holder is assigned to the domain controller that is responsible for making changes to the CN=Partitions,CN=Configuration,DC=domain configuration container in Active Directory. The configuration naming context is shared and replicated by all Windows 2000-based domain controllers in the same forest.

This article describes issues that can occur when Windows 2000-based servers that are being promoted or demoted are unable to contact the domain naming master FSMO role holder during Active Directory promotion or demotion.


The domain naming master FSMO role holder is the only computer that can add or remove a domain in a Windows 2000 Active Directory forest, and is the only FSMO role owner contacted by the Active Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote replica domain controllers in an existing domain.

Investigate Domain Name System (DNS) name resolution, network connectivity, and consistency in Active Directory for the current domain naming master FSMO role holder when "naming master" or "FSMO" error messages occur during Dcpromo operations.

Active Directory Promotion

Windows 2000-based servers that are being promoted to domain controllers may generate the following error message when they are unable to contact the domain naming master FSMO role holder during promotion (in this case, the first domain controller of a new child domain, Y, of the root domain Z.COM):

The operation failed because:

To perform the requested operation, the directory service needs to contact the Domain Naming Master (server servername). The attempt to contact it failed. The specified server cannot perform the requested operation.

The %SystemRoot%\Debug\Dcpromo.log file shows similar information:

DD/MM HH:MM:SS [INFO] Installing the Directory Service
DD/MM HH:MM:SS [INFO] Calling NtdsInstall for
DD/MM HH:MM:SS [INFO] Starting the Directory Service installation
DD/MM HH:MM:SS [INFO] Validating user supplied options
DD/MM HH:MM:SS [INFO] Determining local site to enter
DD/MM HH:MM:SS [INFO] Examining existing Enterprise Directory Service
DD/MM HH:MM:SS [INFO] Error - To perform the requested operation, the Directory Service needs to contact the Domain Naming Master (server The attempt to contact it failed. (58)
DD/MM HH:MM:SS [INFO] NtdsInstall for returned 58
DD/MM HH:MM:SS [INFO] DsRolepInstallDs returned 58
DD/MM HH:MM:SS [ERROR] Failed to install the directory service (58)
DD/MM HH:MM:SS [INFO] The attempted domain controller operation has completed
DD/MM HH:MM:SS [INFO] DsRolepSetOperationDone returned 0

A related message can occur when information about a new domain in the forest has not yet been replicated to the computer that is the intended holder of the domain naming FSMO role for the forest:

Active Directory Installation Failed. The operation failed because: The Directory Service failed to create the object CN=servername,CN=Partitions,CN=Configuration,DC=Y,DC=Z,DC=com. Please check the event log for possible system errors. The directory cannot validate the proposed naming context name because it does not hold a replica of the naming context above the proposed naming context. Please ensure that the domain naming master role is held by a server that is configured as a global catalog server, and that that server is up to date with its replication partners.

This behavior can be caused by inconsistency in the domain naming master role owner as seen by different domain controllers in the forest because of replication latency or problems. Use the following troubleshooting steps to determine if a problem exists:

  1. Confirm that the domain naming master is replicating Active Directory. Type repadmin /showreps at a command prompt.
  2. Confirm that domain controllers in the forest are consistent about the computer name that is designated as the current domain naming master.
  3. Confirm that the domain naming master is a global catalog server. Type nltest /dsgetdc:domainname /server:servername to see if the server is advertising the "GC" flag. New global catalog servers also register event 1119 ("This Windows domain controller is now a global catalog server"). For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

    234790 How to Find FSMO Role Holders

    223787 Flexible Single Master Operation Transfer and Seizure Process

    223346 FSMO Placement and Optimization on Windows 2000 Domains

  4. If the domain naming master FSMO role holder is not a global catalog server, it locates another global catalog server to check for the creation. Determine whether the global catalog servers have finished promotion. Global catalog servers require a successful synchronization with a source for each domain. If there are error messages in the Event log about incomplete global catalog server promotion, try to correct the communication problem with all domains in the forest. Type nltest / /server:servername, where servername is the correct server. Determine whether the server is advertising the "GC" entry in the flags section of the Nltest output.

    WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    Set the logging verbosity for the Global Catalog entry under the HKLM\SYSTEM\CCS\Services\NTDS\DIAGNOSTICS registry key to 5, and then examine the directory service Event log.
  5. Confirm that the destination and installed parent domain are created on the domain naming master/global catalog server. Using Ldp.exe, connect to the global catalog server port (port 3268) on the domain naming master and search for objects in the appropriate domain(s) by navigating the tree. If they are not visible, examine the directory service Event logs to see why replication has not occurred.
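
The checks in steps 2 and 3 can be scripted once the raw data has been collected. The following is an added example, not part of the original article: it compares the fSMORoleOwner value that each domain controller reports for the CN=Partitions container and reads the Flags line of nltest /dsgetdc output. The server names, the site name HQ, and both sample inputs are constructed; how the values are gathered (for example, with Ldp.exe) is outside the example.

```python
import re

# Constructed sample: fSMORoleOwner of CN=Partitions,CN=Configuration,DC=Z,DC=com
# as read from each domain controller (hypothetical server and site names).
OWNER_VIEWS = {
    "dc1.z.com": "CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=Z,DC=com",
    "dc2.z.com": "CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=Z,DC=com",
    "dc3.z.com": "CN=NTDS Settings,CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=Z,DC=com",
}

# Constructed nltest /dsgetdc output for the server named as role owner.
NLTEST_OUTPUT = """\
           DC: \\\\dc1.z.com
     Dom Name: z.com
  Forest Name: z.com
        Flags: PDC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
"""

def owner_server(ntds_settings_dn):
    """Return the server CN (second RDN) from an NTDS Settings DN."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),", ntds_settings_dn, re.I)
    if not m:
        raise ValueError("not an NTDS Settings DN: %r" % ntds_settings_dn)
    return m.group(1).upper()

def group_views(views):
    """Map each claimed role owner to the sorted list of DCs reporting it."""
    groups = {}
    for dc, dn in views.items():
        groups.setdefault(owner_server(dn), []).append(dc)
    return {owner: sorted(dcs) for owner, dcs in groups.items()}

def advertises_gc(nltest_output):
    """True if the Flags line of nltest /dsgetdc output lists GC as a token."""
    for line in nltest_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "flags":
            return "GC" in value.split()
    raise ValueError("no Flags line in nltest output")

def triage(views, nltest_output):
    """Return findings for steps 2 and 3; an empty list means both checks pass."""
    findings = []
    groups = group_views(views)
    if len(groups) > 1:
        findings.append("role owner inconsistent: %s" % groups)
    if not advertises_gc(nltest_output):
        findings.append("queried server does not advertise GC")
    return findings
```

With the constructed inputs, both checks fail: dc3.z.com names a different role owner than the other two domain controllers, and the Flags line has no GC token.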

Keywords: kbdcpromo kberrmsg kbinfo KB254933