Microsoft KB Archive/255229

From BetaArchive Wiki


Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed

Article ID: 255229

Article Last Modified on 2/27/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q255229

SYMPTOMS

The domain naming master Flexible Single Master Operation (FSMO) role holder is assigned to the domain controller that is responsible for making changes to the configuration container (CN=Partitions, CN=Configuration, DC=domain) in Active Directory. The configuration naming context is shared and replicated by all Windows 2000-based domain controllers in the same forest.

This article describes error messages that occur when Windows 2000-based servers that are being promoted or demoted are unable to contact a domain naming master FSMO that has been improperly deleted.

CAUSE

The domain naming master FSMO role holder is the only computer that can add or remove a domain in a Windows 2000-based Active Directory forest, and is the only FSMO role owner contacted by the Active Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote replica domain controllers in an existing domain.

For example, when you are demoting the last domain controller in a child domain, the Dcpromo.log, Dcpromoui.log, and Netlogon logs show the following results:

  • Immediately after stopping services as part of the demotion, the %SystemRoot%\Dcpromo.log log shows the following events:

    MM/DD HH:MM [INFO] Invoking NtdsDemote
    MM/DD HH:MM [INFO] Starting to prepare the SAM and the Directory Service for demotion
    MM/DD HH:MM [INFO] Validating the demotion of this server in the context of the enterprise
    MM/DD HH:MM [INFO] Creating new local account information for the SAM and the LSA
    MM/DD HH:MM [INFO] Creating a new local account database for SAM
    MM/DD HH:MM [INFO] Setting the new local account information in the LSA
    MM/DD HH:MM [INFO] Removing Directory Service objects referring to the local server from the remote server NA-DC-01.CORP.COM
    MM/DD HH:MM [INFO] Error - An ldap read of operational attributes from server NA-DC-01.CORP.COM failed. (2)

  • When the problem occurs, the same services are restarted and the computer is returned to its previous state. The %SystemRoot%\Dcpromoui.log log shows similar results:

    dcpromoui t:0x140 01226 Enter State::GetOperationResultsMessage An ldap read of operational attributes from server Computername.FQDN failed.

    dcpromoui t:0x140 01227 Exit State::GetOperationResultsMessage An ldap read of operational attributes from server Computername.FQDN failed.

    dcpromoui t:0x140 01228 Enter State::SetFailureMessage The operation failed because: An ldap read of operational attributes from server Computername.FQDN failed. "The system cannot find the file specified. "

  • A network trace of the demotion with the display filter set to show only LDAP frames includes the following highlights:

    A base-object search against CN=Partitions,CN=Configuration,DC=FQDN that reads the fSMORoleOwner attribute (the trace shows it as Attribute Value = fSMORoleOwner). The hex detail in the LDAP response shows the name of the domain naming master FSMO role owner as seen by the queried Windows 2000 domain controller.

    The next LDAP search queries the CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=FQDN container for the dNSHostName of the domain naming master FSMO role owner that was located by the query above. The search response returns:

    LDAP: ProtocolOp = SearchResponse (simple)
    LDAP: Result Code = No Such Object
    LDAP: Matched DN = CN=computername\ DEL:b8f48ee3-f18f-453a-986c-49b370327ded,CN=Servers,C
    LDAP: Error Message = 0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT), da

    The LDAP error 208D (hexadecimal) converts to 8333 decimal, which maps to "Directory object not found" (type NET HELPMSG 8333 at the NT CMD prompt).

This behavior occurs if the domain controller that held the domain naming FSMO role was deleted from the directory service without a proper demotion. This can occur if you delete the NTDS Settings object for the current domain naming master FSMO in DSSITES.MSC, or you delete the computer by using the Ntdsutil tool as described in the following article in the Microsoft Knowledge Base:

230306 How to Remove Orphaned Domains from Active Directory
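As an added illustration (not part of the KB article and not Microsoft's code), the following Python models offline the two LDAP lookups that the trace above shows Dcpromo making: read fSMORoleOwner from CN=Partitions, take the parent of that NTDS Settings DN to get the server object, and fetch its dNSHostName. It reports whether the role owner resolves to a live server or to a tombstone, so an administrator can spot a deleted domain naming master before attempting the demotion. The directory contents, site name, host names and the DNs are constructed sample data; the DEL:<objectGUID> marker that Active Directory places in a deleted object's RDN (escaped as \0ADEL: in a DN string) is what the Matched DN in the trace shows, and the GUID reused here is the one from that trace.

```python
# Added example, not code from the KB article: an offline model of the
# lookups Dcpromo performs before demoting the last DC in a domain.
# All directory data below is constructed sample data.
import re

# A deleted object's RDN value ends in "\0ADEL:<objectGUID>" (the \0A is an
# escaped newline). Network Monitor rendered it as "\ DEL:" in the trace,
# so accept either form.
DELETED_MARKER = re.compile(
    r"\\(?:0A| )DEL:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def rdn_value(dn):
    return split_dn(dn)[0].split("=", 1)[1]


def is_deleted_object_dn(dn):
    return DELETED_MARKER.search(rdn_value(dn)) is not None


def ldap_error_code(message):
    """Return the leading 8-digit hex code of an AD LDAP error message as the
    decimal value that NET HELPMSG expects (0000208D -> 8333)."""
    m = re.match(r"\s*([0-9A-Fa-f]{8}):", message)
    if not m:
        raise ValueError("no Win32 error code at the start of the message")
    return int(m.group(1), 16)


def check_domain_naming_master(directory, config_nc):
    """Model of Dcpromo's lookups. `directory` maps DN -> attribute dict.
    Returns ("OK", dnshostname), ("DELETED", server_dn) or ("NO_OBJECT", dn)."""
    partitions_dn = "CN=Partitions," + config_nc
    partitions = directory.get(partitions_dn)
    if partitions is None:
        return ("NO_OBJECT", partitions_dn)
    owner_ntds = partitions["fSMORoleOwner"]   # DN of the owner's NTDS Settings object
    server_dn = parent_dn(owner_ntds)          # its parent is the server object
    if is_deleted_object_dn(server_dn):
        return ("DELETED", server_dn)
    server = directory.get(server_dn)
    if server is None or not server.get("dNSHostName"):
        return ("NO_OBJECT", server_dn)
    return ("OK", server["dNSHostName"])


# Constructed sample forest (assumed names, not from the article).
CONFIG_NC = "CN=Configuration,DC=corp,DC=com"
SERVERS = "CN=Servers,CN=Default-First-Site-Name,CN=Sites," + CONFIG_NC

HEALTHY = {
    "CN=Partitions," + CONFIG_NC: {
        "fSMORoleOwner": "CN=NTDS Settings,CN=NA-DC-01," + SERVERS},
    "CN=NA-DC-01," + SERVERS: {"dNSHostName": "na-dc-01.corp.com"},
}

# Same forest after the role owner's NTDS Settings object was deleted without
# a demotion: the fSMORoleOwner link now resolves to the tombstone, whose RDN
# carries the \0ADEL:<objectGUID> marker (GUID taken from the trace above).
ORPHANED = {
    "CN=Partitions," + CONFIG_NC: {
        "fSMORoleOwner": "CN=NTDS Settings,CN=NA-DC-01\\0ADEL:"
                         "b8f48ee3-f18f-453a-986c-49b370327ded," + SERVERS},
}

if __name__ == "__main__":
    for label, d in (("healthy", HEALTHY), ("orphaned", ORPHANED)):
        print(label, check_domain_naming_master(d, CONFIG_NC))
    print(ldap_error_code("0000208D: NameErr: DSID-031001C9, problem 2001 (NO_OBJECT)"))
```

Against a real forest the same two reads would be issued with an LDAP client against the configuration naming context; a "DELETED" or "NO_OBJECT" result is the condition the article describes, and the remedy is the seizure described under RESOLUTION, not retrying the demotion.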


RESOLUTION

To resolve this issue, use the Ntdsutil.exe tool to seize the domain naming FSMO role, as described in the following article in the Microsoft Knowledge Base:

223787 Flexible Single Master Operation Transfer and Seizure Process


Keywords: kbprb KB255229