The role owner attribute could not be read, FSMO roles in place

Posted on 2008-06-20
Medium Priority
Last Modified: 2012-06-22

I've been all over looking for a solution to this very strange problem. I am running a VM of our two DCs running Windows 2000 on a host-only network to simulate the addition of two more DCs that will be running 2003. Ultimately we want to remove the 2000 DCs from our environment. But I digress. When applying the inetorgpersonprevent script, I'm getting the error "the role owner attribute cannot be read", which in all of my reading points me to investigate my FSMO roles. I ran the FSMO query command and it came back as it should. dcdiag and netdiag are clean. I even tried to seize the roles to the other DC, but I get an error that "The current FSMO holder could not be contacted", which leads me back to thinking that something is wrong with the FSMO roles. I'm getting other errors about assigning group policies and one other that I can't recall exactly here that also lead me to believe there to be something wrong with the FSMO roles, but like I said, the tests come up clean. I am not getting this on the actual DCs, by the way. I'm led to believe it might have had something to do with putting these images in a virtual network, but the only thing I changed is the IP of the servers and their corresponding DNS entries.
Question by: numb3rs1x

Expert Comment

ID: 21883015
Your error "The current FSMO holder could not be contacted" indicates to me that this is a networking issue ... can you connect (ping) from one VM to all of the others (on each one)? I would expect that you can change the IPs without incident but it is possible that something has an old IP hard coded somewhere. If you are in an isolated VM LAN then why not change the IPs back to the originals that were on the machines? This would rule out this error ... if the problem still exists or confirm that something is storing the actual IP of when it was installed/configured.

Author Comment

ID: 21887222
Still no dice. I reloaded the DCs into the VM server configured as host-only but with the same subnet as the actual subnet they are on. These were fresh installs of the VM; I did not use the same files I originally got the errors on. I did not have to change any IP settings. Shame, I really thought that was going to work. Any other suggestions?

Author Comment

ID: 21887303
I don't know if this will help, but I am getting errors on these two things from dcdiag:

Starting test: kccevent
    An Information Event occured.  EventID: 0x4000051C
       Time Generated: 06/27/2008   15:12:22
       (Event String could not be retrieved)
    ......................... DC03 failed test kccevent
 Starting test: systemlog
    An Error Event occured.  EventID: 0x80001778
       Time Generated: 06/27/2008   14:18:56
       Event String: The previous system shutdown at 6:29:15 AM on
    An Error Event occured.  EventID: 0xC0001B72
       Time Generated: 06/27/2008   14:19:21
       (Event String could not be retrieved)
    An Error Event occured.  EventID: 0xC0001B72
       Time Generated: 06/27/2008   14:36:04
       (Event String could not be retrieved)
    An Error Event occured.  EventID: 0xC0001B72
       Time Generated: 06/27/2008   14:41:24
       (Event String could not be retrieved)
    An Error Event occured.  EventID: 0xC0001B72
       Time Generated: 06/27/2008   15:08:35
       (Event String could not be retrieved)
    ......................... DC03 failed test systemlog
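
Added example, not part of the original thread: a Python sketch that parses dcdiag output in the layout quoted above and splits each 32-bit EventID into its two severity bits and the low-word event number that Event Viewer displays, so the events can be looked up. The sample text is constructed from lines in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines in the dcdiag layout quoted in the post above.
SAMPLE = """\
Starting test: kccevent
    An Information Event occured.  EventID: 0x4000051C
    ......................... DC03 failed test kccevent
 Starting test: systemlog
    An Error Event occured.  EventID: 0x80001778
    An Error Event occured.  EventID: 0xC0001B72
    An Error Event occured.  EventID: 0xC0001B72
    ......................... DC03 failed test systemlog
"""

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
START = re.compile(r"^\s*Starting test:\s*(\S+)")
EVENT = re.compile(r"An (\w+) Event occured\.\s+EventID:\s*0x([0-9A-Fa-f]{8})")
RESULT = re.compile(r"\.{5,}\s*(\S+) (passed|failed) test \S+")

def decode_event_id(raw):
    """Top two bits are the message severity; the low 16 bits are the event number."""
    return {"severity": SEVERITY[raw >> 30], "event_id": raw & 0xFFFF}

def parse_dcdiag(text):
    """Return {test: {"server", "result", "events"}} for each 'Starting test' block."""
    tests, current = {}, None
    for line in text.splitlines():
        if m := START.search(line):
            current = tests.setdefault(
                m.group(1), {"server": None, "result": None, "events": []})
        elif current is None:
            continue  # ignore anything before the first test header
        elif m := EVENT.search(line):
            ev = decode_event_id(int(m.group(2), 16))
            # dcdiag's own label is the logged event type; it can differ
            # from the severity bits encoded in the identifier.
            ev["reported_type"] = m.group(1)
            current["events"].append(ev)
        elif m := RESULT.search(line):
            current["server"], current["result"] = m.group(1), m.group(2)
    return tests

def summarize(tests):
    """Count repeats per (test, event_id, severity) so recurring events stand out."""
    return Counter((name, ev["event_id"], ev["severity"])
                   for name, t in tests.items() for ev in t["events"])

if __name__ == "__main__":
    for (test, eid, sev), n in summarize(parse_dcdiag(SAMPLE)).items():
        print(f"{test}: event {eid} ({sev}) x{n}")
```
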

Expert Comment

ID: 21892845
I'm having the same issue but with W2K Server VMs. I've created a parent domain and successfully added two child domains. I got the error when I attempted to add the third child domain, all in a virtual network environment. I did use the same VMs but changed the SID when it complained about being identical to the previous VMs. This worked up until trying to add the third VM. The interesting part was that I was successful in joining the third server to the parent domain before running dcpromo to create the child domain. That is when I received the same error message "the role owner attribute could not be read". I'm still checking, so if I figure out something I'll write back.

Accepted Solution

citot earned 1500 total points
ID: 21902431
OK, so I've brought up my virtual network environment (VM files) on a different computer (home vs. work, 2 GB RAM vs. 3 GB RAM). I have one Parent and three Child Domains: DC1 (parent), DC2 child1, DC3 child2 and DC4 child3. I had the issue when attempting to bring up DC4 as the Child3 domain and received the error message "the role owner attribute could not be read". What I did differently was to use a new copy of the existing VM and change the SID. I also verified I had the correct IP addresses (I may have incorrectly referred to the IP add of DNS server). Joined the DC4 to the Parent Domain before running dcpromo and voilà. It worked. Not sure if using a new VM or the different computer hosting the Virtual Environments was the solution, or a combination of DNS / IP issues. Sometimes just starting over instead of trying to pinpoint the issue is easier. Anyway, hope this helps.
Cito T
