FSMO Roles

How to transfer FSMO Roles From a Failed Domain Controller


If the domain controller that owns the FSMO (Flexible Single Master Operation) roles fails (malware, a fatal software problem, a catastrophic hardware failure and so on) and will not be coming back, the roles have to be seized onto another (additional) domain controller, otherwise parts of the Active Directory domain stop working (no new RIDs, no schema or domain changes, password-change and time-sync problems from a missing PDC emulator). This tutorial shows how to do it.

Transferring FSMO Roles From a Failed Domain Controller

Suppose our Active Directory domain has two domain controllers running Windows Server 2012 R2:

  • PDC – dc1.root.contoso.com
  • Secondary DC – dc2.root.contoso.com

After DC1 fails, we need to seize the FSMO roles from DC1 onto the secondary domain controller. Then, on DC2, we need to delete all references to the old controller dc1.root.contoso.com.

Important! Before you begin, make sure your account is a member of the following AD groups: Domain Admins (needed for the RID master, PDC emulator and infrastructure master), Schema Admins (schema master) and Enterprise Admins (domain naming master). A Domain Admin alone cannot seize the two forest-wide roles.

Connect to DC2 and open an elevated command prompt (it is recommended to perform all actions on the domain controller that will receive the FSMO roles). Make sure the domain still lists both domain controllers:

dsquery server -forest


Then check which domain controller is the owner of FSMO roles:

netdom query fsmo

The output shows that dc1.root.contoso.com owns all five FSMO roles.

Seizing the roles is done with the console utility NTDSUTIL (the AD DS service and management tool).


If you intend to transfer the schema master with the Active Directory Schema MMC snap-in, you must first register the schema management library, otherwise the snap-in is not available and the schema master cannot be transferred from the GUI. ntdsutil does not need it, so for the seizure described below this step is optional but harmless. In the command prompt, run:

regsvr32 schmmgmt.dll

(A dialog confirms that DllRegisterServer in schmmgmt.dll succeeded.)

You are now ready to seize the roles from the failed DC1. In the elevated command prompt, start the utility:

ntdsutil

Enter role management and connect to the server (DC2) that will seize the roles:

roles
connections
connect to server DC2
q


After connecting to the server DC2, seize all 5 FSMO roles:

seize naming master
seize infrastructure master
seize rid master
seize schema master
seize pdc
q

For each role, ntdsutil first attempts a normal transfer and only falls back to a seizure when the current owner cannot be contacted; you will be prompted to confirm each seizure. Once a role has been seized, DC1 must never be brought back onto the network: a DC that still believes it owns a role has to be rebuilt, not reconnected.
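The same check-and-seize procedure, as an added PowerShell example that is not part of the original article: it records the current FSMO owners (the equivalent of netdom query fsmo), refuses to seize if the supposedly dead owner still answers, seizes all five roles with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole instead of ntdsutil, and verifies that every role now points at DC2. The host names dc1.root.contoso.com and DC2 are taken from the article; everything else is assumed for the example.

```powershell
# Added example, not code from the original article. Run in an elevated
# PowerShell session on DC2 (RSAT ActiveDirectory module required).
Import-Module ActiveDirectory

$FailedDc = 'dc1.root.contoso.com'   # the dead FSMO owner (from the article)
$TargetDc = 'DC2'                    # the DC that will seize the roles (from the article)

# All five operations master roles, in the cmdlet's enum spelling.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoOwners {
    # Forest-wide roles are attributes of the forest object, domain-wide roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Current FSMO owners:'
Get-FsmoOwners | Format-Table -AutoSize

# Safety check: seizing a role from a DC that is still alive leaves two DCs
# that each believe they own it. If the old owner answers, transfer instead.
if (Test-Connection -ComputerName $FailedDc -Count 2 -Quiet -ErrorAction SilentlyContinue) {
    throw "$FailedDc is still reachable; do a graceful transfer (drop -Force) instead of a seizure."
}

# -Force lets the cmdlet seize a role when a transfer is impossible; roles whose
# owner can still be reached are transferred gracefully, the rest are seized.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Force -Confirm:$false

# Verify: every role must now be held by DC2, otherwise the seizure failed.
$after = Get-FsmoOwners
$wrong = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$TargetDc.*" }
if ($wrong) {
    throw "Roles still not on ${TargetDc}: $(($wrong | ForEach-Object Key) -join ', ')"
}
"All five roles are now held by $TargetDc:"
$after | Format-Table -AutoSize
```

The reachability check is deliberately in front of the seizure: ntdsutil and the cmdlet both fall back to a seizure silently once the transfer attempt fails, so the script is the place to make "is the old owner really gone?" an explicit decision rather than a side effect.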

(For each role ntdsutil shows a Role Seizure Confirmation Dialog, for example "Are you sure you want server dc2 to seize the domain naming role with the value below?". Answer Yes.)

Now enter metadata cleanup mode and connect to the server (DC2):
metadata cleanup
connections
connect to server DC2
q

List the existing Active Directory sites:

select operation target
list sites


In this domain there is only one site, named Boulder. Select the site that contained the failed domain controller DC1 and display the list of domain controllers in that site:

select site 0
list servers in site


Select the failed controller (DC1) and display the list of domains (the index numbers come from the list output above; check them rather than assuming 0):

select server 0
list domains

Select the domain and return to the metadata cleanup menu:


select domain 0
q

Remove the selected server (DC1):

remove selected server

In the dialog box «Are you sure you want to remove the server object …» confirm the removal of the domain controller. This deletes DC1's NTDS Settings object and its replication links; it does not touch DNS or the remaining server object in the site.


Now we need to clean the remaining references to the deleted DC1 out of AD and DNS.

Open Administrative Tools -> Active Directory Sites and Services. Expand the site where the deleted DC1 was located, select the DC1 server object and choose Delete. Confirm the removal of DC1 twice.


Then open the DNS snap-in and remove the A and PTR records that remain for DC1, and any NS record that still lists dc1.root.contoso.com as a name server for the zone; clients and other DCs will otherwise keep trying a server that no longer exists.

Now open the Active Directory Users and Computers snap-in and expand the Domain Controllers OU. If only DC2 is shown, everything is fine. If DC1 is still present there, it must be deleted from the directory (this is unlikely after the metadata cleanup, but check).
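The same cleanup, as an added PowerShell example that is not part of the original article: it finds and removes the DC1 server object left in the site, the A, PTR and NS records in DNS, and a stale computer account in the Domain Controllers OU, then checks that no reference to DC1 remains. The host dc1, zone root.contoso.com and site Boulder come from the article; the reverse lookup zone name is assumed for the example, as is everything else.

```powershell
# Added example, not code from the original article. Run elevated on DC2
# (RSAT ActiveDirectory and DnsServer modules required). Repeat the ntdsutil
# "remove selected server" step first; this script cleans up what it leaves behind.
Import-Module ActiveDirectory
Import-Module DnsServer

$FailedHost  = 'dc1'                      # short name of the failed DC (from the article)
$Zone        = 'root.contoso.com'         # AD-integrated forward zone (from the article)
$ReverseZone = '1.168.192.in-addr.arpa'   # assumed reverse lookup zone for the example

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainDN = $rootDse.defaultNamingContext

# 1. The server object under CN=Sites in the configuration partition (what the
#    article deletes in Active Directory Sites and Services). -Recursive also
#    removes any child objects that survived the ntdsutil cleanup.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter { objectClass -eq 'server' -and name -eq $FailedHost }
if ($serverObj) {
    Remove-ADObject -Identity $serverObj.DistinguishedName -Recursive -Confirm:$false
    "Removed server object $($serverObj.DistinguishedName)"
}

# 2. DNS: the A record, any PTR that still resolves to the failed host, and any
#    NS record that still advertises it as a name server for the zone.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $FailedHost -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force

Get-DnsServerResourceRecord -ZoneName $ReverseZone -RRType Ptr -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.PtrDomainName -like "$FailedHost.$Zone*" } |   # trailing dot in PtrDomainName
    Remove-DnsServerResourceRecord -ZoneName $ReverseZone -Force

Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$FailedHost.$Zone*" } |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force

# 3. A computer account left in the Domain Controllers OU (unlikely, but the article says to check).
$acct = Get-ADComputer -SearchBase "OU=Domain Controllers,$domainDN" -Filter { Name -eq $FailedHost }
if ($acct) {
    Remove-ADObject -Identity $acct.DistinguishedName -Recursive -Confirm:$false
    "Removed computer account $($acct.DistinguishedName)"
}

# 4. Verify: nothing in the configuration partition, the domain or the zone should name the dead DC.
$leftovers = @(
    Get-ADObject   -SearchBase $configNC -Filter { name -eq $FailedHost }
    Get-ADComputer -Filter { Name -eq $FailedHost }
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $FailedHost -ErrorAction SilentlyContinue
)
if ($leftovers) {
    Write-Warning "References to $FailedHost still exist:"
    $leftovers
} else {
    "No remaining references to $FailedHost."
}
```

The final verification is the part worth keeping even if you do the deletions by hand: a stale NS record or a leftover computer account is exactly what causes intermittent logon and replication errors weeks after the failed DC is forgotten.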


So we have forcibly seized the FSMO roles from the failed DC1 and removed all traces of it from DNS and Active Directory. DC2 is now the primary domain controller (the owner of all FSMO roles).

Once the seizure is complete, close the command prompt and, if other domain controllers exist, allow the change to replicate throughout the forest; then confirm with netdom query fsmo that every role is listed against dc2.root.contoso.com. Because the PDC emulator has moved, DC2 is now the authoritative time source for the domain and should be configured with w32tm to synchronise from a reliable external NTP source. The transfer of FSMO roles from a failed domain controller is now complete.
