In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic hardware failure etc.), then you need to transfer all FSMO roles from a failed to an another (additional) domain controller (for proper Active Directory domain functioning). Consider this tutorial on how to do it.
Transferring FSMO Roles From a Failed Domain Controller
Suppose, in our Active Directory domain there are 2 domain controllers, that is running Windows Server 2012 R2:
- PDC – dc1.root.contoso.com
- Secondary DC – dc2.root.contoso.com
After the failure of the DC1, we need to seize the FSMO roles from DC1 to a secondary domain controller. Then, on DC2, we need to delete all references to the old controller dc1.root.contoso.com.
Important! Before you begin, make sure your account is a member of a following AD groups: Domain Admins and Schema Admins.
Connect to a DC2 and run elevated command prompt (it is recommended to perform all actions on the domain controller, to which you want to transfer FSMO roles). Make sure that this domain has two domain controllers:
dsquery server -forest
Then check which domain controller is the owner of FSMO roles:
netdom query fsmo
You can see that the owner of all FSMO roles is dc1.root.contoso.com
Transferring roles is performed by using the console utility NTDSUTIL (ADDS service and management tool).
Before you transfer the FSMO roles on the additional domain controller, you must register the Active Directory schema management library. In case you don‘t, then you won‘t be able to transfer role Schema master. In the Command prompt, run:
You are now ready to seize the roles from a failed DC1. Run the command prompt as an Administrator and run the following command:
Enter the role management and connect to the server (DC2), which will seize the roles:
roles connections connect to server DC2 q
After connecting to the server DC2, seize all 5 FSMO roles:
seize naming master seize infrastructure master seize rid master seize schema master seize pdc q
In the process of the transfer of each role, you will be prompted for confirmation.
Role Seizure Confirmation Dialog Are you want server dc2 to seize the domain naming role with the value below? Enter the clearing of meta-data mode and connect to the server (DC2): metadata cleanup connections connect to server DC2 q
List the existing Active Directory sites:
select operation target list sites
In this domain, only one site with the name Boulder. Choose a site, which is located on the failed domain controller DC1, and display a list of domain controllers in the site:
select site 0 list servers in site
Select the failed controller (DC1) and display the list of domains:
select server 0 list domains
Select the domain and return to the metadata cleanup menu:
select domain 0 q
Perform delete of the selected server (DC1):
remove selected server
In the dialog box «Are you sure you want to remove the server object … » confirm the removal of a domain controller.
Now we need to clean up the AD from the remaining entries on deleted DC1.
Open the snap-in Administrative Tools -> Active Directory Sites and Services. Expand the site, where the deleted DC1 located, select it and choose Delete. Confirm the removal of a DC1 twice.
Then, open the DNS snap-in and remove the PTR and A records remaining from DC1 server.
Now, open the Active Directory Users and Computers snap-in and expand Domain Controllers OU. If there is only displayed DC2, then everything is fine. And if DC1 present in this catalog, then it must be removed from the directory (it is unlikely, but check it).
So, we took the force FSMO roles from DC1 and faulty completely removed the traces of its existence from the DNS and Active Directory. DC2 became the primary domain controller (the owner of all FSMO roles).
Once you have completed the seize of the FSMO roles, you need to close the Command prompt, and wait for the changes to replicate throughout the forest.