If the domain controller that holds the FSMO (Flexible Single Master Operation) roles fails (virus attack, fatal software problems, catastrophic hardware failure, etc.), you need to transfer the FSMO roles from the failed domain controller to another (additional) one so that the Active Directory domain keeps operating properly. This tutorial shows how to do it.
How to Seize FSMO Roles From a Dead Domain Controller?
Suppose we have two Windows Server 2012 R2 domain controllers in our Active Directory domain.
- PDC — dc1.root.contoso.com;
- Secondary DC — dc2.root.contoso.com.
After DC1 fails, we need to seize the FSMO roles from DC1 to the secondary domain controller. Then, on DC2, we need to delete all references to the old controller dc1.root.contoso.com.
There are two ways to reassign FSMO roles in Active Directory:
- Transferring FSMO roles — used for the planned demotion of a domain controller (for example, when you decommission a server), or when a DC is temporarily disconnected while maintenance tasks are performed on a physical server;
- Seizing FSMO roles — used when the physical server has failed (and you do not have an up-to-date Active Directory backup of this DC to perform a non-authoritative restore of Active Directory Domain Services), when Windows Server is faulty, or after you have forcibly demoted a domain controller to a member server using the dcpromo /forceremoval command.
Important! Before you begin, make sure your account is a member of the following AD groups: Domain Admins and Schema Admins.
Connect to DC2 and run an elevated command prompt (it is recommended to perform all steps on the domain controller to which you want to transfer the FSMO roles). Make sure there are two domain controllers in this domain:
dsquery server -forest
Then check which domain controller is the owner of FSMO roles:
netdom query fsmo
You can see that the owner of all FSMO roles is dc1.root.contoso.com.
Note. When you create a new Active Directory domain, all FSMO roles are assigned to the first domain controller in the forest.
Roles are transferred with the NTDSUTIL console tool (the AD DS service and management tool).
Note. Administrators should take extra care when seizing FSMO roles. You should seize an FSMO role only as a last resort, when you cannot bring the old DC that holds the FSMO role back online. If the domain controller hosting the FSMO role is temporarily unavailable, don't worry about it. Your Active Directory network will survive without it for a day or two.
Before you transfer the FSMO roles to the additional domain controller, you must register the Active Directory schema management library. If you don't, you won't be able to transfer the Schema master role. In the Command prompt, run:
You are now ready to seize the roles from the failed DC1. Run the command prompt as an Administrator and run the following command:
Switch to the role management namespace and connect to the server (DC2), which will seize the roles:
roles
connections
connect to server DC2
q
After connecting to the server DC2, seize all 5 FSMO roles:
seize naming master
seize infrastructure master
seize rid master
seize schema master
seize pdc
q
During the seizing of each role, you will be prompted to confirm.
Role Seizure Confirmation Dialog
Are you sure you want server dc2 to seize the domain naming role with the value below?
Enter metadata cleanup mode and connect to the server (DC2):
metadata cleanup
connections
connect to server DC2
q
List the existing Active Directory sites:
select operation target
list sites
This domain has only one AD site, called Boulder. Select the site in which the failed domain controller DC1 is located, and display the list of domain controllers in that site:
select site 0
list servers in site
Select the failed controller (DC1) and display the list of domains:
select server 0
list domains
Select the domain and return to the metadata cleanup menu:
select domain 0
q
Hint. Cleaning up metadata in Active Directory only needs to be done on older versions of Windows Server. In Windows Server 2012 R2 and newer, it is sufficient to remove the domain controller account using the graphical ADUC snap-in.
Delete the selected server (DC1):
remove selected server
In the "Are you sure you want to remove the server object …" dialog box, confirm the removal of the domain controller.
Now we need to clean up the entries that the deleted DC1 left behind in AD.
Open the Administrative Tools > Active Directory Sites and Services snap-in (dssite.msc). Expand the site that contained the removed DC1, select DC1, and choose Delete. Confirm the removal of DC1 twice.
Then, open the DNS mmc snap-in (dnsmgmt.msc) and remove the PTR and A records left over from the DC1 server.
Now, open the Active Directory Users and Computers mmc snap-in (dsa.msc) and expand the "Domain Controllers" Organizational Unit (OU). If only DC2 is displayed there, then everything is fine. If DC1 is still present in that container, you need to remove it from Active Directory (unlikely, but check it).
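The three manual checks above (Sites and Services, DNS, the Domain Controllers OU) can also be run as one read-only pass from DC2. This is an added example, not part of the original tutorial; it assumes DC2 hosts the DNS Server role, and $DeadDC and $DnsDomain are placeholders taken from the sample domain used on this page.

```powershell
# Added example (not from the original page). Read-only: it lists leftovers of a
# removed DC and deletes nothing. $DeadDC / $DnsDomain are assumed sample values.
$DeadDC    = 'dc1'
$DnsDomain = 'root.contoso.com'
Import-Module ActiveDirectory, DnsServer

$fqdn     = "$DeadDC.$DnsDomain"
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext
$found    = @()

# 1. Computer account still present in the Domain Controllers OU
$found += @(Get-ADComputer -SearchBase "OU=Domain Controllers,$domainDN" -Filter "Name -eq '$DeadDC'" |
    Select-Object @{n='Where';e={'Domain Controllers OU'}}, @{n='Item';e={$_.DistinguishedName}})

# 2. Server object still present under a site in the configuration partition
$found += @(Get-ADObject -SearchBase "CN=Sites,$configDN" -Filter "objectClass -eq 'server' -and Name -eq '$DeadDC'" |
    Select-Object @{n='Where';e={'Sites and Services'}}, @{n='Item';e={$_.DistinguishedName}})

# 3. DNS records that are named after the dead DC or point at it
#    (A, PTR, SRV, NS, CNAME), in every zone hosted on this server
foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    $found += @(Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue |
        Where-Object {
            $d = $_.RecordData
            # Target fields differ per record type; absent ones evaluate to $null
            $targets = @($d.DomainName, $d.PtrDomainName, $d.NameServer, $d.HostNameAlias) -ne $null
            $_.HostName -eq $DeadDC -or (($targets -replace '\.$', '') -contains $fqdn)
        } |
        Select-Object @{n='Where';e={"DNS zone $($zone.ZoneName)"}},
                      @{n='Item';e={"$($_.HostName) ($($_.RecordType))"}})
}

if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize -Wrap
} else {
    "No references to $fqdn found."
}
```

An empty result means the cleanup described above is complete; anything listed still needs to be removed in the corresponding snap-in.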
So, we forcibly seized the FSMO roles from DC1 and completely removed its entries from DNS and Active Directory. DC2 became the primary domain controller (the owner of all FSMO roles).
Seizing FSMO Roles Using PowerShell
The Active Directory PowerShell module has a special cmdlet that makes it much easier to seize FSMO roles without using the ntdsutil tool. The Move-ADDirectoryServerOperationMasterRole cmdlet can be used to transfer or seize FSMO roles from any domain controller.
Hint. The Move-ADDirectoryServerOperationMasterRole cmdlet is available in the Active Directory module 2.0 or newer on domain controllers with Windows Server 2008 R2 or higher.
Import the ActiveDirectory module into your PowerShell session:
Use the following commands to find out which DCs hold the FSMO roles in your AD forest:
Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
Get-ADForest | Select SchemaMaster, DomainNamingMaster | Format-List
The following PowerShell command is used to seize FSMO roles from the original non-operational DC to a different operational DC:
Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole 0,1,2,3,4 -Force
- -Identity — specifies the target DC to which the FSMO role should be seized
- -OperationMasterRole — here it is indicated which FSMO roles to transfer (you can use role numbers or their names from the table below)
- -Force — parameter is used to seize the FSMO roles when the source DC is offline
To confirm the role transfer, type A and press Enter.
|Operation Master Role Name||Number|
If FSMO roles are taken over, the domain controller that previously owned those roles should never come back online and communicate with the existing domain controller in the AD forest. Otherwise, a conflict will arise that can cause serious problems in the domain.
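Because a seized-from DC must never return, it is worth checking per role whether the current owner is really unreachable before using -Force. The script below is an added example, not part of the original tutorial: it reads the current role owners, probes each one on LDAP, and uses a graceful transfer where the owner still answers and a seizure only where it does not. $TargetDC (given as an FQDN) and the -Execute switch are assumptions of this example; without -Execute the cmdlet runs with -WhatIf and changes nothing.

```powershell
# Added example (not from the original page). $TargetDC is an assumed FQDN for
# the surviving controller. Nothing is changed unless -Execute is passed.
param(
    [string]$TargetDC = 'dc2.root.contoso.com',
    [switch]$Execute
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Current owner of each role, keyed by the names -OperationMasterRole accepts
# (numeric equivalents 0..4, in this order).
$owners = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

foreach ($role in $owners.Keys) {
    $owner = $owners[$role]
    if ($owner -eq $TargetDC) {
        Write-Output "$role is already held by $TargetDC, skipping"
        continue
    }

    # Probe LDAP (TCP 389) on the current owner. A reachable owner means the
    # role should be transferred gracefully, not seized.
    $alive = Test-NetConnection -ComputerName $owner -Port 389 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
    $mode  = if ($alive) { 'transfer' } else { 'SEIZE' }
    Write-Output "$role : owner $owner, reachable=$alive -> $mode"

    # -Force is passed only for unreachable owners (seizure);
    # -WhatIf stays on until -Execute is given.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $role -Force:(-not $alive) -WhatIf:(-not $Execute)
}
```

A successful LDAP probe only shows that the owner is online, not that it is healthy; the decision to seize from a DC that still answers remains a manual one.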
After capturing the FSMO roles, check for errors in the Directory Services and DNS logs in the Event Viewer. If you have problems, first use the following commands to help you fix the most common errors automatically:
dcdiag /v /fix
netdiag /v /fix
Once you have completed the seizure of the FSMO roles, close the Command prompt and wait for the changes to replicate throughout the AD forest. The transfer of FSMO roles from the failed domain controller is now complete.