FSMO Roles

How to Transfer FSMO Roles From a Failed Domain Controller

If the domain controller that owns the FSMO (Flexible Single Master Operation) roles fails (virus attack, fatal software problems, catastrophic hardware failure, etc.), you need to transfer the FSMO roles from the failed domain controller to another (additional) domain controller so that the Active Directory domain keeps functioning properly. This tutorial shows how to do it.

Transferring FSMO Roles From a Failed Domain Controller

Suppose our Active Directory domain has 2 domain controllers running Windows Server 2012 R2:

  • PDC – dc1.root.contoso.com
  • Secondary DC – dc2.root.contoso.com

After DC1 fails, we need to seize the FSMO roles from DC1 on the secondary domain controller. Then, on DC2, we need to delete all references to the old controller dc1.root.contoso.com.

Important! Before you begin, make sure your account is a member of the following AD groups: Domain Admins and Schema Admins.

Connect to DC2 and open an elevated command prompt (it is recommended to perform all actions on the domain controller to which you want to transfer the FSMO roles). Make sure that this domain has two domain controllers:

dsquery server -forest


Then check which domain controller is the owner of FSMO roles:

netdom query fsmo

You can see that the owner of all FSMO roles is dc1.root.contoso.com

Transferring roles is performed by using the console utility NTDSUTIL (ADDS service and management tool).

Before you transfer the FSMO roles to the additional domain controller, you must register the Active Directory schema management library. If you don't, you won't be able to transfer the Schema master role. In the command prompt, run:

regsvr32 schmmgmt.dll


You are now ready to seize the roles from the failed DC1. Open a command prompt as an Administrator and start the NTDSUTIL utility mentioned above.


Enter role management mode and connect to the server (DC2) that will seize the roles:



connect to server DC2



After connecting to the server DC2, seize all 5 FSMO roles:

seize naming master

seize infrastructure master

seize rid master

seize schema master

seize pdc


During the seizure of each role, you will be prompted for confirmation.


The Role Seizure Confirmation Dialog asks: "Are you sure you want server dc2 to seize the domain naming role with the value below?"

Enter metadata cleanup mode and connect to the server (DC2):

metadata cleanup


connect to server DC2


List the existing Active Directory sites:

select operation target

list sites

This domain has only one site, named Boulder. Select the site in which the failed domain controller DC1 is located, and display the list of domain controllers in that site:

select site 0

list servers in site


Select the failed controller (DC1) and display the list of domains:

select server 0

list domains

Select the domain and return to the metadata cleanup menu:

select domain 0

q

Delete the selected server (DC1):

remove selected server

In the dialog box «Are you sure you want to remove the server object … » confirm the removal of a domain controller.

Now we need to clean up the entries remaining in AD for the deleted DC1.

Open the snap-in Administrative Tools -> Active Directory Sites and Services. Expand the site where the deleted DC1 was located, select DC1 and choose Delete. Confirm the removal of DC1 twice.

Then, open the DNS snap-in and remove the PTR and A records remaining from the DC1 server.

Now open the Active Directory Users and Computers snap-in and expand the Domain Controllers OU. If only DC2 is displayed, everything is fine. If DC1 is still present in this OU, it must be removed from the directory (this is unlikely, but check it).

So, we forcibly seized the FSMO roles from the faulty DC1 and completely removed all traces of its existence from DNS and Active Directory. DC2 became the primary domain controller (the owner of all FSMO roles).

Once you have finished seizing the FSMO roles, close the command prompt and wait for the changes to replicate throughout the forest. The transfer of FSMO roles from the failed domain controller is now complete.
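A post-cleanup check for the procedure above, added here as an example and not part of the original article: it confirms that all five roles are on DC2 and that no DC1 objects remain in Sites and Services, the Domain Controllers OU or DNS. It assumes the ActiveDirectory and DnsServer PowerShell modules are available on DC2, that DC2 hosts the DNS zones, and that the forward zone is named after the domain.

```powershell
# Added example: post-seizure verification, run on DC2 in an elevated PowerShell session.
# Assumes the ActiveDirectory and DnsServer modules are available and DC2 hosts the DNS zones.
Import-Module ActiveDirectory, DnsServer

$NewOwner = 'dc2.root.contoso.com'   # DC that seized the roles (from the tutorial)
$FailedDc = 'dc1'                    # host name of the removed DC (from the tutorial)
$findings = @()

# 1. All five FSMO roles must be held by the new owner.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -ne $NewOwner) { $findings += "FSMO: $($role.Key) is held by $($role.Value)" }
}

# 2. No server object for the failed DC may remain under CN=Sites (Sites and Services).
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))" |
    ForEach-Object { $findings += "Sites: stale object $($_.DistinguishedName)" }

# 3. No computer account for the failed DC may remain in the Domain Controllers OU.
Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter "Name -eq '$FailedDc'" |
    ForEach-Object { $findings += "OU: stale account $($_.DistinguishedName)" }

# 4. No A or PTR records for the failed DC may remain in DNS.
#    Assumption: the forward zone has the same name as the domain ($domain.DNSRoot).
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -Name $FailedDc -RRType A -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "DNS: A record $($_.HostName) -> $($_.RecordData.IPv4Address)" }
foreach ($zone in Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType Ptr -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.PtrDomainName -like "$FailedDc.*" } |
        ForEach-Object { $findings += "DNS: PTR $($_.HostName) in $($zone.ZoneName)" }
}

# Report: one warning per leftover reference, or a single confirmation line.
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "All FSMO roles are on $NewOwner; no references to $FailedDc found." }
```

The script only reads from the directory and DNS; any warning it prints points at an object to remove with the snap-ins described above.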
