FSMO Roles

How to Seize FSMO Roles From Dead Domain Controller?


In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic hardware failure etc.), then you need to transfer FSMO roles from a failed to an another (additional) domain controller (for proper Active Directory domain functioning). Consider this tutorial on how to do it.

How to Seize FSMO Roles From a Failed Domain Controller?

Suppose, in our Active Directory domain there are 2 domain controllers, that is running Windows Server 2012 R2:

  • PDC – dc1.root.contoso.com
  • Secondary DC – dc2.root.contoso.com

After the failure of the DC1, we need to seize the FSMO roles from DC1 to a secondary domain controller. Then, on DC2, we need to delete all references to the old controller dc1.root.contoso.com.

Important! Before you begin, make sure your account is a member of a following AD groups: Domain Admins and Schema Admins.

Connect to a DC2 and run elevated command prompt (it is recommended to perform all actions on the domain controller, to which you want to transfer FSMO roles). Make sure that this domain has two domain controllers:

dsquery server -forest

seize fsmo roles from dead domain controller 2012 r2

Then check which domain controller is the owner of FSMO roles:

netdom query fsmo

You can see that the owner of all FSMO roles is dc1.root.contoso.com

seize fsmo roles from dead domain controller

Transferring roles is performed by using the console utility NTDSUTIL (ADDS service and management tool).

Before you transfer the FSMO roles on the additional domain controller, you must register the Active Directory schema management library. In case you dont, then you wont be able to transfer role Schema master. In the Command prompt, run:

regsvr32 schmmgmt.dll

seize fsmo roles from dead domain controller 2008 r2

You are now ready to seize the roles from a failed DC1. Run the command prompt as an Administrator and run the following command:

ntdsutil

Enter the role management and connect to the server (DC2), which will seize the roles:

roles

connections

connect to server DC2

q

seize fsmo roles

After connecting to the server DC2, seize all 5 FSMO roles:

seize naming master

seize infrastructure master

seize rid master

seize schema master

seize pdc

q

In the process of the transfer of each role, you will be prompted for confirmation.

how to seize fsmo roles from a dead dc

Role Seizure Confirmation Dialog

Are you want server dc2 to seize the domain naming role with the value below?

Enter the clearing of meta-data mode and connect to the server (DC2):

metadata cleanup

connections

connect to server DC2

q

List the existing Active Directory sites:

select operation target

list sites

force fsmo role transfer

In this domain, only one site with the name Boulder. Choose a site, which is located on the failed domain controller DC1, and display a list of domain controllers in the site:

select site 0

list servers in site

transfer fsmo roles when dc is down

Select the failed controller (DC1) and display the list of domains:

select server 0

list domains

Select the domain and return to the metadata cleanup menu:

select domain 0 q

Perform delete of the selected server (DC1):

remove selected server

In the dialog box «Are you sure you want to remove the server object … » confirm the removal of a domain controller.

seize fsmo roles 2012 r2

Now we need to clean up the AD from the remaining entries on deleted DC1.

Open the snap-in Administrative Tools -> Active Directory Sites and Services. Expand the site, where the deleted DC1 located, select it and choose Delete. Confirm the removal of a DC1 twice.

seize fsmo roles 2012

Then, open the DNS snap-in and remove the PTR and A records remaining from DC1 server.

Now, open the Active Directory Users and Computers snap-in and expand Domain Controllers OU. If there is only displayed DC2, then everything is fine. And if DC1 present in this catalog, then it must be removed from the directory (it is unlikely, but check it).

primary domain controller failed

So, we took the force FSMO roles from DC1 and faulty completely removed the traces of its existence from the DNS and Active Directory. DC2 became the primary domain controller (the owner of all FSMO roles).

Once you have completed the seize of the FSMO roles, you need to close the Command prompt, and wait for the changes to replicate throughout the forest. Now transfer FSMO Roles From a Failed Domain Controller is completed.

Comments
  1. Posted by Karunakaran
  2. Posted by CJS
  3. Posted by KPD
  4. Posted by Devon Maya
  5. Posted by Kris

Add Your Comment