How to Seize FSMO Roles From Dead Domain Controller?

If the domain controller that holds the FSMO (Flexible Single Master Operation) roles fails (malware, an unrecoverable software problem, catastrophic hardware failure, etc.), you need to move the FSMO roles from the failed DC to another (additional) domain controller so that the Active Directory domain keeps working properly. This tutorial shows how to do it.

How to Seize FSMO Roles From a Dead Domain Controller?

Suppose we have two Windows Server 2012 R2 domain controllers in our Active Directory domain:

  • PDC — dc1.root.contoso.com;
  • Secondary DC — dc2.root.contoso.com.

After DC1 fails, we need to seize its FSMO roles on the secondary domain controller DC2. Then, on DC2, we need to remove all references to the old controller dc1.root.contoso.com from Active Directory and DNS.

There are two ways to reassign FSMO roles in Active Directory:

  • Transferring FSMO roles — used for the planned demotion of a domain controller (for example, when you decommission a server) or when a DC is temporarily taken offline for maintenance of the physical server. Both DCs must be online, and the role is handed over gracefully;
  • Seizing FSMO roles — used when the physical server has failed (and you do not have an up-to-date system state backup of this DC for a non-authoritative restore of Active Directory Domain Services), when Windows Server is damaged beyond repair, or after you have forcibly demoted a domain controller to a member server with dcpromo /forceremoval. The role is taken without the old holder's cooperation.

Important! Before you begin, make sure your account has the required group memberships: Domain Admins for the PDC Emulator, RID Master and Infrastructure Master roles, Schema Admins for the Schema Master role, and Enterprise Admins for the Domain Naming Master role.

Connect to DC2 and open an elevated command prompt (it is recommended to perform all steps on the domain controller that will receive the FSMO roles). Make sure both domain controllers are still listed in the forest:

dsquery server -forest


Then check which domain controller is the owner of FSMO roles:

netdom query fsmo

You can see that the owner of all FSMO roles is dc1.root.contoso.com.

Note. When you create a new Active Directory domain, all FSMO roles are assigned to the first domain controller in the forest.



Roles are seized with the console tool NTDSUTIL (the AD DS service management tool).

Note. Administrators should take extra care when seizing FSMO roles. Seize a role only as a last resort, when you cannot bring the old role holder back online. If the domain controller hosting a FSMO role is only temporarily unavailable, do not seize anything: an Active Directory domain will survive without the role holder for a day or two.

If you want to view or move the Schema Master role with the graphical Active Directory Schema MMC snap-in, you must first register the schema management library, otherwise the snap-in does not appear in MMC. The ntdsutil and PowerShell methods below do not need it, but it does no harm to register it now. In the command prompt, run:

regsvr32 schmmgmt.dll


You are now ready to seize the roles from the failed DC1. In the elevated command prompt, run:

ntdsutil

Switch to the FSMO role management context and connect to the server (DC2) that will take over the roles:

roles

connections

connect to server DC2

q


After connecting to DC2, seize all five FSMO roles:

seize naming master

seize infrastructure master

seize rid master

seize schema master

seize pdc

q

During the seizure of each role you will be asked to confirm. ntdsutil first attempts a normal transfer; only when the current holder cannot be contacted does it actually seize the role.

Role Seizure Confirmation dialog:

Are you sure you want server dc2 to seize the domain naming role with the value below?

Enter the metadata cleanup context and connect to the server (DC2):

metadata cleanup

connections

connect to server DC2

q

List the existing Active Directory sites:

select operation target

list sites


This forest has only one AD site, called Boulder. Select the site that contains the failed domain controller DC1 and list the domain controllers in that site:

select site 0

list servers in site


Select the failed controller (DC1) and list the domains:

select server 0

list domains

Select the domain and return to the metadata cleanup menu:

select domain 0

q

Hint. Since Windows Server 2008, the Active Directory Users and Computers and Active Directory Sites and Services snap-ins perform metadata cleanup automatically when you delete a domain controller's computer object or its server/NTDS Settings object. On Windows Server 2012 R2 the ntdsutil metadata cleanup steps are therefore optional; they are only strictly required on Windows Server 2003.

Delete the selected server (DC1):

remove selected server

In the “Are you sure you want to remove the server object …” dialog box, confirm the removal of the domain controller.


Now we need to remove the remaining references to the deleted DC1 from Active Directory and DNS.

Open Administrative Tools > Active Directory Sites and Services (dssite.msc). Expand the site that contained DC1, select the DC1 server object, and choose Delete. Confirm the removal of DC1 twice.


Then open the DNS snap-in (dnsmgmt.msc) and remove the records that still point to DC1: its A and PTR records, the NS record for DC1 on the Name Servers tab of each AD-integrated zone, and any SRV or CNAME records under _msdcs, _sites, _tcp and _udp that still name dc1.root.contoso.com. Metadata cleanup does not remove DNS records for you.

Now open Active Directory Users and Computers (dsa.msc) and expand the Domain Controllers OU. If only DC2 is listed there, everything is fine. If DC1 is still present in that container, delete it manually (unlikely, but check).
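The three manual checks above (Sites and Services, DNS, and the Domain Controllers OU) can be scripted. The following PowerShell script is an added example and is not part of the original article: it reports every object and DNS record that still references the dead DC and, only when run with -Remove, deletes the stale DNS records. It assumes you run it on the surviving DC, which also hosts the DNS Server role, with the ActiveDirectory and DnsServer RSAT modules installed; dc1 / dc1.root.contoso.com are the names used in this article, and the old IP address 192.0.2.10 is a made-up placeholder you must replace.

```powershell
# Added example (not from the original article): find, and optionally remove,
# everything that still references the dead DC after metadata cleanup.
# Read-only unless -Remove is given.
# Assumptions: run on the surviving DC (which runs DNS Server), RSAT modules
# ActiveDirectory and DnsServer are present; the dead DC's old IP is a placeholder.
[CmdletBinding()]
param(
    [string]$DeadDc    = 'dc1',
    [string]$DeadFqdn  = 'dc1.root.contoso.com',
    [ipaddress]$DeadIp = '192.0.2.10',   # placeholder, replace with DC1's real address
    [switch]$Remove
)
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDn = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext

# 1. Computer account in the Domain Controllers OU (what dsa.msc shows).
$computer = Get-ADComputer -Filter "Name -eq '$DeadDc'" -SearchBase "OU=Domain Controllers,$domainDn"
if ($computer) { Write-Warning "Computer object still present: $($computer.DistinguishedName)" }

# 2. Server object under CN=Sites in the Configuration partition (dssite.msc view).
$server = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DeadDc'" -SearchBase "CN=Sites,$configDn"
if ($server) { Write-Warning "Server object still present: $($server.DistinguishedName)" }

# 3. Does the directory still list it as a domain controller?
$stillDc = Get-ADDomainController -Filter "Name -eq '$DeadDc'"
if ($stillDc) { Write-Warning "$DeadDc is still registered as a domain controller" }

# 4. DNS: A, PTR, NS, SRV and CNAME records that name the dead DC or its IP.
#    Each record type keeps its target in a differently named RecordData field;
#    a field that does not exist on a given record simply evaluates to $null.
$stale = foreach ($zone in (Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated })) {
    foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName) {
        $d = $rr.RecordData
        if ($rr.HostName -ieq $DeadDc -or
            $d.IPv4Address   -eq   $DeadIp -or          # A
            $d.PtrDomainName -like "$DeadFqdn*" -or     # PTR (trailing dot)
            $d.NameServer    -like "$DeadFqdn*" -or     # NS
            $d.DomainName    -like "$DeadFqdn*" -or     # SRV target
            $d.HostNameAlias -like "$DeadFqdn*") {      # CNAME (DSA GUID in _msdcs)
            [pscustomobject]@{ Zone = $zone.ZoneName; Record = $rr }
        }
    }
}

foreach ($s in $stale) {
    $rr = $s.Record
    Write-Warning ("Stale DNS record in {0}: {1} {2}" -f $s.Zone, $rr.HostName, $rr.RecordType)
    if ($Remove) {
        # -InputObject deletes exactly this record, not every record of the same
        # name and type. That matters for the zone's NS records, which all live at "@".
        Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $rr -Force
    }
}

if (-not $computer -and -not $server -and -not $stillDc -and -not $stale) {
    Write-Host "No references to $DeadFqdn remain in Active Directory or DNS."
}
```

Run it once without -Remove and read the warnings; the AD objects it finds (computer, server) are deliberately left for you to delete in the snap-ins, because removing a server object that still has an NTDS Settings child is exactly the step you want to eyeball. Deleting NS records by name and type instead of by object would wipe every name server of the zone, which is why the removal uses -InputObject.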


We have forcibly seized the FSMO roles from DC1 and completely removed its entries from DNS and Active Directory. DC2 is now the owner of all FSMO roles.

Seizing FSMO Roles Using PowerShell

The Active Directory PowerShell module has a dedicated cmdlet that makes it much easier to seize FSMO roles without ntdsutil. Move-ADDirectoryServerOperationMasterRole can transfer or seize FSMO roles to any domain controller.

Hint. The Move-ADDirectoryServerOperationMasterRole cmdlet is available in the Active Directory module 2.0 or newer on domain controllers with Windows Server 2008 R2 or higher.

Import the ActiveDirectory module into your PowerShell session:

Import-Module ActiveDirectory

Use the following commands to find out which DCs hold the FSMO roles in your domain and forest:

Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

Get-ADForest | Select SchemaMaster, DomainNamingMaster | Format-List

The following PowerShell command is used to seize FSMO roles from the original non-operational DC to a different operational DC:

Move-ADDirectoryServerOperationMasterRole -Identity dc2 -OperationMasterRole 0,1,2,3,4 -Force
  • -Identity — the target DC that will take over the FSMO roles;
  • -OperationMasterRole — which FSMO roles to move (you can use role numbers or the names from the table below);
  • -Force — seize the roles when the current holder is offline. Without -Force the cmdlet only attempts a graceful transfer and fails if the source DC cannot be contacted.

When prompted, press Y to confirm each role, or A (Yes to All) and Enter to confirm all of them at once. Add -Confirm:$false to skip the prompts in a script.


Operation Master Role Name    Number
PDCEmulator                   0
RIDMaster                     1
InfrastructureMaster          2
SchemaMaster                  3
DomainNamingMaster            4
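In practice you rarely want to blindly seize all five roles: if a role is held by a DC that is still alive, the right operation is a transfer, and if the target already holds a role there is nothing to do. The following PowerShell script is an added example, not code from the original article: it reads the current role holders, checks each holder with an LDAP query rather than a ping, transfers roles whose holders still answer, seizes only the roles whose holders are dead, and then verifies against the target itself. It assumes the article's names (dc2.root.contoso.com survives, dc1.root.contoso.com is dead), that it runs on DC2 with the ActiveDirectory module, and that the account holds Domain Admins, Schema Admins and Enterprise Admins.

```powershell
# Added example (not part of the original article): seize only the FSMO roles
# whose current holder no longer answers, transfer the rest, then verify.
# Assumptions: run on the surviving DC (dc2.root.contoso.com) as a member of
# Domain Admins, Schema Admins and Enterprise Admins; ActiveDirectory module present.
Import-Module ActiveDirectory

$Target = 'dc2.root.contoso.com'   # DC that will take over the roles

$domain = Get-ADDomain
$forest = Get-ADForest

# Role name -> FQDN of the DC that currently holds it.
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# A holder counts as alive only if it answers an LDAP query about itself.
# Ping is not enough: a box can answer ICMP while the NTDS service is down.
function Test-DcAlive {
    param([string]$Fqdn)
    try {
        $null = Get-ADDomainController -Identity $Fqdn -Server $Fqdn -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$toSeize = @()
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    if ($holder -ieq $Target) {
        Write-Host "$role is already held by $Target"
        continue
    }
    if (Test-DcAlive $holder) {
        # Holder is reachable: a graceful transfer is the correct, safe operation.
        Write-Host "$role holder $holder is online; transferring instead of seizing"
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
    } else {
        Write-Warning "$role holder $holder is unreachable; it will be seized"
        $toSeize += $role
    }
}

if ($toSeize) {
    # -Force performs the seizure when the current holder cannot be contacted.
    # After a RID Master seizure the old DC must never rejoin the network,
    # otherwise both DCs may hand out overlapping RID pools.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $toSeize -Force -Confirm:$false
}

# Verify against the target itself so we are not reading stale data replicated
# from another DC.
$d = Get-ADDomain -Server $Target
$f = Get-ADForest -Server $Target
$after = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
$bad = $after | Where-Object { $_ -ine $Target }
if ($bad) { throw "Roles still held elsewhere: $($bad -join ', ')" }
Write-Host "All five FSMO roles are now held by $Target"
```

Run it once with -WhatIf appended to both Move-ADDirectoryServerOperationMasterRole calls to see what it would do before letting it change anything. The transfer-when-alive branch is what protects you from the scenario in the note above, where a DC is only temporarily unreachable and a seizure would be the wrong tool.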

Once FSMO roles have been seized, the domain controller that previously owned them must never come back online and communicate with the remaining domain controllers in the forest. A seized RID Master that reappears, for example, can issue RID pools that overlap with those handed out by the new holder, and the resulting conflicts can cause serious problems in the domain. If you want to reuse the hardware or the name, reinstall Windows and promote it as a new DC.

After seizing the FSMO roles, check the Directory Service and DNS Server logs in Event Viewer for errors. The following commands help you diagnose and automatically fix the most common problems:

dcdiag /v /fix

netdiag /v /fix

Note that netdiag is a Windows Server 2003 support tool and is not included in Windows Server 2008 and later; on current versions use dcdiag /test:dns and repadmin /replsummary instead.

Once you have seized the FSMO roles, close the command prompt and wait for the changes to replicate throughout the AD forest. The transfer of the FSMO roles from the failed domain controller is now complete.

Cyril Kardashevsky

6 comments

  1. Hi,
    I have a doubt.
    DC1 failed due to hardware failure, so all the FSMO roles were moved to DC1 by seizing the FSMO roles on DC1.
    My doubt is: after rebuilding the DC1 server (same name), can I transfer the roles to DC1 from DC2?
    Thanks.

  2. Thanks for a nice and clear article. Best I’ve seen on the net, given these steps can never be recalled from memory on such a rare (hopefully) task.

    Best
    CJ

  3. Hello
    Nice video, and please, how do I perform this task (open the DNS snap-in and remove the PTR and A records remaining from the DC1 server)?
