What Happens to the FSMO Roles When the Domain Controller That Holds Them is Demoted

August 7, 2013

Active Directory, Server 2012

At Briforum 2013 Chicago, after my session on More Things in AD…, someone asked me: “What happens to the FSMO roles when the domain controller that holds them is demoted and is no longer a domain controller?”  The questioner’s scenario was an emergency in which a domain controller (DC) must be demoted quickly and it is not known whether the DC holds any FSMO roles.  I gave my answer, and the puzzled “Are you sure?” look I got in return is the reason for this article: it shows the proof that the answer was correct.

In my lab, I created five different WebstersLab.com domains; obviously, only one of them was powered on at a time.  The first four labs had three domain controllers: LabDC1, LabDC2 and LabDC3.  The fifth lab had an additional DC, LabDC4.  In all five labs, LabDC1 held all five FSMO roles.

Note: FSMO – Flexible Single-Master Operations, see http://technet.microsoft.com/en-us/library/cc961936.aspx

The following domains were created:

  • 2012 with Forest Functional Level (FFL) and Domain Function Level (DFL) set to 2012.
  • 2008 R2 with FFL and DFL of 2008 R2.
  • 2008 with FFL and DFL of 2008.
  • 2003 R2 with FFL and DFL of 2003.
  • Mixed with a 2003 DC, 2008 DC, 2008 R2 DC and a 2012 DC.  FFL and DFL were set to 2003.

All servers in all labs had all Windows Updates as of 05-AUG-2013.

Because I knew that LabDC1 was going to go through several demotions and promotions for this article, all DCs had the following DNS client settings, so that none of them depended on LabDC1 for name resolution:

  • Primary: LabDC2
  • Secondary: LabDC3
  • Tertiary: Loopback

Windows Server 2012

How do you find which domain controller has which FSMO role?  From a PowerShell session or Windows Command Prompt, run the following command as shown in Figure 1:

netdom query fsmo

Figure 1
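The same information netdom query fsmo prints is exposed by the ActiveDirectory PowerShell module, which makes the “does this DC hold anything?” check from the emergency scenario above easy to script. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is available (Windows Server 2008 R2 or later) and uses the lab names WebstersLab.com and LabDC1 from the post. The function names are made up for the illustration:

```powershell
# Added example (not from the original post): list the five FSMO role holders with
# the ActiveDirectory module and test whether a named DC holds any of them.
# Requires the RSAT ActiveDirectory module (Windows Server 2008 R2 or later).
# Domain and DC names are assumed from the lab described in the post.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    [CmdletBinding()]
    param(
        # Domain whose three domain-wide roles are queried (default: the current domain)
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    # Forest-wide roles are attributes of the forest object, domain-wide roles of
    # the domain object. Values are the holders' FQDNs, as netdom prints them.
    [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $dom.PDCEmulator
        'RID pool manager'      = $dom.RIDMaster
        'Infrastructure master' = $dom.InfrastructureMaster
    }
}

function Test-DCHoldsFsmoRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DCHostName,   # e.g. LabDC1 or LabDC1.WebstersLab.com
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $roles = Get-FsmoRoleHolder -Domain $Domain
    # Compare host names only, so a short name and an FQDN both match.
    $short = ($DCHostName -split '\.')[0]
    $held  = @($roles.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $short } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{
        DC        = $DCHostName
        HoldsRole = ($held.Count -gt 0)
        Roles     = $held
    }
}

# Usage in the post's lab (names assumed):
Get-FsmoRoleHolder -Domain 'WebstersLab.com' | Format-Table -AutoSize
Test-DCHoldsFsmoRole -DCHostName 'LabDC1' -Domain 'WebstersLab.com'
```

Run this on any domain-joined machine with the module installed; it reads the fsmoRoleOwner attributes through the directory rather than depending on the DC you are about to demote.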

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

From a PowerShell session on LabDC1, run the following command:

Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true

Note: -DemoteOperationMasterRole:$true tells the cmdlet that a forced demotion should continue even if an operations master role is discovered on the domain controller from which AD DS is being removed.  -Force:$true runs the demotion without asking for confirmation.

Enter and confirm the password for the Local Administrator account and the demotion process runs as shown in Figure 2.

Figure 2

Once the demoted domain controller restarts, rerun netdom query fsmo from a PowerShell session or Windows Command Prompt on it (or on one of the remaining DCs), as shown in Figure 3.

Figure 3

Windows Server 2008 R2

How do you find which domain controller has which FSMO role?  From a PowerShell session or Windows Command Prompt, run the following command as shown in Figure 4:

netdom query fsmo

Figure 4

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, click Run, type dcpromo and press Enter (Figure 5).

Figure 5

Proceed through the Active Directory Domain Services Installation Wizard and click Next (Figure 6).

Figure 6

Once the demoted domain controller restarts, rerun netdom query fsmo from a PowerShell session or Windows Command Prompt on it (or on one of the remaining DCs), as shown in Figure 7.

Figure 7

Windows Server 2008

How do you find which domain controller has which FSMO role?  From a Windows Command Prompt, run the following command as shown in Figure 8:

netdom query fsmo

Figure 8

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, click Run, type dcpromo and press Enter (Figure 9).

Figure 9

Proceed through the Active Directory Domain Services Installation Wizard and click Next (Figure 10).

Figure 10

Once the demoted domain controller restarts, rerun netdom query fsmo from a Windows Command Prompt on it (or on one of the remaining DCs), as shown in Figure 11.

Figure 11

Windows Server 2003 R2

How do you find which domain controller has which FSMO role?  First the Windows Support Tools must be installed.  Then from a Windows Command Prompt, run the following command as shown in Figure 12:

netdom query fsmo

Figure 12

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, click Run, type dcpromo and press Enter (Figure 13).

Figure 13

Proceed through the Active Directory Installation Wizard and click Next (Figure 14).

Figure 14

Once the demoted domain controller restarts, rerun netdom query fsmo from a Windows Command Prompt on it (or on one of the remaining DCs), as shown in Figure 15.

Figure 15

One More Just for the Heck of it

Just out of my own curiosity, I wanted to see what would happen in a mixed environment with four different Windows Server operating systems with each set as a domain controller.

LabDC1 running Windows Server 2003 R2 was installed first and the DFL and FFL were upgraded to Windows Server 2003.  Because LabDC1 was installed first, it is the Forest Root domain controller and holds all five FSMO roles as shown in the screen capture from LabDC4 (Figure 16).

Figure 16

The remaining domain controllers were installed in the following order:

  • LabDC2 (Windows Server 2008)
  • LabDC3 (Windows Server 2008 R2)
  • LabDC4 (Windows Server 2012)

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, click Run, type dcpromo and press Enter (Figure 17).

Figure 17

Proceed through the Active Directory Installation Wizard and click Next (Figure 18).

Figure 18

Once the demoted domain controller restarts, rerun netdom query fsmo from a Windows Command Prompt on it (or on one of the remaining DCs), as shown in Figure 19.

Figure 19

I was hoping the FSMO roles would wind up on LabDC4 since it is the most current Windows Server version.

Conclusion

There are a few points I want to make.

  1. If all your DCs and your Active Directory (AD) are healthy, demoting a DC that holds any or all of the FSMO roles automatically transfers those roles to another DC.
  2. You have NO control over which DC receives the role or roles held by the demoted DC.
  3. If the demoted DC was running AD-integrated DNS and any computers were pointing to it for DNS, those computers will need to be reconfigured to point to another DNS server.
  4. It is really best to transfer any FSMO roles before demoting a DC, so that you, and not the demotion process, decide which DC ends up holding them.
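Point 4 is the one that gives you control. The following added example (not code from the original post) is a pre-demotion script for Windows Server 2012 that moves whatever roles a DC holds to a DC you choose, verifies the move by asking the target DC rather than trusting the local replica, and only then hands off to Uninstall-ADDSDomainController. The DC names LabDC1 and LabDC2 and the function name Move-FsmoRolesBeforeDemote are assumptions; the cmdlets are the standard ActiveDirectory and ADDSDeployment module cmdlets:

```powershell
# Added example (not from the original post): transfer every FSMO role a DC holds
# to a DC of your choosing, confirm the transfer from the target, then demote.
# Assumes Windows Server 2012 with the ActiveDirectory and ADDSDeployment modules
# and the lab names LabDC1 (source) and LabDC2 (target) from the post.
Import-Module ActiveDirectory

function Get-FsmoHolderMap {
    # Role name -> current holder FQDN, read from a specific DC (or the local one).
    param([string]$Server)
    $p = @{}; if ($Server) { $p['Server'] = $Server }
    $forest = Get-ADForest @p
    $domain = Get-ADDomain @p
    @{
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
        PDCEmulator = $domain.PDCEmulator;   RIDMaster = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesBeforeDemote {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,  # DC about to be demoted
        [Parameter(Mandatory)][string]$Target   # DC that should end up with the roles
    )
    $src = ($Source -split '\.')[0]
    $holders = Get-FsmoHolderMap
    # Only the roles the source actually holds; the five names match netdom's list.
    $toMove = @($holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -ieq $src })
    if ($toMove.Count -eq 0) { Write-Verbose "$Source holds no FSMO role"; return @() }

    # Graceful transfer (no -Force): both DCs must be online and replicating.
    if ($PSCmdlet.ShouldProcess($Target, "Transfer $($toMove -join ', ') from $Source")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $Target `
            -OperationMasterRole $toMove -Confirm:$false
    }

    # Verify against the target's own view of fsmoRoleOwner, not the source's replica.
    $tgt = ($Target -split '\.')[0]
    $now = Get-FsmoHolderMap -Server $Target
    $left = @($toMove | Where-Object { ($now[$_] -split '\.')[0] -ine $tgt })
    if ($left.Count -gt 0) {
        throw "Roles still not on $Target after transfer: $($left -join ', ')"
    }
    return $toMove
}

# Usage in the post's lab, run on LabDC1 before demoting it (names assumed):
$moved = Move-FsmoRolesBeforeDemote -Source 'LabDC1' -Target 'LabDC2' -Verbose
"Transferred to LabDC2: $($moved -join ', ')"

# Demote only once the roles are confirmed elsewhere. -DemoteOperationMasterRole is
# then unnecessary because LabDC1 holds nothing. Uncomment to actually demote:
# Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password') -Force
```

Because the function throws if the target does not report itself as the new holder, the demotion line never runs against a DC whose roles are still in flight; that is the difference between choosing where the roles land and finding out afterwards with netdom query fsmo. Point 3 still applies: clients that used the demoted DC for DNS need a new DNS server regardless of where the roles went.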

What happens if there are issues with one or more DCs and/or with AD itself?  The following error message is returned during the demotion process:

“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

If you receive this error message, Philip Elder (SBS MVP) has an article with several links to help resolve the underlying issue.  Please see AD DS Operation Failed – directory service is missing mandatory configuration – Event ID 2091 – FSMO Role Broken.

I know my labs were very simple, and it is rare to find a very simple AD environment or one that is perfectly healthy, so the process may run into issues in the real world.  My point in spending 25 hours building all these labs and writing this article is to prove that the automatic transfer of FSMO roles works all the way back to Windows Server 2003: if AD is healthy, the process just works.

My answer to the person who asked the question at Briforum was that if everything works as it should, when a DC is demoted any FSMO roles it held should be transferred to another DC.

Thanks

Webster

About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


16 Responses to “What Happens to the FSMO Roles When the Domain Controller That Holds Them is Demoted”

  1. Aaron Brown Says:

    hello Carl,

    I hope you get this but I have a few questions.

    I’ve been writing up a document to transfer our FSMO roles from windows 2003 to another server we’ve revived with server 2012 R2.

    Our current IP set on what we’ll call server A (has an IP of .2). The DNS has .3 (backup DC we’ll call server B); the second DNS is the loopback IP address.

    IP: 192.168.1.2
    DNS: 192.168.1.3 (from Backup DC Server)
    DNS2: 127.0.0.1

    My manager wanted to know if we can keep the same IP on the new server and if this was possible. I also wanted to know if this needs to be done after we transfer the FSMO roles over.

    The IP of the server running Server 2012 would be .6. All workstations in the office have their DNS set to 192.168.1.2 and 192.168.1.3. Rather than having to reconfigure their DNS IP, can we set the new server up with the same .2 IP address as the old server and change the IP of the old one to a different IP?

    This would save us a lot of time if this was possible.

    Thanks.

    • Carl Webster Says:

      Sure. Change the IP, and either restart the netlogon service or restart the server. Personally, I prefer to restart the server for a “just to make sure of all things” good feeling.

      Webster

  2. Julio Says:

    Hi,
    Very well explained article.
    I have a doubt.
    If a DC that holds all the FSMO roles crashed, the seize is the only alternative to work with.
    But how exactly does the seize work? I mean, if a DC holds the FSMO roles, schema, GC, PDC, etc., and crashed, how does the seize procedure obtain the info to allow another DC to hold the FSMO roles?
    Thanks.

    • Carl Webster Says:

      https://support.microsoft.com/en-us/kb/255504

      Explains the process with the very important note:

      A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

      How it is done:

      https://support.microsoft.com/en-us/kb/223787

      When the administrator seizes an FSMO role from an existing computer, the “fsmoRoleOwner” attribute is modified on the object that represents the root of the data directly bypassing synchronization of the data and graceful transfer of the role. The “fsmoRoleOwner” attribute of each of the following objects is written with the Distinguished Name (DN) of the NTDS Settings object (the data in the Active Directory that defines a computer as a domain controller) of the domain controller that is taking ownership of that role. As replication of this change starts to spread, other domain controllers learn of the FSMO role change.

      Hope this helps.

      Webster
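The seizure the two KB articles describe, and the warning that the old role holder must never rejoin, can be scripted from a surviving DC. The following is an added example, not code from the original post or from the linked KB articles; it assumes Windows Server 2008 R2 or later with the ActiveDirectory module, the lab names LabDC1 (crashed) and LabDC2 (surviving), and the function names Invoke-FsmoSeizure and Remove-DeadDCMetadata are made up for the illustration:

```powershell
# Added example (not from the original post or the KB articles it links): seize the
# FSMO roles a permanently offline DC held, then remove that DC's metadata so it can
# never come back believing it still owns them. Names are assumed from the post's lab.
Import-Module ActiveDirectory

function Invoke-FsmoSeizure {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DeadDC,       # crashed DC, e.g. LabDC1
        [Parameter(Mandatory)][string]$SurvivingDC   # DC that takes the roles, e.g. LabDC2
    )
    # Guard only: a ping reply proves the host is up; silence does not prove it is dead.
    # Seizing from a DC that is still alive is how two DCs end up owning the same role
    # (overlapping RID pools and worse, as the KB 255504 note quoted above warns).
    if (Test-Connection -ComputerName $DeadDC -Count 1 -Quiet) {
        throw "$DeadDC still answers; transfer the roles gracefully instead of seizing."
    }
    # Read the current fsmoRoleOwner view from the surviving DC, not the local replica.
    $forest = Get-ADForest -Server $SurvivingDC
    $domain = Get-ADDomain -Server $SurvivingDC
    $holders = @{
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
        PDCEmulator = $domain.PDCEmulator;   RIDMaster = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $dead  = ($DeadDC -split '\.')[0]
    $roles = @($holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -ieq $dead })
    if ($roles.Count -eq 0) { Write-Verbose "$DeadDC holds no FSMO role"; return @() }

    if ($PSCmdlet.ShouldProcess($SurvivingDC, "SEIZE $($roles -join ', ') from $DeadDC")) {
        # -Force makes the cmdlet seize (rewrite fsmoRoleOwner on the surviving DC)
        # when the current holder cannot be contacted for a graceful transfer.
        Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDC `
            -OperationMasterRole $roles -Force -Confirm:$false
    }
    return $roles
}

function Remove-DeadDCMetadata {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DeadDC,
        [Parameter(Mandatory)][string]$SurvivingDC
    )
    $dead = ($DeadDC -split '\.')[0]
    # The DC's server object lives under CN=Sites in the configuration partition.
    $cfg = (Get-ADRootDSE -Server $SurvivingDC).configurationNamingContext
    $srv = Get-ADObject -Server $SurvivingDC -SearchBase $cfg `
        -Filter "objectClass -eq 'server' -and name -eq '$dead'"
    if (-not $srv) { throw "No server object named $dead found under $cfg" }
    if ($PSCmdlet.ShouldProcess($srv.DistinguishedName, 'ntdsutil metadata cleanup')) {
        # The ntdsutil metadata cleanup the quoted KB text refers to, in its
        # one-line command form (Windows Server 2008 and later).
        & ntdsutil.exe 'metadata cleanup' "remove selected server $($srv.DistinguishedName)" quit quit
    }
}

# Usage on LabDC2 after LabDC1 is gone for good (names assumed); both functions
# prompt before acting because ConfirmImpact is High.
$seized = Invoke-FsmoSeizure -DeadDC 'LabDC1' -SurvivingDC 'LabDC2' -Verbose
"Seized onto LabDC2: $($seized -join ', ')"
Remove-DeadDCMetadata -DeadDC 'LabDC1' -SurvivingDC 'LabDC2'
```

The reachability check is a sanity guard, not a liveness proof; the real rule is the one in the KB quote above: once the roles are seized, the old holder is rebuilt or forcibly demoted on an isolated network and never allowed to replicate with the forest again.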

  3. Pete Says:

    Explains exactly what I’ve been looking for without luck until now: What happens to DNS if you demote a DC with the DNS server & does a demotion on 2012 automatically recreate the FSMO roles to another server.

    Is FSMO a term no longer used in 2012? Is it now Operations Masters?
    Why “It is really best to transfer any FSMO roles before demoting a DC.”?

    Thanks,

    • Carl Webster Says:

      FSMO is the term used since the beginning of AD.
      It is best to manually transfer roles that way you decide what domain controller has the role and not a randomly picked DC.

      Webster

  4. Olivier Says:

    Hi,

    Thank you for this article. I’m asking about FSMO role behaviour in another situation: I have 4 DCs and they are working properly. If 1 DC hosting FSMO roles crashed for a few days, will the FSMO roles be automatically transferred to another DC, or will the FSMO roles be unavailable until I transfer the role?
    I’m working on Windows 2012 R2.

    Thank you,

    Regards,

    Olivier

    • Carl Webster Says:

      If a DC crashes, FSMO roles are not automatically transferred. If the crashed DC holds the PDCe role, you will be in for some headaches if that DC is down for a few days.

      Webster

  5. Zach Says:

    Hi Carl,

    I’ve started work at a company where it looks like the FSMO roles are on a server that crashed several months ago. Running “netdom query fsmo” shows all roles as living on the crashed server… but authentication is continuing to work, as well as new account creation, etc.

    Something doesn’t seem right, but I believe 4 months is long enough for lack of any active FSMO roles to have bitten them…but it hasn’t yet…I’m sure it is a matter of time, but after this long, is there any fear in seizing these roles from an active server? If the FSMO server is not online, where are these accounts and permissions being stored? Will seizing the roles unravel this unnatural (but functioning) environment?

    • Carl Webster Says:

      I would have no fear in seizing the roles. A FSMO role holder is not the only domain controller that stores accounts and permissions. FSMO roles are just roles that perform specific domain and/or forest level functions. Read this article:

      https://technet.microsoft.com/en-us/library/cc780487(WS.10).aspx

      There have obviously been no schema changes or domains added to the forest during this time.

      I would be digging into the event logs on all your DCs.

      If you need help, I am available for hire to help you out. 🙂

      Thanks

      Webster

  6. bjarnebo Says:

    Very fine test Webster, thank you.
    In the case that you do not demote LABDC1 (Win2008 R2 env.) but it crashes and does not come up again, do you know if any FSMO roles are automatically transferred, or if it is necessary to manually seize all the FSMO roles?
    Am I so lucky that you have tested such a situation… Appreciate your input, thanks.

    • Carl Webster Says:

      FSMO roles are never automatically transferred in a crash. For a crash scenario where the crashed DC will not or cannot be brought back online, then you will have to seize the FSMO roles the crashed DC held.

      Thanks

      Webster

  7. Scott Says:

    Nice article, thanks for making the effort, makes it very clear

  8. Alukay Says:

    Thank you, this article is helpful.

  9. Venkat Says:

    Carl, this article is awesome. I would like to add one line here. When we run DCPromo without transferring FSMO roles, an API called “GiveAwayAllFsmoRoles” is written and is triggered to a nearby DC. That is how an available DC gets the FSMO roles automatically.
