Carl Webster Accessibility Statement

Carl Webster is committed to facilitating the accessibility and usability of its website, carlwebster.com, for everyone. Carl Webster aims to comply with all applicable standards, including the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 up to Level AA (WCAG 2.0 AA). Carl Webster is proud of the efforts that we have completed and that are in-progress to ensure that our website is accessible to everyone.

If you experience any difficulty in accessing any part of this website, please feel free to email us at info@carlwebster.com and we will work with you to provide the information or service you seek through an alternate communication method that is accessible for you consistent with applicable law (for example, through telephone support).

  • What Happens to the FSMO Roles When the Domain Controller That Holds Them is Demoted

    August 7, 2013

    Active Directory, Server 2012

    At Briforum 2013 Chicago, after my session on More Things in AD…, someone asked me a question.  The question was “What happens to the FSMO roles when the domain controller that holds them is demoted and is no longer a domain controller?”  The person asking the question was wondering, in an emergency, if a  domain controller (DC) must be quickly demoted and it is unknown if the DC holds any FSMO roles, what happens?  I gave the answer and this article is to show proof my answer was correct because the asker gave me a puzzled look.  Kind of looking at me asking “Are you sure?”

    In my lab, I created five different WebstersLab.com domains.  Obviously, only one WebstersLab.com domain was powered on at a time.  The first four labs have three domain controllers: LabDC1, LabDC2, and LabDC3.  The fifth lab had an additional LabDC4 DC.  In all five labs, LabDC1 holds all five FSMO roles.

    Note: FSMO – Flexible Single-Master Operations, see http://technet.microsoft.com/en-us/library/cc961936.aspx

    The following domains were created:

    • 2012 with Forest Functional Level (FFL) and Domain Function Level (DFL) set to 2012.
    • 2008 R2 with FFL and DFL of 2008 R2.
    • 2008 with FFL and DFL of 2008.
    • 2003 R2 with FFL and DFL of  2003.
    • Mixed with a 2003 DC, 2008 DC, 2008 R2 DC, and a 2012 DC.  FFL and DFL were set to 2003.

    All servers in all labs had all Windows Updates as of 05-AUG-2013.

    Because I knew that LabDC1 was going to go through several demotion and promotions for this article, all DCs have the following set for their DNS IP settings:

    • Primary:               LabDC2
    • Secondary:         LabDC3
    • Tertiary:               Loopback

    Windows Server 2012

    How do you find which domain controller has which FSMO role?  From a PowerShell session or Windows Command Prompt, run the following command as shown in Figure 1:

    netdom query fsmo
    
    Figure 1
    Figure 1

    Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

    From a PowerShell session on LabDC1, run the following command:

    Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true
    

    Note: The DemoteOperationMasterRole:$true indicates that forced demotion should continue even if an operations master role is discovered on the domain controller from which AD DS is being removed.

    Enter and confirm the password for the Local Administrator account and the demotion process runs as shown in Figure 2.

    Figure 2
    Figure 2

    Once the demoted domain controller restarts (or from one of the remaining DCs), from a PowerShell session or Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 3.

    Figure 3
    Figure 3

    Windows Server 2008 R2

    How do you find which domain controller has which FSMO role?  From a PowerShell session or Windows Command Prompt, run the following command as shown in Figure 4:

    netdom query fsmo
    
    Figure 4
    Figure 4

    Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

    Click Start, Run type in dcpromo, and press Enter (Figure 5).

    Figure 5
    Figure 5

    Proceed through the Active Directory Domain Services Installation Wizard and click Next (Figure 6).

    Figure 6
    Figure 6

    Once the demoted domain controller restarts (or from one of the remaining DCs), from a PowerShell session or Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 7.

    Figure 7
    Figure 7

    Windows Server 2008

    How do you find which domain controller has which FSMO role?  From a Windows Command Prompt, run the following command as shown in Figure 8:

    netdom query fsmo
    
    Figure 8
    Figure 8

    Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

    Click Start, Run type in dcpromo, and press Enter (Figure 9).

    Figure 9
    Figure 9

    Proceed through the Active Directory Domain Services Installation Wizard and click Next (Figure 10).

    Figure 10
    Figure 10

    Once the demoted domain controller restarts (or from one of the remaining DCs), from a Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 11.

    Figure 11
    Figure 11

    Windows Server 2003 R2

    How do you find which domain controller has which FSMO role?  First, the Windows Support Tools must be installed.  Then from a Windows Command Prompt, run the following command as shown in Figure 12:

    netdom query fsmo
    
    Figure 12
    Figure 12

    Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

    Click Start, Run type in dcpromo, and press Enter (Figure 13).

    Figure 13
    Figure 13

    Proceed through the Active Directory Installation Wizard and click Next (Figure 14).

    Figure 14
    Figure 14

    Once the demoted domain controller restarts (or from one of the remaining DCs), from a Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 15.

    Figure 15
    Figure 15

    One More Just for the Heck of it

    Just out of my own curiosity, I wanted to see what would happen in a mixed environment with four different Windows Server operating systems with each set as a domain controller.

    LabDC1 running Windows Server 2003 R2 was installed first and the DFL and FFL were upgraded to Windows Server 2003.  Because LabDC1 was installed first, it is the Forest Root domain controller and holds all five FSMO roles as shown in the screen capture from LabDC4 (Figure 16).

    Figure 16
    Figure 16

    The remaining domain controllers were installed in the following order:

    • LabDC2 (Windows Server 2008)
    • LabDC3 (Windows Server 2008 R2)
    • LabDC4 (Windows Server 2012)

    Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

    Click Start, Run type in dcpromo, and press Enter (Figure 17).

    Figure 17
    Figure 17

    Proceed through the Active Directory Installation Wizard and click Next (Figure 18).

    Figure 18
    Figure 18

    Once the demoted domain controller restarts (or from one of the remaining DCs), from a Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 19.

    Figure 19
    Figure 19

    I was hoping the FSMO roles would wind up on LabDC4 since it is the most current Windows Server version.

    Conclusion

    There are a few points I want to make.

    1. If all your DCs and your Active Directory (AD) are healthy, a demotion of a DC that holds any or all FSMO roles should automatically transfer the FSMO roles to another DC.
    2. You have NO control over which DC receives the FSMO role or roles held by the demoted DC.
    3. If the demoted DC was running AD-Integrated DNS and any computers were pointing to it for DNS, those computers need to be reconfigured to point to another DNS server.
    4. It is really best to transfer any FSMO roles before demoting a DC.

    What happens if there are issues with one or more DCs and or there are issues with AD?  The following error message is returned during the demotion process:

    “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

    If you receive this error message, Philip Elder SBS MVP has an article with several links to help get the underlying issue resolved.  Please see AD DS Operation Failed – directory service is missing mandatory configuration – Event ID 2091 – FSMO Role Broken.

    I know my labs were very simple and it is rare to find a very simple AD environment or one that is perfectly healthy so it is possible there may be issues involved in the process.  My point in spending 25 hours building all these labs and writing this article is to prove that an automatic transfer of FSMO roles works all the way back to Windows Server 2003 and if AD is healthy, the process just works.

    My answer to the person who asked the question at Briforum was that if everything works as it should when a DC is demoted any FSMO roles it held should be transferred to another DC.

    Thanks

    Webster







    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

    View all posts by Carl Webster

    22 Responses to “What Happens to the FSMO Roles When the Domain Controller That Holds Them is Demoted”

    1. Arden Says:

      I saw this article very helpful and I have a situation similar to this but not exactly.
      If you could help please.

      I have cloned a DC 2008 R2 from VMWare to Hyper-V and I have to demote it first then promote as a DC.
      The only FSMO role that this DC has is the PDC and the rest of them we have them are running from our AWS DC.
      Before I proceed with the demote and then promote I would like to have some advice from a professional like you.
      What are the risks and steps that I should be more concerned ?

      Thank you.
      Arden.

      Reply

      • Carl Webster Says:

        I would never clone a DC. Build a new VM and promote it to a DC and then demote the original.

        I would transfer the PDCe FSMO role first in your scenario you described.

        If you have only one domain, the infrastructure master and domain naming master FSMO roles do nothing.

        Thanks

        Reply

    2. Shafiul azam Says:

      Dear Sir,
      when i am migration windows server 2003 to windows server 2016 its complete but problem is below .

      a) Name Resolution/Network Connectivity to the current domain controller.
      b) File Replication Service Latency (a file created on another domain controller
      has not replicated to the current domain controller).
      c) The Distributed File System (DFS) client has been disabled.
      To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
      rom the command line to access information about Group Policy results.

      In this regard i need your help /suggestion what can i do now. If possible reply as soon as possible

      Reply

      • Carl Webster Says:

        You can’t migrate from Windows Server 2003 to Server 2016.
        You can’t bring up a 2016 domain controller if there is a 2003 domain controller in AD.

        Webster

        Reply

    3. wanh Says:

      i have a beside question, if the DC which holes roles suddenly down then what happen to the roles? if they could be transferred automatically to my ADC or not? And if not, is there a method which can help ADC realizes the problem itself and becomes the PDC automatically. thanks alot.

      Reply

      • Carl Webster Says:

        When a DC crashes or is lost in any way, the FSMO roles are still tied to that server. Look up “FSMO Role seizure” to see the process for forcing the FSMO roles to be given to another DC. Once you have seized the FSMO roles, the original DC should NEVER be brought back on the network or the domain.

        Webster

        Reply

    4. Aaron Brown Says:

      hello Carl,

      I hope you get this but I have a few questions.

      I’ve been writing up a document to transfer our FSMO roles from windows 2003 to another server we’ve revived with server 2012 R2.

      Our current IP set on what we’ll call server A (has a ip of .2. THe dns has .3 (backup DC we’ll call server B) the second DNS is the loopback IP address.

      IP: 192.168.1.2
      DNS: 192.168.1.3 (from Backup DC Server)
      DNS2: 127.0.0.1

      My manager wanted to know if we can keep the same IP on the new server and if this was possible. I also wanted to know if this needs to be done after we transfer the FSMO roles over.

      The IP of the server running server 2012 would be a .6. All workstation in the office has their DNS set to 192.168.1.2 and 192.168.1.3. Rather than having to reconfigure their DNS IP, can we set the new server up with the same .2 ip address as the old server and change the iP of the old to a different IP?

      This would save us a lot of time if this was possible.

      Thanks.

      Reply

      • Carl Webster Says:

        Sure. Change the IP, and either restart the netlogon service or restart the server. Personally, I prefer to restart the server for a “just to make sure of all things” good feeling.

        Webster

        Reply

    5. Julio Says:

      Hi,
      Very well explained article.
      I have a doubt.
      If a DC that holds all the FSMO roles crashed, the seize is the only alternative to work with.
      But How exactly the seize works, I mean, if a DC holds the FSMO roles, schema, GC, PDC, etc, and crashed, how the seize procedure obtains the info to allow another DC to hold the FSMO roles.
      Thanks.

      Reply

      • Carl Webster Says:

        https://support.microsoft.com/en-us/kb/255504

        Explains the process with the very important note:

        A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

        How it is done:

        https://support.microsoft.com/en-us/kb/223787

        When the administrator seizes an FSMO role from an existing computer, the “fsmoRoleOwner” attribute is modified on the object that represents the root of the data directly bypassing synchronization of the data and graceful transfer of the role. The “fsmoRoleOwner” attribute of each of the following objects is written with the Distinguished Name (DN) of the NTDS Settings object (the data in the Active Directory that defines a computer as a domain controller) of the domain controller that is taking ownership of that role. As replication of this change starts to spread, other domain controllers learn of the FSMO role change.

        Hope this helps.

        Webster

        Reply

    6. Pete Says:

      Explains exactly what I’ve been looking for without luck until now: What happens to DNS if you demote a DC with the DNS server & does a demotion on 2012 automatically recreate the FSMO roles to another server.

      Is FSMO a term no longer used in 2012? Is it now Operations Masters?
      Why “It is really best to transfer any FSMO roles before demoting a DC.”?

      Thanks,

      Reply

      • Carl Webster Says:

        FSMO is the term used since the beginning of AD.
        It is best to manually transfer roles that way you decide what domain controller has the role and not a randomly picked DC.

        Webster

        Reply

    7. Olivier Says:

      Hi,

      Thank you for this article. I’m asking FSMO role comportement in another situation : I have 4 DCs and they are working properly. If 1 DCs hosting FSMO role crashed for few days, does FMSO role will be automaticaly transfered to another DC or does the FSMO role will be unavailable until I transfert the role ?
      I’m working on Windows 2012R2.

      Thank you,

      Regards,

      Olivier

      Reply

      • Carl Webster Says:

        If a DC crashes, FSMO roles are not automatically transferred. If the crashed DC holds the PDCe role, you will be in for some headaches if that DC is down for a few days.

        Webster

        Reply

    8. Zach Says:

      Hi Carl,

      I’ve started work at a company where it looks like the FSMO roles are on a server that crashed several months ago. Running “netdom query fsmo” shows all roles on as living on the crashed server…but authentication is continuing to work as well as new account creation, etc…

      Something doesn’t seem right, but I believe 4 months is long enough for lack of any active FSMO roles to have bitten them…but it hasn’t yet…I’m sure it is a matter of time, but after this long, is there any fear in seizing these roles from an active server? If the FSMO server is not online, where are these accounts and permissions being stored? Will seizing the roles unravel this unnatural (but functioning) environment?

      Reply

      • Carl Webster Says:

        I would have no fear in seizing the roles. A FSMO role holder is not the only domain controller that stores accounts and permissions. FSMO role are just roles that perform specific domain and or forest level functions. Read this article:

        https://technet.microsoft.com/en-us/library/cc780487(WS.10).aspx

        There have obviously been no schema changes or domains added to the forest during this time.

        I would be digging into the event logs on all your DCs.

        If you need help, I am available for hire to help you out. 🙂

        Thanks

        Webster

        Reply

    9. bjarnebo Says:

      Very fine test Webster, thank you.
      In the case that you do not demote LABDC1 (Win2008 R2 env.) but it crashes and do not get up again, do you know if any FSMO roles are automatically transferred or it is needed to manually seize all the FSMO roles?
      Am I so lucky that you have tested such a situation… Appreciate your input, thanks.

      Reply

      • Carl Webster Says:

        FSMO roles are never automatically transferred in a crash. For a crash scenario where the crashed DC will not or cannot be brought back online, then you will have to seize the FSMO roles the crashed DC held.

        Thanks

        Webster

        Reply

    10. Scott Says:

      Nice article, thanks for making the effort, makes it very clear

      Reply

    11. Alukay Says:

      Thank you this article is helpful.

      Reply

    12. Venkat Says:

      Carl, this article is awesome. I would like to add one line here. When we run DCPromo without transferring FSMO roles, an API called “GiveAwayAllFsmoRoles” is written and is triggered to near by DC. That is how available DC gets FSMO roles automatically.

      Reply

    Leave a Reply