What Happens to the FSMO Roles When the Domain Controller That Holds Them is Demoted

At Briforum 2013 Chicago, after my session on More Things in AD…, someone asked me a question: “What happens to the FSMO roles when the domain controller that holds them is demoted and is no longer a domain controller?”  The person asking was wondering what happens if, in an emergency, a domain controller (DC) must be quickly demoted and it is unknown whether that DC holds any FSMO roles.  I gave my answer, and the asker gave me a puzzled look, as if to ask “Are you sure?”  This article is the proof that my answer was correct.

In my lab, I created five different WebstersLab.com domains.  Obviously, only one WebstersLab.com domain was powered on at a time.  The first four labs had three domain controllers: LabDC1, LabDC2, and LabDC3.  The fifth lab had an additional DC, LabDC4.  In all five labs, LabDC1 held all five FSMO roles.

Note: FSMO – Flexible Single-Master Operations, see http://technet.microsoft.com/en-us/library/cc961936.aspx

The following domains were created:

  • 2012 with Forest Functional Level (FFL) and Domain Functional Level (DFL) set to 2012.
  • 2008 R2 with FFL and DFL of 2008 R2.
  • 2008 with FFL and DFL of 2008.
  • 2003 R2 with FFL and DFL of 2003.
  • Mixed with a 2003 DC, 2008 DC, 2008 R2 DC, and a 2012 DC.  FFL and DFL were set to 2003.

All servers in all labs had all Windows Updates as of 05-AUG-2013.

Because I knew that LabDC1 was going to go through several demotions and promotions for this article, all DCs had their DNS server settings configured as follows:

  • Primary: LabDC2
  • Secondary: LabDC3
  • Tertiary: Loopback

Windows Server 2012

How do you find which domain controller has which FSMO role?  From a PowerShell session or Windows Command Prompt, run the following command as shown in Figure 1:

netdom query fsmo

Figure 1

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

From a PowerShell session on LabDC1, run the following command:

Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true

Note: -DemoteOperationMasterRole:$true indicates that the forced demotion should continue even if an operations master role is discovered on the domain controller from which AD DS is being removed.

Enter and confirm the password for the Local Administrator account and the demotion process runs as shown in Figure 2.

Figure 2

Once the demoted domain controller restarts (or from one of the remaining DCs), from a PowerShell session or Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 3.

Figure 3

Windows Server 2008 R2

How do you find which domain controller has which FSMO role?  From a PowerShell session or Windows Command Prompt, run the following command as shown in Figure 4:

netdom query fsmo

Figure 4

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, Run, type in dcpromo, and press Enter (Figure 5).

Figure 5

Proceed through the Active Directory Domain Services Installation Wizard and click Next (Figure 6).

Figure 6

Once the demoted domain controller restarts (or from one of the remaining DCs), from a PowerShell session or Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 7.

Figure 7

Windows Server 2008

How do you find which domain controller has which FSMO role?  From a Windows Command Prompt, run the following command as shown in Figure 8:

netdom query fsmo

Figure 8

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, Run, type in dcpromo, and press Enter (Figure 9).

Figure 9

Proceed through the Active Directory Domain Services Installation Wizard and click Next (Figure 10).

Figure 10

Once the demoted domain controller restarts (or from one of the remaining DCs), from a Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 11.

Figure 11

Windows Server 2003 R2

How do you find which domain controller has which FSMO role?  First, the Windows Support Tools must be installed.  Then from a Windows Command Prompt, run the following command as shown in Figure 12:

netdom query fsmo

Figure 12

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, Run, type in dcpromo, and press Enter (Figure 13).

Figure 13

Proceed through the Active Directory Installation Wizard and click Next (Figure 14).

Figure 14

Once the demoted domain controller restarts (or from one of the remaining DCs), from a Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 15.

Figure 15

One More Just for the Heck of it

Just out of my own curiosity, I wanted to see what would happen in a mixed environment with four different Windows Server operating systems with each set as a domain controller.

LabDC1 running Windows Server 2003 R2 was installed first and the DFL and FFL were upgraded to Windows Server 2003.  Because LabDC1 was installed first, it is the Forest Root domain controller and holds all five FSMO roles as shown in the screen capture from LabDC4 (Figure 16).

Figure 16

The remaining domain controllers were installed in the following order:

  • LabDC2 (Windows Server 2008)
  • LabDC3 (Windows Server 2008 R2)
  • LabDC4 (Windows Server 2012)

Since LabDC1 holds all five FSMO roles, what happens when it is demoted?

Click Start, Run, type in dcpromo, and press Enter (Figure 17).

Figure 17

Proceed through the Active Directory Installation Wizard and click Next (Figure 18).

Figure 18

Once the demoted domain controller restarts (or from one of the remaining DCs), from a Windows Command Prompt, rerun the netdom query fsmo command as shown in Figure 19.

Figure 19

I was hoping the FSMO roles would wind up on LabDC4 since it is the most current Windows Server version.

Conclusion

There are a few points I want to make.

  1. If all your DCs and your Active Directory (AD) are healthy, a demotion of a DC that holds any or all FSMO roles should automatically transfer the FSMO roles to another DC.
  2. You have NO control over which DC receives the FSMO role or roles held by the demoted DC.
  3. If the demoted DC was running AD-Integrated DNS and any computers were pointing to it for DNS, those computers need to be reconfigured to point to another DNS server.
  4. It is really best to transfer any FSMO roles before demoting a DC.

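As an added example (not code from the original article), here is the pre-demotion transfer that points 2 and 4 recommend, scripted for the Windows Server 2012 lab above: it finds which of the five roles the local DC holds, moves them to a DC you name, verifies the move, and only then runs the same Uninstall-ADDSDomainController command. It assumes the ActiveDirectory PowerShell module is available, that LabDC2.WebstersLab.com is a placeholder for the DC you choose, and that the two function names are mine.

```powershell
# Added example, not code from the original article: before demoting a DC,
# move any FSMO roles it holds to a DC of YOUR choosing (the article's points
# 2 and 4), verify the move, and only then demote. Assumes the ActiveDirectory
# module is available and that LabDC2.WebstersLab.com is the chosen target.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # The same five roles "netdom query fsmo" lists, as role name -> holder FQDN.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesBeforeDemotion {
    param(
        [Parameter(Mandatory)][string]$SourceDC,   # FQDN of the DC about to be demoted
        [Parameter(Mandatory)][string]$TargetDC    # FQDN of the DC that should get its roles
    )
    # Confirm the target is a live DC (catches a typo and a DC that is down).
    $null = Get-ADRootDSE -Server $TargetDC -ErrorAction Stop

    $holders = Get-FsmoRoleHolders
    $toMove  = @($holders.Keys | Where-Object { $holders[$_] -ieq $SourceDC })
    if ($toMove.Count -eq 0) {
        Write-Host "$SourceDC holds no FSMO roles; nothing to transfer."
        return
    }
    Write-Host "Transferring $($toMove -join ', ') from $SourceDC to $TargetDC"
    # Graceful transfer (no -Force): the current holder is online, which is
    # exactly the planned-demotion case. -Force is a seizure, a different procedure.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $toMove -Confirm:$false

    # Re-read the holders and fail loudly if any role stayed on the source.
    $after = Get-FsmoRoleHolders
    $stuck = @($toMove | Where-Object { $after[$_] -ine $TargetDC })
    if ($stuck.Count -gt 0) { throw "Still not on ${TargetDC}: $($stuck -join ', ')" }
    $after.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}

# Run on the DC being demoted (LabDC1 in the article):
$me = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
Move-FsmoRolesBeforeDemotion -SourceDC $me -TargetDC 'LabDC2.WebstersLab.com'

# Only once the roles are confirmed elsewhere, demote as the article does:
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true `
    -LocalAdministratorPassword (Read-Host 'Local Administrator password' -AsSecureString)
```

After the demoted server restarts, netdom query fsmo on a remaining DC should list the target you chose rather than a DC picked for you.
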
What happens if there are issues with one or more DCs and/or with AD?  The following error message is returned during the demotion process:

“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

If you receive this error message, Philip Elder, SBS MVP, has an article with several links to help get the underlying issue resolved.  Please see AD DS Operation Failed – directory service is missing mandatory configuration – Event ID 2091 – FSMO Role Broken.

I know my labs were very simple, and it is rare to find a very simple AD environment or one that is perfectly healthy, so it is possible there may be issues in the process.  My point in spending 25 hours building all these labs and writing this article is to prove that the automatic transfer of FSMO roles works all the way back to Windows Server 2003: if AD is healthy, the process just works.

My answer to the person who asked the question at Briforum was that, if everything works as it should, when a DC is demoted any FSMO roles it held should be transferred to another DC.

Thanks

Webster

22 Comments

  1. Arden

    I found this article very helpful and I have a situation similar to this but not exactly.
    If you could help please.

    I have cloned a DC 2008 R2 from VMware to Hyper-V and I have to demote it first then promote it as a DC.
    The only FSMO role that this DC has is the PDC; the rest of them are running from our AWS DC.
    Before I proceed with the demote and then promote I would like to have some advice from a professional like you.
    What are the risks and steps that I should be more concerned about?

    Thank you.
    Arden.

    • Carl Webster

      I would never clone a DC. Build a new VM and promote it to a DC and then demote the original.

      I would transfer the PDCe FSMO role first in the scenario you described.

      If you have only one domain, the infrastructure master and domain naming master FSMO roles do nothing.

      Thanks

  2. Shafiul azam

    Dear Sir,
    When I migrated Windows Server 2003 to Windows Server 2016 it completed, but the problem is below.

    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller
    has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    In this regard I need your help/suggestion on what I can do now. If possible, reply as soon as possible.

    • Carl Webster

      You can’t migrate from Windows Server 2003 to Server 2016.
      You can’t bring up a 2016 domain controller if there is a 2003 domain controller in AD.

      Webster

  3. wanh

    I have a side question: if the DC which holds the roles suddenly goes down, then what happens to the roles? Could they be transferred automatically to my ADC or not? And if not, is there a method which can help the ADC realize the problem itself and become the PDC automatically? Thanks a lot.

    • Carl Webster

      When a DC crashes or is lost in any way, the FSMO roles are still tied to that server. Look up “FSMO Role seizure” to see the process for forcing the FSMO roles to be given to another DC. Once you have seized the FSMO roles, the original DC should NEVER be brought back on the network or the domain.

      Webster

  4. Aaron Brown

    hello Carl,

    I hope you get this but I have a few questions.

    I’ve been writing up a document to transfer our FSMO roles from windows 2003 to another server we’ve revived with server 2012 R2.

    Our current IP set on what we’ll call server A has an IP of .2. The DNS has .3 (backup DC we’ll call server B); the second DNS is the loopback IP address.

    IP: 192.168.1.2
    DNS: 192.168.1.3 (from Backup DC Server)
    DNS2: 127.0.0.1

    My manager wanted to know if we can keep the same IP on the new server and if this was possible. I also wanted to know if this needs to be done after we transfer the FSMO roles over.

    The IP of the server running Server 2012 would be a .6. All workstations in the office have their DNS set to 192.168.1.2 and 192.168.1.3. Rather than having to reconfigure their DNS IP, can we set the new server up with the same .2 IP address as the old server and change the IP of the old to a different IP?

    This would save us a lot of time if this was possible.

    Thanks.

    • Carl Webster

      Sure. Change the IP, and either restart the netlogon service or restart the server. Personally, I prefer to restart the server for a “just to make sure of all things” good feeling.

      Webster

  5. Julio

    Hi,
    Very well explained article.
    I have a doubt.
    If a DC that holds all the FSMO roles crashed, the seize is the only alternative to work with.
    But how exactly does the seize work? I mean, if a DC holds the FSMO roles (schema, GC, PDC, etc.) and crashed, how does the seize procedure obtain the info to allow another DC to hold the FSMO roles?
    Thanks.

    • Carl Webster

      https://support.microsoft.com/en-us/kb/255504

      Explains the process with the very important note:

      A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

      How it is done:

      https://support.microsoft.com/en-us/kb/223787

      When the administrator seizes an FSMO role from an existing computer, the “fsmoRoleOwner” attribute is modified on the object that represents the root of the data directly bypassing synchronization of the data and graceful transfer of the role. The “fsmoRoleOwner” attribute of each of the following objects is written with the Distinguished Name (DN) of the NTDS Settings object (the data in the Active Directory that defines a computer as a domain controller) of the domain controller that is taking ownership of that role. As replication of this change starts to spread, other domain controllers learn of the FSMO role change.

      Hope this helps.

      Webster

  6. Pete

    Explains exactly what I’ve been looking for without luck until now: What happens to DNS if you demote a DC with the DNS server & does a demotion on 2012 automatically recreate the FSMO roles to another server.

    Is FSMO a term no longer used in 2012? Is it now Operations Masters?
    Why “It is really best to transfer any FSMO roles before demoting a DC.”?

    Thanks,

    • Carl Webster

      FSMO is the term used since the beginning of AD.
      It is best to manually transfer roles; that way you decide which domain controller has the role and not a randomly picked DC.

      Webster

  7. Olivier

    Hi,

    Thank you for this article. I’m asking about FSMO role behaviour in another situation: I have 4 DCs and they are working properly. If 1 DC hosting an FSMO role crashed for a few days, will the FSMO role be automatically transferred to another DC, or will the FSMO role be unavailable until I transfer the role?
    I’m working on Windows 2012R2.

    Thank you,

    Regards,

    Olivier

    • Carl Webster

      If a DC crashes, FSMO roles are not automatically transferred. If the crashed DC holds the PDCe role, you will be in for some headaches if that DC is down for a few days.

      Webster

      • Olivier

        Thank you very much for your response !
        Olivier

  8. Zach

    Hi Carl,

    I’ve started work at a company where it looks like the FSMO roles are on a server that crashed several months ago. Running “netdom query fsmo” shows all roles as living on the crashed server…but authentication is continuing to work as well as new account creation, etc…

    Something doesn’t seem right, but I believe 4 months is long enough for lack of any active FSMO roles to have bitten them…but it hasn’t yet…I’m sure it is a matter of time, but after this long, is there any fear in seizing these roles from an active server? If the FSMO server is not online, where are these accounts and permissions being stored? Will seizing the roles unravel this unnatural (but functioning) environment?

    • Carl Webster

      I would have no fear in seizing the roles. A FSMO role holder is not the only domain controller that stores accounts and permissions. FSMO roles are just roles that perform specific domain and/or forest level functions. Read this article:

      https://technet.microsoft.com/en-us/library/cc780487(WS.10).aspx

      There have obviously been no schema changes or domains added to the forest during this time.

      I would be digging into the event logs on all your DCs.

      If you need help, I am available for hire to help you out. 🙂

      Thanks

      Webster

  9. bjarnebo

    Very fine test Webster, thank you.
    In the case that you do not demote LABDC1 (Win2008 R2 env.) but it crashes and does not get up again, do you know if any FSMO roles are automatically transferred or whether it is needed to manually seize all the FSMO roles?
    Am I so lucky that you have tested such a situation… Appreciate your input, thanks.

    • Carl Webster

      FSMO roles are never automatically transferred in a crash. For a crash scenario where the crashed DC will not or cannot be brought back online, you will have to seize the FSMO roles the crashed DC held.

      Thanks

      Webster
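
For the crash case raised by Zach and bjarnebo above, here is an added example (mine, not from the article or the comments) that checks whether each FSMO role's listed holder still answers an LDAP bind, which is the check that separates a role you can transfer from one that would have to be seized. It assumes the ActiveDirectory PowerShell module; the function name is mine.

```powershell
# Added example, not part of the comment thread: for the crash case asked about
# above, check whether each FSMO role's holder still answers LDAP. Every
# surviving DC keeps listing the crashed holder, so "netdom query fsmo" alone
# cannot tell you the holder is gone. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
        PDCEmulator  = $domain.PDCEmulator;  RIDMaster = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        try {
            # Bind to the holder itself, not to whichever DC we happen to be on.
            $null  = Get-ADRootDSE -Server $holder -ErrorAction Stop
            $state = 'online'
        } catch {
            $state = 'UNREACHABLE'
        }
        [pscustomobject]@{ Role = $role; Holder = $holder; State = $state }
    }
}

$report = Test-FsmoRoleHolders
$report | Format-Table -AutoSize
$lost = @($report | Where-Object { $_.State -eq 'UNREACHABLE' })
if ($lost.Count -gt 0) {
    Write-Warning "Held by an unreachable DC: $(($lost | ForEach-Object Role) -join ', ')"
    # A graceful transfer needs the current holder online; if it is never coming
    # back, the documented recovery is a seizure onto a live DC (KB255504, KB223787):
    #   Move-ADDirectoryServerOperationMasterRole -Identity <LiveDC> -OperationMasterRole <roles> -Force
    # followed by metadata cleanup so the old holder can never rejoin the forest.
}
```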

  10. Scott

    Nice article, thanks for making the effort, makes it very clear

  11. Alukay

    Thank you this article is helpful.

  12. Venkat

    Carl, this article is awesome. I would like to add one line here. When we run DCPromo without transferring FSMO roles, an API called “GiveAwayAllFsmoRoles” is written and is triggered to a nearby DC. That is how an available DC gets the FSMO roles automatically.
