Alright, so I think at some point every SysAdmin will have a domain controller fail. Every SysAdmin should also know that unless you run dcpromo.exe to demote a domain controller before removing it from AD, you can have some issues. From FSMO to DFRS, it’s just not a good situation. Here is a summary guide on how to clean up AD after one of your Domain Controllers fails. Also, this looks long, but it’s all very simple; putting it into step-by-step form just drags it out, so no worries, this should be about a 30 minute process.
USE CAUTION: Improperly using ntdsutil may result in partial or complete loss of Active Directory functionality… Don’t go exploring without doing your research.
STEP 1:
Finding Current FSMO Role Masters
First, we need to know whether that particular server was holding any of the FSMO roles. To check this, we have a couple of options: either via the GUI (1) or via ntdsutil (2). Personally, I prefer to do it via ntdsutil, as I always feel that there is more power in the command line. Also, I just hate using a mouse. There are other options, but these two are all that I will cover in this post. For more, you can look into the “netdom” or “replmon” tools from Microsoft; these are not included in Windows by default, so I will overlook them for now. (NOTE: For this, I definitely recommend ntdsutil, as in Step 2 I will expect it to already be open and connected. The GUI method is more for information.)
Method 1:
Open AD Users and Computers.
Right-click the name of the domain you want to look at, then select Operations Masters.

From this view, you can determine the current Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles.
Now, open AD Domains and Trusts,
Right-click Active Directory Domains and Trusts in the nav. pane and go to Operations Masters. This will show you the Domain Naming Master role.
Finally, to find the Schema Master, you will have an extra step: you need to register the Schmmgmt.dll library first.
Go to Start>Run and type:
regsvr32 schmmgmt.dll
Hit Enter; you should see a success message.
Now that should allow you to open a new console, AD Schema. To open it, go to Start>Run and type:
mmc
Hit Enter. Now, in the management console, go to File>Add/Remove Snap-in and click Add. Double-click Active Directory Schema and close the Add/Remove dialog windows.
Now, right-click the AD Schema icon and go to Operations Masters.
Method 2:
To check the FSMO roles via the command line using ntdsutil, we will need to do the following.
Alright, let’s open up a command prompt, then type
ntdsutil
and hit enter.
At the ntdsutil prompt, type
roles
hit enter.
Now you should see a prompt that says “fsmo maintenance”. Type
connections
and hit Enter again. Here you will connect to the server you want to become the FSMO master (localhost works, if that’s what you want). So type:
connect to server <FQDN of server>
and hit Enter again. Now you will leave the server connections prompt and go back to fsmo maintenance. Type:
q
Now we should be back in fsmo maintenance. Type
select operation target
Hit Enter. Then type:
list roles
Once you hit Enter, it should show you the servers that hold each role.

Type “q” to get back to fsmo maintenance, but stay at this screen for the next step.
STEP 2:
Seizing FSMO Roles From Dead Server
OK, so this step is optional, based on the results of your last step. You only need to seize the roles if the FSMO master is no longer operational. To do this step we will use ntdsutil.
Now, we need to seize the roles that are on our dead server. You should know what roles your dead server holds from the last step, so only run this command for those. Remember, I had you connect to the server that will receive the FSMO role(s). A quick way to see the syntax for seizing is to type “?”, which shows you how to transfer/seize; it is basically:
seize <role>
as in:
seize schema master
or for transfers (only to be done if the current master is still live/active)
transfer <role>
To verify the roles transferred (ignore the errors you get at first; you are guaranteed to have one since the current master is unavailable), put in
select operation target
then, the same way we found the masters before:
list roles for connected server
Now we’re almost done: we have transferred the FSMO roles (the biggest potential problem), and just need to clean up the AD metadata and Sites & Services.
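As an added example (not part of the original post), here is how the inventory from Step 1 and the seizure from Step 2 look when scripted in PowerShell with the ActiveDirectory module, which needs RSAT or Server 2008 R2 and later rather than the 2003-era tools used above. The script lists every role holder and the global catalog flag of each DC, works out which roles the failed DC held, refuses to seize while that DC still answers, and seizes only those roles with Move-ADDirectoryServerOperationMasterRole -Force (the cmdlet equivalent of ntdsutil’s seize). The parameter names $DeadDc, $TargetDc and -Seize are my own.

```powershell
# Added example, not from the original post. Scripts Step 1 (find role holders)
# and Step 2 (seize only the roles the dead DC held). Needs the ActiveDirectory
# module (RSAT / Server 2008 R2+). $DeadDc, $TargetDc and -Seize are assumed names.
param(
    [Parameter(Mandatory)] [string] $DeadDc,    # FQDN of the failed DC, e.g. 'dc01.domain.local' (hypothetical)
    [Parameter(Mandatory)] [string] $TargetDc,  # FQDN of the live DC that should receive the roles
    [switch] $Seize                             # without this switch the script only reports
)
Import-Module ActiveDirectory

# Step 1: the two forest-wide roles come from Get-ADForest, the three domain roles
# from Get-ADDomain; this is the same data the Operations Masters dialogs display.
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
'--- FSMO role holders ---'
$holders.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Also note which DCs are global catalogs; a domain with no reachable GC cannot
# authenticate users (the situation discussed in the comments on this post).
'--- Domain controllers ---'
Get-ADDomainController -Filter * | ForEach-Object { '{0,-30} GC={1}' -f $_.HostName, $_.IsGlobalCatalog }

# Which roles does the dead DC hold? Role holders are FQDNs, so compare the FQDN.
$rolesOnDead = @($holders.GetEnumerator() | Where-Object { $_.Value -ieq $DeadDc } | ForEach-Object { $_.Key })
if ($rolesOnDead.Count -eq 0) { "$DeadDc holds no FSMO roles; nothing to seize."; return }
"$DeadDc holds: $($rolesOnDead -join ', ')"

if ($Seize) {
    # Guard: seizing while the old holder can still come back leaves two DCs that both
    # believe they own the role. If it answers, transfer gracefully instead.
    if (Test-Connection -ComputerName $DeadDc -Count 2 -Quiet) {
        throw "$DeadDc still responds; use a transfer (no -Force), not a seizure."
    }
    # -Force makes the cmdlet seize, like ntdsutil 'seize <role>'; without it this is a transfer.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $rolesOnDead -Force -Confirm:$false

    # Verify as in Step 2: re-read the holders, this time from the target DC itself.
    '--- Holders after seizure (read from {0}) ---' -f $TargetDc
    Get-ADForest -Server $TargetDc | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain -Server $TargetDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}
```

Run it once without -Seize to see the report, then with -Seize from the DC that should receive the roles. -Force is what turns a graceful transfer into a seizure, so leave it out when the old holder is still healthy and you only want to transfer, which is the case Step 2 warns about.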
STEP 3:
Metadata Cleanup
For the next step, we will go back to the first ntdsutil prompt. Type “q” and hit Enter until your prompt says “ntdsutil:”. Type
metadata cleanup
hit Enter. You should still be connected to a domain controller, but if you closed ntdsutil and reopened it, you will need to put in
connections
then
connect to server <servername>
then type quit (“q”) to get back to the metadata cleanup prompt. Now we will pick our target for cleanup. Type:
select operation target
At this point, if you only have 1 domain, or only 1 site within the domain you pick, you can skip some steps. Your domain number and site number will be “0” (zero) if there is only one. For the sake of thoroughness, I will show you how to find the index anyway. To find the domain, type:
list domains
Now, find the domain you want to work with, and type:
select domain <number>
Now, we find the site within the domain where the domain controller used to reside. Type:
list sites
Put in the site you want:
select site <number>
To find the servers within that site, type:
list servers in site
Then we will select the inactive server by typing:
select server <number>
Now, type “q” to quit back to the metadata cleanup prompt. The final command to clean up all metadata for that server is:
remove selected
You will receive a warning, but if you’re positive that server is down and will need to be rebuilt, you should be safe to hit Yes. You should get a message saying it was removed successfully. If you receive an error that the object could not be found, it was probably already removed from the domain controller. Open up AD Users and Computers to verify the server is gone from the Domain Controllers OU. Alright, we’re almost done, just another 5 minutes of work at the most.
STEP 4:
Remove The Server From Sites & Services
This will be done via the AD Sites & Services snap-in. Just expand the site where the server was located and delete the object for the failed server. This step is done.
STEP 5:
Remove The Server From DNS
This step depends a lot on how you have your DNS set up. I am assuming the DNS is run on a Windows server, and hopefully a DC. It doesn’t have to be; that’s just how I prefer it. Unfortunately, where I work, the DNS servers are separate and I have no access to them… such a pain. Anyway, open up your DNS Management Console. I hope you know this, but it’s:
Start>Run, type “mmc”, hit Enter. Go to File>Add/Remove Snap-in, hit Add, double-click DNS, Close, Close.
Now, expand the zone where the server used to be (probably Forward Lookup Zones>domain.local) and delete the A record (also called a host record) for the server. Remove the CNAME record in the _msdcs.<root domain of forest> zone in DNS. If you have reverse lookup zones, also remove the server’s PTR record from these zones. If the server is referenced anywhere else, or you are unsure, you might want to check for these now.
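Steps 3 through 5 as one added PowerShell script (again not the post’s own procedure, which is interactive). It assumes the ActiveDirectory and DnsServer modules, i.e. RSAT or Server 2012 and later, and a Windows DNS server as the post assumes. It finds the failed DC’s server object anywhere under CN=Sites (replacing the list domains / list sites / list servers walk), hands that DN to ntdsutil in batch mode for the metadata cleanup, deletes the leftover Sites & Services object, and then removes the A, CNAME, NS and PTR records that point at the dead DC. $DeadDc, $DnsServer, -DryRun and the helper Remove-MatchingRecords are my own names.

```powershell
# Added example, not from the original post: Steps 3-5 run from a live DC. Needs the
# ActiveDirectory and DnsServer modules (RSAT / Server 2012+). $DeadDc, $DnsServer,
# -DryRun and Remove-MatchingRecords are assumed names.
param(
    [Parameter(Mandatory)] [string] $DeadDc,     # FQDN of the failed DC, e.g. 'dc01.domain.local' (hypothetical)
    [string] $DnsServer = $env:COMPUTERNAME,     # DNS server to edit; the post assumes DNS lives on a DC
    [switch] $DryRun                             # report only: -WhatIf on deletions, ntdsutil not run
)
Import-Module ActiveDirectory
Import-Module DnsServer

$shortName = $DeadDc.Split('.')[0]
$domainDns = (Get-ADDomain).DNSRoot
$forestDns = (Get-ADForest).RootDomain
$configNc  = (Get-ADRootDSE).configurationNamingContext

# Step 3: metadata cleanup. Find the server object by name anywhere under CN=Sites
# (instead of list domains / list sites / list servers) and pass its DN to ntdsutil,
# which takes its menu commands as arguments: metadata cleanup -> remove selected server <DN> -> q -> q
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$shortName))"
if ($serverObj) {
    "Server object: $($serverObj.DistinguishedName)"
    if (-not $DryRun) {
        # ntdsutil still shows its own Yes/No confirmation, as in Step 3.
        & ntdsutil.exe 'metadata cleanup' "remove selected server $($serverObj.DistinguishedName)" q q
    }
} else {
    "No server object named $shortName under CN=Sites; metadata was probably already removed."
}

# Step 4: delete what is left of the server in Sites & Services (the server object and
# any child such as NTDS Settings). Remove-ADObject honours -WhatIf for the dry run.
if ($serverObj -and (Get-ADObject -Identity $serverObj.DistinguishedName -ErrorAction SilentlyContinue)) {
    Remove-ADObject -Identity $serverObj.DistinguishedName -Recursive -Confirm:$false -WhatIf:$DryRun
}

# Step 5: DNS. Helper: fetch records of one type from one zone, keep those matching the
# filter, and delete them one by one (never piping an empty set into the remove cmdlet).
function Remove-MatchingRecords([string] $Zone, [string] $Type, [scriptblock] $Match) {
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType $Type -ErrorAction SilentlyContinue |
               Where-Object -FilterScript $Match
    foreach ($r in $records) {
        "  $Type record '$($r.HostName)' in zone $Zone"
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $r -Force -WhatIf:$DryRun
    }
}
'--- DNS records pointing at {0} ---' -f $DeadDc
# Host (A) record in the domain zone
Remove-MatchingRecords $domainDns 'A' { $_.HostName -ieq $shortName }
# GUID CNAME in _msdcs.<forest root> that aliases the dead DC
Remove-MatchingRecords "_msdcs.$forestDns" 'CName' { $_.RecordData.HostNameAlias.TrimEnd('.') -ieq $DeadDc }
# NS records naming the dead DC: the "anywhere else the server is referenced" case from Step 5
Remove-MatchingRecords $domainDns 'Ns' { $_.RecordData.NameServer.TrimEnd('.') -ieq $DeadDc }
Remove-MatchingRecords "_msdcs.$forestDns" 'Ns' { $_.RecordData.NameServer.TrimEnd('.') -ieq $DeadDc }
# PTR records in every reverse lookup zone
Get-DnsServerZone -ComputerName $DnsServer | Where-Object { $_.IsReverseLookupZone } | ForEach-Object {
    Remove-MatchingRecords $_.ZoneName 'Ptr' { $_.RecordData.PtrDomainName.TrimEnd('.') -ieq $DeadDc }
}
```

Run it with -DryRun first: Remove-ADObject and Remove-DnsServerResourceRecord honour -WhatIf and the ntdsutil call is skipped, so the output lists exactly which objects and records would go. Then run it again without -DryRun; ntdsutil will still ask its own Yes/No confirmation before removing the server metadata.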
You’re Done! Now, you should be good to go. Let me know if any of you have issues with this guide, notice anything wrong, or just have errors/questions. I will be glad to help, and I know I have some pretty atrocious grammar/spelling at times.

Great article thanks for the help with it. One typo I found was in Step 2 it says ‘connect to server’ it should say fqdn of server after it.
It should be fixed now. Thanks for letting me know
Hi Christopher,
I have a small issue with my network. My first DC (Win2003 R1) was offline due to a RAID problem, and I cannot bring it back online; it is basically dead now. I have a second DC on Windows 2003 R2, and in a few days I will receive a new server as a replacement for the broken one. I believed that my first server was the FSMO holder. Would it be possible to join the new server even if the first server is dead? Also, I checked the operations master in the AD of my second server and it says that the operations master is offline and the role cannot be transferred. How can I make my second DC the master now and add the new server?
Hope you can help me, Thank you very much in advance!
You should be able to join and dcpromo the new server, but not until after seizing the roles from the dead server. Did you try to seize the roles like I wrote above? They cannot transfer normally since the master is offline; they need to be forced. Let me know if you were having issues following the article above or run into any additional problems, but the article was written to resolve the exact issue you are having, so hopefully it should help.
Hi Christopher,
I tried the above instructions and it all works.
I was able to add the new server. Thanks a lot for your help!
Hi Christopher,
I tried the above instructions and all is OK now.
I managed to join the new server to the domain.
However, maybe you can help me. I have been having a global catalog issue in the old server that is now the FSMO master.
Any more details on the issue? I would verify which DCs are currently set to be global catalog servers:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
Open the Servers folder, and then click the domain controller.
In the domain controller’s folder, double-click NTDS Settings.
On the Action menu, click Properties.
On the General tab, view the Global Catalog check box to see if it is selected.
For a quick fix, without really knowing the exact errors or anything, I would make both servers global catalogs, wait for replication, then make the old one NOT a global catalog. If your issues seem to go away, try making the old one a GC again… kinda sloppy, but it should help without causing service interruption and without having to dig too much.
Thanks for this useful information. This is my own case: my PDC crashed and I had to promote the backup DC. When seizing the FSMO roles, I was able to do it for naming master, PDC and RID. Schema master gave an error “Win 32 error returned is 0X2098(Insufficient access right to perform the operation). Ldap-modify of SD failed with 0X32(50 (Insufficient Rights).” I had to leave that. It was also advised that the Infrastructure master should not reside on the same DC that has the GC. Presently users cannot be authenticated by the DC and I am yet to know the cause. Kindly help
I would reboot the DC first. I would not worry about the global catalog being on the same DC as the infrastructure master; there are hundreds of thousands of organizations that only have 1 DC for everything that operate just fine. It is certainly better to break all the roles up in a larger environment, so if 1 DC does go down it doesn’t have all the roles.
OK, so reboot the DC, try to seize the role again and test client authentication. If you cannot seize the role, it shouldn’t matter in the immediate future as schema master only is needed when making schema changes to AD (like during exchange or sharepoint configuration, or some other enterprise changes). If you still cannot get authentication, though, I would boot into ad restore mode and open a command prompt. Type “ntdsutil”, then “files”, then “integrity”. This will perform an integrity check on AD, including the schema. Take note of any warnings. Then, go back to the ntdsutil cmd line, enter “files”, then “Semantic database analysis”, then “Verbose on”, then “go”. You can alternatively choose to type “go fix” for the last one, and it will fix detected errors. Make sure you have a backup before trying that.
Take a look at anything that stands out to you, if you want, try the “go fix” command from above. Reboot the DC normally and try authenticating some clients, then see about resolving warnings/errors found in the ad checks. Let me know what you find. I am curious to see what is causing the issue.
Also, just to verify, your DC that is still active is checked to be a global catalog, correct? Or did you disable that when seizing roles, per the advice you received? If this server is not a global catalog, you will not be able to authenticate.
Hi guys, this is the same problem I have been facing. We have a Domain Controller (Win2K3) dead, and I made another server the Primary DC, and now it’s been working fine. But now I want to add a 2008 Server as PDC and need to keep 2003 as BDC (additional). But when I try to dcpromo the new 2008 Server, it gets an error that seems to be a DNS error. But I am damn sure that my DNS Server works fine; I did nslookup from both servers and it gave me the results. However, I cannot delete the old server from Active Directory Sites and Services. I have done all these methods you have mentioned; it worked anyhow but with some errors, and at last, NTDS settings and seizing the roles has all been done. But still, when I try to delete the server from Active Directory Sites and Services, it gives an error like: (You do not have privilege to delete this (domain name)). I hope someone can help me out with this; I look forward to hearing from you ASAP. Thank you!
Try this (you may be able to skip some steps, if it is already showing as removed from AD users & Computers)
Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
In the details pane, right-click the computer object of the domain controller who has been removed, and then click Delete.
In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete.
In the Active Directory Domain Services dialog box, click Yes to confirm the NTDS Settings deletion.
In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
If the domain controller currently holds one or more operations master roles, click OK to move the role or roles to the domain controller that is shown.
Right-click the domain controller that was forcibly removed, and then click Delete.
In the Active Directory Domain Services dialog box, click Yes to confirm the domain controller deletion.
Once you have tried these, go back to Step 3 (cleaning up metadata) and run through those real quick. Let me know how it works out.
Have a Win2003 SBS that was the original and primary FSMO holder that crashed and looked like it wasn’t going to be repaired. During that time I seized the FSMO roles on a second DC that is running Win2008. Now the Win2003 server is up and running, but not connected to the network. I need to place it back online but understand that I might need to first remove it as a DC and add it back and perform metadata cleanup. Can someone provide step by step details on this process?
Well, first off, if your roles are already transferred, you will need to delete the server from AD Users & Computers. Then, delete the server from AD Sites & Services (if it’s there). Then follow Step 3 above to clear up metadata issues. Once this is done, your AD should be clean and ready to go for adding new DCs or whatever you need, just as you normally would via dcpromo. Oh, also, make sure the forest & domain functional levels are still Server 2003 or lower. Once it is raised to 2008 or 2008 R2, you cannot bring them back down (and cannot have DCs that are Server 2003).
Thank you very much for this, the instructions worked great.
Hi Christopher,
Thank you for a great blog and a great article. I have a question:
e.g. if I have 2 x DCs (with one holding all FSMO roles), and the DC with the FSMO roles goes offline due to a RAID card or failed drives or any other problem, I assume:
1) We go into the AD MMC and then move the FSMO roles to the 2nd DC?
2) As our 1st (failed) DC gets repaired in a couple of days, can we just plug it back into the network and let it sync with AD, as it had all drives and data intact with the operating system?
Upon reading through articles, it seems that one cannot just plug it back in.
When you move roles from the MMC, does that mean the FSMO roles are seized?
Will be grateful for your suggestion
Thanks again for a great blog
A FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. This could be performed in any situation – such as if you build a new DC and wish to migrate Active Directory over, or for any other reason. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder. I would recommend always evaluating which DCs have FSMO roles whenever you add new DCs to the network, as having them all on the same server (which is the default, since the first server in the domain has all the roles for that domain).
A FSMO role SEIZE is when a DC holding one (or more) roles has failed and will never return to the network. The roles need to be re-located to a live, working DC. A transfer operation will not succeed because the old DC is not contactable; the roles must therefore be forcefully seized. In other words, it’s a transfer operation, but the old DC is never notified the role holders have changed.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role Seize and then bring the previous holder back online, you’ll have a problem.
Now, if you have already seized the roles from the server, you can try the following process (or just rebuild the DC). I have seen it work, but I am not sure if there are any long term complications that may arise:
First, go through the steps in the article to remove the domain controller from AD completely and clear up metadata. Once you have the server repaired, do not connect it to the network, but dcpromo it out while it is still disjoined. Change the server to be a member of a workgroup, then use the NewSID tool to rename the server and change its SID to avoid AD complications.
Then, connect it to the network and dcpromo it back as a domain controller, portion out the FSMO roles how you prefer and you should be good
Hi
I did not understand: if my DC fails and goes offline, then where and how do I have to seize the FSMO roles? Do I have to run the ntdsutil command on the ADC server and seize the roles? Please guide.
You would have to seize the roles and run the ntdsutil from any other domain controller in your domain. (the one you are going to transfer the roles to)
I have 2 points….
1- But how does it communicate with the DC since the DC is offline? How does the process happen? And sir, I will be so thankful to you if you clear my doubt in the scenario below.
2- I have a DC running 2008 Server and an ADC also running 2008 Server. Is it true that if I transfer all the FSMO roles from the DC to the ADC, then the ADC acts as a DC? But what if I want to revert the changes and want my first computer as the DC; can I transfer all the roles back again?
1 – It does not communicate with the failed domain controller (that is the difference between “seizing” from a hard-down server and “transferring” gracefully). Both DCs will have the same data on them; it’s just a matter of what kind of requests they can process. So seizing roles from a DC that is offline doesn’t mean anything is lost; it basically just tells the new DC that has seized the roles that it needs to process additional requests.
2 – Yes, if you transfer/seize, the other becomes the “DC” or primary in a sense. As far as reverting the roles back, there are a couple things to note for that:
First, it is always advised not to have 1 DC as the FSMO holder for all roles, you should spread the roles to as many different DCs as you have available, so if one goes down, not all roles are offline.
Second, you need to realize that once roles are seized from a DC, it should not be brought back online (at least not while attached to the network). You can rebuild it from scratch and dcpromo it back as if it were a new domain controller, or you can bring it online (off the network), dcpromo it out of the domain, then change the machine’s SID and try connecting to the domain and dcpromo it back as a DC (this has worked for me, but isn’t generally recommended).
For more thorough answers to these, see my reply to shehryar’s comment just above.
Thanks so much
Hi Christopher,
Thanks for all this information, but it seems that I might need some help.
I have an SBS 2003 and a 2003 server.
We lost replication between them a long time ago (they changed the ISP without informing me), so now we just run without replication between them, with no possibility to add new users, computers, etc. on the 2003 Server. It was OK, but not anymore.
Could you please explain what you mean by ”forcefully seized”, and what steps to follow.
I would like to mention that I cannot connect to the actual 2003 server to seize any role.
ntdsutil: roles
fsmo maintenance: connections
server connections: TTDADC01.TTD.local
Error 80070057 parsing input – illegal syntax?
I have tried to transfer the roles on 2003, but all are offline.
Thank you very much in advance,
Regards
Claudiu
Well, if you are having problems replicating data, then you will probably have problems connecting with other AD utilities such as ntdsutil.
Now, remember, you will only want to “seize” the roles if you do not plan on ever bringing that first server back online in the domain. If it is still online, it will need to be immediately removed from the network (you can try the rebuild and workaround steps mentioned in comments above, at your own risk).
That being said, you will not connect to the remote server to seize roles, you would connect to the local server, because you only seize roles if the other server is offline.
You could try using localhost as the servername, but no guarantee that will work, as I’ve always only used the actual FQDN of the local box (since that’s what the tool says it requires).
Hi, Interesting article; thank you very much. We are in a child domain and the only DC we have in that child domain failed. Is it still possible to recover the fsmo roles?