CPES Active Directory Guide
What to do when your FSMO holding DC fails
by Ben Pfountz (netprince@vt.edu)

Background

I will refer to the primary domain controller as the controller holding all of the domain's FSMO roles, and to the secondary domain controller as the controller holding none of the domain's FSMO roles.

The CPES Active Directory uses two domain controllers. The controllers synchronize periodically so that either can survive the failure of the other. If the secondary domain controller fails, simply follow the steps necessary to re-install the secondary domain controller (outlined in another document). If the primary controller fails, follow the steps below to convert your secondary domain controller into the primary domain controller by seizing the FSMO roles. Then follow the steps necessary to re-install the secondary domain controller (outlined in another document).

One should note that having one server hold all FSMO roles is not very efficient. If care is taken, FSMO roles can be divided among multiple servers for load balancing. In our case the environment needs to be simple and reliable, so we decided to keep all FSMO roles on one server.

Also note that I have found that for this to work correctly, each secondary domain controller must be set up as a global catalog. This increases synchronization traffic between the servers, but the extra information is important because the secondary server may need to take over as the primary in an emergency.


FSMO Role Seizure

There are five FSMO roles that the secondary controller must seize when the primary has failed. From my tests, it is important to seize the roles in the correct order, so be careful.

First, seize the 2 forest FSMO roles: schema master and domain naming master.
Then, seize the 3 domain FSMO roles: PDC emulator, RID master, and infrastructure master.

  • from the command prompt, enter 'ntdsutil'
  • enter 'roles'
  • enter 'connections'
  • enter 'connect to server <servername>' (servername is name of secondary dc, ex: ad2)
  • enter 'q'
  • enter 'seize schema master'
  • enter 'seize domain naming master'
  • enter 'seize PDC'
  • enter 'seize RID master'
  • enter 'seize infrastructure master'
  • enter 'q'
  • enter 'q'

Also note that you can use 'transfer' instead of 'seize' if the PDC is still online and you simply want to move the FSMO roles.

NOTE: You should not seize another server's role if that server will be returning to the domain. If the server is returning, then it is best to wait. After seizing another server's role, it is best to re-install that server, and then add it to the domain as a secondary.
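Before re-installing the failed server, confirm that the seizure actually took and that all five roles now point at the surviving controller. The script below is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses the guide's example name 'ad2' for the secondary DC.

```powershell
# Added example (not from the original guide): verify FSMO role holders after seizure.
# Assumes the ActiveDirectory module is available; 'ad2' is the guide's example secondary DC.
param(
    [string]$ExpectedHolder = 'ad2'   # the DC that should now hold every role
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Same order the guide seizes them in: forest roles first, then domain roles.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}

$problems = 0
foreach ($role in $roles.Keys) {
    # Holders come back as FQDNs (e.g. ad2.cpes.example); compare on the host name only.
    $holder = ($roles[$role] -split '\.')[0]
    if ($holder -ieq $ExpectedHolder) {
        Write-Host ("{0,-22} OK   -> {1}" -f $role, $roles[$role])
    } else {
        # A role still pointing at the dead DC means that seize did not take;
        # re-run 'seize' for that role in ntdsutil before rebuilding the old primary.
        Write-Warning ("{0} is held by {1}; expected {2}" -f $role, $roles[$role], $ExpectedHolder)
        $problems++
    }
}

if ($problems -eq 0) {
    Write-Host "All five FSMO roles are held by $ExpectedHolder."
    exit 0
}
exit 1
```

On a server without the PowerShell module, 'netdom query fsmo' prints the same five holders for a manual comparison.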
