Discussion:
Clarification Please-FSMO roles when server is down
Edog
2005-12-21 18:12:03 UTC
I have an AD domain with 2 DCs. The first DC holds all 5 FSMO roles for the
domain and forest (single forest, single domain). From what I understand, if
that DC goes down, then all 5 FSMO roles are unavailable until I go in and
seize the roles from DC 2. Is this correct? There is no automatic failover of
these roles?

What is the impact of FSMO role holders being unreachable? Changes made to
AD can't be made, or just can't be replicated? Can't create new domains?
Can't change passwords, etc.? Essentially, would the domain be frozen in time,
or would the changes be allowed and then replicated when DC 1 came back online
or the roles were seized?


Thanks!
Jorge de Almeida Pinto
2005-12-21 18:28:34 UTC
Forest FSMOs

* Schema Master --> needed when updating the schema

* Domain Naming master --> needed when adding or removing domains within the
forest


Domain FSMOs

* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing
passwords, used for time sync, is used for pwd checking when a user enters
an incorrect pwd at another DC, used by DFS roots to get DFS info

* RID Master --> needed to distribute RID pools to DCs that have used up 50%
of their current RID pool (=250 RIDs)

* Infrastructure --> needed to update references between domains in a forest
(does not do anything in a single domain forest)
--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


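A quick way to see which DC holds each of the five roles, whether that DC answers, and what (per Jorge's list) stops working while it does not. This is an added example and not code from the thread; it assumes the RSAT ActiveDirectory PowerShell module (available from Windows Server 2008 R2 onward, so not something the 2005 posters had), run from a domain-joined admin workstation. The impact strings are my summary of the list above.

```powershell
# Added example, not from the thread: inventory the five FSMO role holders and
# check whether each one answers, attaching the impact Jorge lists to any
# holder that does not. Assumes the RSAT ActiveDirectory module (2008 R2+).
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Role, current holder, and what stops working while the holder is down
    # (summarised from Jorge's list; the infrastructure master is idle in a
    # single-domain forest).
    $roles = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster;       Impact = 'schema updates fail' }
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster; Impact = 'adding or removing domains fails' }
        @{ Role = 'PDCEmulator';          Holder = $dom.PDCEmulator;           Impact = 'legacy password changes, time sync and bad-password chaining degraded' }
        @{ Role = 'RIDMaster';            Holder = $dom.RIDMaster;             Impact = 'object creation fails once DCs exhaust their RID pools' }
        @{ Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster;  Impact = 'cross-domain references go stale (no effect in a single-domain forest)' }
    )

    foreach ($r in $roles) {
        # ICMP reachability only: a firewall that drops ping makes a healthy
        # DC look down, so treat "false" as a prompt to investigate, not proof.
        $up = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role      = $r.Role
            Holder    = $r.Holder
            Reachable = [bool]$up
            Impact    = $(if ($up) { '' } else { $r.Impact })
        }
    }

    # The thread's scenario: every role on one box is a single point of failure.
    $holders = $roles | ForEach-Object { $_.Holder } | Sort-Object -Unique
    if (@($holders).Count -eq 1) {
        Write-Warning "All five roles are held by $holders; decide in advance which DC seizes them if it fails."
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
```

If the holder really is gone for good, the seizure the original poster asks about is done with `Move-ADDirectoryServerOperationMasterRole -Identity <survivingDC> -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Force` (without `-Force` the cmdlet attempts a graceful transfer first). Once the schema, domain naming or RID master role has been seized, the old holder must not be brought back onto the network without being rebuilt; two RID masters handing out overlapping pools is how duplicate SIDs get created.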
Edog
2005-12-21 18:43:51 UTC
I also found the following information, which adds more detail to this
response:

* If the schema master fails, you won’t usually see an immediate impact. The
schema master is needed only when the schema needs to change or when two
domain trees establish a trust between one another.
* The domain-naming master is needed only to add and remove domains from a
forest, so its failure doesn’t usually create an immediate impact.
* If the relative identifier (RID) master for a domain fails, you won’t
usually see an immediate impact. The RID master issues RIDs in blocks, so
you’ll be able to create new objects in the domain until it runs out of RIDs
and needs the RID master to issue more. When that happens, you’ll be unable to
create new objects in the domain.
* The loss of the primary domain controller (PDC) emulator is noticeable if
you still have NT backup domain controllers (BDCs) or pre-Windows 2000
(Win2K) client computers. BDCs will stop receiving updates to users and
groups, and pre-Win2K client computers won’t be able to process password
changes for their users.
* The infrastructure master is needed only when you change group membership
or rename the members of groups. If the infrastructure master fails, you’ll
still be able to perform those tasks, but AD may seem to ignore your changes
until the infrastructure master is online again.
Danny Sanders
2005-12-21 18:33:47 UTC
Post by Edog
I have a AD Domain with 2 DCs. The first DC holds all 5 FSMO roles for the
domain and forest (single forest, single domain) From what I understand, if
that DC goes down, then all 5 FSMO roles are unavailable until I go in and
seize the roles from DC 2. Is this correct? There is no automatic failover of
these roles?
It's my understanding that if you demote the FSMO role holder properly by
running dcpromo to remove AD, this is the only instance where the roles will
be transferred to another server.
Failure of a server because of hardware or whatever will not transfer any
roles. How can the second DC tell if the FSMO role holder has crashed or if
it is down for maintenance?
Post by Edog
What is the impact of FSMO role holders being unreachable? Changes made to
AD can't be made, or just can't be replicated? Can't create new domains?
That depends on which role you are talking about. The domain naming master
won't be missed until you try to add a new domain to the forest. The Schema
master won't be missed until you try to modify the schema.

You need to research each role individually to be able to get an idea of
when they are used. This will tell you if/when it can or cannot be offline.

hth
DDS W 2k MVP MCSE
Jay Armstrong
2005-12-21 19:47:02 UTC
Danny et al,

Just a clarification...
Post by Danny Sanders
That depends on which role you are talking about. The domain naming master
won't be missed until you try to add a new domain to the forest.
In our environment we add anywhere between 10K-15k user accounts a month
(new students) and delete roughly the same number (graduations). We had the
domain naming master go down and due to work load the role was not seized by
another server because it was not considered crucial for the reason you
listed above. Something you get to when you can.

All ran fine till our automated process one day had an abnormal number of
failures on creations. After looking through the logs I discovered we had run
out of names. Seizing the domain naming master role to a new DC fixed the
problem. I think we were at >30,000 accounts created since the failure of the
DC.

Not many environments go through this much turnover so I doubt many people
would run into this but it is something to keep in mind.

Jay
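Jay's account (a role holder down for months, creations failing only after tens of thousands of accounts) is the failure mode worth detecting before the automated process trips over it. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and that the RID Set and RID Manager$ objects are laid out as in Microsoft's documentation (low 32 bits of a pool attribute = first RID, high 32 bits = last RID), which is flagged in the code as an assumption to verify against your own directory. The 50% threshold is the one Jorge gives above.

```powershell
# Added example, not from the thread: report how many RIDs each DC still holds
# in its current pool, so a RID master outage is caught before object creation
# starts failing as in Jay's incident. Assumes the RSAT ActiveDirectory module.
# The pool decoding (low 32 bits = first RID, high 32 bits = last RID) follows
# Microsoft's RID Set documentation; verify it against your own directory.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([Int64]$Pool)
    # Two 32-bit values packed into one 64-bit attribute.
    [pscustomobject]@{
        Start = [Int64]($Pool -band 0xFFFFFFFF)
        End   = [Int64]($Pool -shr 32)
    }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain

    # Domain-wide view from the RID master: if this call fails, the role holder
    # itself is unreachable, which is exactly the condition the thread discusses.
    try {
        $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                            -Properties rIDAvailablePool -Server $dom.RIDMaster -ErrorAction Stop
        $avail = ConvertFrom-RidPool $mgr.rIDAvailablePool
        Write-Host ("RID master {0}: {1} RIDs still unissued domain-wide" -f $dom.RIDMaster, ($avail.End - $avail.Start))
    } catch {
        Write-Warning "RID master $($dom.RIDMaster) did not answer: $($_.Exception.Message)"
    }

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            # rIDNextRID is not replicated, so read the RID Set from the DC itself.
            $set = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
                                -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID -ErrorAction Stop
        } catch {
            Write-Warning "$($dc.HostName): could not read RID Set ($($_.Exception.Message))"
            continue
        }
        $current = ConvertFrom-RidPool $set.rIDPreviousAllocationPool  # pool RIDs are issued from
        $standby = ConvertFrom-RidPool $set.rIDAllocationPool          # next pool, once fetched
        $size    = $current.End - $current.Start + 1
        $nextRid = [Int64]$set.rIDNextRID
        # Fresh pool with nothing issued yet: rIDNextRID still points below it.
        $left    = if ($nextRid -lt $current.Start) { $size } else { $current.End - $nextRid }

        [pscustomobject]@{
            DC             = $dc.HostName
            PoolStart      = $current.Start
            PoolEnd        = $current.End
            RidsLeft       = $left
            HasStandbyPool = ($standby.Start -ne $current.Start)
            # Per Jorge, a DC asks for a new pool at 50% use; past that line with
            # no standby pool, a RID master outage will stop object creation.
            NeedsRidMaster = (($left -lt ($size / 2)) -and ($standby.Start -eq $current.Start))
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
```

Run it on a schedule and alert on any DC with `NeedsRidMaster` true while the RID master warning fires; that combination is Jay's situation a few weeks before the creations started failing. `RidsLeft` is approximate to within one RID depending on how the DC records rIDNextRID, which does not matter at a 250-RID threshold.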
Danny Sanders
2005-12-21 19:55:34 UTC
Post by Jay Armstrong
In our environment we add anywhere between 10K-15k user accounts a month
(new students) and delete roughly the same number (graduations). We had the
domain naming master go down and due to work load the role was not seized by
I was not aware that the domain naming master affected the addition of user
accounts also.

DDS
Jorge de Almeida Pinto
2005-12-21 20:35:03 UTC
It doesn't.

User accounts need SIDs, and the FSMO providing those is the RID master.
--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
Post by Danny Sanders
Post by Jay Armstrong
In our environment we add anywhere between 10K-15k user accounts a month
(new students) and delete roughly the same number (graduations). We had the
domain naming master go down and due to work load the role was not seized by
I was not aware that the domain naming master affected the addition of
user accounts also.
Jay Armstrong
2005-12-21 21:10:06 UTC
My bad,

Sorry it was back in March and I had forgotten the details.

After digging through my notes it was, as Jorge states, the RID master that
was down.

That's what happens when you type while drinking eggnog.

Jay
Post by Jorge de Almeida Pinto
It doesn't
User accounts needs SIDs and the FSMO providing that is the RID master