Home

Tutorials

Active Directory

Possible Impacts when Putting Online an Old FSMO Role Holder (EN)

When losing an FSMO roles holder, FSMO roles hosted on the lost Domain Controller should be seized if it will take a long time to repair its failure or if the server can no longer be recovered. After a seizing operation, the old FSMO roles holder should not be back online before forcibly demoting it or re-installing its operating system. That is very important in order to avoid major impacts on your Active Directory Domain Services infrastructure.

This article explains the possible impacts that may occur when putting online an old FSMO holder after seizing its FSMO roles. This is summarized in the following table:

FSMO role	Possible impacts	Severity
Schema Master	Conflicts might occur on Active Directory Schema if two Schema Masters are trying to make updates in the same time. That might lead to a corruption in the Active Directory forest.	Critical (*1)
Domain Naming Master	Inconsistencies may be identified when displaying domains managed in an Active Directory forest. Metadata cleanup, adding and removing new Domains / Domain Controllers will not be possible.	Critical (*1)
PDC Emulator	Password validation will randomly succeed or fail, replication of password modifications will become slower and time synchronization issues may occur.	Medium (*2)
Infrastructure Master	Wrong display of group membership after updates will occur.	Medium (*2)
RID Master	Duplicated RID pools will be assigned to Domain Controllers which will result in data corruption and security issues because of re-use of SIDs.	Critical (*1

(*1) A forest / Domain recovery is required to solve the issues.

(*2) No permanent damages are caused and the issues can be solved without doing a forest / Domain recovery.

The impacts vary from an FSMO role to another but it is always not recommended to put online an old FSMO holder after seizing its FSMO roles as this is a high risk operation that might cause permanent or temporary disruption on your Active Directory environment.

The latest tutorials

23/03/2019 How to identify active hosts in your networks and perform horizontal TCP port scans

06/03/2019 Stop perfecting your Active Directory Domain Services Password / Lockout Policies – It is time to invest on Multi-Factor Authentication and Compensating Controls

09/02/2019 An Effective Approach to Protect Administrative Accesses to Your Datacenters and Cloud Resources

17/01/2019 How to create a Lag Site for your Active Directory Domain Services setup

About Tunit

Tunit helps you plan your Microsoft systems integration and administration.

Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.

View more