Pierre Ammoun asked:
FSMO Roles in 2012 R2


I have a server (physical) that has been promoted to a domain controller.
I have a DHCP server running on it and a DNS server also.
(I have an Exchange 2013 server box too.)

In order to have a backup I created another server and also made it a domain controller.
It is working fine. I checked the logs and everything seems fine.
I also configured DNS on that server and it is playing nice with the other DNS server on my 'primary' domain controller.

As for DHCP, I used the option in 2012 R2 that has the load balancing.
There too it is working fine.

My problem is the following:
As far as I know the FSMO roles can live (each one) on 1 server only.
If my assumption is right, then if I have a problem with my primary server (DC), reverting to the second DC (if the first one is dead) will not make me run 100% without issues.
Is that statement correct?

What I am trying to say is: what are the settings/measures I should be taking so that my 2 servers (DC1 and DC2) can be replaceable (meaning I'm 100% functional if one is down forcefully)?

I am sure that it is possible. It is just me that doesn't have the knowledge. That is why I come back to you gurus!!

Cliff Galiher:

If a server with any of the operations master roles ever failed in an unrecoverable way, manual intervention will always be required. That is unavoidable. It is worth mentioning, however, that moving such a role to a new server, while it is a manual process, is also relatively straightforward. You don't need to preemptively take special steps.
It is fairly easy to seize the roles in case you need it.
Pierre Ammoun:
I do know that it is somehow easy to seize a role, but my problem is the following:
Is it possible to seize the role even if the primary DC (the owner of that role) is dead all of a sudden?
Will it be seized correctly without any hiccup!?
Yes. If the current role owner is up, then it is called a transfer. Seizing is needed when the original role owner is missing permanently.
Thank you for the clarification.
My last sub-question would be the following:
Is there anything else needed to be done other than transferring those 4 roles to have the "promoted" DC working fully as primary?
From the top of my head...

  1. Make all DCs GCs
  2. Configure DNS forwarders on both in server configuration (external)
  3. Configure DNS client configuration to point to the other DC, its own network IP and
  4. Create time sync policy that changes when PDC role is moved
  5. Ensure all clients have both DCs as DNS entries (DHCP and static entries)

The only roles you need to worry about during normal operations are PDC and RID; both can be offline and clients will still authenticate, but you should get them back online as soon as you can. If you cannot, you can seize them. As soon as you seize it, the GPO for time will automatically change its time configuration in the registry.

You can monitor how far any DC is from RID depletion from events or by checking DCDiag.

  • PDC Emulator (One per domain) - For immediate password changes, account lockouts etc.
  • RID Master (One per domain) - Handles RID pool for new objects
  • Schema Master (One per forest) - Only required when making schema changes
  • Domain Naming Master (One per forest) - Only required when doing namespace changes like removing domain
  • Infrastructure Master (One per domain) - Irrelevant in a forest with just one domain
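The transfer-versus-seize distinction above, as an added PowerShell example that is not code from any poster in this thread. It assumes the RSAT ActiveDirectory module, Domain/Enterprise Admin rights, and the DC names DC1/DC2 from the question; the decision to seize is based only on whether the current PDC holder answers on LDAP, so review it before running in a real outage.

```powershell
# Added example (not from the thread): move all five FSMO roles to DC2,
# transferring when the current holder is reachable and seizing (-Force) otherwise.
# Assumption: RSAT ActiveDirectory module present; run as Enterprise Admin.
Import-Module ActiveDirectory

$TargetDc = 'DC2'   # name taken from the question; adjust to your environment

# Report the current holder of each operations master role.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $domain.PDCEmulator           # one per domain
        RIDMaster            = $domain.RIDMaster             # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
    }
}

$before = Get-FsmoHolders
$before | Format-List

# Transfer if the current PDC holder still answers LDAP (TCP 389); otherwise seize.
$ownerUp = Test-NetConnection -ComputerName $before.PDCEmulator -Port 389 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

$roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
if ($ownerUp) {
    # Graceful transfer: both DCs agree on the handoff through replication.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Confirm:$false
} else {
    # Seizure: the old holder is treated as permanently gone. It must be rebuilt
    # (and its metadata cleaned) before it is ever reconnected, or you get two holders.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $roles -Force -Confirm:$false
}

# Verify the move, then confirm the new PDC emulator's time source (item 4 above).
Get-FsmoHolders | Format-List
w32tm /query /source
```

After the move, `w32tm /query /source` on the new PDC emulator should name an external NTP server rather than the old DC.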
Lee W, MVP:
This solution is only available to members.
Hi Pierre Ammoun,

Your question itself contradicts your requirement. As you are aware there can be one and only one instance of each FSMO role at a given point of time, you don't really have to do anything on the secondary as long as your primary server is up and running. However, if it fails and can't be recovered for any reason, you must perform the FSMO role seizure so that the secondary server would start serving as FSMO.

In such catastrophic events, the downtime is expected and it completely depends on how proactively you monitor your critical applications and server roles.

Once you are aware of failure and type of failure (temporary or permanent) you can perform the Seizure by following these steps.

Aanand Singh Karki