Planned Domain Controller Shutdown

Created by Manfred Grisebach, October 2002


When a Domain Controller (DC) that carries Flexible Single Master Operation (FSMO) roles is scheduled to go down, the remaining DCs can be designated to take over those roles if the outage is long. This document covers how to do that.


Transferring Flexible Single Master Operation (FSMO) roles

When a DC is built we distribute the FSMO roles across DCs. The 5 FSMO roles are:


These roles do not automatically revert to the remaining DCs. The move must be done manually, *if* deemed necessary. This should not be done lightly, and only when it is known in advance that a DC will be down for a long time. In the case of the Schema master, Microsoft documentation advises that this never be done unless a DC is not coming back, but it can be done. For information about which services will not be offered, please refer to http://win2k/Disaster_Recovery/MS_docs/disaster.htm . If it is determined that FSMO roles need to be moved, the tool is run on the DC the roles are to be moved to.


FSMO Role Identification and Transfer

All FSMO roles running on a DC can be identified ahead of time, and moved, using NTDSUTIL (defined below). This section, however, defines the GUI tools available from Microsoft.


Once any FSMO role has been transferred, it is imperative that DNS records be updated! To do this for IST W2K domains, send a copy of %windir%\system32\config\netlogon.dns to hostmaster@cnoc and ask them to update the DNS records ASAP. (This is best negotiated ahead of time.) Be sure to apply these changes to both servers affected.


Command-Line Tool Equivalent

The above-defined method is GUI based and moves most roles just fine. The following defines the tool one needs to use if a server crashes and the roles need to be seized. It is included as an alternative method of moving FSMO roles.


The command line tool to identify and change FSMO roles is run as follows:

  1. Log on to the DC with an Enterprise Administrator account.
  2. Open a command prompt.
  3. Type NTDSUTIL.
  4. At the ntdsutil prompt, type: roles
  5. At the FSMO maintenance prompt, type: connections
  6. At the server connections prompt, type: connect to server <servername> (where <servername> is the name of the server you are currently logged on to).
  7. At the server connections prompt, type: quit
  8. At the FSMO maintenance prompt, type: seize <operations master>. For example: seize domain naming master
  9. At the popup window, click Yes to verify the seizure.
  10. At the FSMO maintenance prompt, type: quit
  11. At the ntdsutil prompt, type: quit


NOTE: All roles can be seized at one time, and each time ntdsutil comes back listing all 5 roles and who owns them.

NOTE: To seize the schema master role, being Enterprise Administrator is *not* enough. You must also become a Schema Administrator.

DO NOT FORGET to update DNS records as outlined above.
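
A check to run before the shutdown and again after the steps above, as an added example that is not part of the original document: it lists the current holder of each of the five roles, flags those on the DC scheduled to go down, and warns if the schema master is affected and the current account lacks Schema Admins membership. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates the Windows 2000 environment this page describes; dc1.example.com is a constructed placeholder name.

```powershell
# Added example: report FSMO role holders and flag those on the DC going down.
# Assumes the ActiveDirectory module (RSAT) is installed on the admin host.
Import-Module ActiveDirectory

# Placeholder (constructed): FQDN of the DC scheduled for shutdown.
$TargetDC = 'dc1.example.com'

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (Get-ADForest), three are per-domain (Get-ADDomain).
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role     = $role.Key
        Holder   = $role.Value
        OnTarget = ($role.Value -ieq $TargetDC)   # case-insensitive FQDN match
    }
}
$report | Format-Table -AutoSize

$affected = @($report | Where-Object OnTarget)
if ($affected.Count -eq 0) {
    Write-Output "No FSMO roles are held by $TargetDC."
} else {
    Write-Output "$($affected.Count) role(s) held by ${TargetDC}: $($affected.Role -join ', ')"
}

# Moving the schema master needs Schema Admins membership on top of
# Enterprise Admins; the group lives in the forest root domain.
if ($affected.Role -contains 'Schema master') {
    $schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' `
        -Server $forest.RootDomain -Recursive
    if ($schemaAdmins.SamAccountName -notcontains $env:USERNAME) {
        Write-Warning "$env:USERNAME is not in Schema Admins; the schema master cannot be moved from this account."
    }
}
```

Run it once more after the roles have been moved: every row should show OnTarget as False before the DC is taken down.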