Posts Tagged ‘FSMO’

Failed to gracefully demote domain controller

December 5, 2013 Leave a comment

I was getting ready to upgrade the hardware and server version on an old Windows Server 2008R2 domain controller when I ran into a interesting problem. After launching DCPROMO and going through the steps, I received an error that said “The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles”.

After doing some research, it turns out that the domain controller has incorrect information as to the FSMO operation master owner. It is set to a domain controller that has been deleted or does not exist. In my case, the person before me must have improperly decommissioned a domain controller, leaving cruft behind in the AD. I launched ADSIEdit on the domain controller I was trying to remove and went to the infrastructure container and sure enough under “fSMORoleOwner” is had garbage.

When I tried to edit the value, I received an error stating “Operation Failed. Error code: 0x20ae The role owner attribute could not be read 000020AE: SvcErr: DSID-03152BF7, Problem 5003 (WILL_NOT_PERFORM) Data 0”. If you receive this error message when trying to change the value of “fSMORoleOwner”, you must change the value from the domain controller that holds the FSMO role. Once you change it there, depending on your replication scheme, the change should be updated on the domain controller you are trying to demote and it should now allow you to complete the process.


Using Network Time Protocol with Windows Server

April 2, 2013 1 comment

We all know that time synchronization is a crucial aspect for all the computers on the network, especially servers. In Windows, client computers obtain the time from domain controllers and the domain controllers obtain their time from the domain’s primary domain controller operation master. The primary domain controller obtains its  time from an external source, usually Microsoft ( If you would like to have your primary domain controller synchronize with a NTP server, the process is fairly simple. My department maintains our own SNTP servers but you could use one from the NTP Pool Project.

For my fellow administrators in the North American continent, you would use:


I recommend you use the DNS name instead of an IP address because the IP addresses may change in the future for what ever reason. Now lets configure our primary domain controller to synchronize with our NTP server.

      1. Sign into your primary domain controller with Administrator credentials. If you do not know which of your domain controllers is the primary domain controller, you can query a domain controller using netdom. Use the command ‘netdom /query fsmo’.
      2. Open a command prompt window.
      3. Stop the W32Time service by using the command ‘net stop w32time’.
      4. Now it is time to configure the external NTP source. Use the command: w32tm /config /syncfromflags:manual /manualpeerlist:<NTP Servers here> /reliable:yes
      5. Start the W32Time service again by using the command ‘net start w32time’.

NOTE: If you are going to use more than one NTP server, you must enclose them in quotes and delimit each entry with a space. Ex: “”.

The Windows Time Service should begin to synchronize the time with external NTP server you chose. You can view your current configuration by using the command ‘w32tm /query /configuration’ and check your Event Viewer for any error messages.

Transfer or Seize Flexible Single Master Operations (FSMO) Roles

May 10, 2012 1 comment

There are five Flexible Single Master Operations (FSMO) roles for domain controllers. They are:

  1. infrastructure master
  2. naming master
  3. pdc (primary domain controller)
  4. rid master
  5. schema master

To transfer the five Flexible Single Master Operations (FSMO) roles we will use a tool called ntdsutil. NtdsUtil is a Directory Services Management Tool. NtdsUtil performs database maintenance of the Active Directory store, management and control of the Floating Single Master Operations (FSMO), and cleaning up of metadata left behind by abandoned domain controllers. Abandoned domain controllers are those which are removed from the network without being uninstalled properly. For more on NtdsUtil, visit: NtsdUtil

To transfer these roles to a different domain controller:
Logged in as Domain Administrator on the domain controller in which you want to transfer the roles from:

  1. Open a Windows CMD Shell.
  2. Type ‘ntdsutil’ You should be greeted with a “ntdsutil: ” prompt.
  3. Type ‘roles’ You should be greeted with a “fsmo maintenance: ” prompt.
  4. Type ‘connections’ You should be greeted with a “server connections: ” prompt.
  5. Type ‘connect to server <server_name_here>’ where server name is the name of the domain controller you wish to transfer the roles to. You should receive a confirmation stating that it is binding to the domain controller using the credentials of the locally logged on user.
  6. Type ‘q’ to exit server connections. You should be back to the fsmo maintenance prompt.
  7. Type ‘transfer infrastructure master’
  8. Type ‘transfer naming master’
  9. Type ‘transfer pdc’
  10. Type ‘transfer rid master’
  11. Type ‘transfer schema master’
  12. Type ‘q’ to exit fsmo maintenance
  13. Type ‘q’ to exit ntdsutil.
  14. Type ‘exit’ to close the CMD shell.

If the domain controller is dead you will need to use the command ‘seize’ to take the role back. Example: ‘seize infrastructure master’ and so on for the other four.

Useful Links: (Microsoft Support Article on Transferring or Seizing FSMO Roles)