The output from netdom query fsmo uses different terminology than Microsoft's official documentation. Here's the mapping:
Domain role owner = Domain Naming Master
RID Pool Manager = RID Master
PDC role = PDC Emulator
All five FSMO roles (including the missing Schema Master and Infrastructure Master) must be accounted for in a proper recovery scenario.
Seizing FSMO roles isn't without risks:
- If the original DC comes back online, you'll face USN rollback issues
- Metadata cleanup must be performed to prevent replication conflicts
- DNS records must be manually updated if dynamic updates weren't working
Here's the complete NTDSUtil procedure:
ntdsutil
roles
connections
connect to server myself.office.local
quit
seize schema master
seize domain naming master
seize infrastructure master
seize rid master
seize pdc
quit
quit
After seizing roles, verify with:
netdom query fsmo
Execute these critical steps to prevent issues:
# Remove the failed DC from Active Directory
ntdsutil
metadata cleanup
connections
connect to server myself.office.local
quit
select operation target
list sites
select site 0
list domains
select domain 0
list servers in site
select server missing.office.local
quit
remove selected server
quit
quit
# Clean up DNS records
dnscmd /enumrecords office.local _msdcs /additional
dnscmd /recorddelete office.local missing.office.local. A /f
For your 10-20 user environment:
- Consolidating all roles on one DC is acceptable
- Users may experience brief authentication delays during role transfer
- No noticeable impact if PDC role is properly seized
- Time synchronization may need manual adjustment
When upgrading to Windows 2003 AD functional level:
- FSMO roles remain unchanged
- Schema Master must be available for the upgrade
- New features like linked-value replication require all DCs to be Windows 2003
To prevent future issues:
# Verify proper DNS configuration
dcdiag /test:dns /v /e
# Recommended forward lookup zone settings
dnscmd /zoneadd office.local /dsprimary
dnscmd /config /enableglobalnamessupport 0
The output from netdom query fsmo shows the following role distribution:
Schema owner: missing.office.local
Domain role owner: myself.office.local
PDC role: missing.office.local
RID pool manager: missing.office.local
Infrastructure owner: missing.office.local
To clarify the terminology:
Domain role owner refers to the Domain Naming Master, while RID Pool Manager is indeed the RID Master role. The five FSMO roles are:
- Schema Master
- Domain Naming Master
- PDC Emulator
- RID Master
- Infrastructure Master
Before proceeding with role seizure, consider these critical points:
- Schema and Domain Naming roles: These forest-wide roles should only be seized if the original DC is permanently offline
- PDC Emulator: Seizing this may cause temporary authentication issues but is generally safe
- RID Master: Seizing improperly could lead to duplicate SIDs if the original DC comes back online
- Infrastructure Master: Least critical, but needed for cross-domain object references
To properly seize all roles to myself.office.local:
ntdsutil
roles
connections
connect to server myself.office.local
quit
seize schema master
seize domain naming master
seize PDC
seize RID master
seize infrastructure master
quit
quit
After seizing roles, manually remove the failed DC from Active Directory:
ntdsutil
metadata cleanup
connections
connect to server myself.office.local
quit
select operation target
list sites
select site 0
list domains
select domain 0
list servers in site
select server missing.office.local
quit
remove selected server
quit
quit
Your dcdiag output shows DNS resolution issues. Ensure these records exist in DNS:
_msdcs.office.local
_gc._tcp.office.local
_kerberos._tcp.office.local
_ldap._tcp.office.local
If upgrading to Windows 2003 AD later:
- The FSMO role seizure process remains identical
- Windows 2003 introduces improved role transfer reliability
- Consider adding at least one additional DC before upgrading
For your small environment (10-20 users):
- Having all roles on one DC is acceptable
- Users may experience brief authentication delays during role transfer
- No significant performance impact expected
After completing all operations, run these verification commands:
netdom query fsmo
repadmin /replsummary
dcdiag /v /c /e
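An added PowerShell check, not taken from either answer above, that parses the netdom query fsmo output quoted in the thread, maps netdom's wording to the official FSMO role names, and reports any role missing from the output or still attributed to the failed DC; the hostnames myself.office.local and missing.office.local and the sample lines come from the thread, and the netdom role labels are assumed to match those quoted lines.

```powershell
# Added example: verify 'netdom query fsmo' output after a seizure (hostnames from the thread).
$RoleNames = @{   # netdom wording -> official FSMO role name
    'Schema owner'         = 'Schema Master'
    'Domain role owner'    = 'Domain Naming Master'
    'PDC role'             = 'PDC Emulator'
    'RID pool manager'     = 'RID Master'
    'Infrastructure owner' = 'Infrastructure Master'
}

# Parse netdom lines into @{ 'Schema Master' = 'dc.fqdn'; ... }; non-role lines are ignored.
function Get-FsmoHolders([string[]]$NetdomLines) {
    $holders = @{}
    foreach ($line in $NetdomLines) {
        if ($line -match '^\s*(?<role>[^:]+?)\s*:\s*(?<dc>\S+)\s*$' -and $RoleNames.ContainsKey($Matches.role)) {
            $holders[$RoleNames[$Matches.role]] = $Matches.dc.ToLower()
        }
    }
    return $holders
}

# Return $true only if all five roles are reported and every one is on $ExpectedDc;
# a role missing from the output, or still on $FailedDc, means the seizure is incomplete.
function Test-FsmoSeizure([hashtable]$Holders, [string]$ExpectedDc, [string]$FailedDc) {
    $ok = $true
    foreach ($role in $RoleNames.Values) {
        if (-not $Holders.ContainsKey($role)) {
            Write-Warning "$role not reported by netdom"; $ok = $false
        } elseif ($Holders[$role] -eq $FailedDc.ToLower()) {
            Write-Warning "$role still held by failed DC $FailedDc"; $ok = $false
        } elseif ($Holders[$role] -ne $ExpectedDc.ToLower()) {
            Write-Warning "$role held by unexpected DC $($Holders[$role])"; $ok = $false
        }
    }
    return $ok
}

# Constructed input: the pre-seizure output quoted in the thread. Live use:
#   $holders = Get-FsmoHolders (netdom query fsmo)
$sample = @('Schema owner:         missing.office.local',
            'Domain role owner:    myself.office.local',
            'PDC role:             missing.office.local',
            'RID pool manager:     missing.office.local',
            'Infrastructure owner: missing.office.local')
$holders = Get-FsmoHolders $sample
if (Test-FsmoSeizure $holders 'myself.office.local' 'missing.office.local') {
    'All five FSMO roles are on myself.office.local'
} else {
    'Seizure incomplete: rerun the ntdsutil seize steps before metadata cleanup'   # expected for the sample
}
```

Run it again after metadata cleanup and replication have settled (repadmin /replsummary clean); a role that still reports the failed DC at that point is the USN rollback or replication conflict case the answers warn about.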