The 7 FSMO Roles

5 FSMO roles? Oh, no. There are Hidden FSMO roles that they don’t tell you about!  They don’t want you to know about these until you run into a problem! There are really 7 FSMO Roles to know about.

Have you ever been unable to demote a domain controller?  It tells you that it can’t determine the fSMORoleOwner – even though a netdom query FSMO returns all 5 roles?

You may also get: “The Directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles”

Well, there are two hidden roles: CN=Infrastructure,DC=ForestDnsZones  and CN=Infrastructure,DC=DomainDnsZones

So, the next time you are transferring FSMO roles, you need to move these two as well – before you decommission the old role holder!

Run ADSI Edit as admin.

[Screenshot fmso_0.png: Connect to]

Right click on ADSI Edit, select Connect to, and enter the naming context:

[Screenshot fmso_1.png: DC=DomainDNSZones,DC=Kearan,DC=local]

Click and expand the new connection node (it replaces the “Default naming context” entry) – click on the naming context beneath it, move to the right column and click Infrastructure:

[Screenshot fsmo_2.png: CN=Infrastructure]

Right click and select properties or double click to edit.

Scroll to fSMORoleOwner

[Screenshot fsmo_3.png: fSMORoleOwner line]

You may see something like : CN=NTDS Settings\0ADEL:aae73bb2-d552-4b61-a6e0-7ce4e09dcc47,CN=oldservername\0ADEL:234e4831-f988-4c2a-a1ca-db0f8b2643d8

This is an already decommissioned DC that never had the fSMO role moved off it.

Double click to edit.  Change the CN to match your normal FSMO role holder.  You can copy the fSMORoleOwner from the original “Default naming context” section – which is “DC=yourdomain,DC=tld”.

Repeat for naming context “DC=ForestDnsZones,DC=yourdomain,DC=tld”

[Screenshot fsmo_4.png: DC=ForestDnsZones,DC=Kearan,DC=local]

The fSMORoleOwner in each of the three “Infrastructure” sections should match.
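As an added example (not from the original post), this PowerShell script does the same check the ADSI Edit steps above do by hand: it reads fSMORoleOwner from all three Infrastructure objects, flags any owner that points at a deleted object, and only with -Fix copies the domain naming context's owner to the two DNS partitions. The write is sent to the DC named in that owner DN, because the directory only accepts a new fSMORoleOwner from the DC that is to become the owner (the same approach Microsoft's fixfsmo.vbs takes); the domain DN and server name are placeholders, and a single-domain forest is assumed so that ForestDnsZones hangs off the same domain DN.

```powershell
param(
    [string]$Domain = 'DC=yourdomain,DC=tld',   # placeholder: DN of your (single-domain) forest
    [string]$Server = 'dc01.yourdomain.tld',    # placeholder: any reachable DC, used for reading
    [switch]$Fix                                # without -Fix the script only reports
)

# The three Infrastructure objects: the domain NC plus the two DNS application partitions.
$contexts = @(
    "CN=Infrastructure,$Domain",
    "CN=Infrastructure,DC=DomainDnsZones,$Domain",
    "CN=Infrastructure,DC=ForestDnsZones,$Domain"
)

$owners = @{}
foreach ($dn in $contexts) {
    $owner = [string]([ADSI]"LDAP://$Server/$dn").Get('fSMORoleOwner')
    $owners[$dn] = $owner
    # "\0ADEL:" in the DN means it points at a deleted NTDS Settings object, i.e. a DC
    # that was demoted (or torn down) without this role being moved first.
    $state = if ($owner -match '\\0ADEL:') { 'STALE - deleted object' } else { 'ok' }
    "{0}`n   owner: {1}`n   state: {2}" -f $dn, $owner, $state
}

$reference = $owners[$contexts[0]]
if ($reference -match '\\0ADEL:') {
    throw 'The domain NC Infrastructure owner is itself stale; transfer or seize that role first.'
}
$drift = $contexts[1..2] | Where-Object { $owners[$_] -ne $reference }
if (-not $drift) { 'All three Infrastructure objects agree; nothing to do.'; return }

# Resolve the FQDN of the DC named in the reference DN: drop the leading "CN=NTDS Settings,"
# RDN and read dNSHostName from the parent server object.
$serverDn = ($reference -split ',', 2)[1]
$target   = [string]([ADSI]"LDAP://$Server/$serverDn").Get('dNSHostName')

foreach ($dn in $drift) {
    if (-not $Fix) { "Would set $dn on $target to $reference (rerun with -Fix)"; continue }
    $obj = [ADSI]"LDAP://$target/$dn"
    $obj.Put('fSMORoleOwner', $reference)
    $obj.SetInfo()                              # commits the change on the target DC
    "Set $dn to $reference"
}
```

Run it from an elevated PowerShell session as an Enterprise Admin and read the report before adding -Fix; afterwards the three owners should match, exactly as the screenshots above show.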

3 Comments

    New Domain Controller Best Practices and Troubleshooting – IT Automation Professional

    […] forget to Move the Last Two FSMO Roles using […]

    James

    Are we sure these hidden ones are needed? I certainly have never heard of them. Every Microsoft document refers to 5 FSMO roles only. Surely it must be legacy and not needed if there was indeed 7? In my last organisation we had 60 DCs and had to move FSMO roles. We always moved 5.

      bkadmin

      Well, “needed” may be an overstatement, but they can be problematic if not kept up to date. I found them by encountering a problem – I forget if it was demoting or promoting a DC – that I traced back to the two hidden FSMO roles – an old DC that had been demoted ages ago, maybe not gracefully, was in there as the role holder for both and I couldn’t move forward until I fixed these.
