Why can't I transfer a FSMO role back to its original DC after I seize it?


With the PDC Emulator and Infrastructure roles, this doesn't apply; they're able to recover just fine from a seizure, and can be transferred and seized all over the place to your heart's content.

With the rest (RID, Naming, and Schema), it's not that you can't transfer back. It's that the recommendation is to never turn a DC back on after the role has been seized from it. The risk is that the two DCs both think they own the role; divergent schema changes, overlapping RIDs, and overlapping domains in the forest are the potential results.

How difficult it is to create these scenarios is another matter entirely (knowledge of the seizure will replicate to the old role holder and it will cease thinking it's the master - broken replication/connectivity is needed to create any risk); the recommendation to not bring the old DC back online is made due to an abundance of caution on Microsoft's part.

If you have to seize a RID, Naming, or Schema master's role, the safe course is to nuke the DC's metadata from orbit and reinstall the OS.

Author: Spirit

IT Specialist, Sysadmin and Tech Addict. Expertise: Cisco, VMware, Windows (all)

Updated on September 18, 2022

Comments

  • Spirit
    Spirit almost 2 years

    Everywhere I read about the FSMO roles it is written that after it is seized the FSMO role can not be transferred back to its original server.

    Does someone know why? Let's say that I seize the Schema Master and then I try to transfer it back. What will happen?

    Of course, this does not apply to the PDC Emulator or the Infrastructure master.

  • Spirit
    Spirit almost 13 years
    ROFL "nuke the DC's metadata from orbit".. Thanks for the link and the advice.. gonna remember this for good :)
  • Jonathan J
    Jonathan J over 12 years
    Don't confuse seizure of roles with transfer. Seizure should only be used in the event that the role holder has failed and cannot be brought back online; if the server is online and functional you should do a transfer. Any role that is transferred -- not seized -- can be returned to the server it was transferred from. When you seize a role, the original role holder thinks it still holds that role. If you bring it back online, there will be multiple holders of the role, and AD corruption could occur.
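
The answer and the comment above both turn on whether two DCs can each believe they hold the same role. The following is an added example, not code from the original thread: it asks every DC in the current domain for its own view of the five role holders and flags any disagreement. It assumes the ActiveDirectory (RSAT) module is installed and covers only the domain of the machine it runs on; the function name `Get-FsmoView` is hypothetical.

```powershell
# Added example: compare each DC's local view of the FSMO role holders.
Import-Module ActiveDirectory

function Get-FsmoView {
    param([Parameter(Mandatory)][string]$Server)
    # -Server makes each query read that DC's own copy of the directory.
    $domain = Get-ADDomain -Server $Server -ErrorAction Stop
    $forest = Get-ADForest -Server $Server -ErrorAction Stop
    [pscustomobject]@{
        QueriedDC            = $Server
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
         'SchemaMaster', 'DomainNamingMaster'

# A DC that cannot be reached is reported and skipped; its view stays unknown.
$views = @(foreach ($dc in Get-ADDomainController -Filter *) {
    try   { Get-FsmoView -Server $dc.HostName }
    catch { Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)" }
})

if ($views.Count -eq 0) {
    Write-Warning 'No DC answered; nothing to compare.'
    return
}

foreach ($role in $roles) {
    # One group per distinct holder name reported for this role.
    $holders = @($views | Group-Object -Property $role)
    if ($holders.Count -gt 1) {
        Write-Warning "${role}: DCs disagree on the holder"
        $views | Select-Object QueriedDC, $role | Format-Table -AutoSize | Out-String
    }
    else {
        Write-Output "${role}: all reachable DCs agree on $($holders[0].Name)"
    }
}
```

Agreement among reachable DCs says nothing about a DC that is offline or cut off from replication, which is the case the answer describes as the source of risk.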