Possible Impacts when Putting Online an Old FSMO Role Holder
When a Domain Controller that holds one or more FSMO roles is lost, the roles it hosted should be seized onto a surviving Domain Controller if repairing the failure will take a long time or if the server can no longer be recovered. After a seizure, the old role holder must never be brought back online on the network without first being forcibly demoted or having its operating system reinstalled. This is important because a stale role holder still believes it owns the roles, and two Domain Controllers acting as the same master at the same time can cause major damage to your Active Directory Domain Services infrastructure.
This Wiki article explains the possible impacts of putting an old FSMO role holder back online after its roles have been seized. They are summarized in the following table:
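The procedure above, seize and then verify, as an added PowerShell example that is not part of the original article. It assumes a surviving Domain Controller named DC02 (a hypothetical name) and a machine where the ActiveDirectory module is installed; every Domain Controller that is reachable is asked for its own view of the role holders, so a stale holder that has come back online shows up as a disagreement.

```powershell
# Added example, not from the original article.
# Assumptions: DC02 is the surviving DC that receives the roles; the
# ActiveDirectory RSAT module is available; the account has the rights to seize.
Import-Module ActiveDirectory

$SurvivingDC = 'DC02'   # hypothetical name
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# -Force turns a transfer into a seizure: the cmdlet does not contact the
# current (lost) holder before writing the new owner on the surviving DC.
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDC `
    -OperationMasterRole $Roles -Force -Confirm:$false

# One DC's view of the five role holders. Forest-wide roles come from
# Get-ADForest, domain-wide roles from Get-ADDomain; both are asked on
# that specific server so the answer reflects its local replica, not yours.
function Get-FsmoView {
    param([Parameter(Mandatory)][string]$Server)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [pscustomobject]@{
        ReportedBy           = $Server
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Collect the view of every DC that answers; an old holder that was put back
# online will still report itself as the owner of the seized roles.
$views = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try   { Get-FsmoView -Server $dc.HostName }
    catch { Write-Warning "Cannot query $($dc.HostName): $_" }
}
$views | Format-Table -AutoSize

# Any role with more than one claimed owner is exactly the situation this
# article warns about and must be resolved before replication spreads it.
foreach ($role in $Roles) {
    $holders = @($views.$role | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        Write-Warning "$role is claimed by more than one DC: $($holders -join ', ')"
    }
}
```

Run the seizure once, then keep the verification part as a check you can repeat after the old server has been dealt with. The old holder itself should be removed with Uninstall-ADDSDomainController -ForceRemoval (or reinstalled), followed by metadata cleanup of its server object; it must not simply be switched on again.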
| FSMO role | Possible impacts | Severity |
|---|---|---|
| Schema Master | Conflicts might occur in the Active Directory schema if two Schema Masters try to make updates at the same time. That might lead to corruption of the Active Directory forest. | Critical (*1) |
| Domain Naming Master | Inconsistencies may appear when displaying the domains managed in the Active Directory forest. Metadata cleanup and adding or removing domains / Domain Controllers will not be possible. | Critical (*1) |
| PDC Emulator | Password validation will randomly succeed or fail, replication of password changes will become slower and time synchronization issues may occur. | Medium (*2) |
| Infrastructure Master | Group membership will be displayed incorrectly after updates. | Medium (*2) |
| RID Master | Duplicate RID pools will be assigned to Domain Controllers, which results in data corruption and security issues because of re-use of SIDs. | Critical (*1) |

(*1) A forest / domain recovery is required to solve the issues.
(*2) No permanent damage is caused and the issues can be solved without a forest / domain recovery.
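The RID Master row is the one whose damage is silent until two accounts share a SID, so a practitioner wants a way to see whether two Domain Controllers have been handed overlapping pools. The following PowerShell is an added example, not part of the original article: it reads the rIDAllocationPool attribute of each Domain Controller's RID Set object and reports overlapping ranges. It assumes the ActiveDirectory module is available and that the replica you are connected to has received the allocations from all Domain Controllers.

```powershell
# Added example, not from the original article.
# Assumption: run on a member with the ActiveDirectory RSAT module against a
# DC whose replica already contains the RID Set objects of all other DCs.
Import-Module ActiveDirectory

# The RID Set object lives one level under each DC's computer object. Its
# rIDAllocationPool attribute packs the pool into one 64-bit integer:
# low 32 bits = first RID of the pool, high 32 bits = last RID of the pool.
function Get-RidPoolAllocation {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $ridSet = Get-ADObject -SearchBase $dc.ComputerObjectDN -SearchScope OneLevel `
            -Filter 'objectClass -eq "rIDSet"' -Properties rIDAllocationPool
        if (-not $ridSet) { continue }   # DC has not been allocated a pool yet
        $bytes = [System.BitConverter]::GetBytes([uint64]$ridSet.rIDAllocationPool)
        [pscustomobject]@{
            DomainController = $dc.HostName
            PoolStart        = [System.BitConverter]::ToUInt32($bytes, 0)
            PoolEnd          = [System.BitConverter]::ToUInt32($bytes, 4)
        }
    }
}

# Sort by pool start and compare each pool with its predecessor: if a pool
# starts at or before the previous one ends, both DCs can mint the same RID,
# and therefore the same SID, for two different principals.
function Find-OverlappingRidPools {
    param([Parameter(Mandatory)][object[]]$Pools)
    $sorted = @($Pools | Sort-Object PoolStart)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $prev = $sorted[$i - 1]
        $curr = $sorted[$i]
        if ($curr.PoolStart -le $prev.PoolEnd) {
            [pscustomobject]@{
                First       = $prev.DomainController
                Second      = $curr.DomainController
                SharedRange = "$($curr.PoolStart)-$([Math]::Min($prev.PoolEnd, $curr.PoolEnd))"
            }
        }
    }
}

$pools = @(Get-RidPoolAllocation)
$pools | Format-Table -AutoSize

$overlaps = @(Find-OverlappingRidPools -Pools $pools)
if ($overlaps.Count -gt 0) {
    Write-Warning "Overlapping RID pools found; two DCs can issue the same SID:"
    $overlaps | Format-Table -AutoSize
}
else {
    'No overlapping RID pools.'
}
```

Overlapping pools are the condition marked Critical (*1) in the table: detecting them tells you that a forest / domain recovery is needed, it does not repair them. Run the check on a healthy replica only; a Domain Controller that is itself the stale RID Master will happily report a consistent but wrong picture.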
The impacts vary from one FSMO role to another, but it is never recommended to put an old FSMO role holder back online after its roles have been seized: it is a high-risk operation that can cause permanent or temporary disruption of your Active Directory environment.