There are five well-known FSMO roles in AD that can be “seized” with “ntdsutil”, but this post is about a couple of master roles that tend to be left out when recovering from the loss of a domain controller that was never properly “demoted” with “dcpromo”.
If you are using “Active Directory Integrated DNS Zones”, there are usually a couple of special application directory partitions added: “DomainDnsZones” and “ForestDnsZones”. Each of these has its own “Infrastructure Master” FSMO role, separate from the domain’s Infrastructure Master. If the role “owner” (the domain controller in charge of this role / responsibility) will never be available again, you can reassign the role with a script provided by Microsoft. The following articles have the script “fixfsmo.vbs” you will need:
- Could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com
- ForestDNSZones or DomainDNSZones FSMO says “The role owner attribute could not be read”
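To see what the script actually touches before running it, here is an added PowerShell check (not the Microsoft fixfsmo.vbs script itself, and not code from the original post) that reads the fSMORoleOwner attribute of each DNS application partition, reports whether the owner still exists, and with -Fix points it at a live DC. It assumes the RSAT ActiveDirectory module; the partition DNs and the DC name “DC02” are constructed placeholders.

```powershell
# Added example, not the Microsoft fixfsmo.vbs script: report and optionally seize the
# Infrastructure Master of the AD-integrated DNS application partitions.
# Assumes the RSAT ActiveDirectory module; DNs and DC name are constructed samples.
param(
    [string[]]$Partitions = @("DC=DomainDnsZones,DC=contoso,DC=com",
                              "DC=ForestDnsZones,DC=contoso,DC=com"),
    [string]$NewOwnerDC = "DC02",   # placeholder: an online DC that hosts these partitions
    [switch]$Fix
)
Import-Module ActiveDirectory

foreach ($partition in $Partitions) {
    # The role owner is stored in fSMORoleOwner on CN=Infrastructure of each application
    # partition and holds the DN of the owning DC's NTDS Settings object.
    $infra = Get-ADObject -Identity "CN=Infrastructure,$partition" -Server $NewOwnerDC `
                          -Properties fSMORoleOwner
    $owner = $infra.fSMORoleOwner
    Write-Host "$partition owner: $owner"

    # When the owning DC was deleted instead of demoted, the DN is mangled with the
    # deleted-object marker "\0ADEL:<guid>" or no longer resolves at all. That is the
    # condition behind the two KB errors quoted above. -or short-circuits, so the lookup
    # is skipped for an obviously tombstoned DN.
    $ownerGone = ($owner -match '0ADEL:') -or
                 (-not (Get-ADObject -Identity $owner -Server $NewOwnerDC -ErrorAction SilentlyContinue))
    if (-not $ownerGone) {
        Write-Host "  Owner is a live NTDS Settings object; nothing to do."
        continue
    }
    Write-Warning "  Owner of $partition no longer exists; the role has to be seized."
    if (-not $Fix) { continue }

    # This is the attribute fixfsmo.vbs rewrites: set fSMORoleOwner to the NTDS Settings DN
    # of the new owner, writing against that DC so it takes over the role.
    $ntds = (Get-ADDomainController -Identity $NewOwnerDC).NTDSSettingsObjectDN
    Set-ADObject -Identity $infra -Server $NewOwnerDC -Replace @{ fSMORoleOwner = $ntds }
    Write-Host "  fSMORoleOwner set to $ntds"
}
```

Run it without -Fix first: if both partitions report a live owner, the errors in the KB titles are coming from somewhere else and seizing the role will not help.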
This has helped me out on several occasions. Not sure how common this is in other environments, but we seem to always see funky hard-to-solve issues like this.