FSMO Role Failure Symptoms

Symptoms of FSMO Problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don’t work properly.

Symptom Possible Role Involved Reason
Users can’t log on. PDC Emulator If system clocks become unsynchronized, Kerberos may fail.
Can’t change passwords. PDC Emulator Password changes need this role holder.
Account lockout not working. PDC Emulator Account lockout enforcement needs this role holder.
Can’t raise the functional level for a domain. PDC Emulator This role holder must be available when the raising the domain functional level.
Can’t create new users or groups. RID Master RID pool has been depleted.
Problems with universal group memberships. Infrastructure Master Cross-domain object references need this role holder.
Can’t add or remove a domain. Domain Naming Master Changes to the namespace need this role holder.
Can’t promote or demote a DC. Domain Naming Master Changes to the namespace need this role holder.
Can’t modify the schema. Schema Master Changes to the schema need this role holder.
Can’t raise the functional level for the forest. Schema Master This role holder must be available when the raising the forest functional level.

VBSCript : Force Automatic DNS config on DHCP enabled NIC

Useful for AD / DNS migrations, this script will scan a text file containing a list of PC names and will interrogate each one to see if it is DHCP enabled on each NIC. If DHCP is enabled it will delete any manually assigned DNS servers and configure the NIC to automatically get the DNS servers via DHCP.

‘ Script to scan PCs for network cards that use DHCP and remove
‘ all manually set DNS servers for those cards only

On Error Resume Next

Const ForReading = 1

Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set objTextFile = objFSO.OpenTextFile _
    (“hosts.txt”, ForReading)

Do Until objTextFile.AtEndOfStream
    strComputer = objTextFile.Readline
    Wscript.Echo “Processing ” & strComputer
Set objWMIService = GetObject(“winmgmts:” _
  & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)
Set colNicConfigs = objWMIService.ExecQuery _
  (“SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True”)
For Each objNicConfig In colNicConfigs
    WScript.Echo VbCrLf & ”  Network Adapter ” & objNicConfig.Index & _
      VbCrLf & ”    ” & objNicConfig.Description & VbCrLf
    If objNicConfig.DHCPEnabled Then
                intSetDNSServers = _
        WScript.Echo “DHCP not enabled on this card”
    End If

VBScript : Find Files By Owner

The following code will list all files which a particular user owns, you will need to ‘pipe’ its output to a file using the following command: cscript.exe find-own.vbs > files.txt

Set objShell = CreateObject (“Shell.Application”)
Set objStartFolder = objShell.Namespace (“N:\”)
Set objFSO = CreateObject(“Scripting.FileSystemObject”)

strUsername = “NETBIOSNAME\sAMAccountName”
oFolder = “N:\”

Dim arrHeaders(13)

ShowSubfolders objFSO.GetFolder(oFolder)

Sub ShowSubFolders(Folder)
On Error Resume Next
    For Each Subfolder in Folder.SubFolders
        Set oNsp = objShell.Namespace(Subfolder.Path)
        ‘Dim arrHeaders(13)
        For i = 0 to 13
            arrHeaders(i) = oNsp.GetDetailsOf (oNsp.Items, i)

        For Each strFileName in oNsp.Items
            If LCASE(oNsp.GetDetailsOf (strFileName, 8)) = LCASE(strUsername) Then
            Wscript.Echo Subfolder.Path & “\” & strFilename & “,” & arrHeaders(1) & “,” & Replace(oNsp.GetDetailsOf (strFileName, 1),”,”,””)
            End If
    ShowSubFolders Subfolder
End Sub

VBScript ; Ping Test

The following code will ping a semi-colon de-limited list of computers, displaying output on the command windows. Save the file as ping.vbs and call using the following command: cscript.exe ping.vbs

Set WshShell = CreateObject(“WScript.Shell”)

strPCs = “host1;host2”
strPCs = Split(strPCs,”;”)

For each PC in strPCs

Sub PingTest(strComputer)
    Set objScriptExec = WshShell.Exec(“ping ” & strComputer)
    Do While Not objscriptexec.Stdout.AtEndOfStream
        str = objscriptexec.Stdout.ReadLine   
        If InStr(1,str,”Lost = 0″,1) > 0 Then
            WScript.Echo(”   ” & strComputer & “: OK – 100%”)
        ElseIf    InStr(1,str,”Lost = 1″,1) > 0 Then
            WScript.Echo(”   ” & strComputer & “: FAIL – 75%”)
        ElseIf    InStr(1,str,”Lost = 2″,1) > 0 Then
            WScript.Echo(”   ” & strComputer & “: FAIL – 50%”)
        ElseIf    InStr(1,str,”Lost = 3″,1) > 0 Then
            WScript.Echo(”   ” & strComputer & “: FAIL – 25%”)
        ElseIf InStr(1,str,”Lost = 4″,1) > 0 Then
            WScript.Echo(”   ” & strComputer & “: FAIL – 0%”)
        End If
End Sub

Manual Windows Defender Update

If, like many, you have configured your Windows Firewall / any other 3rd party firewall to block all outgoing traffic you will find that Windows defender will be unable to update unless you allow port 80/443 (HTTP/HTTPS) for executable svchost.exe. However, this is a core Windows executable, and therefore you may wish to block this as it isn’t used by Windows Defender alone.

The solution therefore is to manually update your windows defender definitions using the following URLs:


The latest x86 / 32bit Windows Defender Updates are always available using this URL:


For x64 versions of Windows, use the following URL:


Finally, for Itanium version of Windows use the following URL:


VBScript; List AD Group Members

The script below will list all members of a particular group within AD.

The script should be called as follows from a  command window: cscript.exe script_name.vbs > Group-Members.txt

This will ‘pipe’ the results into a text file in the same folder as the vbs file.


‘—————————- Begin Copy Here

Dim arrNames()

intSize = 0

Set objGroup = GetObject(“LDAP://CN=Merchandising,OU=Security Groups,OU=UK,DC=mydom,DC=com”)

For Each strUser in objGroup.Member
    Set objUser =  GetObject(“LDAP://” & strUser)
    ReDim Preserve arrNames(intSize)
    arrNames(intSize) = objUser.CN
    intSize = intSize + 1

For i = (UBound(arrNames) – 1) to 0 Step -1
    For j= 0 to i
        If UCase(arrNames(j)) > UCase(arrNames(j+1)) Then
            strHolder = arrNames(j+1)
            arrNames(j+1) = arrNames(j)
            arrNames(j) = strHolder
        End If

For Each strName in arrNames
    Wscript.Echo strName

‘—————————- End Copy Here