Symptoms of FSMO Problems
If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don’t work properly.
| Symptom | Possible Role Involved | Reason |
| Users can’t log on. | PDC Emulator | If system clocks become unsynchronized, Kerberos may fail. |
| Can’t change passwords. | PDC Emulator | Password changes need this role holder. |
| Account lockout not working. | PDC Emulator | Account lockout enforcement needs this role holder. |
| Can’t raise the functional level for a domain. | PDC Emulator | This role holder must be available when the raising the domain functional level. |
| Can’t create new users or groups. | RID Master | RID pool has been depleted. |
| Problems with universal group memberships. | Infrastructure Master | Cross-domain object references need this role holder. |
| Can’t add or remove a domain. | Domain Naming Master | Changes to the namespace need this role holder. |
| Can’t promote or demote a DC. | Domain Naming Master | Changes to the namespace need this role holder. |
| Can’t modify the schema. | Schema Master | Changes to the schema need this role holder. |
| Can’t raise the functional level for the forest. | Schema Master | This role holder must be available when the raising the forest functional level. |
One reply on “FSMO Role Failure Symptoms”
How can the system clocks become unsynchronized ? I am trying to simulate that problem on Vmware and no matter how I change the clocks the user can always logon . I do this for testing purposes only …