The domain controller holding all 5 FSMO roles (PDC Emulator, RID Master, Infrastructure Master, Schema Master, Domain Naming Master) goes down due to a motherboard failure. Password changes, account creation, and domain joins all fail.
Pattern: ACTIVE_DIRECTORY
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands
Test Results
| Metric | Expected | Actual | Result |
| --- | --- | --- | --- |
| Pattern Recognition | ACTIVE_DIRECTORY | ACTIVE_DIRECTORY | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 30 linked | |
| Cascade Escalation | Yes | Yes | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API | |
Scenario Conditions
Single-domain forest. DC-01 holds all 5 FSMO roles. DC-01 hardware failure (motherboard). DC-02 is the only other DC. No recent system state backup of DC-01. RID pool on DC-02 nearly exhausted.
Injected Error Messages (3)
Domain Controller DC-01 offline — all 5 FSMO roles unavailable (PDC Emulator, RID Master, Infrastructure Master, Schema Master, Domain Naming Master), hardware failure detected, LDAP port 389 unreachable, DNS service on DC-01 down
AD operations degraded on DC-02 — PDC Emulator unreachable for password changes, RID pool exhaustion imminent (50 RIDs remaining), cannot create new accounts, domain join operations failing with 'The specified domain does not exist'
Help desk password reset portal failing — AD password change operations timing out, PDC Emulator FSMO role holder DC-01 unreachable, users unable to reset passwords, Kerberos pre-authentication errors increasing
Neural Engine Root Cause Analysis
The primary domain controller DC-01 hosting all 5 FSMO roles has suffered a complete hardware failure, resulting in total unavailability of critical Active Directory services including LDAP, DNS, and authentication. This represents a single point of failure scenario where the loss of one server has catastrophically impacted the entire domain infrastructure. The 12 correlated incidents within the same timeframe indicate a widespread service outage affecting multiple dependent systems and services that rely on Active Directory authentication and DNS resolution.
Remediation Plan
1. Immediately assess if DC-01 can be restored (check power, network, hardware status).
2. If DC-01 is unrecoverable, identify and promote a secondary domain controller to seize FSMO roles.
3. If no secondary DC exists, restore DC-01 from latest system state backup or deploy new DC and restore from AD backup.
4. Transfer FSMO roles to the recovered/new DC using ntdsutil or PowerShell.
5. Update DNS settings across the network to point to the new primary DC.
6. Verify all 5 FSMO roles are operational and test domain authentication.
7. Monitor correlated incidents for resolution as AD services recover.