Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

How to Seize an Active Directory FSMO Role


There are 5 roles in Active Directory, called Flexible Single Master Operations (FSMO) roles, that are handled by certain Domain Controllers in Active Directory. If you only have one Domain Controller (DC) then all 5 roles will reside on that DC. However, when you have multiple DCs you can transfer or seize a role, either to optimize the behavior of certain services that are managed by these roles or when you are adding or removing DCs in your network.

  1. Schema master – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
  2. Domain naming master – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
  3. RID master – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
  4. PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
  5. Infrastructure master – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

Transferring a role is usually considered a relatively safe process, and it requires that both the source and the destination server are running and available on the network. Seizing a role, however, is meant for rare situations, such as a DC that has crashed and that you need to replace with a new server. In that case you can seize the role, which essentially transfers the role forcibly, even if the source server is unavailable.

Here are the steps you can use to seize a FSMO role.

  1. It is best to log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
  2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  3. Type roles, and then press ENTER.
  4. Type connections, and then press ENTER.
  5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  6. At the server connections prompt, type q, and then press ENTER.
  7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
  8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
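
A read-only pre-check for the procedure above, as an added example that is not part of the original article: it lists the current holder of each FSMO role and whether that holder still answers on LDAP, so that a seize is only considered for a role whose holder is really unavailable. It assumes the ActiveDirectory PowerShell module is installed; the function name Get-FsmoSeizeReport and the server name DC02.example.local are placeholders.

```powershell
# Added example (not from the article): read-only report, changes nothing.
# Assumes the ActiveDirectory module (RSAT); the DC name below is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoSeizeReport {
    param(
        [Parameter(Mandatory)]
        [string]$TargetDC   # DC that should end up holding the roles
    )

    # Normalise the target to its FQDN so it compares cleanly with role holders.
    $target = (Get-ADDomainController -Identity $TargetDC -Server $TargetDC).HostName
    $forest = Get-ADForest -Server $TargetDC
    $domain = Get-ADDomain -Server $TargetDC

    $holders = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'RID master'            = $domain.RIDMaster
        'PDC emulator'          = $domain.PDCEmulator
        'Infrastructure master' = $domain.InfrastructureMaster
    }

    foreach ($role in $holders.Keys) {
        $holder = $holders[$role]
        if ($holder -eq $target) {
            $online = $true
            $action = 'None: role is already on the target'
        }
        else {
            # LDAP (TCP 389) is a better liveness signal for a DC than ping.
            $online = Test-NetConnection -ComputerName $holder -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            $action = if ($online) { 'Transfer: holder is online, do not seize' } else { 'Seize candidate: holder unreachable' }
        }
        [pscustomobject]@{
            Role          = $role
            CurrentHolder = $holder
            HolderOnline  = $online
            Action        = $action
        }
    }
}

Get-FsmoSeizeReport -TargetDC 'DC02.example.local' | Format-Table -AutoSize
```

Running it again after step 8 should show the target DC as CurrentHolder for the role that was seized.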

For more information, check out the article KB255504.


Copyright ©2014 Zubair Alexander. All rights reserved.
