{"id":4736,"date":"2014-07-05T11:19:28","date_gmt":"2014-07-05T19:19:28","guid":{"rendered":"https:\/\/www.zubairalexander.com\/stage\/?p=4736"},"modified":"2014-07-12T13:42:42","modified_gmt":"2014-07-12T21:42:42","slug":"how-to-seize-an-active-directory-fsmo-role","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/how-to-seize-an-active-directory-fsmo-role\/","title":{"rendered":"How to Seize an Active Directory FSMO Role"},"content":{"rendered":"

There are 5 roles in Active Directory, called Flexible Single Master Operations (FSMO) roles, that are handled by certain Domain Controllers in Active Directory. If you only have one Domain Controller (DC) then all 5 roles will reside on that DC. However, you can transfer or seize the role when you have multiple DCs either to optimize the behavior of certain services that are managed by these roles, or when you are adding or removing DCs in your network.<\/span><\/p>\n

    \n
  1. Schema master<\/strong> – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep \/domainprep<\/strong> command.<\/span><\/li>\n
  2. Domain naming master<\/strong> – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest. <\/span><\/li>\n
  3. RID master<\/strong> – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.<\/span><\/li>\n
  4. PDC emulator<\/strong> – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.<\/span><\/li>\n
  5. Infrastructure master<\/strong> – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep \/forestprep<\/strong> command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.<\/span><\/li>\n<\/ol>\n

    Usually transferring the role is considered a relatively safe process and it requires that both the source and the destination server are running and available on the network. However, seizing the role is meant to be used in rare situations, such as a DC that has crashed and you need to replace it with a new server. In that case you can seize the role which essentially transfers the role forcibl<\/span>y, even if the source server is unavailable.<\/span><\/p>\n

    Here are the steps you can use to seize a FSMO role.<\/span><\/p>\n

      \n
    1. It is best to log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.<\/span><\/li>\n
    2. Click Start<\/strong>, click Run<\/strong>, type ntdsutil<\/span> in the Open<\/strong> box, and then click OK<\/strong>.<\/span><\/li>\n
    3. Type roles<\/span>, and then press ENTER.<\/span><\/li>\n
    4. Type connections<\/span>, and then press ENTER.<\/span><\/li>\n
    5. Type connect to server servername<\/var><\/span>, and then press ENTER, where servername<\/var> is the name of the domain controller that you want to assign the FSMO role to.<\/span><\/li>\n
    6. At the server connections<\/strong> prompt, type q<\/span>, and then press ENTER.<\/span><\/li>\n
    7. Type seize role<\/var><\/span>, where role<\/var> is the role that you want to seize. For a list of roles that you can seize, type ?<\/span> at the fsmo maintenance<\/strong> prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master<\/span>. The one exception is for the PDC emulator role, whose syntax is seize pdc<\/span>, not seize pdc emulator<\/span>.<\/span><\/li>\n
    8. At the fsmo maintenance<\/strong> prompt, type q<\/span>, and then press ENTER to gain access to the ntdsutil<\/strong> prompt. Type q<\/span>, and then press ENTER to quit the Ntdsutil utility.<\/span><\/li>\n<\/ol>\n

      For more information, check out the article<\/span> KB255504<\/a>.<\/p>\n

      \n

      Copyright \u00a92014 Zubair Alexander. All rights reserved.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

      There are 5 roles in Active Directory, called Flexible Single Master Operations (FSMO) roles, that are handled by certain Domain Controllers in Active Directory. If you only have one Domain Controller (DC) then all 5 roles will reside on that DC. However, you can transfer or seize the role when you have multiple DCs either […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6,43,11,48,38,30,65],"tags":[],"class_list":["post-4736","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-articles","category-tips-tricks","category-windows-2000","category-windows-2003","category-longhorn-server","category-windows-2012"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/4736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/comments?post=4736"}],"version-history":[{"count":0,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/4736\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media?parent=4736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/categories?post=4736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/tags?post=4736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}