Seizing FSMO Roles

 

You may ask yourself, “Why would I need this option? I can transfer FSMO roles to the new Domain Controller and that’s it.” You’re right, but transferring FSMO roles is not always possible. What if the Domain Controller that held the FSMO role(s) is broken and cannot be repaired? Even if you don’t need any of the roles at this moment, they must exist in your network.

Seizing FSMO roles is the last-resort way of making another DC the FSMO holder so that your Active Directory environment keeps working. Use this option only as the last step. After you seize FSMO roles to another Domain Controller, the previous holder must not be connected to the network again before a complete reinstallation! Reconnecting it will corrupt your environment, because seizing roles doesn’t remove them from the old DC. So use this option only if your old DC cannot be repaired.

If you wish, you may also check an article about Seizing FSMO roles with PowerShell.

To seize FSMO roles you need to use the ntdsutil tool. It’s not possible to do this through the GUI.

Open a command-line window and type: ntdsutil

ntdsutil

The next step is to connect to the Domain Controller to which you want to seize the roles.

Type these commands:

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

Connecting to Domain Controller

Now that you’re connected to that Domain Controller, go one level up to the context where you can seize roles.

server connections: quit (enter)

fsmo maintenance:

Seizing FSMO roles

It’s time to seize FSMO roles to the new DC. It looks similar to transferring roles, but you use the word seize instead of transfer.

  • Schema master

fsmo maintenance: seize schema master (enter)

Confirm that you want to seize the Schema master role to this server and wait until ntdsutil completes the operation.

Schema master seize

First, the tool tries a safe transfer of the role. Because it cannot contact the broken DC, you will get an error saying that the transfer wasn’t possible. Then the role is seized.

Attempt to transfer FSMO role

Continue with role seizing.

  • Domain Naming master

Be aware that the ntdsutil syntax for seizing the Domain Naming master differs slightly between Windows Server 2003 and 2008.

For Windows Server 2003:

fsmo maintenance: seize domain naming master (enter)

For Windows Server 2008:

fsmo maintenance: seize naming master (enter)

Accept the change and wait until the role is seized.

Domain Naming master seize

  • RID master

Follow the same steps for the other FSMO roles.

fsmo maintenance: seize rid master (enter)

RID master seize

  • PDC Emulator master

fsmo maintenance: seize pdc (enter)

PDC Emulator master seize

  • Infrastructure master

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.

fsmo maintenance: seize infrastructure master (enter)

Infrastructure master seize

That was the last FSMO role to seize. You can verify that your new DC holds all of them.

FSMO roles seizing summary

Leave the ntdsutil tool by typing quit:

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

and close the command-line window.

You can also use the netdom command to verify the FSMO role holders. Type in the command line: netdom query fsmo and review the output.

Verifying FSMO roles holder

You will see that your new Domain Controller now holds all of the FSMO roles.
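
The netdom check above can be scripted so that a role left behind on the failed DC is not overlooked. This is an added example, not part of the original article: the function name Test-FsmoHolder and the corp.example host names are hypothetical, the sample output is constructed, and it assumes netdom prints each role as one of the labels listed in the code followed by the holder's FQDN.

```powershell
# Added example. Test-FsmoHolder and the corp.example host names are hypothetical.
function Test-FsmoHolder {
    param(
        [string[]] $NetdomOutput,    # lines printed by: netdom query fsmo
        [string]   $ExpectedHolder   # FQDN of the DC the roles were seized to
    )
    # Assumed role labels, each followed on its line by the holder's FQDN.
    $labels = 'Schema master', 'Domain naming master', 'PDC',
              'RID pool manager', 'Infrastructure master'
    foreach ($label in $labels) {
        $pattern = '^\s*' + [regex]::Escape($label) + '\s+(\S+)\s*$'
        $holder = $null
        foreach ($line in $NetdomOutput) {
            if ($line -match $pattern) { $holder = $Matches[1]; break }
        }
        # A role passes only if it was found and sits on the expected DC.
        [pscustomobject]@{
            Role   = $label
            Holder = $holder
            Ok     = ($null -ne $holder) -and ($holder -ieq $ExpectedHolder)
        }
    }
}

# Constructed sample: four roles seized to DC2, one still listed on the failed DC1.
$sample = @'
Schema master               DC2.corp.example
Domain naming master        DC2.corp.example
PDC                         DC2.corp.example
RID pool manager            DC2.corp.example
Infrastructure master       DC1.corp.example
The command completed successfully.
'@ -split "`r?`n"

$results = Test-FsmoHolder -NetdomOutput $sample -ExpectedHolder 'DC2.corp.example'
$results | Format-Table -AutoSize

# Report every role that is missing from the output or held by another DC.
$notSeized = @($results | Where-Object { -not $_.Ok })
if ($notSeized.Count -gt 0) {
    Write-Warning ("Not on expected holder: " + ($notSeized.Role -join ', '))
}
```

On a Domain Controller, pass the live output instead of the sample: `Test-FsmoHolder -NetdomOutput (netdom query fsmo) -ExpectedHolder <DC-Name>`.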

Roles have been seized. Now it’s time to do a metadata cleanup to remove information about the broken Domain Controller from your Active Directory environment, and to clean up DNS records and Sites and Services.

To summarize ntdsutil commands:

ntdsutil (enter)

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance: seize schema master (enter)

2003 server: fsmo maintenance: seize domain naming master (enter)

2008 server: fsmo maintenance: seize naming master (enter)

fsmo maintenance: seize rid master (enter)

fsmo maintenance: seize pdc (enter)

fsmo maintenance: seize infrastructure master (enter)

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

It’s done.

Author: Krzysztof Pytko


10 responses to “Seizing FSMO Roles”

  1. Terrance says :

    Very nice instructions and works great! Thanks

     
  2. Robert Schmidt says :

    Very nice instruction indeed! Very clear and quite easy. You saved my day today!

     
  3. www.skybet.com says :

    When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each
    time a comment is added I get three e-mails
    with the same comment. Is there any way you can remove me from
    that service? Thank you!

     
    • iSiek says :

      Hi,

      I’m sorry but I also could not find any option to unsubscribe you from receiving new comments of this post

      Regards,
      Krzysztof

       
  4. iTerry says :

    Hi, I can to use it when to error message is: “Windows cannot create the object because the Directory Service was unable to allocate a relative identifier

     
  5. Keshav Reddy says :

    Very nice instructions. Thanks a lot.

     
