Transferring one or more FSMO roles from one Domain Controller to another is a simple operation, but it assumes that all DCs are online and operational.
What happens if a DC that already has an FSMO role crashes or goes down for a long amount of time? Because the server is no longer operational, the FSMO role transfer cannot be completed.
In such instances, we use a process known as 'seize' to force the transfer of the FSMO roles. Seizing FSMO roles from a non-functional DC is the last option and means that DC will not be operational again until it is rebuilt.
Even if you can restore the old DC (for example, after a crash), once you have seized its role it should not be returned to the network, since it will cause more issues in the existing infrastructure.
As seen below, the FSMO roles may be seized using either PowerShell or NTDSUtil.
With PowerShell, the command is the same as for a normal transfer, with the addition of the -Force switch.
To seize the Domain Naming Master role, for example, execute the following command.
Move-ADDirectoryServerOperationMasterRole -Identity <TargetDC> -OperationMasterRole domainnamingmaster -Force
In the -OperationMasterRole switch you can declare one or more FSMO roles, separated by a comma (,). For example:
-OperationMasterRole schemamaster, domainnamingmaster, pdcemulator, ridmaster, infrastructuremaster
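A pre-check to run before the seize described above, as an added example that is not from the original post: it lists the current role holders, stops if the failed DC still answers on LDAP, and seizes only the roles that DC held. The name DC02 is a placeholder for the failed DC, DC01 is the target, and a single-domain forest is assumed.

```powershell
# Added example. DC02 (failed DC) and DC01 (target DC) are placeholder names.
Import-Module ActiveDirectory

$FailedDC = 'DC02'   # assumed name of the non-functional role holder
$TargetDC = 'DC01'   # surviving DC that will receive the roles

# Query a surviving DC, since the failed one cannot answer.
$domain = Get-ADDomain -Server $TargetDC
$forest = Get-ADForest -Server $TargetDC

# Map each FSMO role to the DC that currently holds it.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | Format-Table Name, Value -AutoSize

# Roles recorded against the failed DC (holders are returned as FQDNs).
$toSeize = @($holders.GetEnumerator() |
    Where-Object { $_.Value -like "$FailedDC.*" -or $_.Value -eq $FailedDC } |
    ForEach-Object { $_.Key })

if ($toSeize.Count -eq 0) {
    Write-Output "$FailedDC holds no FSMO roles; nothing to seize."
    return
}

# Seizing is only for a DC that is really down: stop if it still answers on LDAP.
if (Test-NetConnection -ComputerName $FailedDC -Port 389 -InformationLevel Quiet) {
    throw "$FailedDC still answers on LDAP (389). Use a normal transfer, not -Force."
}

# -Force seizes the roles; -Confirm prompts before each role is moved.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole $toSeize -Force -Confirm

# Verify the new role holders.
netdom query fsmo
```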
To use NTDSUtil instead, first open the command prompt with administrative privileges.
Type ntdsutil and press Enter.
Type roles and press Enter.
Type connections and press Enter.
Type connect to server DC01 and press Enter, where DC01 is the computer name of the server to transfer the FSMO roles to.
Type quit and press Enter.
Then, we will seize the FSMO roles one by one with the corresponding command, as the case may be. After each Enter, a confirmation window appears. Just click Yes to continue.
Note that during the seize process, NTDSUtil tries to make a simple transfer first (which obviously fails) and then proceeds to the forcible transfer.
For the Schema Master role, type seize schema master and press Enter.
For the Domain Naming Master role, type seize naming master and press Enter.
For the RID Master role, type seize rid master and press Enter.
For the PDC Emulator role, type seize pdc and press Enter.
For the Infrastructure Master role, type seize infrastructure master and press Enter.
Finally, type quit to exit the NTDSUtil environment.
So, that's all for this blog. I will meet you soon with the next one. Have a nice day!