Seizing FSMO Roles

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

The five FSMO roles are:

  • Schema master – Forest-wide and one per forest.
  • Domain naming master – Forest-wide and one per forest.
  • RID master – Domain-specific and one for each domain.
  • PDC – PDC Emulator is domain-specific and one for each domain.
  • Infrastructure master – Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network.

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role Loss implications
Schema The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming Unless you are going to run DCPROMO, then you will not miss this FSMO role.
RID Chances are good that the existing DCs will have enough unused RIDs to last some time, unless youre building hundreds of users or computer object per week.
PDC Emulator Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.
Infrastructure Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:

FSMO Role Restrictions
Schema Original must be reinstalled
Domain Naming
RID
PDC Emulator Can transfer back to original
Infrastructure

Another consideration before performing the seize operation is the administrators group membership, as this table lists:

FSMO Role Administrator must be a member of
Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator
Infrastructure

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
  1. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  1. Type connections, and then press ENTER.
  1. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
  1. At the server connections: prompt, type q, and then press ENTER again.
  1. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

  1. You will receive a warning window asking if you want to perform the seize. Click on Yes.