4/2/2020 Seizing FSMO Roles - Petri


Seizing FSMO Roles


Daniel Petri | Jan 08, 2009


https://www.petri.com/seizing_fsmo_roles 1/13

How can I forcibly transfer (seize) some or all of the FSMO Roles from one
DC to another?

Windows 2000/2003 Active Directory domains utilize a Single Operation
Master method called FSMO (Flexible Single Master Operation), as
described in Understanding FSMO Roles in Active Directory.

The five FSMO roles are:

Schema master – Forest-wide and one per forest.

Domain naming master – Forest-wide and one per forest.

RID master – Domain-specific and one for each domain.

PDC – PDC Emulator is domain-specific and one for each domain.

Infrastructure master – Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of
them) in the same spot (or actually, on the same DC) as has been
configured by the Active Directory installation process. However, there are
scenarios where an administrator would want to move one or more of the
FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the
future FSMO role holder are online and operational is called Transferring,
and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became
non-operational for a long period of time, the administrator might consider
moving the FSMO role from the original, non-operational holder, to a
different DC. The process of moving the FSMO role from a non-operational
role holder to a different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the
server online again. None of the FSMO roles are immediately critical
(well, almost none; the loss of the PDC Emulator FSMO role might become
a problem unless you fix it in a reasonable amount of time), so it is not a
problem for them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back online, and transfer the FSMO
roles to a reliable computer. Administrators should use extreme caution in
seizing FSMO roles. This operation, in most cases, should be performed
only if the original FSMO role owner will not be brought back into the
environment. Only seize a FSMO role if absolutely necessary when the
original role holder is not connected to the network.


What will happen if you do not perform the seize in time? This table has the
info:

FSMO Role        Loss implications

Schema           The schema cannot be extended. However, in the short term
                 no one will notice a missing Schema Master unless you plan
                 a schema upgrade during that time.

Domain Naming    Unless you are going to run DCPROMO, you will not miss
                 this FSMO role.

RID              Chances are good that the existing DCs will have enough
                 unused RIDs to last some time, unless you're building
                 hundreds of user or computer objects per week.

PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to
                 replicate, there will be no time synchronization in the
                 domain, you will probably not be able to change or
                 troubleshoot group policies, and password changes will
                 become a problem.

Infrastructure   Group memberships may be incomplete. If you only have one
                 domain, then there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then
the original domain controller must not be activated in the forest again. It is
necessary to reinstall Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:

FSMO Role        Restrictions

Schema           Original must be reinstalled
Domain Naming    Original must be reinstalled
RID              Original must be reinstalled
PDC Emulator     Can transfer back to original
Infrastructure   Can transfer back to original

Another consideration before performing the seize operation is the
administrator's group membership, as this table lists:

FSMO Role        Administrator must be a member of

Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or
complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
box, and then click OK.

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\WINDOWS>ntdsutil
    ntdsutil:

2. Type roles, and then press ENTER.

    ntdsutil: roles
    fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the
Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

    fsmo maintenance: connections
    server connections:

4. Type connect to server <servername>, where <servername> is the name
of the server you want to use, and then press ENTER.

    server connections: connect to server server100
    Binding to server100 ...
    Connected to server100 using credentials of locally logged on user.
    server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

    server connections: q
    fsmo maintenance:

6. Type seize <role>, where <role> is the role you want to seize. For
example, to seize the RID Master role, you would type seize rid master:

Options are:

    Seize domain naming master
    Seize infrastructure master
    Seize PDC
    Seize RID master
    Seize schema master

7. You will receive a warning window asking if you want to perform the
seize. Click on Yes.

    fsmo maintenance: Seize infrastructure master
    Attempting safe transfer of infrastructure FSMO before seizure.
    ldap_modify_sW error 0x34(52 (Unavailable).
    Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem
    , data 1722

    Win32 error returned is 0x20af(The requested FSMO operation failed. The
    r could not be contacted.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Transfer of infrastructure FSMO failed, proceeding with seizure ...
    Server "server100" knows about 5 roles
    Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site
    Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site
    PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Na
    RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Na
    Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-Fi
    fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is
out of the forest then seize all roles. Determine which roles are to be on
which remaining domain controllers so that all five roles are not on only one
server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.

9. After you seize or transfer the roles, type q, and then press ENTER until
you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain
controller as the Global Catalog server. If the Infrastructure Master runs on a
GC server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a GC
server holds a partial replica of every object in the forest.
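
As an added example (not part of the original article and not a Microsoft tool), the Python code below parses the role listing that Ntdsutil prints in step 7 and compares a capture taken before the seizure with one taken after it, flagging roles still on the failed DC, roles whose original holder must be reinstalled, and all five roles landing on one server. The sample listings, the DC names DC1 and DC2, and the function names are constructed for illustration.

```python
import re

# Role labels as Ntdsutil prints them; "Domain" is the domain naming master.
ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
# Per the article's restrictions table: after one of these roles is seized,
# the original holder must be reinstalled before it is used again.
REINSTALL_IF_SEIZED = {"Schema", "Domain", "RID"}
ROLE_LINE = re.compile(
    r"^\s*(%s)\s+-\s+CN=NTDS Settings,CN=([^,\s]+)" % "|".join(ROLES))


def parse_role_holders(listing):
    """Return {role label: holder DC name} from a 'knows about 5 roles' listing."""
    holders = {}
    for line in listing.splitlines():
        match = ROLE_LINE.match(line)
        if match:
            holders[match.group(1)] = match.group(2).upper()
    return holders


def review_seizure(before, after, failed_dc):
    """Compare listings captured before and after moving roles off failed_dc."""
    failed = failed_dc.upper()
    old, new = parse_role_holders(before), parse_role_holders(after)
    findings = []
    for role in ROLES:
        if role not in new:
            findings.append("%s: not listed, check the capture" % role)
        elif new[role] == failed:
            findings.append("%s: still held by %s" % (role, failed))
        elif old.get(role) == failed and role in REINSTALL_IF_SEIZED:
            findings.append("%s: moved off %s; if seized, reinstall it before reuse"
                            % (role, failed))
    if len(new) == len(ROLES) and len(set(new.values())) == 1:
        findings.append("all five roles are on one server")
    return findings


# Constructed sample listings (hypothetical DCs DC1 and DC2, not a real forest).
DN = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test"


def make_listing(holders):
    return "\n".join("%s - %s" % (role, DN % dc) for role, dc in zip(ROLES, holders))


BEFORE = make_listing(["DC2", "DC1", "DC1", "DC2", "DC1"])
AFTER = make_listing(["DC1", "DC1", "DC1", "DC2", "DC1"])  # RID not yet seized

if __name__ == "__main__":
    for finding in review_seizure(BEFORE, AFTER, "dc2"):
        print(finding)
```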

Links

Windows 2000 Active Directory FSMO roles – 197132

Flexible Single Master Operation Transfer and Seizure Process – 223787

Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller – 255504

How To View and Transfer FSMO Roles in Windows Server 2003 – 324801
