You can use the Ntdsutil.exe (available on any Windows Server edition) command-line tool to transfer and seize any operations master (also known as flexible single master operations or FSMO) role.
You must use Ntdsutil.exe to seize the schema operations master, domain naming operations master, and relative ID (RID) operations master roles.
When you use Ntdsutil.exe to seize an operations master role, the tool first attempts a transfer from the current role owner. If the current role owner is not available, the tool seizes the role.
When you use Ntdsutil.exe to seize an operations master role, the procedure is nearly identical for all roles. There is a minor change in the command syntax for versions of Ntdsutil.exe that run on Windows Server 2008 and Windows Server 2008 R2, as noted below. For more information about using Ntdsutil.exe, type ? at the ntdsutil: command prompt.
Recommended Best Practice setup of FSMO roles
If you only have one domain controller (not recommended), there is nothing to do, since all roles must be on that server; but if you have multiple servers you should spread some of these roles across them.
It is also important to know which servers are Global Catalog servers, especially if you have more than one domain. Even with a single domain, applications such as Exchange Server prefer Global Catalog servers.
It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server.
Domain Controller #1
Place the two forest roles on this server:
- Schema Master
- Domain Naming Master
Domain Controller #2
Place the domain roles on this server:
- RID Master
- Infrastructure Master
- PDC Emulator
If more domains exist in the forest, place the domain roles on a server in these domains like Domain Controller #2.
Why seize AD roles?
You probably ask yourself “why would I need this option? I can transfer the FSMO roles to the new Domain Controller and that’s it.” You’re right, but transferring FSMO roles is not always possible.
What if the Domain Controller that held the FSMO role(s) is broken and cannot be repaired? Even if you don’t need any of the roles at this moment, they must exist somewhere in your network.
Seizing FSMO roles is the last possible way of making another DC the FSMO holder and keeping your Active Directory environment working.
This option should be used as the last step. After you seize FSMO roles to another Domain Controller, the previous holder must never be connected to the network again before a complete reinstallation. Seizing roles does not remove them from the old DC, so bringing it back online would corrupt your environment (two DCs would each claim the same role). So use this option only if your old DC cannot be repaired.
To seize FSMO roles you need to use the ntdsutil tool. It is not possible to do this from the GUI.
Open a command prompt and type: ntdsutil
The next step is to connect to the Domain Controller to which you want to seize the roles.
Type these commands:
ntdsutil: roles (enter)
fsmo maintenance: connections (enter)
server connections: connect to server <name of the new DC> (enter)
Now you are connected to that Domain Controller. Go one level up, to the context where you can seize roles.
server connections: quit (enter)
fsmo maintenance:
It’s time to seize the FSMO roles to the new DC. It looks similar to transferring roles, but instead of transfer you use the word seize.
Schema master
fsmo maintenance: seize schema master (enter)
Confirm that you want to seize the Schema master role to this server and wait until ntdsutil has finished.
First, the tool tries a safe transfer of the role. It cannot contact the broken DC, so you will get an error saying that the transfer was not possible. The role is then seized:
Domain Naming master
Be aware that ntdsutil has a small syntax difference between Windows Server 2003 and Windows Server 2008 for seizing the Domain Naming master.
For Windows Server 2003:
fsmo maintenance: seize domain naming master (enter)
For Windows Server 2008:
fsmo maintenance: seize naming master (enter)
Accept the change and wait until the role has been seized.
RID master
Follow the same steps for the other FSMO roles, as shown here for the RID role:
fsmo maintenance: seize rid master (enter)
PDC Emulator master
fsmo maintenance: seize pdc (enter)
Infrastructure master
Important: In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.
fsmo maintenance: seize infrastructure master (enter)
That was the last FSMO role to seize. You can verify that your new DC holds all of them:
Leave the ntdsutil tool by typing quit (or q).
fsmo maintenance: quit (enter)
ntdsutil: quit (enter)
Then close the command prompt window.
You can also use the netdom command to verify the FSMO role holders. Type at the command prompt: netdom query fsmo and review the output:
You will see that your new Domain Controller now holds all of the FSMO roles.
The roles have been seized. Now it is time to do a metadata cleanup to remove the information about the broken Domain Controller from your Active Directory environment, and to clean up its DNS records and its Sites and Services entries.
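An added example, not part of the original post: a PowerShell check that covers both the placement rules from the best-practice section above (Infrastructure Master not on a Global Catalog unless every DC is one) and the post-seizure verification just done with netdom query fsmo. It assumes the RSAT ActiveDirectory module; Test-FsmoPlacement, the -ExpectedHolder parameter and the DC name 'DC02.corp.example' are names chosen for this example.

```powershell
# Assumes the RSAT ActiveDirectory module; Test-FsmoPlacement and
# -ExpectedHolder are names chosen for this example.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param([string]$ExpectedHolder)   # FQDN of the DC that should now hold the roles
    $forest   = Get-ADForest
    $findings = @()
    # The two forest-wide roles exist once per forest.
    $roles = [ordered]@{
        'Schema Master'        = $forest.SchemaMaster
        'Domain Naming Master' = $forest.DomainNamingMaster
    }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles["RID Master ($domainName)"]            = $domain.RIDMaster
        $roles["PDC Emulator ($domainName)"]          = $domain.PDCEmulator
        $roles["Infrastructure Master ($domainName)"] = $domain.InfrastructureMaster
        # Rule from the post: the Infrastructure Master must not sit on a
        # Global Catalog unless every DC in the domain is a Global Catalog.
        $dcs   = Get-ADDomainController -Filter * -Server $domainName
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        if (-not $allGc -and $infra -and $infra.IsGlobalCatalog) {
            $findings += "Infrastructure Master of $domainName is on GC $($infra.HostName)"
        }
    }
    # After a seizure, every forest role and every domain role of the new DC's
    # own domain should be on that DC; anything else still needs attention.
    if ($ExpectedHolder) {
        $holderDomain = (Get-ADDomainController -Identity $ExpectedHolder).Domain
        foreach ($name in $roles.Keys) {
            $isForestRole = $name -notlike '*(*'
            if (($isForestRole -or $name -like "*($holderDomain)") -and
                $roles[$name] -ne $ExpectedHolder) {
                $findings += "$name is on $($roles[$name]), expected $ExpectedHolder"
            }
        }
    }
    [pscustomobject]@{ Roles = $roles; Findings = $findings }
}

# 'DC02.corp.example' is a constructed sample; use the DC you seized the roles to.
$report = Test-FsmoPlacement -ExpectedHolder 'DC02.corp.example'
$report.Roles
if ($report.Findings) { $report.Findings | Write-Warning } else { 'FSMO placement OK' }
```

Run it from a domain-joined admin workstation after the seizure and again after the metadata cleanup; the old DC should no longer appear in any role or in the Get-ADDomainController output.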
To summarize ntdsutil commands:
ntdsutil (enter)
ntdsutil: roles (enter)
fsmo maintenance: connections (enter)
server connections: connect to server <name of the new DC> (enter)
server connections: quit (enter)
fsmo maintenance: seize schema master (enter)
2003 server: fsmo maintenance: seize domain naming master (enter)
2008 server: fsmo maintenance: seize naming master (enter)
fsmo maintenance: seize rid master (enter)
fsmo maintenance: seize pdc (enter)
fsmo maintenance: seize infrastructure master (enter)
fsmo maintenance: quit (enter)
ntdsutil: quit (enter)
It’s done.
Transferring or seizing FSMO roles between Domain Controllers in a Windows Server production environment is always a tense moment for any system engineer or system administrator. :-) To do a good job you need to be well prepared to migrate the FSMO roles, or to seize them in case of failure, to a new (or virtual, if needed) domain controller.
To learn more, read the full post on HeelpBook:
Active Directory – How to seize the Operations Master Roles http://heelpbook.altervista.org/2014/active-directory-how-to-seize-the-operations-master-roles/