Seizing FSMO Roles

You are probably asking yourself, "why would I ever need this option? I can transfer the FSMO roles to the new Domain Controller and that's it." You're right, but transferring FSMO roles is not always possible. What if the Domain Controller that held the FSMO role(s) is broken and cannot be repaired? Even if you don't need any of the roles at this moment, they must exist somewhere in your network.

Seizing FSMO roles is the last possible way of making another DC the FSMO holder so that your Active Directory environment keeps working. Use it only as the final step. After you seize FSMO roles to another Domain Controller, the previous holder must never be connected to the network again before a complete reinstallation! Seizing does not remove the roles from the old DC, so bringing it back online would leave two DCs claiming the same roles and corrupt your environment. Use this option only if the old DC cannot be repaired.

To seize FSMO roles you need the ntdsutil tool. It is not possible to do this from the GUI.

Open a command prompt and type: ntdsutil

The next step is to connect to the Domain Controller to which you want to seize the roles.

Type these commands:

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

[Screenshot: Connecting to Domain Controller]

Now that you are connected to that Domain Controller, go one level up to the context in which you can seize roles.

server connections: quit (enter)

fsmo maintenance:

Seizing FSMO roles

It's time to seize the FSMO roles to the new DC. The commands look like those for transferring roles, but instead of transfer you use the word seize.

  • Schema master

fsmo maintenance: seize schema master (enter)

Confirm that you want to seize the Schema master role to this server and wait until ntdsutil finishes.

[Screenshot: Schema master seize]

First, the tool attempts a safe transfer of the role. Because it cannot contact the broken DC, you will get an error saying the transfer was not possible; the role is then seized.

[Screenshot: Attempt to transfer FSMO role]

Continue with role seizing.

  • Domain Naming master

Be aware that ntdsutil has a small syntax difference between Windows Server 2003 and 2008 for seizing the Domain Naming master.

For Windows Server 2003:

fsmo maintenance: seize domain naming master (enter)

For Windows Server 2008:

fsmo maintenance: seize naming master (enter)

Accept the change and wait until the role has been seized.

[Screenshot: Domain Naming master seize]

  • RID master

Follow the same steps for the remaining FSMO roles.

fsmo maintenance: seize rid master (enter)

[Screenshot: RID master seize]

  • PDC Emulator master

fsmo maintenance: seize pdc (enter)

[Screenshot: PDC Emulator master seize]

  • Infrastructure master

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master must be placed on a non-Global Catalog Domain Controller; otherwise it will not update cross-domain references correctly.

fsmo maintenance: seize infrastructure master (enter)

[Screenshot: Infrastructure master seize]

That was the last FSMO role to seize. You can now verify that your new DC holds all of them.

[Screenshot: FSMO roles seizing summary]

Leave the ntdsutil tool by typing quit at each level:

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

and close the command prompt window.

You can also use the netdom command to verify the FSMO role holders. At the command prompt type: netdom query fsmo and review the output.

[Screenshot: Verifying FSMO roles holder]

You will see that your new Domain Controller now holds all of the FSMO roles.
The roles have been seized. Now it's time to do a metadata cleanup to remove the broken Domain Controller from your Active Directory environment, and to clean up its DNS records and its entry in Sites and Services.

To summarize ntdsutil commands:

ntdsutil (enter)

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance: seize schema master (enter)

2003 server: fsmo maintenance: seize domain naming master (enter)

2008 server: fsmo maintenance: seize naming master (enter)

fsmo maintenance: seize rid master (enter)

fsmo maintenance: seize pdc (enter)

fsmo maintenance: seize infrastructure master (enter)

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

It’s done.
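As an added example that is not part of the original post, the following PowerShell script does the same job as the ntdsutil sequence above and then verifies the result the way the netdom query fsmo step does. It assumes the ActiveDirectory module (RSAT) is installed and that you run it with Schema Admins, Enterprise Admins and Domain Admins rights; the server name DC02 is a placeholder for the surviving DC. Move-ADDirectoryServerOperationMasterRole with -Force behaves like ntdsutil's seize: it first tries a normal transfer and seizes only when the current holder does not answer.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$NewHolder = 'DC02'   # placeholder: host name of the DC that should take over the roles

# The five operations master roles, named as the cmdlet's OperationMasterRole enum expects.
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Invoke-FsmoSeize {
    param([string]$Target, [string[]]$RoleList)
    # -Force turns the transfer into a seize when the current holder cannot be contacted,
    # which is exactly the situation ntdsutil's "seize ..." commands are meant for.
    # -Confirm:$false suppresses the per-role confirmation prompt.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole $RoleList -Force -Confirm:$false
}

function Get-FsmoHolders {
    # Forest-wide roles are reported by Get-ADForest, domain roles by Get-ADDomain.
    $Forest = Get-ADForest
    $Domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $Forest.SchemaMaster
        DomainNamingMaster   = $Forest.DomainNamingMaster
        PDCEmulator          = $Domain.PDCEmulator
        RIDMaster            = $Domain.RIDMaster
        InfrastructureMaster = $Domain.InfrastructureMaster
    }
}

function Test-FsmoHolder {
    param([string]$Expected)
    # Returns one line per role that is NOT held by $Expected; no output means the seize is complete.
    # Holder values are FQDNs (for example dc02.corp.example), so compare on the host label only.
    $Holders = Get-FsmoHolders
    $Holders.Keys | Where-Object {
        ($Holders[$_] -split '\.')[0] -ne $Expected
    } | ForEach-Object { "$_ is held by $($Holders[$_])" }
}

Invoke-FsmoSeize -Target $NewHolder -RoleList $Roles

$Missing = Test-FsmoHolder -Expected $NewHolder
if ($Missing) {
    Write-Warning "Roles not held by ${NewHolder}:`n$($Missing -join "`n")"
} else {
    Write-Host "All five FSMO roles are now held by $NewHolder. Next: metadata cleanup of the old DC."
}
```

The same warning from the post applies here: after a seize, the old DC must stay off the network until it is reinstalled, because nothing in this script (or in ntdsutil) removes the role ownership it still believes it has.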

Ensure that your new primary domain controller is also a global catalog server:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  3. Open the Servers folder, and then click the domain controller.
  4. In the domain controller's folder, double-click NTDS Settings.
  5. On the Action menu, click Properties.
  6. On the General tab, view the Global Catalog check box to see if it is selected.
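As an added example, not part of the original post, this PowerShell script performs the Global Catalog check from the steps above without the GUI and also tests the Infrastructure master placement rule mentioned earlier (a non-Global Catalog DC when not every DC in a multi-domain forest is a GC). It assumes the ActiveDirectory module is installed; DC02 is a placeholder for the new role holder and DC01 a placeholder for the broken DC that still awaits metadata cleanup.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$NewHolder = 'DC02'   # placeholder: the DC that now holds the FSMO roles
$OldDc     = 'DC01'   # placeholder: the broken DC whose roles were seized

function Test-GlobalCatalog {
    param([string]$DcName)
    # Same information as the "Global Catalog" check box under NTDS Settings in Sites and Services.
    (Get-ADDomainController -Identity $DcName).IsGlobalCatalog
}

function Test-InfrastructureMasterPlacement {
    # Rule: when some DCs in the domain are not GCs, the Infrastructure master must itself be a
    # non-GC DC. In a single-domain forest, or when every DC is a GC, the placement does not matter.
    $Domain       = Get-ADDomain
    $Dcs          = Get-ADDomainController -Filter *
    $ImHolder     = $Dcs | Where-Object { $_.HostName -eq $Domain.InfrastructureMaster }
    $NonGcExists  = [bool]($Dcs | Where-Object { -not $_.IsGlobalCatalog })
    $SingleDomain = (Get-ADForest).Domains.Count -eq 1

    if ($SingleDomain -or -not $NonGcExists) {
        return "OK: Infrastructure master placement is irrelevant (single-domain forest or all DCs are GCs)."
    }
    if ($ImHolder -and $ImHolder.IsGlobalCatalog) {
        return "WARNING: Infrastructure master $($Domain.InfrastructureMaster) is a GC while other DCs are not; move the role to a non-GC DC."
    }
    "OK: Infrastructure master $($Domain.InfrastructureMaster) is on a non-GC DC."
}

function Test-DcStillRegistered {
    param([string]$DcName)
    # After a seize the broken DC is still registered in AD until metadata cleanup removes it.
    [bool](Get-ADDomainController -Filter "Name -eq '$DcName'")
}

if (Test-GlobalCatalog -DcName $NewHolder) {
    Write-Host "$NewHolder is a Global Catalog."
} else {
    Write-Warning "$NewHolder is not a Global Catalog; enable it on its NTDS Settings object before decommissioning the old DC."
}

Test-InfrastructureMasterPlacement

if (Test-DcStillRegistered -DcName $OldDc) {
    Write-Warning "$OldDc is still registered in Active Directory; run metadata cleanup and remove its DNS and Sites and Services entries."
}
```

Run it after the seize from the new role holder (or any domain-joined admin workstation with RSAT); the three checks map directly to the GUI steps above, the Infrastructure master note in the ntdsutil section, and the metadata cleanup reminder at the end of the post.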