How to Seize a FSMO Role with NTDSUtil

If a domain controller that holds one or more of the five FSMO roles becomes permanently unavailable, you’ll ultimately need to seize the roles to another domain controller. Seizing FSMO roles is not a graceful process and is intended only to be performed when the unexpected occurs. In normal day-to-day operations, if you need to change which domain controller holds a FSMO role, you should instead transfer the role. In order to seize the RID Master, PDC Emulator, or Infrastructure Master, you’ll need to be logged in as a Domain Admin. To seize the Schema Master or Domain Naming Master, you must be logged in with Schema Admin or Enterprise Admin permissions, respectively.

If you are seizing the RID Master or Schema Master, you must ensure that the domain controller that held either of those roles is never brought back onto the network without first being forcefully demoted or erased! I recommend that you immediately perform a metadata cleanup of the domain controller in question once the role has been seized.

In this example, we’ll seize the PDC Emulator to a domain controller called coho-chi-adc02. I have provided the commands to seize each of the four other FSMO roles at the conclusion of these steps.

  1. Open an elevated command prompt.
  2. Type ntdsutil and press Enter.
  3. Type roles and press Enter.
  4. Type connections and press Enter.
  5. Type connect to server coho-chi-adc02 and press Enter. Replace coho-chi-adc02 with the name of the domain controller you want to seize the FSMO role to.
  6. Type quit and press Enter to leave the connections menu and return to the roles menu.
  7. Type Seize PDC and press Enter. You will be prompted to confirm the seizure. Once you click Yes, the seizure process will begin; this will take some time to complete. As a safety mechanism, NTDSUtil will first try to transfer the role. This should time out and fail, after which the actual seizure will occur.

Once the seizure occurs, you will see output similar to the following written to the console. While the output includes an error from the failed transfer attempt, the important success message is also included: the role listing at the end shows the PDC role now held by coho-chi-adc02.

Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032105B1, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure …

Server “coho-chi-adc02” knows about 5 roles
Schema – CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
Naming Master – CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
PDC – CN=NTDS Settings,CN=COHO-CHI-ADC02,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
RID – CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
Infrastructure – CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com

To seize the other roles, run the following commands in lieu of “Seize PDC”. If you are seizing multiple roles, you can seize them sequentially without repeating steps one through six:

  • Domain Naming Master – “Seize naming master”
  • Infrastructure Master – “Seize infrastructure master”
  • RID Master – “Seize RID master”
  • Schema Master – “Seize schema master”

Once you have completed seizing the roles you need, you can close the command prompt. The changes will replicate throughout your forest via normal channels.
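As an added example (not part of the original post), the following PowerShell script performs the post-seizure checks a practitioner would want before declaring the job done: it reads the current holder of all five roles, flags any role still pointing at the failed domain controller, and checks whether that failed controller still has a domain controller object in the directory, which means metadata cleanup is still outstanding. It assumes the ActiveDirectory module (RSAT) is installed, and it reuses the names coho-chi-adc02 (the new holder) and coho-chi-adc01 (the failed holder) from the output above. The commented-out Move-ADDirectoryServerOperationMasterRole line is the PowerShell equivalent of "Seize PDC" in ntdsutil; with -Force it seizes when the transfer attempt fails.

```powershell
# Added example, not from the original post: verify FSMO role holders after a seizure
# and confirm the failed DC has been cleaned out of the directory.
# Assumes the ActiveDirectory module is available and the names below match your forest.
Import-Module ActiveDirectory

$NewHolder = 'coho-chi-adc02'   # DC you seized the role(s) to
$OldHolder = 'coho-chi-adc01'   # permanently unavailable former holder

# Optional: PowerShell equivalent of "Seize PDC". -Force seizes if the transfer fails.
# Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole PDCEmulator -Force

# Forest-wide roles are exposed by Get-ADForest, domain roles by Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# Report each role holder and flag anything still assigned to the dead DC.
$stillOnFailedDc = @()
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    if ($holder -like "$OldHolder*") { $state = 'STILL ON FAILED DC - seize it'; $stillOnFailedDc += $role }
    elseif ($holder -like "$NewHolder*") { $state = 'OK (on new holder)' }
    else { $state = 'held elsewhere' }
    '{0,-22} {1,-40} {2}' -f $role, $holder, $state
}

if ($stillOnFailedDc.Count -gt 0) {
    Write-Warning ("Roles still assigned to {0}: {1}" -f $OldHolder, ($stillOnFailedDc -join ', '))
}

# A DC whose RID or Schema role was seized must never return to the network.
# If a domain controller object for it still exists, metadata cleanup has not been done.
$stale = Get-ADDomainController -Filter "Name -eq '$OldHolder'" -ErrorAction SilentlyContinue
if ($stale) {
    Write-Warning "$OldHolder is still registered as a domain controller; run metadata cleanup before any machine with that name is reconnected."
} else {
    "No domain controller object remains for $OldHolder; metadata cleanup appears complete."
}
```

Run it on the new holder (or any machine with RSAT) after replication has had time to converge; if a role still shows the failed DC, repeat the seizure for that role, and if the stale domain controller object is reported, perform the metadata cleanup before closing the incident.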
