Windows Server

Seizing FSMO roles in Windows Server 2003

Windows Server 2003's AD tools allow you to transfer the FSMO roles to other domain controllers gracefully. While you should use these whenever possible, occasionally computers (and computers acting as domain controllers) fail, leaving you no choice but to seize the FSMO roles that the failed computer once held.

Windows Server 2003 Active Directory (AD) continues to support flexible single master of operations (FSMO) functionality. This means that there are certain roles that only one domain controller can hold in the forest at a time. The roles allow the directory service to operate with all domain controllers at equal levels, as opposed to the Primary Domain Controller/Backup Domain Controller scenario used with Windows NT domains.

The AD tools -- AD Users And Computers and AD Sites And Services -- allow you to transfer the FSMO roles to other domain controllers gracefully. While you should use these whenever possible, occasionally computers (and computers acting as domain controllers) fail, leaving you no choice but to seize the FSMO roles that the failed computer once held.

Note: You should use the command line tools presented here to seize FSMO roles only as a last resort, seizing the FSMO roles from domain controllers that are permanently out of service. The reason for this is that to restore the original master, you will need to format and rebuild the system and then add it again to AD. Seizing the FSMO roles from a domain controller requires the deletion of original information from AD.

To seize a FSMO role, complete the following steps:

  1. Find the current FSMO role holders by entering Netdom query fsmo at the command prompt.
  2. Check to be sure that the server with the role you wish to seize is permanently offline. If not, you will have to rebuild the server after you seize the role.

Note: It is a good idea to take the steps to seize a role from the console of the server to which you're assigning the role. You can log on via Remote Desktop to perform these actions.

  3. Open a command prompt on the target server.
  4. Start the Directory Services Management Utility by typing ntdsutil.
  5. At the ntdsutil prompt, type roles. The utility now is in Operations Master Maintenance mode.
  6. At the FSMO maintenance prompt, type connections and then enter connect to server and the fully qualified domain name (FQDN) of the server to which you wish to assign the role(s). For example:

     Ntdsutil> connections

     connections> connect to server domain1.chicago.hugecorp.com

  7. After you establish the connection, type quit to exit the connections prompt. This will return you to the FSMO maintenance prompt.
  8. At the FSMO maintenance prompt, type seize and the role identifier for the role you wish to seize.

Note: The FSMO role IDs are the names of the FSMO roles: PDC, RID master, infrastructure master, schema master, and domain naming master.

  9. Type quit at the FSMO maintenance prompt and type quit at the ntdsutil prompt to exit.

Remember that you should seize the Operations Master Roles only as a last resort if the Domain Controller holding the role is permanently offline.
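The steps above as a guarded batch file, added here as an example and not part of the original article. The script name and its three arguments (failed DC, target DC, role ID) are hypothetical, it assumes netdom and ntdsutil are on the path, and the ping test is only a sanity check: a silent server is not proof that it is permanently out of service.

```batch
@echo off
rem Added example (not from the original article).
rem Hypothetical usage: seizefsmo.cmd <failed-dc-fqdn> <target-dc-fqdn> "<role id>"
rem   e.g. seizefsmo.cmd olddc.example.local newdc.example.local "RID master"
setlocal

if "%~3"=="" (
    echo Usage: %~nx0 failed-dc-fqdn target-dc-fqdn "role id"
    exit /b 2
)
set "FAILED=%~1"
set "TARGET=%~2"
set "ROLE=%~3"

rem Step 1: list the current holders and confirm the failed DC is among them.
netdom query fsmo | findstr /i /l /c:"%FAILED%" >nul
if errorlevel 1 (
    echo %FAILED% is not listed as an FSMO role holder. Nothing to seize.
    exit /b 1
)

rem Step 2: stop if the old holder still answers. An echo reply contains
rem "TTL=", which is a more reliable test than ping's exit code.
ping -n 2 %FAILED% | find "TTL=" >nul
if not errorlevel 1 (
    echo %FAILED% still responds. Transfer the role gracefully instead.
    exit /b 1
)

rem Steps 3-9: ntdsutil accepts its prompt commands as arguments, so this
rem one line is the same sequence typed interactively in the article:
rem roles, connections, connect to server, quit, seize, quit, quit.
rem ntdsutil still asks for confirmation before it seizes the role.
echo Seizing "%ROLE%" onto %TARGET% ...
ntdsutil roles connections "connect to server %TARGET%" quit "seize %ROLE%" quit quit

rem Show the holders again so the change can be verified.
netdom query fsmo
endlocal
```

Run it from the console of the target server, one role per invocation, and keep the decision that the old holder is gone for good as a human one.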


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

4 comments
Photogenic Memory

I've really gotten away from dealing with Active Directory. However, this really piques my interest. Thanks for posting. I'm going to try this one of these weekends as a project.

Photogenic Memory

I'm sorry for maybe perhaps misunderstanding you. I did go to your site to see if your script was a text file that could be read and understood. However, what I do see is that you have an MSDOS executable and transferfsmo.cmd file? What are these? Is this legit? Why would you make it an .exe file instead of submitting text with instructions on how to make your own? Apologies for being cautious but can you please update? Thank you.

Roli79

Hi, 1st if you download the archive on my blog (http://tinyurl.com/3alleb8) then extract it and copy the FSMOtransfer.cmd file wherever you want. This file is the main "application". It works in conjunction with NTDSUTIL.EXE, which you can download from the MS website. I put choice.exe into the archive, too, because on WINXP machines it isn't an onboard utility, as far as I know. This is the default call for the script: FSMOtransfer.cmd %userdnsdomain%
