Windows Server 2003 Active Directory (AD) continues to support flexible single master of operations (FSMO) functionality. This means that there are certain roles that only one domain controller can hold in the forest at a time. The roles allow the directory service to operate with all domain controllers at equal levels, as opposed to the Primary Domain Controller/Backup Domain Controller scenario used with Windows NT domains.
The AD tools — AD Users And Computers and AD Sites And Services — allow you to transfer the FSMO roles to other domain controllers gracefully. While you should use these whenever possible, occasionally computers (and computers acting as domain controllers) fail, leaving you no choice but to seize the FSMO roles that the failed computer once held.

Note: You should use the command line tools presented here to seize FSMO roles only as a last resort, seizing the FSMO roles from domain controllers that are permanently out of service. The reason for this is that to restore the original master, you will need to format and rebuild the system and then add it again to AD. Seizing the FSMO roles from a domain controller requires the deletion of original information from AD.
To seize a FSMO role, complete the following steps:
- Find the current FSMO role holders by entering Netdom query fsmo at the command prompt.
- Check to be sure that the server with the role you wish to seize is permanently offline. If not, you will have to rebuild the server after you seize the role.
- Open a command prompt on the target server.
- Start the Directory Services Management Utility by typing ntdsutil.
- At the ntdsutil prompt, type roles. The utility now is in Operations Master Maintenance mode.
- At the FSMO maintenance prompt, type connections and then enter connect to server and the fully qualified domain name (FQDN) of the server to which you wish to assign the role(s). For example:
connections> connect to server domain1.chicago.hugecorp.com
- After you establish the connection, type quit to exit the connections prompt. This will return you to the FSMO maintenance prompt.
- At the FSMO maintenance prompt, type seize and the role identifier for the role you wish to seize.
- Type quit at the FSMO maintenance prompt and type quit at the ntdsutil prompt to exit.
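The steps above as a planning script, added here as an example and not part of the original tip: it reads netdom query fsmo output, stops if the failed holder still answers a ping, and prints (does not run) one ntdsutil command line per role to seize. The server name dc-old.chicago.hugecorp.com, the sample netdom output and the function name Get-FsmoHolders are constructed for illustration, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example: plans an FSMO seizure. It only prints ntdsutil commands; it never runs them.
$FailedDc = 'dc-old.chicago.hugecorp.com'   # constructed: the role holder believed dead
$TargetDc = 'domain1.chicago.hugecorp.com'  # the tip's example target server

# netdom's role labels differ from the identifiers that ntdsutil's "seize" expects.
$SeizeId = @{
    'Schema master'         = 'schema master'
    'Domain naming master'  = 'domain naming master'
    'PDC'                   = 'PDC'
    'RID pool manager'      = 'RID master'
    'Infrastructure master' = 'infrastructure master'
}

# Constructed sample of "netdom query fsmo" output, used when netdom is not installed.
$Sample = @(
    'Schema master               domain1.chicago.hugecorp.com'
    'Domain naming master        domain1.chicago.hugecorp.com'
    'PDC                         dc-old.chicago.hugecorp.com'
    'RID pool manager            dc-old.chicago.hugecorp.com'
    'Infrastructure master       dc-old.chicago.hugecorp.com'
    'The command completed successfully.'
)

function Get-FsmoHolders([string[]]$NetdomLines) {
    # A role line is "<label><two or more spaces><holder FQDN>"; anything else is skipped.
    foreach ($line in $NetdomLines) {
        if ($line -match '^\s*(.+?)\s{2,}(\S+)\s*$' -and $SeizeId.ContainsKey($Matches[1])) {
            New-Object PSObject -Property @{ Role = $Matches[1]; Holder = $Matches[2] }
        }
    }
}

# Step 1: find the current role holders.
$lines = if (Get-Command netdom -ErrorAction SilentlyContinue) { netdom query fsmo } else { $Sample }
$toSeize = @(Get-FsmoHolders $lines | Where-Object { $_.Holder -eq $FailedDc })

# Step 2: a ping reply means the holder is not offline, so transfer gracefully instead.
# No reply is only a safeguard, not proof that the server is permanently out of service.
if (Test-Connection -ComputerName $FailedDc -Count 2 -Quiet) {
    Write-Warning "$FailedDc still responds; transfer its roles instead of seizing them."
    return
}

# Remaining steps: one non-interactive ntdsutil invocation per role, to review and run by hand.
foreach ($r in $toSeize) {
    'ntdsutil roles connections "connect to server {0}" quit "seize {1}" quit quit' -f $TargetDc, $SeizeId[$r.Role]
}
```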
Remember that you should seize the Operations Master Roles only as a last resort if the Domain Controller holding the role is permanently offline.
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.