Seizing FSMO Roles
What happens if you do not seize a role in time? The following table lists the implications of losing each role:

| FSMO Role | Loss implications |
| --- | --- |
| Schema | The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time. |
| Domain Naming | Unless you are going to run DCPROMO, you will not miss this FSMO role. |
| RID | Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week. |
| PDC Emulator | Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem. |
| Infrastructure | Group memberships may be incomplete. If you only have one domain, then there will be no impact. |
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.
The following table summarizes the FSMO seizing restrictions:
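| FSMO Role | Restrictions |
| --- | --- |
| Schema | Original must be reinstalled |
| Domain Naming | Original must be reinstalled |
| RID | Original must be reinstalled |
| PDC Emulator | Can transfer back to original |
| Infrastructure | Can transfer back to original |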
Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

| FSMO Role | Administrator must be a member of |
| --- | --- |
| Schema | Schema Admins |
| Domain Naming | Enterprise Admins |
| RID | Domain Admins |
| PDC Emulator | Domain Admins |
| Infrastructure | Domain Admins |
To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
- On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
  ```
  Microsoft Windows [Version 5.2.3790]
  (C) Copyright 1985-2003 Microsoft Corp.
  C:\WINDOWS>ntdsutil
  ntdsutil:
  ```
- Type roles, and then press ENTER.
  ```
  ntdsutil: roles
  fsmo maintenance:
  ```
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
- Type connections, and then press ENTER.
  ```
  fsmo maintenance: connections
  server connections:
  ```
- Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
  ```
  server connections: connect to server server100
  Binding to server100...
  Connected to server100 using credentials of locally logged on user.
  server connections:
  ```
- At the server connections: prompt, type q, and then press ENTER again.
  ```
  server connections: q
  fsmo maintenance:
  ```
- Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. The options are:
  ```
  Seize domain naming master
  Seize infrastructure master
  Seize PDC
  Seize RID master
  Seize schema master
  ```
- You will receive a warning window asking if you want to perform the seize. Click on Yes.
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
- Repeat steps 6 and 7 until you've seized all the required FSMO roles.
- After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

[https://www.petri.com/seizing_fsmo_roles]
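The placement rules in this article (all five roles present, not all on one server, Infrastructure Master kept off a Global Catalog, and originals of a seized Schema, Domain Naming or RID role never reactivated) can be checked after a seize with a small audit. This is an added example, not code from the original article; the function name, its parameters and every server name except server100 are hypothetical.

```powershell
# Added example: audit FSMO placement after a seize. Pure function over supplied
# data, so it runs offline; every server name except server100 is constructed.
function Test-FsmoPlacement {
    param(
        [hashtable]$RoleHolders,       # role name -> current holder
        [string[]]$GlobalCatalogs,     # DCs hosting a global catalog
        [string[]]$LiveDCs,            # DCs currently active in the forest
        [hashtable]$SeizedFrom = @{},  # role name -> holder it was seized from
        [int]$DomainCount = 1
    )
    $roles = 'Schema', 'DomainNaming', 'RID', 'PDCEmulator', 'Infrastructure'
    $findings = @()

    # All five roles must exist, each on a DC that is actually alive.
    foreach ($role in $roles) {
        $holder = $RoleHolders[$role]
        if (-not $holder) { $findings += "$role has no holder" }
        elseif ($LiveDCs -notcontains $holder) { $findings += "$role holder $holder is not a live DC" }
    }
    # The article advises against leaving all five roles on one server.
    $distinct = @($RoleHolders.Values | Sort-Object -Unique)
    if ($distinct.Count -eq 1) { $findings += "All roles are on $($distinct[0])" }

    # Infrastructure Master on a GC matters only with more than one domain.
    $im = $RoleHolders['Infrastructure']
    if ($DomainCount -gt 1 -and $GlobalCatalogs -contains $im) {
        $findings += "Infrastructure Master $im is also a Global Catalog"
    }
    # Originals of a seized Schema, Domain Naming or RID role must stay offline.
    foreach ($role in 'Schema', 'DomainNaming', 'RID') {
        $old = $SeizedFrom[$role]
        if ($old -and $LiveDCs -contains $old) {
            $findings += "$old lost $role by seizure but is active again"
        }
    }
    $findings
}

# Constructed scenario: server100 seized everything from dc-old, which came back.
# Live data could come from Get-ADForest / Get-ADDomain (ActiveDirectory module,
# an assumption: it is newer than the Windows Server 2003 console shown above).
$holders = @{ Schema = 'server100'; DomainNaming = 'server100'; RID = 'server100'
              PDCEmulator = 'server100'; Infrastructure = 'server100' }
Test-FsmoPlacement -RoleHolders $holders -GlobalCatalogs 'server100' `
    -LiveDCs 'server100', 'server200', 'dc-old' `
    -SeizedFrom @{ Schema = 'dc-old'; RID = 'dc-old' } -DomainCount 2
```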