by lunarg on May 2nd 2011, at 13:18

If for some reason the PDC dies horribly, you are left with a semi-working domain. While the basic functionality will still be operational, certain aspects of the domain can no longer be reconfigured. If the broken DC can no longer be rescued, you need to transfer the five FSMO roles to a working DC as soon as possible to ensure your domain remains healthy.

Implications of FSMO role loss

If FSMO roles are not transferred in time, this can affect the following items, depending on which roles are located on the offline DC:

FSMO role | Implications of loss
Schema | The schema cannot be extended or reconfigured. This is not a problem unless you wish to perform a schema upgrade during the outage.
Domain Naming | Promotion and demotion of DCs will not be possible if this role is unavailable.
RID | You will miss this role when you wish to add a large quantity of objects to the AD during its outage. In normal circumstances, the surviving DCs will have enough RIDs available to overcome the outage for a while.
PDC Emulator | This role will be missed very quickly. NT 4.0 BDCs will not be able to replicate, time synchronisation won't work, password changes will not be correctly registered, and group policy changes will not be applied correctly.
Infrastructure | Required for proper workings of group memberships. You won't miss this role if there's only one domain.

Seizing FSMO roles

One way to transfer roles to a working DC is by seizing them on said DC. This is done with ntdsutil.

Warning
Seizing FSMO roles should only be done as a last resort, and only if the broken DC will never be online again!

On any domain controller, start ntdsutil, and follow the procedure:

ntdsutil:
  1. Type roles, then press Enter:
    ntdsutil: roles
    fsmo maintenance:
  2. Type connections, then press Enter:
    fsmo maintenance: connections
    server connections:
  3. Type connect to server server-name, where server-name is the name of the DC you wish to transfer one or more roles to. Like before, you can always distribute the roles to different DCs.
    server connections: connect to server dc2
    Binding to dc2 ...
    Connected to dc2 using credentials of locally logged on user.
    server connections:
  4. Go up one level by typing q, then press Enter.
    server connections: q
    fsmo maintenance:

You can now start seizing one or more roles. If you wish to distribute roles to different DCs, seize your roles, then connect to another DC and seize the remaining roles, and so on.

  1. Type Seize role, where role is the name of the role you want to seize for the active DC. Available role names are:
    • infrastructure master
    • naming master
    • PDC
    • RID master
    • schema master
    fsmo maintenance: Seize infrastructure master
    Note that you can view the role names by typing ?, then press Enter. Role names may differ depending on the version of Windows the DC is running.
  2. When seizing a role, you will be prompted whether you wish to continue or not. By default, the operation will first attempt a transfer rather than a seize. This is to ensure a seize won't occur if the original role holder is still running.
    When the seize is completed, a short summary is shown. In this summary, check whether the role holder is your new DC.

Repeat the above steps to transfer all roles to working DCs.

Notice
Avoid putting the Infrastructure Master (IM) role on the same DC as the Global Catalog (GC) server. If this is done, the IM will stop updating object information: because a GC holds a partial replica of every object in the forest, the DC never contains references to objects that it does not hold.

When all roles have been transferred, exit ntdsutil by repeatedly typing q and pressing Enter.
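
To confirm the result of the procedure above, the following added example (not part of the original post) lists the current holder of each of the five roles, checks that the holder still answers, and flags an Infrastructure Master that sits on a Global Catalog, as warned in the Notice. It assumes the ActiveDirectory RSAT module and PowerShell 4.0 or later; the function name Get-FsmoHolderReport, its -Server parameter and the use of TCP 389 as a liveness check are choices made for this example.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory RSAT module and PowerShell 4.0 or later.
Import-Module ActiveDirectory

function Get-FsmoHolderReport {
    param(
        # Optional: ask one specific DC (e.g. the DC you seized the roles on),
        # since other DCs may report the old holder until replication catches up.
        [string]$Server
    )
    $query = @{}
    if ($Server) { $query.Server = $Server }

    $forest = Get-ADForest @query
    $domain = Get-ADDomain @query

    # The five roles, named as in the table above, mapped to their holders.
    $holders = [ordered]@{
        'Schema'         = $forest.SchemaMaster
        'Domain Naming'  = $forest.DomainNamingMaster
        'RID'            = $domain.RIDMaster
        'PDC Emulator'   = $domain.PDCEmulator
        'Infrastructure' = $domain.InfrastructureMaster
    }

    foreach ($role in $holders.Keys) {
        $dc = $holders[$role]
        # Assumption: a holder that does not answer on LDAP (TCP 389) is offline.
        $up = Test-NetConnection -ComputerName $dc -Port 389 `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        $note = ''
        if (-not $up) {
            $note = 'holder offline: role has not been moved yet'
        }
        elseif ($role -eq 'Infrastructure' -and $forest.GlobalCatalogs -contains $dc) {
            $note = 'holder is also a Global Catalog (see Notice)'
        }
        [pscustomobject]@{
            Role      = $role
            Holder    = $dc
            Reachable = $up
            Note      = $note
        }
    }
}

# dc2 is the example DC name used in the ntdsutil session above.
Get-FsmoHolderReport -Server dc2 | Format-Table -AutoSize
```

Every row should show a working DC as Holder with Reachable set to True; any row still naming the dead DC means that role has not been seized yet.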