Windows AD Issues

Seizing the Operation Master Roles

Active Directory (AD) uses Flexible Single Master Operations (FSMO) roles for a small set of tasks that must be performed by exactly one Domain Controller (DC) at a time rather than by any DC through multi-master replication.

Depending on the design, the roles can be spread across several DCs, or all of them can run on a single DC. With a tested disaster recovery plan in place, the AD implementation can be recovered after the loss of a role holder by seizing the roles as detailed below.

Running without a disaster recovery plan, or running all roles from one DC, is not recommended, but it is sometimes unavoidable in smaller businesses. The major concern with running all roles on one DC is that if that server crashes the roles cannot be transferred to another server, because a normal transfer requires the current role holder to be online and reachable. The only way to move the roles off a dead DC is to seize the operation master roles onto a working DC.

The 5 Roles

  • Schema Master – one per forest
  • Domain Naming Master – one per forest
  • Relative ID (RID) Master – one per domain
  • Primary Domain Controller (PDC) Emulator – one per domain
  • Infrastructure Master – one per domain

To Seize: Step by Step

  1. Log in to the surviving domain controller as a member of Domain Admins (seizing the Schema Master additionally requires Schema Admins membership, and seizing the Domain Naming Master requires Enterprise Admins)
  2. Open an elevated (administrative) Command Prompt
  3. Run the command ntdsutil
  4. Type roles (the prompt changes to fsmo maintenance)
  5. Type connections
  6. Type connect to server <FQDN of new role holder>
  7. Type quit or q to return to the fsmo maintenance prompt

Each seize command moves a single role, so repeat it for every role that was held by the failed DC. ntdsutil first attempts a normal transfer and falls back to seizing only when the current role holder cannot be contacted.

NOTE: After each seize command, a dialog box asks you to confirm the seizure. Click Yes to continue.

seize schema master

seize naming master (on Windows Server 2003 and earlier the command is seize domain naming master)

seize RID master

seize PDC

seize infrastructure master

When done, type quit twice to exit ntdsutil. If no errors were generated, the operation master roles now belong to the specified server; confirm this with netdom query fsmo before relying on it. Two caveats apply after a seizure: the old role holder must never be brought back onto the network in its previous state (it still believes it owns the roles), so rebuild it from scratch if it is to be reused, and its stale objects must be removed from the directory with ntdsutil's metadata cleanup.
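The same procedure can be scripted with the ActiveDirectory PowerShell module, which is often easier to review and repeat than an interactive ntdsutil session. The script below is an added example and is not part of the original page; the host names DC01 (the crashed role holder) and DC02 (the surviving DC receiving the roles) and the domain corp.example.com are assumptions. It refuses to seize while the old holder still answers, seizes all five roles, and then verifies that every role points at the new DC.

```powershell
# Added example (not from the original page): seize all five FSMO roles with
# the ActiveDirectory module instead of an interactive ntdsutil session.
# Assumed names: DC01 is the crashed role holder, DC02 is the surviving DC,
# both in corp.example.com. Run as Domain Admins plus Schema Admins and
# Enterprise Admins (needed for the two forest-wide roles).
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$DeadDC = 'DC01.corp.example.com'   # assumed: failed role holder
$NewDC  = 'DC02.corp.example.com'   # assumed: DC that will take the roles

function Get-FsmoHolders {
    # Schema and Domain Naming Master are forest-wide (Get-ADForest);
    # RID, PDC Emulator and Infrastructure Master are per-domain (Get-ADDomain).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'Role holders before:'
Get-FsmoHolders | Format-List

# Seizing is a last resort. If the current holder still answers, stop and do
# a normal transfer (same cmdlet without -Force) so that the old holder
# learns it no longer owns the roles.
if (Test-Connection -ComputerName $DeadDC -Count 2 -Quiet) {
    throw "$DeadDC is still reachable; transfer the roles instead of seizing them."
}

$roles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster',
         'PDCEmulator', 'InfrastructureMaster'

# -Force makes the cmdlet seize: it tries a transfer first and falls back to
# seizing when the current holder cannot be contacted, like ntdsutil's seize.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
    -OperationMasterRole $roles -Force -Confirm:$false

Write-Host 'Role holders after:'
$after = Get-FsmoHolders
$after | Format-List

# Verify every role now points at the new DC (string comparison in
# PowerShell is case-insensitive, so DC02 and dc02 both match).
$wrong = $after.PSObject.Properties | Where-Object { $_.Value -ne $NewDC }
if ($wrong) {
    throw "Roles not held by ${NewDC}: $($wrong.Name -join ', ')"
}

# Second opinion from the classic tool used in the manual procedure.
netdom query fsmo
```

The check against the dead DC is the important design choice: a seizure performed while the old holder is merely slow or temporarily partitioned leaves two DCs each believing they own a role, which is exactly the state the rebuild-and-metadata-cleanup caveat above exists to prevent. Once the script reports the roles on the new DC, the old server still has to be removed from the directory with ntdsutil's metadata cleanup before any replacement with the same name is promoted.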