Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller

SUMMARY

This article describes how to use the Ntdsutil.exe tool to seize or transfer Flexible Single Master Operations (FSMO) roles.

MORE INFORMATION

The first Microsoft Windows 2000 Active Directory domain controller in a forest is granted five FSMO roles when you run the Dcpromo.exe program and install Active Directory. There are two FSMO roles that are forest-wide and three that are per domain. If child domains are created, the two forest-wide roles do not change. A forest with two domains would have eight FSMOs; two for the forest and three domain specific FSMO roles in each domain.

The five FSMO roles are:

• Schema master- Forest-wide and one per forest
• Domaine naming master – Forest-wide and one per forest
• Domain naming master – Forest-wide and one per forest
• RID master – Domain-specific and one for each domain
• DC – PDC Emulator is domain-specific and one for each domain
• Infrastructure master – Domain-specific and one for each domain

To move the FSMO roles from one computer to another, you can use two different methods. The first method is a transfer and is the method that is recommended. You can use the first method if both computers are running. Use the second method if the FSMO roles holder is offline. The second method requires you to use the Ntdsutil.exe tool to seize the roles.

Note: Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:

1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.

Note: Microsoft recommends that you use the domain controller that is taking the FSMO roles.

2. Type roles, and then press ENTER.

To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.

5. At the server connections: prompt, type q, and then press ENTER again.

6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be “seize pdc” and not “seize pdc emulator”.

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

Note If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by the earlier steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: For additional information, click the following article number to view the article in the Microsoft Knowledge Base: HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion

If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.

7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master role on the same domain controller as the global catalog.

To check if a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.

3. Open the Servers folder, and then click the domain controller.

4. In the domain controller’s folder, double-click NTDS Settings.

5. On the Action menu, click Properties.

6. On the General tab, locate the Global Catalog check box to see if it is selected.

For additional information about FSMO roles, click the article numbers below to view the articles in the Microsoft Knowledge Base:

Windows 2000 Active Directory FSMO Roles

Flexible Single Master Operation Transfer and Seizure Process

NOTE: Do not put the Infrastructure Master (IM) role on the same domain controller as the global catalog server. If the Infrastructure Master runs on a global catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

The information in this article applies to:

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

See this article on the original website eSupport

Microsoft KB: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller