Active Directory Fundamentals

How to seize FSMO roles

Moving one or more FSMO roles from one Domain Controller to another is a reasonably simple operation, provided that all DCs involved are functioning properly and are online.

What happens if a DC that currently holds an FSMO role crashes or is shut down for an extended period of time? Because the server is offline, a normal FSMO role transfer cannot be performed.

In such cases, the FSMO roles are force-transferred, and this process is referred to as a 'seize'.

Seizing is the last resort: it takes the FSMO roles away from a non-operational DC, and that DC must then be considered unrecoverable unless it is completely reinstalled.

Even if you can restore the old DC (for instance after a crash), once its roles have been seized you should not let it rejoin the network, because two DCs claiming the same role will make the problems with the current setup worse.

How to determine when to seize FSMO roles

If an FSMO role holder fails or is otherwise taken out of service before its roles have been transferred, you must seize those roles to a suitable, healthy DC.

FSMO roles can be seized in the following scenarios:

  • When you are unable to transfer the role because the current role holder has an operational problem that prevents an FSMO-dependent operation from succeeding.
  • When you use the dcpromo /forceremoval command to force-demote a DC that holds an FSMO role.
  • When the operating system of the computer that held a particular role is no longer present or has been reinstalled.

Keep in mind that a forced removal leaves the FSMO roles in an invalid state until an administrator re-assigns them.

How to seize FSMO roles using the GUI

Roles can be seized from the GUI by deleting the offline DC's computer account in the Active Directory Users and Computers (ADUC) console. To do this:

  • First, connect ADUC to the DC that is to receive the FSMO role: right-click the Active Directory Users and Computers node in ADUC and choose Change Domain Controller.
  • Find the DC you want to connect to and connect to it.
  • Click the Domain Controllers OU.
  • Right-click the DC you want to seize the FSMO role from and click Delete.
  • Click Yes on the first two prompts.
  • Finally, because the deleted DC held an FSMO role, a popup informs you that the role(s) will be transferred to another DC: the DC your ADUC console is currently connected to. Clicking OK seizes the roles and assigns them to the new DC, and the computer account of the offline DC is deleted.

How to seize FSMO roles using PowerShell

  • Open a Windows PowerShell session and run Move-ADDirectoryServerOperationMasterRole, passing the name of the new DC as the Identity parameter together with the Force parameter.
  • For example, to seize the RID master role and assign it to the DC named NewDC3:
  • Run the following command: Move-ADDirectoryServerOperationMasterRole -Identity "NewDC3" -OperationMasterRole RIDMaster -Force
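As an added example that is not part of the original post, the script below wraps the cmdlet above in the checks a practitioner would want before seizing: it looks up the current holder of the role, attempts a graceful transfer if that holder still answers on LDAP, uses -Force only if it does not, and re-reads the directory afterwards to verify the result. NewDC3 and RIDMaster are taken from the post; the Get-FsmoHolder helper and the TCP 389 reachability test are my own additions.

```powershell
# Added example, not from the original post: transfer the role if the current
# holder still answers, seize it (-Force) only if it does not, then verify.
# Assumes the ActiveDirectory RSAT module is installed and the session runs
# with Domain Admin rights (Schema/Enterprise Admin for the forest-wide roles).
Import-Module ActiveDirectory

$TargetDc = 'NewDC3'      # DC that should receive the role (name from the post)
$Role     = 'RIDMaster'   # PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# Helper (my addition): return the FQDN of the DC currently holding $Role.
# Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
function Get-FsmoHolder {
    param([Parameter(Mandatory)][string]$Role)
    switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }
}

$currentHolder = Get-FsmoHolder -Role $Role
$expectedNew   = (Get-ADDomainController -Identity $TargetDc).HostName
Write-Host "Current $Role holder: $currentHolder"

# Seize only when a graceful transfer is impossible: check whether the holder
# still answers on LDAP (TCP 389). An online holder is transferred, never seized.
$holderOnline = Test-NetConnection -ComputerName $currentHolder -Port 389 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue

if ($holderOnline) {
    Write-Host "$currentHolder is reachable; transferring $Role gracefully."
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
} else {
    Write-Warning "$currentHolder is unreachable; seizing $Role. It must not rejoin the domain afterwards."
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
}

# Verify by re-reading the role holder from the directory, not from memory.
$newHolder = Get-FsmoHolder -Role $Role
if ($newHolder -eq $expectedNew) {
    Write-Host "OK: $Role is now held by $newHolder"
} else {
    Write-Warning "Verification failed: $Role holder is $newHolder, expected $expectedNew"
}
```

Run it from the DC that is receiving the role, as the best practices section below recommends, and keep the before/after holder names it prints for the change record.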

How to seize FSMO roles using the Ntdsutil utility

  • Log in to either a DC in the forest where the FSMO roles are being moved or a member computer that has the AD RSAT tools installed.
  • Select Start > Run, type ntdsutil in the Open box, and click OK.
  • Type roles and press Enter.
  • Type connections and press Enter.
  • Type connect to server <servername> and press Enter. Here, <servername> is the name of the DC you want to assign the FSMO role to.
  • At the server connections prompt, type q and press Enter.
  • To seize the role, type seize <role> and press Enter. Here <role> is the role you wish to seize; for example, to seize the RID master role, enter that role name.
  • Two exceptions exist: the PDC emulator role, whose syntax is seize pdc, and the domain naming master, whose syntax is seize naming master.


Best practices to seize FSMO roles

  • Only seize roles when the previous role holder will not be returning to the domain.
  • It is always best to log in to the DC that you are assigning the FSMO roles to.
  • Do not seize an operations master role when you can still transfer it gracefully using the standard transfer procedure.

Summary

Although moving FSMO roles is not something you do every day, you need to be aware of them when you promote new DCs, demote existing DCs, and decommission servers.
