Quick Guide: Seizing FSMO roles

Posted on February 23, 2021 By rich No Comments on Quick Guide: Seizing FSMO roles

If a domain controller that holds one or more of the five
FSMO roles becomes permanently unavailable, you’ll ultimately need to
seize the roles to another domain controller. Seizing FSMO roles is not a
graceful process and is intended only to be performed when the
unexpected occurs. In normal day-to-day operations, if you need to
change which domain controller holds an FSMO role, you should instead
transfer the role. In order to seize the RID Master, PDC
Emulator, or Infrastructure Master, you’ll need to be logged in as a
Domain Admin. To seize the Schema Master or Domain Naming Master, you
must be logged in with Schema Admin or Enterprise Admin permissions,
respectively.

If you are seizing the RID Master or Schema Master, you must ensure that the domain controller that held either of those roles is never
brought back on the network without being forcefully demoted or erased!
I recommend that you immediately perform a metadata cleanup of the
domain controller in question once the role has been seized.

In this example, we’ll seize the PDC Emulator to a domain controller
called coho-chi-adc02. I have provided the commands to seize each of the
four other FSMO roles at the conclusion of these steps.

  1. Open an elevated command prompt.
  2. Type ntdsutil and press Enter.
  3. Type roles and press Enter.
  4. Type connections and press Enter.
  5. Type connect to server coho-chi-adc02 and press Enter. Replace coho-chi-adc02 with the name of the domain controller you want to seize the FSMO role to.
  6. Type quit and press Enter. Your screen should look similar to the following after this step:


  7. Type Seize PDC and press Enter. You will be prompted to
     confirm the seizure as shown below. Once you click Yes, the seizure
     process will begin. This will take some time to complete. As a safety
     mechanism, NTDSUtil will first try to transfer the role. This should
     time out and fail, and then the actual seizure will occur.


Once the seizure occurs, you will see output similar to the following
written to the console. While the output includes an error (the failed
transfer attempt), the important success indication is also there: in the
closing role listing, the PDC entry now points at COHO-CHI-ADC02.

Attempting safe transfer of PDC FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-032105B1, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of PDC FSMO failed, proceeding with seizure ...

Server "coho-chi-adc02" knows about 5 roles
Schema - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
Naming Master - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
PDC - CN=NTDS Settings,CN=COHO-CHI-ADC02,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
RID - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com
Infrastructure - CN=NTDS Settings,CN=COHO-CHI-ADC01,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=cohovines,DC=com

To seize the other roles, run the following commands in lieu of
“Seize PDC”. If you are seizing multiple roles, you can seize them
sequentially without repeating steps one through six:

  • Domain Naming Master – “Seize naming master”
  • Infrastructure Master – “Seize infrastructure master”
  • RID Master – “Seize RID master”
  • Schema Master – “Seize schema master”

Once you have completed seizing the roles you need, you can close the
command prompt. The changes will replicate throughout your forest via
normal channels.
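As an added example that is not from the original post, the same seizure done from PowerShell with the ActiveDirectory module (RSAT), wrapped in the before/after checks you want around any seizure: that the role landed on the intended DC, that the dead DC no longer holds anything, and that its metadata cleanup has actually been done. The DC names coho-chi-adc02 and coho-chi-adc01 are taken from the post's output, and Get-FsmoHolders is a helper defined here, not a built-in cmdlet.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (RSAT) and the same rights as the ntdsutil procedure (Domain Admin for PDC).
Import-Module ActiveDirectory

$NewHolder = 'coho-chi-adc02'   # DC that should end up holding the role (from the post)
$DeadDC    = 'coho-chi-adc01'   # DC that is permanently unavailable (from the post)

function Get-FsmoHolders {
    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Write-Host 'FSMO holders before seizure:'
Get-FsmoHolders | Format-Table -AutoSize

# -Force is the cmdlet's equivalent of ntdsutil's "Seize": a normal transfer is
# attempted first and, when the current holder cannot be reached, the role is
# seized. You are prompted to confirm, just as in the ntdsutil walkthrough.
# Other role names: RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster.
Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole PDCEmulator -Force

Write-Host 'FSMO holders after seizure:'
$after = Get-FsmoHolders
$after | Format-Table -AutoSize

# Check 1: the role now points at the intended DC (properties return FQDNs).
if ($after.PDCEmulator -notlike "$NewHolder*") {
    Write-Warning "PDC Emulator is held by $($after.PDCEmulator), not $NewHolder."
}

# Check 2: nothing is still registered to the dead DC. A role left pointing at a
# DC that will never return is unusable until it is seized as well.
foreach ($r in ($after.GetEnumerator() | Where-Object { $_.Value -like "$DeadDC*" })) {
    Write-Warning "$($r.Key) is still held by $DeadDC; seize it too."
}

# Check 3: the post's metadata cleanup reminder. While the dead DC still has a
# domain controller object, it could rejoin replication if powered on again.
if (Get-ADDomainController -Filter "Name -eq '$DeadDC'" -ErrorAction SilentlyContinue) {
    Write-Warning "$DeadDC still exists as a domain controller object; metadata cleanup is outstanding."
}
```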
