[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Seize Domain Controller 2016 in case of FSMO holder failure.

Published on
3,447 Points
Last Modified:
Exchange Server, Windows Server, Active Directory, Virtualization, Skype for Business Expert.
Seizing the Operation Master Roles in Windows Server 2016 in case of FSMO holder failure.

Active Directory utilizes Flexible Single Master Operations (FSMO) roles to perform a specialized set of tasks on deployed Domain Controllers (DC). Depending on the infrastructure/design, these roles are located on different servers and sometimes all roles run in a single DC. With a successful disaster recovery plan in place. Mostly smaller sized companies/businesses will run all roles on a single server.

Those without disaster recovery plans or running all roles from one DC, while not recommended, are sometimes unavoidable in some smaller sized businesses. The major concern with running all roles off one DC is that the roles cannot be migrated to another server should said server crash. The only way to migrate these roles is by seizing the operation master roles should no disaster recovery plan exist. 

Today I had an incident with FSMO holder failed and I am documenting the recovery I did. In my case failed FSMO holder name is DC01.corp.cijekuwait.com and additional domain controller name is DC001.DC01.corp.cijekuwait.com. I am seizing DC001 to make DC001 so it will function as FSMO holder. We will seize all the 5 roles. i.e.Schema master, Naming master, RID master, PDC Emulator and Infrastructure master.

This step-by-step will detail the use of ntdsutil.exe, a handy tool used to manage and maintain one’s active directory infrastructure, to seize the operation master roles.

1. Login to server as domain administrator/Enterprise administartor and open elevated  "command prompt".

2. Type "netdom query fsmo"  and press enter to check the current FSMO holder. i.e. in my case it is DC01.corp.cijekuwait.com as in the screenshot. 

3.  Now lets seize the roles on server DC001 which is the Additional Domain Controller (ADC) as of now. Type "NTDSUTIL" and press enter from the additional domain controller.

4. Type "roles" and press enter.

5. Type "connections" and press enter. 

6. Connect to the additional domain controller (running domain controller) by running the command "connect to server DC001.corp.cijekuwait.com" and press enter.

7. Press "q"  and enter to quit.


8. Lets start seizing one by one.  Type  "seize schema master" and press enter. Press "yes"  to confirm.

8.1. If seizing of schema master is completed successfully you are supposed to get a result as below.

9. Type  "seize naming master" and press enter. Press "yes"  to confirm.

9.1. If seizing of naming master is completed successfully you are supposed to get a result as below.

10. Type  "seize RID master" and press enter. Press "yes"  to confirm. 

10.1. If seizing of RID master is completed successfully you are supposed to get a result as below.

11. Type  "seize PDC" and press enter. Press "yes"  to confirm. 

11.1.If seizing of PDC emulator is completed successfully you are supposed to get a result as below.

12.Type  "seize infrastructure master" and press enter. Press "yes"  to confirm. 

12.1. If seizing of Infrastructure master is completed successfully you are supposed to get a result as below. 

13. Type "q" and enter twice to exit from NTDSUTIL.

Now, lets check again the same command (netdom query fsmo) ran in step 2 to check the FSMO folder. 

If the customer doesn't have an additional domain controller and with no backups for FSMO holder it will become a real disaster. I have to create all user and rejoin all PCs to the new domain. In short an ADC will save a network from entire network failure/entire infrastructure. 

Hope this helps. And thanks for reading my article.

Author:MAS (MVE)

Featured Post

Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Join & Write a Comment

Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month