Seizing the Operation Master Roles in Windows Server 2016 after an FSMO holder failure.
Active Directory uses Flexible Single Master Operations (FSMO) roles to perform a specialized set of tasks on the deployed Domain Controllers (DCs). Depending on the infrastructure design, these roles are spread across different servers, or all roles run on a single DC, ideally with a tested disaster recovery plan in place. Smaller companies and businesses mostly run all roles on a single server.
Running without a disaster recovery plan, or with all roles on one DC, is not recommended, but it is sometimes unavoidable in smaller businesses. The major concern with running all roles on one DC is that the roles cannot be transferred gracefully to another server if that server crashes, because a normal transfer requires the current holder to be online. The only way to move the roles off a dead holder is to seize the operation master roles on a surviving DC, and that is what you are left with when no disaster recovery plan exists.
Today I had an incident where the FSMO holder failed, and I am documenting the recovery I did. In my case the failed FSMO holder's name is DC01.corp.cijekuwait.com and the additional domain controller's name is DC001.DC01.corp.cijekuwait.com. I am seizing the roles on DC001 so that it will function as the FSMO holder. We will seize all five roles, i.e. Schema master, Naming master, RID master, PDC Emulator and Infrastructure master.
This step-by-step will detail the use of ntdsutil.exe, a built-in tool used to manage and maintain an Active Directory infrastructure, to seize the operation master roles. Seizing is a last resort: it cannot be undone, and the old holder must never be brought back onto the network afterwards, because two DCs would then both claim the same roles (duplicate RID pools, conflicting schema changes). Before starting, confirm that the old holder really is gone rather than temporarily unreachable, and that the surviving DC holds the most recently replicated copy of the directory you have.
1. Log in to the server as a domain administrator/enterprise administrator and open an elevated "command prompt". Seizing the schema master and the naming master requires membership in Schema Admins and Enterprise Admins respectively; the other three roles require Domain Admins.
2. Type "netdom query fsmo" and press Enter to check the current FSMO holder. In my case it is DC01.corp.cijekuwait.com, as in the screenshot.
3. Now let's seize the roles on server DC001, which is the Additional Domain Controller (ADC) as of now. On the additional domain controller, type "NTDSUTIL" and press Enter.
4. Type "roles" and press enter.
5. Type "connections" and press enter.
6. Connect to the additional domain controller (the running domain controller) with the command "connect to server DC001.corp.cijekuwait.com" and press Enter.
7. Press "q" and Enter to leave the connections menu and return to the fsmo maintenance prompt.
8. Let's start seizing one by one. Type "seize schema master" and press Enter, then click "Yes" in the confirmation dialog. ntdsutil first attempts a graceful transfer from the current holder and only seizes the role once that attempt fails, so expect a pause while it times out against DC01.
8.1. If seizing of the schema master completed successfully you should get a result as below.
9. Type "seize naming master" and press Enter, then click "Yes" to confirm.
9.1. If seizing of the naming master completed successfully you should get a result as below.
10. Type "seize RID master" and press Enter, then click "Yes" to confirm.
10.1. If seizing of the RID master completed successfully you should get a result as below.
11. Type "seize PDC" and press Enter, then click "Yes" to confirm.
11.1. If seizing of the PDC emulator completed successfully you should get a result as below.
12. Type "seize infrastructure master" and press Enter, then click "Yes" to confirm.
12.1. If seizing of the infrastructure master completed successfully you should get a result as below.
13. Type "q" and press Enter twice to exit from NTDSUTIL.
Now, let's run the same command (netdom query fsmo) from step 2 again to check the FSMO holder; all five roles should now show DC001. Once that is confirmed, remove the dead DC's metadata (delete its computer object under the Domain Controllers OU, or use ntdsutil's metadata cleanup) so that DC01 can never rejoin the domain and reclaim its old roles.
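The same procedure in PowerShell, as an added example that is not part of the original article: Windows Server 2016 ships the ActiveDirectory module, and Move-ADDirectoryServerOperationMasterRole with -Force seizes roles the same way ntdsutil's seize commands do (a transfer attempt first, then a seizure when the holder does not respond). The hostnames are the article's DC01 and DC001; the reachability check, the group-membership check and the final verification are my additions and assume a single-domain forest where the account is a direct member of the admin groups.

```powershell
# Added example (not the article's own procedure): seize all five FSMO roles
# with the ActiveDirectory module, with checks before and after. Run in an
# elevated PowerShell on the surviving DC as a member of Domain Admins,
# Enterprise Admins and Schema Admins. Hostnames are the article's; the
# checks and their assumptions (single domain, direct group membership) are mine.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$failedDc    = 'DC01.corp.cijekuwait.com'   # dead FSMO holder (article's name)
$survivingDc = 'DC001'                       # DC that takes the roles (article's name)
$roles = 'SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles are reported by Get-ADForest, domain roles by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host "Role holders before (same information as 'netdom query fsmo'):"
Get-FsmoHolders | Format-List

# Check 1: never seize from a holder that is merely unreachable. If DC01 came
# back later, two DCs would each believe they own the roles (duplicate RID
# pools, conflicting schema changes). A holder that still answers must be
# transferred from instead (same cmdlet without -Force).
if (Test-Connection -ComputerName $failedDc -Count 2 -Quiet) {
    throw "$failedDc still responds; transfer the roles gracefully instead of seizing."
}

# Check 2: seizing the schema and naming masters fails without Schema Admins /
# Enterprise Admins, so fail early with a clear message. Only direct
# membership is checked here (assumption: no nested admin groups).
$myGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
            Select-Object -ExpandProperty Name
foreach ($needed in 'Domain Admins','Enterprise Admins','Schema Admins') {
    if ($myGroups -notcontains $needed) { throw "Current user is not a member of '$needed'." }
}

# Seize. -Force makes the cmdlet seize when the current holder cannot be
# contacted; like ntdsutil it attempts a normal transfer first.
Move-ADDirectoryServerOperationMasterRole -Identity $survivingDc `
    -OperationMasterRole $roles -Force -Confirm:$false

# Verify: every role must now report the surviving DC (values are FQDNs).
$after = Get-FsmoHolders
$stillElsewhere = $roles | Where-Object { $after.$_ -notlike "$survivingDc.*" }
if ($stillElsewhere) {
    throw "Seizure incomplete, still not on ${survivingDc}: $($stillElsewhere -join ', ')"
}
Write-Host "All five roles are now held by ${survivingDc}:"
$after | Format-List

# Follow-up that neither ntdsutil nor this cmdlet does for you: remove the dead
# DC's metadata (delete its computer object under the Domain Controllers OU,
# or use 'ntdsutil metadata cleanup') so DC01 can never rejoin and reclaim roles.
Write-Warning "Now clean up the metadata of $failedDc and never reconnect it to the network."
```

The two checks are the part worth keeping even if you prefer the ntdsutil menu: the first stops you from seizing from a holder that is only offline for maintenance, and the verification at the end is the PowerShell equivalent of re-running netdom query fsmo.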
If the customer doesn't have an additional domain controller and has no backups of the FSMO holder, it becomes a real disaster. I would have to create all users again and rejoin all PCs to the new domain. In short, an ADC can save a network from an entire network/infrastructure failure.
Hope this helps, and thanks for reading my article.