FSMO Roles Manipulations in a nutshell

To Seize or Transfer
THAT is the question. In a nutshell, either one will work for you. However, use this rule of thumb:

If the original owner of the Roles is DOWN HARD with NO hope of recovery, ALWAYS SEIZE THE ROLES. Period. Simple.

If the original owner of the Roles will EVER come back online as a DC (without being REBUILT) into THE SAME domain, NEVER use the SEIZE option. Period. Simple.

Don't use the GUI to transfer/seize roles. Apart from making you lazy, there are some roles you really can NOT transfer in the GUI without going through some hoops. So, stick with the command line option.

Now, the Seizure or Transfer process itself is very easy, but delicate. It's not something you want to trivialize on a production environment, but it's not something you need a consultant for either. The tool itself gives you very detailed information on the command parameters, so you do not need to commit everything to memory. If you know HOW to type "?", you are just an "Enter" away from help.

OK, here's ALL you need to know about manipulating FSMO. Commands that you need to type follow the NTDSUTIL prompt on each line. Explanations or comments are in parentheses.

C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server ServerFQDN (where ServerFQDN is the FQDN of the Server that will assume the new Role)
server connections: q
fsmo maintenance: See HINT below
fsmo maintenance: Seize (or Transfer) Role (where Role is THE Role you want to transfer or seize, e.g. schema master)
Answer "YES" to the window that pops up asking you whether you are sure or just plain drunk.
Repeat the Seize/Transfer command for each Role you want to Seize or Transfer.
When you are done, you are back at the "fsmo maintenance:" prompt.

fsmo maintenance: q
ntdsutil: q
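Here is an added PowerShell wrapper (my example, not part of the original post) that does the same thing from a script: it records who holds each Role, feeds the exact prompt lines above to NTDSUTIL as command-line arguments, and reads the holders back so you can see the Role actually moved. It assumes the ActiveDirectory module (RSAT) is installed and uses a made-up target DC name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a hypothetical target DC 'dc2.corp.example'.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles hang off Get-ADForest, domain roles off Get-ADDomain.
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetFqdn,  # DC that will assume the Role
        [Parameter(Mandatory)] [string] $Role,        # e.g. 'schema master', 'PDC', 'RID master'
        [switch] $Seize                               # ONLY when the old holder is down hard
    )
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    # Each quoted argument is one line you would otherwise type at the NTDSUTIL
    # prompt, in the same order as the walkthrough: roles -> connections ->
    # connect -> q -> seize/transfer <role> -> q -> q. NTDSUTIL still shows the
    # "are you sure" dialog, so this is not fully unattended.
    & ntdsutil.exe 'roles' 'connections' "connect to server $TargetFqdn" 'q' `
        "$verb $Role" 'q' 'q'
}

$before = Get-FsmoHolders
$before | Format-List

# Transfer is the safe default; add -Seize only when the current holder will
# never come back into this domain without a rebuild.
Move-FsmoRole -TargetFqdn 'dc2.corp.example' -Role 'schema master'

$after = Get-FsmoHolders
if ($after.SchemaMaster -ne $before.SchemaMaster) {
    "Schema master moved from $($before.SchemaMaster) to $($after.SchemaMaster)"
} else {
    "Schema master did NOT move; check the NTDSUTIL output above"
}
```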

After seizing the role, you need to ensure that the DC does NOT "accidentally" come back online in its old incarnation. The easiest way to ensure that this "accident" does not happen is to delete the DC from AD completely. To do this, you will use - (you guessed it :)) - our friend NTDSUTIL. Here's how:

C:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server ServerFQDN (where ServerFQDN is the FQDN of a live DC, e.g. the Server that assumed the Roles above)
server connections: q
metadata cleanup: select operation target
select operation target: list sites
select operation target: select site 0 (replace 0 with the Site number of the site in which the dead DC resides)
select operation target: list domains in site
select operation target: select domain 0 (replace 0 with the Domain number of the Domain to which the dead DC belongs)
select operation target: list servers for domain in site
select operation target: select server 0 (replace 0 with the Server number of the dead DC)

VERY IMPORTANT: This procedure is difficult to reverse. Let's say, for the sake of sanity, that THIS PROCEDURE IS IRREVERSIBLE. Be VERY, VERY SURE that you have selected the correct SERVER number of the DC you want to remove. IF you have ANY doubt, just start pressing "q, Enter" from now on until you get back to your command prompt, then take a break, have some coffee or smoke or whatever and come back when you have verified that you were not dreaming or kidding.

OK, now that we are sure you want to do this, continue from where we left off.

select operation target: q
metadata cleanup: remove selected server (At this point, NTDSUTIL will do its best to confirm your state of mind. Answer the question truthfully and lucidly)

Poof! Now your DC is gone. At this point, you either congratulate yourself, call Microsoft PSS or an expensive AD Consultant, or start looking for the latest copy of your resume. Alright, if you are in the congratulatory mode, then finish up before you pop the champagne.

metadata cleanup: q
ntdsutil: q
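Before the champagne, it pays to confirm that nothing in AD still points at the dead DC. The check below is an added example (mine, not from the original post); it assumes the ActiveDirectory module and uses a made-up dead DC name 'DC1'. It looks for the leftover server object under Sites, the computer account, stale replication connections, and any Role still recorded on the removed box.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a hypothetical dead DC named 'DC1'.
Import-Module ActiveDirectory

function Test-DcMetadataRemoved {
    param([Parameter(Mandatory)] [string] $DcName)
    $cfg    = (Get-ADRootDSE).configurationNamingContext
    $issues = @()

    # 1. Server object under CN=Sites (the thing "remove selected server" deletes)
    $srv = Get-ADObject -SearchBase $cfg -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    if ($srv) { $issues += "server object still present: $($srv.DistinguishedName)" }

    # 2. Computer account in the Domain Controllers OU
    $cmp = Get-ADComputer -Filter "Name -eq '$DcName'" -ErrorAction SilentlyContinue
    if ($cmp) { $issues += "computer account still present: $($cmp.DistinguishedName)" }

    # 3. Replication connections whose source is the dead DC
    $conns = Get-ADObject -SearchBase $cfg -LDAPFilter '(objectClass=nTDSConnection)' `
        -Properties fromServer | Where-Object { $_.fromServer -like "*CN=$DcName,*" }
    foreach ($c in $conns) { $issues += "nTDSConnection still references it: $($c.DistinguishedName)" }

    # 4. No FSMO Role may still be recorded on the dead DC
    $f = Get-ADForest; $d = Get-ADDomain
    $holders = @($f.SchemaMaster, $f.DomainNamingMaster,
                 $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster)
    if ($holders -match "^$DcName\.") { $issues += "an FSMO Role still points at $DcName" }

    [pscustomobject]@{ Removed = ($issues.Count -eq 0); Issues = $issues }
}

$result = Test-DcMetadataRemoved -DcName 'DC1'
if ($result.Removed) { "DC1 is fully cleaned out of AD" } else { $result.Issues }
```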

HINT:
Typing "?" at any point in NTDSUTIL will provide you a list of all the actions/tasks available for execution at that point.

For example, typing "?" at the "fsmo maintenance:" prompt will give you the following clues:

Connections - Connect to a specific domain controller
Help - Print this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master

Till next time, have a nice one - and have 2 for me.