
Seizing Operations Master Roles

If a domain controller that holds an operations master role fails and you cannot bring it back into service, you can seize the role. A seizure designates a new master by writing the new owner into the directory on the domain controller you choose, without the failed master's participation. Unlike a transfer, the old holder is never told that it has lost the role, which is why the rules about returning it to service (later in this section) matter.

Seizing a role is a drastic action, so think carefully about whether it is necessary. Determine why the operations master is offline and how long it is expected to stay that way. If it can be brought back online in sufficient time, wait. What is sufficient time? It depends on the impact of the role that has failed:

  • PDC emulator failure: The PDC emulator is the operations master whose loss has the most immediate impact on normal operations and on users, because urgent replication of password changes, account lockout processing and the domain's time source all depend on it. Fortunately, the PDC emulator role can be seized to another domain controller and then transferred back to the original role holder when that system comes back online.
  • Infrastructure master failure: A failure of the infrastructure master is noticeable to administrators but not to users. Because this master updates the names of group members from other domains, group membership can appear incorrect in the administrative tools even though, as mentioned earlier in this tutorial, the membership itself is not affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.
  • RID master failure: A failed RID master eventually prevents domain controllers from creating new security principals. Each domain controller builds SIDs from a pool of relative IDs (RIDs) it received from the RID master (500 RIDs per pool by default), and once that pool is exhausted it can no longer create user, group, or computer accounts. Unless you are generating numerous new accounts, you can therefore often go for some time without the RID master while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role must never be brought back online: it still believes it owns the role and would allocate RID pools that overlap those handed out by the new holder, producing duplicate SIDs.
  • Schema master failure: The schema master role is necessary only when schema modifications are being made, either directly by an administrator or by installing an Active Directory-integrated application that changes the schema. At other times the role is not needed, so it can remain offline indefinitely until schema changes are required. Seizing this role to another domain controller is a significant action. After the schema master role has been seized, the domain controller that had been performing the role must never be brought back online, because two servers that both believe they own the schema can accept conflicting schema changes that cannot be reconciled.
  • Domain naming master failure: The domain naming master role is necessary only when you add a domain to the forest or remove a domain from it. Until such a change is required, the domain naming master can remain offline for an indefinite period. Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role must never be brought back online, because two naming masters could approve conflicting domain additions or removals.

Although you can transfer roles by using the administrative tools, you must use Ntdsutil.exe to seize a role (on Windows Server 2008 R2 and later, the Move-ADDirectoryServerOperationMasterRole cmdlet in the Active Directory module also seizes when run with the -Force parameter). Run it as a member of Domain Admins for the PDC emulator, RID master and infrastructure master roles, Enterprise Admins for the domain naming master, and Schema Admins for the schema master. To seize an operations master role, perform the following steps:

  1. From the command prompt, type ntdsutil and press Enter.
  2. At the ntdsutil prompt, type roles and press Enter.
    The next steps establish a connection to the domain controller that you want to take over the single master operation role.
  3. At the fsmo maintenance prompt, type connections and press Enter.
  4. At the server connections prompt, type connect to server DomainControllerFQDN and press Enter, where DomainControllerFQDN is the FQDN of the domain controller you want to perform the role.
    Ntdsutil responds that it has connected to the server.
  5. At the server connections prompt, type quit and press Enter.
  6. At the fsmo maintenance prompt, type seize Role and press Enter, where Role is one of the following (type ? at the prompt to list the exact keywords your version of Ntdsutil accepts):
    • schema master
    • naming master (Windows Server 2008 and later; the Windows Server 2003 Ntdsutil expects domain naming master)
    • RID master
    • PDC
    • infrastructure master
    Ntdsutil first attempts a normal transfer from the current holder. Only when that holder cannot be contacted does it ask you to confirm the seizure and then write the role to the connected server.
  7. At the fsmo maintenance prompt, type quit and press Enter.
  8. At the ntdsutil prompt, type quit and press Enter.
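The same seizure and its verification as an added PowerShell example; this is not code from the original tutorial. It assumes Windows Server 2008 R2 or later with the ActiveDirectory module (RSAT) installed, a failed role holder named DC01 and a surviving domain controller DC02 in contoso.com, and that it runs as a member of the group that owns the role; all names are hypothetical. The point the steps above do not show is the last part: checking what every surviving domain controller believes about the role, not only the new holder.

```powershell
# Added example, not from the original tutorial. Seizes one operations master
# role and verifies that the new owner is visible to the surviving DCs.
# Assumes Windows Server 2008 R2 or later with the ActiveDirectory module,
# a failed holder DC01 and a surviving DC DC02 in contoso.com (hypothetical
# names). Run as Domain Admins / Enterprise Admins / Schema Admins as the
# role requires.
Import-Module ActiveDirectory

$FailedDC  = 'DC01'          # holder that cannot be brought back in time
$NewHolder = 'DC02'          # DC that will take over the role
$Role      = 'PDCEmulator'   # PDCEmulator, RIDMaster, InfrastructureMaster,
                             # SchemaMaster or DomainNamingMaster

# Which DC a given server believes holds $Role. Forest-wide roles are read
# from the forest object, domain roles from the domain object.
function Get-RoleHolder([string]$Role, [string]$Server) {
    if ('SchemaMaster', 'DomainNamingMaster' -contains $Role) {
        (Get-ADForest -Server $Server).$Role
    } else {
        (Get-ADDomain -Server $Server).$Role
    }
}

"Before: $NewHolder thinks $Role is held by $(Get-RoleHolder $Role $NewHolder)"

# -Force means seize. The cmdlet first tries a normal transfer and, only if
# the current holder cannot be reached, writes the new owner on $NewHolder
# without the old holder's knowledge, which is what ntdsutil 'seize' does.
Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
    -OperationMasterRole $Role -Force -Confirm:$false

# The same seizure as one ntdsutil command line, for a DC without the AD
# module. Each quoted string is one prompt command from the steps above:
#   ntdsutil roles connections "connect to server dc02.contoso.com" quit "seize PDC" quit quit

# Verify from every surviving DC, not only the new holder: a seizure that has
# not replicated yet looks successful locally while replication partners
# still point at the dead server. The failed DC is skipped so the query does
# not hang waiting for it.
Get-ADDomainController -Filter * |
    Where-Object { $_.Name -ne $FailedDC } |
    ForEach-Object {
        "{0,-25} sees {1} = {2}" -f $_.HostName, $Role, (Get-RoleHolder $Role $_.HostName)
    }
```

Leave the script's last loop running until every surviving domain controller reports the new holder; until then, clients that happen to bind to a lagging DC are still directed at the failed server for that role.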

Returning a Role to Its Original Holder

If a role was transferred rather than seized (for example, to cover planned downtime of its holder), you can simply transfer it back to the original domain controller when that system returns.

If, however, a role has been seized and the former master can be brought back online, you must be very careful. Seizure writes the new owner into the directory without the old holder's knowledge, so a returning holder still believes it owns the role. The PDC emulator and infrastructure master are the only operations master roles that can be transferred back to the original master after having been seized.

If you have seized the schema, domain naming, or RID roles to another domain controller, you must not bring the original domain controller back online without first completely decommissioning it, because it would resume allocating RID pools or accepting schema and domain changes in parallel with the new holder. That means you must keep the original role holder physically disconnected from the network, remove AD DS from it by running Dcpromo /forceremoval, and then clean up its metadata from a healthy domain controller, as described in http://go.microsoft.com/fwlink/?LinkId=80481.

After the domain controller has been completely removed from Active Directory, if you want the server to rejoin the domain, you can connect it to the network and join the domain. If you want it to be a domain controller, you can promote it. If you want it to resume performing the operations master role, you can transfer the role back to the DC.

Note: Because of the critical nature of domain controllers, it is recommended that you completely reinstall the former domain controller in this scenario.
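The decommissioning sequence above, as an added PowerShell example that is not part of the original tutorial. It assumes Windows Server 2008 R2 or later with the ActiveDirectory module, a former role holder named DC01 in site Default-First-Site-Name of contoso.com whose role was seized, and a healthy domain controller DC02 on which everything after the forced removal runs; all names are hypothetical. The check a practitioner wants here is the first one: refusing to clean up metadata while the directory still records DC01 as a role owner, because that means the seizure never replicated and cleanup would delete the only recorded holder.

```powershell
# Added example, not from the original tutorial. Cleans up a former role
# holder after its role was seized. Assumes Windows Server 2008 R2 or later
# with the ActiveDirectory module, the decommissioned DC named DC01 in site
# Default-First-Site-Name of contoso.com, and a healthy DC named DC02.
# All names are hypothetical.
#
# Step A runs ON DC01 while it is physically disconnected from the network:
#   dcpromo /forceremoval
# Everything below runs on DC02 (or any other healthy DC).

Import-Module ActiveDirectory

$OldDC    = 'DC01'
$Site     = 'Default-First-Site-Name'
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$ServerDN = "CN=$OldDC,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"

# Sanity check: refuse to continue if the directory still thinks DC01 owns
# any operations master role. A stale owner here means the seizure did not
# replicate, and removing DC01's objects would leave the role with no holder.
$d = Get-ADDomain
$f = Get-ADForest
$holders = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
             $f.SchemaMaster, $f.DomainNamingMaster)
if ($holders -match "^$OldDC\.") {
    throw "$OldDC is still recorded as an operations master; fix the seizure first."
}

# Step B: metadata cleanup. 'remove selected server' takes the DN of the
# server object under CN=Sites and removes that DC's NTDS Settings object,
# replication connections and related objects. ntdsutil asks for confirmation.
ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# Step C: confirm nothing still references the old DC before the host is
# rebuilt and rejoined; a new server with the same name would otherwise
# inherit the stale objects.
$leftovers = @()
if (Get-ADObject -Filter { name -eq $OldDC } -SearchBase "CN=Sites,$ConfigNC") {
    $leftovers += 'server object under CN=Sites'
}
if (Get-ADComputer -Filter { name -eq $OldDC }) {
    $leftovers += 'computer account (check the Domain Controllers OU)'
}
if ($leftovers) {
    "Still present: $($leftovers -join ', ')"
} else {
    "$OldDC fully removed from the directory"
}
```

DNS records for the old domain controller (its A record and SRV records) are not covered by metadata cleanup and should be removed separately before the name is reused.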