SEIZING FSMO ROLES
In this article we examine a scenario in which a network has 2 domain controllers and the one holding the FSMO roles fails.
The procedure shows how to seize the FSMO roles.

Implications

If the server that holds the FSMO (Flexible Single Master Operations) roles fails, it can have several implications for your Active Directory infrastructure. The FSMO roles are essential for the proper functioning of an Active Directory domain, and their failure can impact various operations. Here’s what can happen in such a scenario:

  1. Authentication and Logon: The failed server may be one of the domain controllers responsible for authenticating users and processing logon requests. If it fails, users may experience difficulties with logging in and with new authentications. However, if you have multiple domain controllers, the remaining one should continue to handle authentication requests.
  2. Active Directory Updates: The failed server might hold the PDC Emulator FSMO role, which is responsible for time synchronization, password changes, and other critical functions. In its absence, these operations will be affected until the PDC Emulator role is seized or transferred to another domain controller.
  3. Schema Modifications: If the failed server holds the Schema Master FSMO role, making changes to the Active Directory schema will be impossible until the role is seized or transferred to another domain controller.
  4. Domain Controller Management: The failed server may also be responsible for the Domain Naming Master or Infrastructure Master FSMO roles. If it holds the Domain Naming Master role, you won’t be able to add or remove domains

Resolution

If the failed domain controller is completely offline and inaccessible, you cannot use the standard procedure to transfer or seize FSMO roles.

In a scenario where the domain controller holding the FSMO roles is offline and there is no way to bring it back online, you can follow an alternative procedure to seize the FSMO roles. Here are the steps:

  1. Identify the current FSMO role holders: On any available domain controller, open a command prompt with administrative privileges and run the following command: netdom query fsmo. This will display the current FSMO role holders.
  2. Seize the FSMO roles: Since the failed domain controller is offline, you will need to seize the roles. To do this, you will use the NTDSUTIL command-line utility of Windows Server. Open a command prompt with administrative privileges and follow these steps:
    • Type ntdsutil and press Enter to launch the NTDSUTIL tool.
    • Type roles and press Enter to enter the FSMO maintenance mode.
    • Type connections and press Enter to switch to the connection management mode.
    • Type connect to server <DC name> and press Enter, replacing <DC name> with the name of an available domain controller that will assume the roles.
    • Type quit and press Enter to exit the connection management mode.
    • Type seize <role> and press Enter, replacing <role> with the name of each FSMO role you want to seize. Repeat this step for each role you want to seize.

    Make sure to seize all the necessary roles.

  3. Confirm the role seizure: After seizing the roles, you should receive confirmation that the roles were successfully seized. Review the output to ensure the roles are now held by the appropriate domain controller.
  4. Check for replication: After seizing the FSMO roles, it is essential to verify that the domain controller holding the roles is replicating properly with other domain controllers in the network. You can use the Repadmin command-line tool to check the replication status.
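
The four steps above as one guarded script. This is an added example, not part of the original article: it uses the ActiveDirectory PowerShell module's Move-ADDirectoryServerOperationMasterRole -Force in place of the interactive NTDSUTIL session, and the names in $FailedDC and $TargetDC are placeholders to replace with your own.

```powershell
# Added example. $FailedDC and $TargetDC are placeholder names (assumptions).
Import-Module ActiveDirectory

$FailedDC = 'DC1.example.local'   # FQDN of the dead role holder
$TargetDC = 'DC2'                 # surviving DC that will take the roles

# Step 1: list the current holders (same information as "netdom query fsmo").
$forest  = Get-ADForest -Server $TargetDC
$domain  = Get-ADDomain -Server $TargetDC
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | Format-Table Name, Value -AutoSize

# Only the roles still registered to the failed DC need to be seized.
$toSeize = @($holders.GetEnumerator() |
    Where-Object { $_.Value -eq $FailedDC } |
    ForEach-Object { $_.Key })

if ($toSeize.Count -eq 0) {
    Write-Host "No FSMO roles are registered to $FailedDC; nothing to seize."
}
elseif (Test-NetConnection -ComputerName $FailedDC -Port 389 -InformationLevel Quiet) {
    # Guard: the old holder still answers on LDAP, so seizing is the wrong tool.
    Write-Warning "$FailedDC is reachable; transfer the roles instead of seizing them."
}
else {
    # Step 2: -Force permits seizure when the current holder cannot be contacted.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $toSeize -Force

    # Step 3: confirm the new holders.
    netdom query fsmo

    # Step 4: check replication health on the DC that now holds the roles.
    repadmin /replsummary
    repadmin /showrepl $TargetDC
}
```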

Please note that the “seizing FSMO roles” procedure is a last resort when the original role holder is permanently offline. Seize roles only when you are certain that the original role holder will not come back online. Microsoft recommends gracefully transferring FSMO roles whenever possible.

 

Difference Between Transferring and Seizing FSMO Roles

Transferring makes the old DC know that it does not own the role(s) any more. If the DC is permanently broken (e.g. a hardware defect), you can seize the role on a remaining DC.