Learn AD in 15 Minutes a Week: Active Directory Schema Master Page 6
Seizing FSMO Domain Controller Roles
After the Operations Master roles have been spread out and balanced across other Domain Controllers in the forest, it is normally not necessary to change them again unless something in the environment has changed. Operations Master roles can be seized if the situation calls for it.
Role seizure happens when the original Operations Master halts, be it temporarily or permanently. In the case of a short temporary stoppage of an Operations Master, such as a BSOD, or a somewhat longer one, say a drive failure where a restore from backup might be required, it is not necessarily recommended to perform a role seizure.
[NOTES FROM THE FIELD] - The loss of WAN links can make it appear as if certain FSMO servers have been "lost" to certain network segments and remote sites when this is clearly not the case.
The Infrastructure Master and the PDC Emulator Operation Master domain controllers can temporarily go offline and alternate domain controllers can safely seize their roles. When these original Operation Master domain controllers are brought back online from their failure, they are the only two that can re-seize their original roles back without
When the Schema Master, Domain Naming Master, or RID Master roles are seized by other Domain Controllers for any reason, you cannot bring the original Operations Master domain controller back online without potentially suffering major forest-wide issues, or domain-wide issues in the case of the RID Operations Master.
The temporary loss of the Schema FSMO Domain Controller is not visible to network users and most normal, everyday network administration. Both can continue normally in most cases. The only way the loss of the Schema Master would become evident to an Administrator would be in the case where they are trying to modify the schema manually or installing an application that modifies the schema during installation, such as Exchange 2000.
If the Schema Master remains offline for longer than is acceptable for your environment, you can seize the role by following these steps:
To seize the Schema FSMO Domain Controller role using NTDSUTIL, click on the Start menu, select RUN, and then type NTDSUTIL in the RUN box.
At the NTDSUTIL prompt, type the ROLES command, which will put NTDSUTIL in FSMO MAINTENANCE MODE
Once you are in FSMO MAINTENANCE MODE you can type CONNECTIONS.
Once you are in SERVER CONNECTIONS MODE you can type CONNECT TO SERVER, and then enter the fully qualified domain name.
At the SERVER CONNECTIONS prompt, type QUIT.
At the FSMO MAINTENANCE prompt, type SEIZE SCHEMA MASTER.
At the FSMO MAINTENANCE prompt, type QUIT.
At the NTDSUTIL prompt, type QUIT.
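The steps above can be wrapped in a pre-seizure check that guards against the WAN-link false alarm mentioned earlier. The following PowerShell script is an added example, not part of the original article. It assumes the ActiveDirectory PowerShell module is available, and $NewHolder is a placeholder for the FQDN of the domain controller that will take the role.

```powershell
# Added example: pre-seizure checks, then the same ntdsutil commands as the steps above.
# Assumptions: the ActiveDirectory module is installed; $NewHolder is a placeholder FQDN.
param(
    [Parameter(Mandatory)] [string] $NewHolder,   # e.g. dc2.corp.example (constructed)
    [switch] $Seize                               # without this switch, report only
)
Import-Module ActiveDirectory

# Ask the DC that will take the role who it believes the Schema Master is.
$current = (Get-ADForest -Server $NewHolder).SchemaMaster
Write-Host "Schema Master according to ${NewHolder}: $current"

if ($current -ieq $NewHolder) {
    Write-Host "$NewHolder already holds the role; nothing to do."
    return
}

# A broken WAN link can make a healthy role holder look lost from one site.
# Probe LDAP (TCP 389) on the current holder from this machine.
$probe = Test-NetConnection -ComputerName $current -Port 389 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Warning "$current still answers on LDAP. Do not seize the role."
    return
}
Write-Warning "$current is unreachable from here. Confirm from another site before seizing."

# The interactive steps, passed to ntdsutil as command-line arguments.
$ntdsArgs = @('roles', 'connections', "connect to server $NewHolder", 'quit',
              'seize schema master', 'quit', 'quit')

if ($Seize) {
    & ntdsutil.exe @ntdsArgs
    # Read the role holder back to confirm that the seizure took effect.
    Write-Host "Schema Master now: $((Get-ADForest -Server $NewHolder).SchemaMaster)"
} else {
    $shown = ($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' '
    Write-Host "Dry run. Would execute: ntdsutil $shown"
}
```

Run it without -Seize first; the dry run prints the ntdsutil command line without changing anything.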
[NOTES FROM THE FIELD] - The offline Domain Controller that has the Schema Master role seized from it while it was out of commission must never be brought back online. The system should be completely wiped. It's a running "recommendation" by instructors and seasoned network administrators that the system drives should be reformatted twice before rebuilding the server, just to fully accentuate the need to NEVER bring the server back online as a Schema Master in that domain again.
Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week - Active Directory Schema Master. I hope you found it informative and will return for the next installment.
If you have any questions, comments or even constructive criticism, please feel free to drop me a note.
I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.
Until then, best of luck in your studies and remember,
When your buddy the cheapskate says "YOU GET THIS ONE, NEXT ROUND IS ON ME," realize that he's probably leaving right after this round.