Learn AD in 15 Minutes a Week: Active Directory Schema Master Page 6

Seizing FSMO Domain Controller Roles

After the Operations Masters roles have been spread out and balanced across other Domain Controllers in the forest, it is normally not necessary to change them again unless something in the environment has changed. Operations Masters roles can be seized if the situation calls for it.

Role seizure happens when the original Operation Master halts, be it temporarily or permanently. In the case of a short temporary stoppage of an Operation Master, such as a BSOD, or a somewhat longer one, say a drive failure where a restore from backup might be required, it is not necessarily recommended to perform a role seizure.

[NOTES FROM THE FIELD] - The loss of WAN links can make it appear as if certain FSMO servers have been "lost" to certain network segments and remote sites when this is clearly not the case.

The Infrastructure Master and the PDC Emulator Operation Master domain controllers can temporarily go offline, and alternate domain controllers can safely seize their roles. When these original Operation Master domain controllers are brought back online after their failure, they are the only two that can take their original roles back without major difficulty.

When the Schema Master, Domain Naming Master, or RID Master roles are seized by other Domain Controllers for any reason, you cannot bring the original Operation Master domain controller back online without potentially suffering major forest-wide issues, or domain-wide issues in the case of the RID Operations Master.

The temporary loss of the Schema FSMO Domain Controller is not visible to network users and most normal, everyday network administration. Both can continue normally in most cases. The only way the loss of the Schema Master would become evident to an Administrator would be in the case where they are trying to modify the schema manually or installing an application that modifies the schema during installation, such as Exchange 2000.

If the Schema Master remains offline for longer than is acceptable for your environment, you can seize the role by following these steps:

To seize the Schema FSMO Domain Controller role using NTDSUTIL, click on the Start menu, select RUN, and then type NTDSUTIL in the RUN box.

At the NTDSUTIL prompt, type the ROLES command, which will put NTDSUTIL in FSMO MAINTENANCE MODE.

Once you are in FSMO MAINTENANCE MODE you can type CONNECTIONS.

Once you are in SERVER CONNECTIONS MODE you can type CONNECT TO SERVER, and then enter the fully qualified domain name.

At the SERVER CONNECTIONS prompt, type QUIT.


At the FSMO MAINTENANCE prompt, type QUIT.

At the NTDSUTIL prompt, type QUIT.

[NOTES FROM THE FIELD] - The offline Domain Controller that has the Schema Master role seized from it while it was out of commission must never be brought back online. The system should be completely wiped. It's a running "recommendation" by instructors and seasoned network administrators that the system drives should be reformatted twice before rebuilding the server, just to fully accentuate the need to NEVER bring the server back online as a Schema Master in that domain again.
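Because a seizure of the Schema Master cannot be undone and a broken WAN link can make a healthy role holder look lost, a read-only check before starting the steps above is worthwhile. The following is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module and Test-NetConnection, both of which are newer than the Windows 2000 tooling the article describes.

```powershell
# Added example: read-only check to run before any FSMO seizure. Changes nothing.
# Assumes the ActiveDirectory module (RSAT) and Test-NetConnection are available.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Current holder of each role, and whether the article says the original
# holder can come back online after its role has been seized.
$roles = @(
    [pscustomobject]@{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster;         OldHolderMayReturn = $false }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster;   OldHolderMayReturn = $false }
    [pscustomobject]@{ Role = 'RIDMaster';            Holder = $domain.RIDMaster;            OldHolderMayReturn = $false }
    [pscustomobject]@{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator;          OldHolderMayReturn = $true }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster; OldHolderMayReturn = $true }
)

$report = foreach ($r in $roles) {
    # LDAP (TCP 389) reachability from THIS machine only. A failed WAN link
    # makes a healthy role holder look lost from a remote site.
    $reachable = Test-NetConnection -ComputerName $r.Holder -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    $advice = if ($reachable) {
        'Holder is up: no seizure is called for'
    } elseif ($r.OldHolderMayReturn) {
        'Unreachable from here: confirm from another site; old holder may return after a seizure'
    } else {
        'Unreachable from here: confirm from another site; if seized, old holder must be wiped, never returned'
    }

    [pscustomobject]@{
        Role = $r.Role; Holder = $r.Holder; ReachableFromHere = $reachable; Advice = $advice
    }
}
$report | Format-Table -AutoSize -Wrap

# Ask every DC this machine can locate who it believes the Schema Master is.
# More than one answer means the DCs disagree; settle that before seizing anything.
$views = foreach ($dc in Get-ADDomainController -Filter *) {
    try   { (Get-ADForest -Server $dc.HostName -ErrorAction Stop).SchemaMaster }
    catch { "no answer from $($dc.HostName)" }
}
$views | Group-Object | Select-Object Count, Name
```

Run it from more than one site before deciding that a role holder is really gone. In current versions of NTDSUTIL the command that performs the seizure itself, issued at the FSMO MAINTENANCE prompt, is `seize schema master`.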

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week - Active Directory Schema Master. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,

When your buddy the cheapskate says "YOU GET THIS ONE, NEXT ROUND IS ON ME," realize that he's probably leaving right after this round.

Jason Zandri

This article was originally published on Jul 11, 2002