This is the Title of the Book, eMatter Edition
Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved.
Understanding Operations Master Roles
Transferring and Seizing Roles Manually
Sometimes you might need to change the operations master roles that domain controllers are playing without necessarily using the graphical interface. It might be that you inadvertently unplugged and reformatted your first domain controller in your domain too early, without transferring its roles elsewhere. Or maybe your specific server is temporarily offline but you really need a role transferred as soon as possible.
If your PDC emulator domain controller or infrastructure masters are offline, it is OK to transfer these roles through the GUI using the aforementioned procedures. You’ll need to confirm the offline transfer a couple of times before it will go through, but eventually it will succeed.
Windows Server 2003 comes with the NTDSUtil tool, a command-line utility that allows you to perform Active Directory maintenance that goes above and beyond what the GUI tools allow. In this case, you might need to transfer the schema master, domain-naming master, or RID master roles—or you might need to force that transfer if the original holder of those roles is unavailable.
To transfer a role using NTDSUtil, open a command prompt and run NTDSUTIL. Then follow these steps:
1. Enter roles to switch into FSMO Maintenance mode.
2. Enter connections to enter the Server Connections context.
3. Enter connect to <targetcomputer>, where <targetcomputer> is the computer to which you want to transfer the role.
4. Enter quit to leave the Server Connections context.
5. Enter transfer schema master, transfer domain naming master, or transfer rid master, whichever is appropriate, to transfer the role you want. NTDSUtil will attempt to contact the current holder of that operations master role. If it can, and that machine approves the transfer, your operation is complete. However, if for some reason the utility can’t contact that computer, error messages will
If you find error messages when you’re simply attempting a transfer, you can force the role transfer by using the SEIZE command. After step 4 in the previous procedure, start the following.
Once you have seized a role, never let the previous holder of that role back onto the network unless you’ve reformatted the machine. I repeat: never, ever do this. The previous holder doesn’t know the roles were transferred and is not able to figure it out for itself. Picture a bitter custody battle.
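The transfer procedure above can also be run in one pass, because NTDSUtil accepts its commands as command-line arguments. The following PowerShell script is an added example, not code from the book: it performs a transfer only (never a seize) and compares the output of netdom query fsmo before and after to confirm that the role actually moved. It assumes netdom is installed (Support Tools on Windows Server 2003), uses NTDSUtil's connect to server <name> form, takes the role command names as given in step 5, and its parameter and function names are hypothetical.

```powershell
# Added example: transfer one operations master role and verify the result.
# Parameter names and Get-FsmoHolders are hypothetical, not part of any tool.
param(
    [Parameter(Mandatory = $true)]
    [string] $TargetDC,   # domain controller that should receive the role

    [Parameter(Mandatory = $true)]
    [ValidateSet('schema master', 'domain naming master', 'rid master')]
    [string] $Role        # the three roles the text handles with NTDSUtil
)

function Get-FsmoHolders {
    # netdom query fsmo prints one "<role>   <holder FQDN>" line per role.
    $out = & netdom query fsmo 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netdom query fsmo failed: $out" }
    # Keep only lines that end in a dotted host name (drops the status line).
    $out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '\S+\.\S+$' }
}

Write-Host 'Role holders before the transfer:'
$before = @(Get-FsmoHolders)
$before | ForEach-Object { Write-Host "  $_" }

# Same sequence as the interactive steps: roles, connections, connect,
# quit, transfer <role>, then quit out of both remaining contexts.
# NTDSUtil shows its own confirmation dialog before it transfers.
$ntdsArgs = @(
    'roles', 'connections', "connect to server $TargetDC", 'quit',
    "transfer $Role", 'quit', 'quit'
)
& ntdsutil @ntdsArgs

# Do not rely on the exit code alone; check who holds the roles now.
$after   = @(Get-FsmoHolders)
$changed = @(Compare-Object $before $after |
             Where-Object { $_.SideIndicator -eq '=>' })

if ($changed.Count -eq 0) {
    Write-Warning "No role holder changed. Review the NTDSUtil output above."
    exit 1
}
$changed | ForEach-Object { Write-Host "Now held: $($_.InputObject)" }
if (-not ($changed | Where-Object { $_.InputObject -like "*$TargetDC*" })) {
    Write-Warning "A role moved, but not to $TargetDC. Check the holders."
    exit 1
}
```

If the script warns that nothing changed, the current role holder was probably unreachable; the decision to seize stays a manual one because of the restriction on the previous holder described above.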