Real-Life Scenario: Seizing FSMO Roles from a Dead Domain Controller
Situation:
Imagine your company has two Domain Controllers:
- DC1 – Primary Domain Controller holding all FSMO roles
- DC2 – Secondary Domain Controller used for backup and authentication
Suddenly, DC1 crashes permanently due to hardware failure. The hard disk is damaged, and the server cannot be repaired or brought online again.
Now, your Active Directory is stuck, because FSMO roles (like RID Master, PDC Emulator, etc.) are still pointing to DC1, which is dead.
🎯 Goal:
You need to seize (forcefully take) the FSMO roles and assign them to DC2 so that your domain starts working properly again.
When to Seize FSMO Roles?
If a Domain Controller holding one or more FSMO roles has failed and cannot be recovered or brought online, you need to seize those roles using NTDSUTIL.
Warning!
Seizing a FSMO role is a last resort. Only seize a role if the original role holder is permanently offline and will never come back.
Steps to Seize FSMO Roles
- Open Command Prompt as Administrator.
- Launch NTDSUTIL:
ntdsutil
- Enter FSMO maintenance mode:
roles
- Connect to a live Domain Controller (replace <ServerName> with its name):
connections
connect to server <ServerName>
quit
- Seize each FSMO role as required:
seize schema master
seize naming master
seize rid master
seize pdc
seize infrastructure master
- Exit NTDSUTIL:
quit
quit
Example
To seize RID Master from a failed DC:
ntdsutil
roles
connections
connect to server DC2
quit
seize rid master
quit
quit
Verify FSMO Roles
After seizing, check the FSMO roles to ensure they have been successfully transferred:
netdom query fsmo
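The warning and the verification step above both come down to knowing which server holds each role and whether that holder still answers. The read-only PowerShell check below is an added example, not part of the original procedure. It assumes the ActiveDirectory module (RSAT) is installed, a single-domain forest, and DC2 as the surviving Domain Controller from the scenario.

```powershell
# Added example: read-only, makes no changes to the directory.
# Assumptions: ActiveDirectory module (RSAT) available, single-domain forest,
# DC2 is the surviving Domain Controller.
Import-Module ActiveDirectory

$liveDc = 'DC2'   # assumption: name of the live DC from the scenario

# Ask the live DC which server it believes holds each FSMO role.
$forest = Get-ADForest -Server $liveDc
$domain = Get-ADDomain -Server $liveDc

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'Infrastructure Master' = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    $holder = $role.Value   # FQDN of the recorded role holder

    # Is the role already on the live DC (short name or FQDN match)?
    $onLive = ($holder -eq $liveDc) -or ($holder -like "$liveDc.*")

    # A working DC must answer on LDAP (TCP 389).
    $ldapUp = Test-NetConnection -ComputerName $holder -Port 389 `
                  -InformationLevel Quiet -WarningAction SilentlyContinue

    $action = if ($onLive)     { 'None: role is already on the live DC' }
              elseif ($ldapUp) { 'Holder reachable: do not seize' }
              else             { 'Holder unreachable: seize only if it is permanently gone' }

    [pscustomobject]@{
        Role   = $role.Key
        Holder = $holder
        LdapUp = $ldapUp
        Action = $action
    }
}

$report | Format-Table -AutoSize
```

Run it once before seizing to confirm the holder is really unreachable, and again afterwards: every row should then show DC2 as the holder, matching the output of netdom query fsmo.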