If you read this article it's very likely you are having issues with a FSMO role master server, most possibly with the PDC emulator as the absence of this role has adverse effects in the infrastructure almost immediately.
I assume you've already tried to bring that role holder online, so seizing the role to another server is the only option at this point. That case I won't waste your time and jump right into the FSMO role seizing process.
Keep in mind: if the original server becomes available after seizing the FSMO roles to a new server, in order to move the roles back to where they were you need to reinstall the original server. In theory, the PDC emulator role and the Infrastructure role can be transferred back even after a seizing procedure, but the Domain Naming, the Schema and and RID master roles will not be accepted unless the original role holder server is rebuilt.
How to seize the FSMO roles to a new server?
You have two ways:
- Use Powershell: the same Move-ADDirectoryServerOperationMasterRole command is used with the -Force switch
- Use NTDSUtil
Use PowerShell to seize FSMO Roles
The procedure is exactly the same as if we were simply transfer the roles to a new domain controller (full article on that is found here), except this time we use the -Force switch to let the shell know we want to go all the way, even if the current role holder is offline.
To seize ALL the roles to our target domain controller called "TargetDC", use the following
command. If you want to seize only specific roles, use the name or corresponding role number (0-4) of the specific role.
# Seize ALL roles to "TARGETDC" Move-ADDirectoryServerOperationMasterRole -Identity "TARGETDC" -OperationMasterRole 0,2,1,3,4 -Force -Confirm:$false # Roles: PDCEmulator or 0 RIDMaster or 1 InfrastructureMaster or 2 SchemaMaster or 3 DomainNamingMaster or 4
Don't worry if the process hangs for many minutes, it's normal as the shell first tried to normally transfer all roles and if that times out, then it goes on with the seizing job
Seize FSMO Roles with NTDSUtil
The second option is using ntdsutil. Open an elevated shell or cmd window first (right-click and choose "Run as administrator"). The do the following:
- Type in: ntdsutil [hit enter]
- Type in: roles [hit enter]
- Type in: connections [hit enter]
- Type in: connect to server TARGETDC [hit enter]
- Type in: q [hit enter]
- Now type in the following command one after another, depending on which roles you want to seize:Seize PDC [hit enter]
Seize RID master [hit enter]
Seize infrastructure master [hit enter]
Seize schema master [hit enter]
Seize naming master [hit enter]
For reference, see the transcript of the actual process below:
Comments