Active Directory Forest Recovery - Seize an operations master role

• Applies to:

  ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Use the following procedure to seize an operations master role (also known as a flexible single master operations (FSMO) role). You can use Ntdsutil.exe, a command-line tool that is installed automatically on all DCs.

Seize an operations master role

1. At the command prompt, type the following command, and then press ENTER:

   ntdsutil
   

2. At the ntdsutil: prompt, type the following command, and then press ENTER:

   roles
   

3. At the FSMO maintenance: prompt, type the following command, and then press ENTER:

   connections
   

4. At the server connections: prompt, type the following command, and then press ENTER:

   Connect to server ServerFQDN
   

   Where ServerFQDN is the fully qualified domain name (FQDN) of this DC, for example: connect to server nycdc01.example.com.

   If ServerFQDN does not succeed, use the NetBIOS name of the DC.

5. At the server connections: prompt, type the following command, and then press ENTER:

   quit
   

6. Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.

Role	Credentials	Command
Domain naming master	Enterprise Admins	Seize naming master
Schema master	Schema Admins	Seize schema master
Infrastructure master Note: After you seize the infrastructure master role, you may receive an error later if you need to run Adprep /Rodcprep. For more information, see KB article 949257.	Domain Admins	Seize infrastructure master
PDC emulator master	Domain Admins	Seize pdc
RID master	Domain Admins	Seize rid master

After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears. You can also run Netdom Query FSMO at an elevated command prompt to verify current role holders.

Note

If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.

Next steps

• AD Forest Recovery - Prerequisites
• AD Forest Recovery - Devise a custom forest recovery plan
• AD Forest Recovery - Steps to restore the forest
• AD Forest Recovery - Identify the problem
• AD Forest Recovery - Determine how to recover
• AD Forest Recovery - Perform initial recovery
• AD Forest Recovery - Procedures
• AD Forest Recovery - Frequently Asked Questions (FAQ)
• AD Forest Recovery - Recover a single domain within a multidomain forest
• AD Forest Recovery - Redeploy remaining DCs
• AD Forest Recovery - Virtualization
• AD Forest Recovery - Cleanup