roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Seizes and transfers operations master roles (also known as flexible single master operations or FSMO roles). After you type roles at the ntdsutil: or dsmgmt: prompt, the prompt changes to fsmo maintenance:. At that prompt, type any of the parameters listed under “Syntax.”

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

connections 
[select operation target] [{seize naming master | seize infrastructure master | seize PDC | seize RID master | seize schema master}] [{transfer naming master | transfer infrastructure master | transfer PDC | transfer RID master | transfer schema master}]

Parameters


connections

Invokes the Server connections submenu.

seize naming master

Forces the domain controller to which you are connected to claim ownership of the domain naming master operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize infrastructure master

Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize PDC

Forces the domain controller to which you are connected to claim ownership of the primary domain controller (PDC) emulator operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize RID master

Forces the domain controller to which you are connected to claim ownership of the relative ID (RID) operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize schema master

Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.

select operation target

Invokes the Select operation target submenu.

transfer naming master

Instructs the domain controller to which you are connected to obtain the domain naming master role by means of controlled transfer.

transfer infrastructure master

Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.

transfer PDC

Instructs the domain controller to which you are connected to obtain the PDC emulator operations master role by means of controlled transfer.

transfer RID master

Instructs the domain controller to which you are connected to obtain the RID operations master role by means of controlled transfer.

transfer schema master

Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.

quit

Takes you back to the previous menu, or exits the utility.

?

Displays Help at the command prompt.

Help

Displays Help at the command prompt.

Remarks

  • Although AD DS is based on a multimaster administration model, some operations support only a single master. For multimaster operations, conflict resolution ensures that after the system finishes replicating, all replicas agree on the value for a given property on a given object. However, some data, for which adequate conflict resolution is not possible, is key to the operation of the system as a whole. This data is controlled by individual domain controllers called operations masters. These domain controllers are referred to as holding a particular operations master role.

    The following are the five operations master roles; some are enterprise-wide and some are per domain:

    • Schema master. There is a single schema operations master role for the entire enterprise. This role allows the operations master server to accept schema updates. There are other restrictions on schema updates.

    • RID master. There is one RID master per domain. Each domain controller in a domain has the ability to create security principals. Each security principal is assigned a RID. Each domain controller is allocated a small set of RIDs out of a domain-wide RID pool. The RID operations master role makes it possible for the domain controller to allocate new subpools out of the domain-wide RID pool.

    • Domain naming master. There is a single domain naming operations master role for the entire enterprise. The domain naming operations master role allows the owner to define new cross-reference objects representing domains in the Partitions container.

    • PDC emulator master. There is one PDC emulator operations master role per domain. The owner of the PDC emulator operations master role identifies which domain controller in a domain performs Windows NT 4.0 PDC activities in support of Windows NT 4.0 backup domain controllers and client computers that use earlier versions of Windows. The role holder is also the domain controller to which password changes are replicated first, the preferred time source for the domain, and the default domain controller that Group Policy tools connect to for editing, so its loss is felt sooner than the loss of the other per-domain roles.

    • Infrastructure master. There is one infrastructure master operations role per domain. The owner of this role ensures the referential integrity of objects with attributes that contain distinguished names of other objects that might exist in other domains. Because AD DS allows objects to be moved or renamed, the infrastructure master periodically checks for object modifications and maintains the referential integrity of these objects.

  • An operations master role can be moved only by administrative involvement; it is not moved automatically. In addition, moving a role is controlled by standard access controls. Therefore, an organization should tightly control the location and movement of operations master roles. For example, an organization with a strong information technology (IT) presence might place the schema master operations role on a server computer in the IT group and configure its access control list (ACL) so that it cannot be moved at all.

    Operations master roles require two forms of management: controlled transfer and seizure.

    Use controlled transfer when you want to move a role from one server to another, perhaps to track a policy change with respect to role location or in anticipation of a server being shut down, moved, or decommissioned.

    Seizure is required when a server that is holding a role fails and you do not intend to restore it. Even in the case of a server that is recovered from a backup, the server does not assume that it owns a role (even if the backup tape says so), because the server cannot determine if the role was legitimately transferred to another server in the time period between when the backup was made and the server failed and was recovered. The restored server assumes role ownership only if a quorum of existing servers is available during recovery and they all agree that the restored server is still the owner.

    The Roles submenu in Ntdsutil is used to perform controlled transfer and recovery of operations master roles. Controlled transfer is simple and safe. Because the source server and destination server are running, the system software guarantees that the operations master role token and its associated data are transferred atomically. Operations master role seizure is equally simple but not as safe: you simply tell a particular domain controller that it is now the owner of a particular role.

Warning

Do not make a server an operations master role owner by means of seizure commands if the real role holder exists on the network. Doing this can create irreconcilable conflicts for key system data. If an operations master role owner is temporarily unavailable, do not make another domain controller the role owner. This can result in a situation in which two computers function as the role owner, which might cause irreconcilable conflicts for key system data. A seize command first attempts a controlled transfer and falls back to seizure only if the current holder does not respond, so it is not a way to skip the transfer when the holder is reachable. After you seize the schema master, domain naming master, or RID master role, do not return the former holder to the network: remove its remaining directory data with metadata cleanup and reinstall it if you want the computer back.

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles (https://go.microsoft.com/fwlink/?LinkId=157320).
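As an added check written for this page (example code, not part of Ntdsutil or the original documentation), the following PowerShell reads each role's fSMORoleOwner attribute from every domain controller's own replica and reports any role that two domain controllers each believe they hold, which is the irreconcilable-conflict situation the warning above describes, as well as roles that still point at a deleted domain controller object. The function name is an assumption; the object locations and the attribute name are the ones Active Directory actually uses for the five roles.

```powershell
# Added example, not from the Ntdsutil documentation: read each role's
# fSMORoleOwner attribute from every DC's own replica and flag disagreement.
Import-Module ActiveDirectory

function Get-FsmoView {
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    # Each role is recorded in the fSMORoleOwner attribute of one well-known object.
    $roleObjects = [ordered]@{
        'PDC'                   = $root.defaultNamingContext
        'RID master'            = "CN=RID Manager`$,CN=System,$($root.defaultNamingContext)"
        'infrastructure master' = "CN=Infrastructure,$($root.defaultNamingContext)"
        'schema master'         = $root.schemaNamingContext
        'naming master'         = "CN=Partitions,$($root.configurationNamingContext)"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = (Get-ADObject -Server $Server -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
        # The value is the DN of the holder's NTDS Settings object; the second RDN is the DC name.
        # A DN containing '0ADEL:' points at a deleted holder: the role was never moved off a dead DC.
        [pscustomobject]@{
            QueriedFrom = $Server
            Role        = $role
            Holder      = ($owner -split ',')[1] -replace '^CN=', ''
            Stale       = [bool]($owner -match '0ADEL:')
        }
    }
}

# Ask every DC in the domain and compare the answers.
$views = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try { Get-FsmoView -Server $dc } catch { Write-Warning "$dc did not answer: $_" }
}
foreach ($group in ($views | Group-Object Role)) {
    $holders = @($group.Group.Holder | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        # Two DCs believe they own the same role: the condition the warning above describes.
        Write-Warning ("CONFLICT for {0}: {1}" -f $group.Name, ($holders -join ', '))
    } elseif ($group.Group.Stale -contains $true) {
        Write-Warning ("{0} is held by a deleted DC object; seize it and run metadata cleanup" -f $group.Name)
    } else {
        "{0,-22} {1}" -f $group.Name, $holders[0]
    }
}
```

Run it before and after any transfer or seizure. Because it queries each domain controller directly instead of whichever one the cmdlets pick by default, a freshly seized role shows up as a conflict until replication has reached every replica or the old holder has been removed with metadata cleanup, which is exactly the window you want to see.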

Examples

To transfer the PDC emulator master role to the domain controller that you are currently connected to, type the following command, and then press ENTER:

fsmo maintenance: transfer PDC
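The example above shows only the final command. The following PowerShell function, added here as an example and not part of Ntdsutil or the original page, runs the complete sequence you would otherwise type at the ntdsutil:, fsmo maintenance:, and server connections: prompts, with the checks the Remarks call for: it reads the current holder as the target domain controller sees it, refuses to seize while that holder still answers LDAP, refuses a transfer when it does not, passes the commands to Ntdsutil as arguments, and reads the role back afterwards. The function name, parameter names, and the hostnames in the usage comments are assumptions.

```powershell
# Added example, not from the Ntdsutil documentation: a guarded transfer or
# seizure that runs the same commands you would type at the prompts.
Import-Module ActiveDirectory

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Role names use the same wording as the Ntdsutil commands.
        [Parameter(Mandatory)]
        [ValidateSet('PDC', 'RID master', 'infrastructure master', 'schema master', 'naming master')]
        [string]$Role,
        # Domain controller that should receive the role (hostnames below are assumed).
        [Parameter(Mandatory)][string]$Target,
        [switch]$Seize
    )
    # Read the current holder from the target's own replica; two roles are
    # forest-wide, the other three are per domain.
    $readHolder = {
        switch ($Role) {
            'PDC'                   { (Get-ADDomain -Server $Target).PDCEmulator }
            'RID master'            { (Get-ADDomain -Server $Target).RIDMaster }
            'infrastructure master' { (Get-ADDomain -Server $Target).InfrastructureMaster }
            'schema master'         { (Get-ADForest -Server $Target).SchemaMaster }
            'naming master'         { (Get-ADForest -Server $Target).DomainNamingMaster }
        }
    }
    $before = & $readHolder

    # Does the holder still answer LDAP? That decides between transfer and seizure.
    $alive = $true
    try { $null = Get-ADRootDSE -Server $before -ErrorAction Stop } catch { $alive = $false }
    if ($Seize -and $alive) {
        throw "$before still answers for '$Role'. Seizing now would create a second owner; use a controlled transfer."
    }
    if (-not $Seize -and -not $alive) {
        throw "$before does not answer, so a controlled transfer cannot complete. Seize only if it will never return."
    }

    # The commands, in the order you would type them, passed as arguments so
    # Ntdsutil runs them one after another.
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    $commands = @('roles', 'connections', "connect to server $Target", 'quit', "$verb $Role", 'quit', 'quit')
    if ($PSCmdlet.ShouldProcess($Target, "$verb $Role (currently held by $before)")) {
        # Ntdsutil still shows its Yes/No confirmation dialog before it acts.
        & ntdsutil @commands
    }
    [pscustomobject]@{ Role = $Role; Before = $before; After = (& $readHolder) }
}

# Controlled transfer of the PDC emulator role to DC02 (assumed name); -WhatIf only prints the plan:
# Move-FsmoRole -Role PDC -Target DC02.corp.example -WhatIf
# Seizure of the RID master, only after the old holder is confirmed gone for good:
# Move-FsmoRole -Role 'RID master' -Target DC02.corp.example -Seize
```

The liveness check is the point of the wrapper: Ntdsutil will happily seize a role from a holder that is merely slow to answer, and the page's warning is about exactly that outcome. If you prefer the Active Directory module over Ntdsutil, Move-ADDirectoryServerOperationMasterRole performs the same transfer, and its -Force switch performs the seizure, so the same guard applies.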

Additional references

Command-Line Syntax Key

Dsmgmt

Ntdsutil

authoritative restore

configurable settings

DS behavior

files

group membership evaluation

ifm

LDAP policies

local roles

metadata cleanup

partition management

security account management

semantic database analysis

set DSRM password

snapshot