Active Directory has five operational master roles that can be transferred from domain controller to domain controller as required. In some cases the role may not be able to be transferred; for example, if the hardware on the domain controller was to fail, a transfer cannot be made. When this occurs, the operational master role must be seized. This video looks at how to seize an operational master role, clean up the Active Directory database afterwards, and recover a server that has had an operational master role seized.
Demo seizing the role 04:40
Demo cleaning up the Active Directory database 08:55
Demo removing Active Directory from a recovered server 14:04
What is an operational master role?
See our operational master role video for more information.
Impact of missing operational master role
Seizing an operational master role from a failed server is a drastic step. Once complete, the domain controller can not be started back up on the network. Before seizing the operational master role, first consider the effect the missing operational master role will have as listed below.
Schema master: If this role is missing then changes will not be able to be made to the Active Directory schema. The schema defines the design of the Active Directory database. If you are not planning on making changes to the structure of the Active Directory database this role could be off line indefinitely.
Domain Naming Master: This is required when adding/removing domains. If you are not adding or removing domains the Domain Naming Operational Master Role could be offline indefinitely.
Relative ID Master: Otherwise known as RID master, it allocates RID’s to Domain Controllers. These are used to create Active Directory objects. Without RID’s Domain Controllers cannot create new objects. RID’s are allocated in pools so a domain controller will not run out quickly unless a lot of Active Directory objects are created at once.
PDC Emulator: A PDC emulator is considered the final authority on password authentication. If the PDC emulator is down, a user may experience problems logging in just after a password change. Short outage should not be problem but it is recommended to try to recover the domain controller holding the PDC emulator quickly if it fails.
Infrastructure master: In a single domain/forest environment, a missing infrastructure master will not cause any problems. In a multiple domain environment, this will only cause problems if none of your domain controllers are global catalog servers. If this is the case, cross domain objects may not be updated correctly when changed.
Seizing a role
Seizing a role is considered a last resort and once completed the domain controller that was holding that operational master role will not be able to be started back up on the network again. A domain controller that can have an operational master role transferred or seized is often referred to as a standby operational master.
In order to seize an operational master role, you need to run the command NTDSUtil from the command prompt. Once inside the tool, run the following commands.
connect to server (Domain controller role will be seized by)
Seize PDC|RID master|schema master|infrastructure master|naming master
Removing Domain Controller Configuration
Once you seize the operational master role, the configure data for that domain controller will still exist in Active Directory. This can be removed by performing the following steps.
Run NTDSUtil from the command prompt
connect to server (any domain controller)
select operational target
select domain (your domain number shown in list domain)
select site (your site number shown in list sites)
list servers in site
select server (your server number shown in list servers in site)
Remove selected server
Run Active Directory Sites and Services from administrative tools
Find the record for your failed domain controller. It should not have domain listed next to its name. Press delete to delete the record.
Reusing a failed server
If you have seized an operational master role from a domain controller and later recover the domain controller, Active Directory will need to be removed from the domain controller before it can be added and reused on the domain. This can be done with the following steps.
Make sure the server is not connected to the network.
From the command line run DCPromo /ForceRemoval