How to seize a lost FSMO role

Recently, I was in the process of installing a new Windows Server 2008 R2 domain controller into a Server 2003 Native domain with a single Server 2003 domain controller.

During the process, I ran all of the necessary checks (e.g., dcdiag) to verify everything in the domain looked correct. I ran into an issue when running `netdom query fsmo` that basically said it could not complete the operation. I used the GUI to verify all of the FSMO roles and found that there was an error listed in the schema master section.

Having never come across this before, I did research and found this Microsoft KB (255504) that explained how to seize a FSMO role if one is “lost.”

WARNING: Make sure you are absolutely certain that the FSMO role is lost and the system that used to hold this role is not just having issues or is powered off. If at all possible, it would be better to “fix” the issue, rather than just overwrite the settings with a new FSMO role holder.

Here is the text from the KB that I followed and that successfully let me take over the lost schema role (I performed these steps on the Windows Server 2003 domain controller before promoting the Windows Server 2008 R2 system):

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

  1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
  2. Click Start, click Run, type `ntdsutil` in the Open box, and then click OK.
  3. Type `roles`, and then press ENTER.
  4. Type `connections`, and then press ENTER.
  5. Type `connect to server servername`, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  6. At the server connections prompt, type `q`, and then press ENTER.
  7. Type `seize role`, where role is the role that you want to seize. For a list of roles that you can seize, type `?` at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type `seize rid master`. The one exception is for the PDC emulator role, whose syntax is `seize pdc`, not `seize pdc emulator`.
  8. At the fsmo maintenance prompt, type `q`, and then press ENTER to gain access to the ntdsutil prompt. Type `q`, and then press ENTER to quit the Ntdsutil utility.
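
A read-only pre-check for the warning above, as an added example that is not part of the original post or the KB: it reads each role's `fSMORoleOwner` attribute, tests whether the recorded holder still answers on LDAP, and prints (never runs) the equivalent one-line `ntdsutil` call only for holders that do not answer. Assumptions: PowerShell 2.0 or later on a domain-joined machine, `NEWDC01` as a placeholder for the DC that would receive the role, the holder's server CN resolving in DNS, and TCP 389 as the liveness test.

```powershell
# Added example: read-only check of FSMO holders. Nothing here seizes a role.
$TargetDC = 'NEWDC01'   # placeholder: DC that would receive a seized role

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$schemaNC = [string]$rootDse.schemaNamingContext

# Each role is recorded in the fSMORoleOwner attribute of one directory object.
# Seize = ntdsutil syntax; $null = look it up with ? at the fsmo maintenance prompt.
$roles = @(
    @{ Name = 'Schema master';         Dn = $schemaNC;                              Seize = 'seize schema master' },
    @{ Name = 'Domain naming master';  Dn = "CN=Partitions,$configNC";              Seize = $null },
    @{ Name = 'PDC emulator';          Dn = $domainNC;                              Seize = 'seize pdc' },
    @{ Name = 'RID master';            Dn = "CN=RID Manager`$,CN=System,$domainNC"; Seize = 'seize rid master' },
    @{ Name = 'Infrastructure master'; Dn = "CN=Infrastructure,$domainNC";          Seize = 'seize infrastructure master' }
)

function Test-LdapPort([string]$Server) {
    # TCP connect to 389 with a 3 second timeout; any failure counts as "not answering".
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, 389, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($role in $roles) {
    # Value is the DN of the holder's NTDS Settings object:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<config NC>
    $owner = [string]([ADSI]"LDAP://$($role.Dn)").fSMORoleOwner
    $alive = $false
    if ($owner -match '^CN=NTDS Settings,CN=([^,\\]+),CN=Servers,') {
        $server = $Matches[1]
        $alive  = Test-LdapPort $server
        if ($alive) { $status = 'holder answers on LDAP/389: repair or transfer, do not seize' }
        else        { $status = 'holder not answering: confirm it is permanently gone' }
    } else {
        $server = '(unresolved)'
        $status = "owner DN does not name an NTDS Settings object: $owner"
    }
    '{0,-22} {1,-15} {2}' -f $role.Name, $server, $status
    if (-not $alive -and $role.Seize) {
        '  ntdsutil roles connections "connect to server {0}" quit "{1}" quit quit' -f $TargetDC, $role.Seize
    }
}
```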

ADMX File Location

I recently wanted to look at what Group Policy options existed for managing a piece of software, so I downloaded the relevant ADMX files from Microsoft and couldn’t remember what to do with them.

After some quick searching, I found a blog post that answered my question – http://tigermatt.wordpress.com/2009/06/06/where-do-i-put-my-admx-files/

In summary:

  • Copy the ADMX files to %systemroot%\PolicyDefinitions (%systemroot% should be C:\WINDOWS).
  • Copy the ADML files (if they exist) to %systemroot%\PolicyDefinitions\en-US (again, %systemroot% should be C:\WINDOWS).
  • Restart your Group Policy Management Console for the policy files to appear; there is no need to add a new template.

Also, a good piece of information that was noted on this blog post was that the ADMX/ADML files don’t need to be present on every machine on the network, just on the machine where you are creating/editing the policies.