Isolate a DC - Part 7: Seize all FSMO roles

This is Part 7 of a series on Active Directory Forest recovery. At this stage the isolated DC needs to hold the FSMO roles, so you have to get them under control.

Seize all FSMO roles

The roles you seize depend on whether you are in the forest root domain or a child domain. The script below uses NTDSUTIL to seize all five roles in a forest root domain, and the Infrastructure Master, PDC Emulator and RID Master in a child domain. It also updates the FSMO owner attribute (fSMORoleOwner) on your application partitions (usually just ForestDnsZones and DomainDnsZones).

function Seize-AllFSMORoles {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $DC     = Get-ADDomainController
    # SIDs of the current user's groups; RID 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins
    $grouplist = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
    if ($domain.DNSRoot -eq $forest.RootDomain) {
        if (!($grouplist -match '-518$') -or !($grouplist -match '-519$') -or !($grouplist -match '-512$')) {
            Write-Warning "You must have Domain, Schema and Enterprise Admin roles to proceed - no changes will be made"; return
        }
        Write-Verbose "Using NTDSUtil to seize all forest FSMO roles"
        ntdsutil "roles" con "con to dom $($domain.DNSRoot)" q "Sei PDC" "Sei Inf ma" "sei sch ma" "sei na ma" "sei rid ma" q q
    } else {
        if (!($grouplist -match '-512$')) {
            Write-Warning "You must have Domain Admin to proceed - no changes will be made"; return
        }
        Write-Verbose "Using NTDSUtil to seize all child domain FSMO roles"
        ntdsutil "roles" con "con to dom $($domain.DNSRoot)" q "Sei Inf ma" "sei PDC" "sei rid ma" q q
    }
    # Both branches seize the PDC Emulator, so the time-source reminder applies in either case
    Write-Warning "PDC role has been moved - be sure to update NTP configuration of local server"
    Write-Verbose "Updating fSMORoleOwner for application partitions"
    # An application partition records its infrastructure master on its CN=Infrastructure object
    # (not on the partition head), so point that attribute at this DC's NTDS Settings object.
    $forest.ApplicationPartitions |
        Where-Object { $_ -match "^dc=[^,]+,$([regex]::Escape($domain.DistinguishedName))`$" } |
        ForEach-Object { Set-ADObject -Identity "CN=Infrastructure,$_" -Replace @{fSMORoleOwner = $DC.NTDSSettingsObjectDN} }
}

Seize-AllFSMORoles -Verbose
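After seizing, you want proof that every role now points at this DC before you go any further. The function below is an added example, not part of the original post or script: it reads fSMORoleOwner directly from the object that records each role (domain head, RID Manager$, Infrastructure, schema, Partitions container, and each application partition's CN=Infrastructure) and compares it with the local DC's NTDS Settings DN. Object locations are standard AD; the function name Test-SeizedFSMORoles is my own.

```powershell
# Added example (not from the original post): verify the roles this DC should now hold.
function Test-SeizedFSMORoles {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $dc       = Get-ADDomainController
    $rootDse  = Get-ADRootDSE
    $expected = $dc.NTDSSettingsObjectDN   # the DN every fSMORoleOwner should now contain

    # Each role is recorded in the fSMORoleOwner attribute of a specific object.
    $roleObjects = [ordered]@{
        'PDC Emulator'          = $domain.DistinguishedName
        'RID Master'            = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
        'Infrastructure Master' = "CN=Infrastructure,$($domain.DistinguishedName)"
    }
    # Forest-wide roles only apply when this is the forest root domain.
    if ($domain.DNSRoot -eq $forest.RootDomain) {
        $roleObjects['Schema Master']        = $rootDse.schemaNamingContext
        $roleObjects['Domain Naming Master'] = "CN=Partitions,$($rootDse.configurationNamingContext)"
    }
    # Application partitions directly under this domain (e.g. DomainDnsZones) record
    # their infrastructure master on their own CN=Infrastructure object.
    $domainDn = [regex]::Escape($domain.DistinguishedName)
    $parts = $forest.ApplicationPartitions | Where-Object { $_ -match "^dc=[^,]+,$domainDn`$" }
    foreach ($part in $parts) {
        $roleObjects["Infrastructure ($part)"] = "CN=Infrastructure,$part"
    }

    $allOk = $true
    foreach ($role in $roleObjects.Keys) {
        $owner = (Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
        $ok = ($owner -eq $expected)          # -eq is case-insensitive, which suits DN comparison
        if (-not $ok) { $allOk = $false }
        [pscustomobject]@{ Role = $role; Object = $roleObjects[$role]; Owner = $owner; HeldLocally = $ok }
    }
    if (-not $allOk) { Write-Warning "At least one role is still recorded against another DC" }
}

Test-SeizedFSMORoles | Format-Table -AutoSize
```

A HeldLocally value of False for an application partition usually means the fSMORoleOwner update in the seize script did not apply, which Get-ADDomain and Get-ADForest will not show because they only report the five domain and forest roles.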

All the other parts of this series are available here