Isolate a DC - Part 7: Seize all FSMO roles
This is Part 7 of a series on Active Directory Forest recovery; you need to have your FSMOs under control.
Seize all FSMO roles
Which roles you seize depends on whether you are in the forest root domain or a child domain. The script below uses NTDSUTIL to seize all five roles in a forest root domain, and only the Infrastructure Master, PDC Emulator and RID Master in a child domain. It also updates the FSMO role owner attribute (fSMORoleOwner) on your application partitions (usually just Forest DNS Zones and Domain DNS Zones).
```powershell
Import-Module ActiveDirectory

function seize-AllFSMORoles {
    [CmdletBinding()]
    param()
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $DC = Get-ADDomainController
    # SIDs of the caller's groups; well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins
    $grouplist = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
    if ($domain.DNSRoot -eq $forest.RootDomain) {
        # Forest root domain: all five roles are seized here
        if (!($grouplist -match '-518$') -or !($grouplist -match '-519$') -or !($grouplist -match '-512$')) {
            Write-Warning "You must have Domain, Schema and Enterprise Admin roles to proceed - no changes will be made"; return
        }
        Write-Verbose "Using NTDSUtil to seize all forest FSMO roles"
        ntdsutil "roles" con "con to dom $($domain.DNSRoot)" q "Sei PDC" "Sei Inf ma" "sei sch ma" "sei na ma" "sei rid ma" q q
        Write-Warning "PDC role has been moved - be sure to update NTP configuration of local server"
    } else {
        # Child domain: only the three domain-wide roles are seized
        if (!($grouplist -match '-512$')) { Write-Warning "You must have Domain Admin to proceed - no changes will be made"; return }
        Write-Verbose "Using NTDSUtil to seize all child domain FSMO roles"
        ntdsutil "roles" con "con to dom $($domain.DNSRoot)" q "Sei Inf ma" "sei PDC" "sei rid ma" q q
    }
    # Point fSMORoleOwner of the application partitions directly under this domain (e.g. DomainDnsZones, ForestDnsZones) at this DC
    Write-Verbose "Updating RoleOwner for application partitions"
    $forest.ApplicationPartitions |
        Where-Object { $_ -match "^dc=[^,]+,$([regex]::Escape($domain.DistinguishedName))`$" } |
        ForEach-Object { Set-ADObject $_ -Replace @{fSMORoleOwner = $DC.NTDSSettingsObjectDN} }
}
seize-AllFSMORoles -Verbose
```
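As an added verification step (not part of the original post), the check below confirms that the role holders reported by the AD module, and the fSMORoleOwner attribute of each application partition under this domain, now resolve to the recovered DC. It assumes it runs on that DC after the seize, with the ActiveDirectory module available; the function name Test-SeizedFSMORoles is my own.

```powershell
Import-Module ActiveDirectory

function Test-SeizedFSMORoles {
    [CmdletBinding()]
    param()
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dc     = Get-ADDomainController   # assumed to be the local, recovered DC
    $ok     = $true

    # Domain-wide roles exist in every domain; forest-wide roles only in the root
    $expected = @{
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    if ($domain.DNSRoot -eq $forest.RootDomain) {
        $expected['Schema Master']        = $forest.SchemaMaster
        $expected['Domain Naming Master'] = $forest.DomainNamingMaster
    }
    foreach ($role in $expected.Keys) {
        if ($expected[$role] -ne $dc.HostName) {
            Write-Warning "$role is held by $($expected[$role]), expected $($dc.HostName)"
            $ok = $false
        } else {
            Write-Verbose "$role held by $($dc.HostName)"
        }
    }

    # Same partition filter as the seize script: application NCs directly under this domain
    $pattern = "^dc=[^,]+,$([regex]::Escape($domain.DistinguishedName))`$"
    foreach ($nc in ($forest.ApplicationPartitions | Where-Object { $_ -match $pattern })) {
        $owner = (Get-ADObject $nc -Properties fSMORoleOwner).fSMORoleOwner
        if ($owner -ne $dc.NTDSSettingsObjectDN) {
            Write-Warning "$nc fSMORoleOwner is '$owner', expected $($dc.NTDSSettingsObjectDN)"
            $ok = $false
        }
    }
    return $ok
}

# A non-zero exit signals a role or partition still pointing at a DC that no longer exists
if (-not (Test-SeizedFSMORoles -Verbose)) { exit 1 }
```

Run it before moving on to the metadata cleanup in Part 8, since a role still owned by a DC you are about to remove is the usual cause of failures there.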
All the other parts of this series are available here:
- Part 1: Configure the Network
- Part 2: Reset SYSVOL Sync State
- Part 3: Activate Administrator Account
- Part 4: Reset DSRM Password
- Part 5: Disable Global Catalog
- Part 6: Raise RID Pools
- Part 7: Seize all FSMO roles
- Part 8: Metadata cleanup all other DCs
- Part 9: Reset Intra-Forest trust passwords
- Part 10: Reset KrbTGT password twice