Seize FSMO roles

In the previous section, I explained how to transfer FSMO roles from one domain controller to another. But there are certain situations where we will not be able to transfer the FSMO roles, such as the following:

  • Hardware failures: If the domain controller that holds the FSMO roles failed due to hardware issues and there is no other way to bring it back online, it is possible to seize the FSMO roles. However, if the failed server is protected by a backup or DR solution, it is still worth going through that recovery process rather than seizing, because it can bring the domain controller back in its most up-to-date, usable state.
  • System operation issues: If the domain controller has issues such as operating system corruption, viruses, malware, or file corruption, it may not be possible to transfer the FSMO role to another domain controller, which will also lead to an FSMO role seize.
  • Forcefully removed domain controller: If the FSMO role holder is forcefully decommissioned using the /forceremoval command, the FSMO roles will need to be seized in order to keep infrastructure operations running.

The FSMO role seize process should be used only in a disaster where you cannot recover the FSMO role holder. Some of the FSMO roles (RID, domain naming master, schema master) can still afford a few hours of downtime with minimal business impact. Therefore, we do not use the seize option as the first option if the FSMO role holder can still be recovered or fixed.

Once the seize process is completed, the old FSMO role holder should not be brought online again. It is recommended that you format and remove it from the network. At any given time, it is not possible to have the same FSMO role appear in two servers in the same domain.

In the following example, there are two domain controllers in the infrastructure. REBEL-SDC02 is the FSMO role holder and REBEL-PDC-01 is the additional domain controller. Due to hardware failure, I cannot bring REBEL-SDC02 online and I need to seize the FSMO roles:

In order to seize the roles, the following command can be used:

Move-ADDirectoryServerOperationMasterRole -Identity REBEL-PDC-01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

This command will take a few minutes to complete because, in the background, it tries to connect to the original FSMO role holder before seizing.

The only change in the command from the FSMO role transfer is the -Force parameter at the end. Otherwise, it's the exact same command. You also can seize the individual role using Move-ADDirectoryServerOperationMasterRole -Identity REBEL-PDC-01 -OperationMasterRole <FSMO Role> -Force.

<FSMO Role> can be replaced with the actual FSMO role value.

Once the command is completed, we can test the new FSMO role holder:

As we can see, REBEL-PDC-01 becomes the new FSMO role holder.
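The following script is an added example (not from the book) that puts the seize and the verification step together: it records the current holders, refuses to seize while the old holder still answers on the network (a guard I have added; the book only states that the holder is offline), seizes all five roles onto the surviving DC, and then checks that every role reports the new holder. The names REBEL-SDC02 and REBEL-PDC-01 are taken from the text above.

```powershell
# Added example: seize all five FSMO roles onto a surviving DC and verify the result.
# Assumed names from the text: REBEL-SDC02 (failed holder), REBEL-PDC-01 (surviving DC).
Import-Module ActiveDirectory

$FailedHolder = 'REBEL-SDC02'
$TargetDC     = 'REBEL-PDC-01'
$AllRoles     = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host "FSMO holders before the seize:"
Get-FsmoHolders | Format-Table -AutoSize

# Guard added here: a seize is a last resort. If the old holder still responds,
# stop and use a normal transfer (the same cmdlet without -Force) instead.
if (Test-Connection -ComputerName $FailedHolder -Count 2 -Quiet) {
    throw "$FailedHolder is still reachable; transfer the roles instead of seizing them."
}

# -Force makes the cmdlet seize when the current holder cannot be contacted;
# -Confirm:$false suppresses the interactive prompt for unattended runs.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $AllRoles -Force -Confirm:$false

# Verify that every role now points at the target DC (holder values are FQDNs, so match on host name)
$holders = Get-FsmoHolders
$wrong = $holders.GetEnumerator() |
    Where-Object { $_.Value -ne $TargetDC -and $_.Value -notlike "$TargetDC.*" }

if ($wrong) {
    Write-Warning "Roles not held by ${TargetDC}: $($wrong.Key -join ', ')"
} else {
    Write-Host "All five FSMO roles are now held by $TargetDC. Do not bring $FailedHolder back online."
}
```

Run it on the surviving domain controller with an account that holds Schema Admins, Enterprise Admins and Domain Admins membership, since the schema and domain naming roles require the forest-level groups.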
