Transfers and seizes operations master (FSMO) roles. At the fsmo maintenance: prompt (entered by typing roles at the ntdsutil: prompt), type any of the parameters listed under Syntax.

Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

connections 
[select operation target] [{seize naming master | seize infrastructure master | seize PDC | seize RID master | seize schema master}] [{transfer naming master | transfer infrastructure master | transfer PDC | transfer RID master | transfer schema master}]

Parameters

Parameter Description

connections

Invokes the Server connections submenu.

seize naming master

Forces the domain controller to which you are connected to claim ownership of the naming master operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize infrastructure master

Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize PDC

Forces the domain controller to which you are connected to claim ownership of the PDC operations master role without regard to the data associated with the role. Use only for recovery purposes.

seize RID master

Forces the domain controller to which you are connected to claim ownership of the relative ID master role without regard to the data associated with the role. Use only for recovery purposes.

seize schema master

Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.

select operation target

Invokes the Select operation target submenu.

transfer naming master

Instructs the domain controller to which you are connected to obtain the naming master role by means of controlled transfer.

transfer infrastructure master

Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.

transfer PDC

Instructs the domain controller to which you are connected to obtain the PDC operations master role by means of controlled transfer.

transfer RID master

Instructs the domain controller to which you are connected to obtain the relative ID master role by means of controlled transfer.

transfer schema master

Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.

quit

Takes you back to the previous menu or exits the utility.

?

Displays help at the command prompt.

Help

Displays help at the command prompt.

Remarks

  • Although Active Directory is based on a multimaster administration model, some operations support only a single master. For multimaster operations, conflict resolution ensures that after the system finishes replicating, all replicas agree on the value for a given property on a given object. However, some data, for which adequate conflict resolution is not possible, is key to the operation of the system as a whole. This data is controlled by individual domain controllers called operations masters. These domain controllers are referred to as holding a particular operations master role.

    Following are the five operations master roles. Two (schema and domain naming) are enterprise-wide, that is, one per forest; the other three are per domain:

    • Schema Operations Master. There is a single schema operations master role for the entire enterprise. This role allows the operations master server to accept schema updates. There are other restrictions on schema updates.

    • Relative ID Master. There is one relative ID master per domain. Each domain controller in a domain has the ability to create security principals. Each security principal is assigned a relative ID. Each domain controller is allocated a small set of relative IDs out of a domain-wide relative ID pool. The relative ID master role allows the domain controller to allocate new subpools out of the domain-wide relative ID pool.

    • Domain-Naming Master. There is a single domain-naming master role for the entire enterprise. The domain-naming master role allows the owner to define new cross-reference objects representing domains in the Partitions container.

    • PDC Operations Master. There is one primary domain controller (PDC) operations master role per domain. The owner of the PDC operations master role identifies which domain controller in a domain performs Windows NT 4.0 PDC activities in support of Windows NT 4.0 backup domain controllers and clients using earlier versions of Windows.

    • Infrastructure Master. There is one infrastructure master role per domain. The owner of this role ensures the referential integrity of objects with attributes that contain distinguished names of other objects that might exist in other domains. Because Active Directory allows objects to be moved or renamed, the infrastructure master periodically checks for object modifications and maintains the referential integrity of these objects.

  • An operations master role can only be moved by administrative involvement; it is not moved automatically. Additionally, moving a role is controlled by standard access controls: by default, transferring or seizing the schema master requires membership in Schema Admins, the domain naming master requires Enterprise Admins, and the three per-domain roles require Domain Admins of that domain. Thus a corporation should tightly control the location and movement of operations master roles. For example, an organization with a strong IT presence might place the schema role on a server in the IT group and configure its access control list (ACL) so that it cannot be moved at all.

    Operations master roles require two forms of management: controlled transfer and seizure.

    Use controlled transfer when you want to move a role from one server to another, perhaps to track a policy change with respect to role location or in anticipation of a server being shut down, moved, or decommissioned.

    Seizure is required when a server that is holding a role fails and you do not intend to restore it. Even in the case of a server recovered from a backup, the server does not assume that it owns a role (even if the backup tape says so), because the server cannot determine if the role was legitimately transferred to another server in the time period between when the backup was made and the server failed and was recovered. The restored server assumes role ownership only if a quorum of existing servers is available during recovery and they all agree that the restored server is still the owner.

    The Roles submenu in Ntdsutil is used to perform controlled transfer and recovery of operations master roles. Controlled transfer is simple and safe. Because the source and destination servers are running, the system software guarantees that the operations master role token and its associated data is transferred atomically. Operations master role seizure is equally simple but not as safe. You simply tell a particular domain controller that it is now the owner of a particular role. (A seize command first attempts a safe transfer from the current holder and falls back to seizure only if that holder cannot be reached; a transfer or seize is preceded by a confirmation dialog box, so the operation is never fully unattended.)

    Caution

    Do not make a server a role owner by means of seizure commands if the real role holder exists on the network. Doing this could create irreconcilable conflicts for key system data. If an operations master role owner is temporarily unavailable, do not make another domain controller the role owner. This could result in a situation where two computers function as the role owner, which might cause irreconcilable conflicts for key system data; for the relative ID master, for example, two holders can hand out overlapping RID pools and therefore duplicate security identifiers. Once a role has been seized, treat the former holder as permanently lost: never reconnect it to the network, remove its remaining directory metadata, and rebuild it from scratch if the hardware is to be reused.
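    The Caution above describes a condition (two domain controllers acting as the owner of one role) that you can detect, because each role is anchored on a directory object whose fsmoRoleOwner attribute names the holder, and every replica of that object should agree. The following script is an added example, not part of the original page or of Ntdsutil, that asks each domain controller individually for its copy of each anchor object and reports any role on which the replicas disagree. It assumes a hypothetical domain corp.example, the ActiveDirectory PowerShell module (RSAT), and an account that can read the directory on every DC.

```powershell
# Added example (not from the original page): detect replica disagreement about FSMO role owners.
# Assumptions (hypothetical): domain corp.example; ActiveDirectory module installed;
# the account can read the directory on every DC (readable by authenticated users by default).

Import-Module ActiveDirectory

$Domain   = Get-ADDomain -Identity 'corp.example'
$ConfigNC = (Get-ADRootDSE -Server $Domain.PDCEmulator).configurationNamingContext

# Each role is anchored on one object whose fsmoRoleOwner attribute holds the DN of the
# NTDS Settings object of the current holder. (Backtick escapes the literal "$" in the RDN.)
$RoleAnchors = @{
    'PDC'            = $Domain.DistinguishedName
    'RID'            = "CN=RID Manager`$,CN=System,$($Domain.DistinguishedName)"
    'Infrastructure' = "CN=Infrastructure,$($Domain.DistinguishedName)"
    'Schema'         = "CN=Schema,$ConfigNC"
    'DomainNaming'   = "CN=Partitions,$ConfigNC"
}

function Get-FsmoView {
    # Query every DC directly (-Server) so we see its own replica, not the nearest DC's copy.
    param([string[]]$DomainControllers, [hashtable]$Anchors)
    foreach ($dc in $DomainControllers) {
        foreach ($role in $Anchors.Keys) {
            try {
                $obj = Get-ADObject -Server $dc -Identity $Anchors[$role] `
                                    -Properties fsmoRoleOwner -ErrorAction Stop
                # fsmoRoleOwner looks like "CN=NTDS Settings,CN=DC01,CN=Servers,...";
                # the second RDN is the DC's name.
                $owner = (($obj.fsmoRoleOwner -split ',')[1]) -replace '^CN='
            } catch {
                $owner = "UNREACHABLE: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Role = $role; ReportedBy = $dc; Owner = $owner }
        }
    }
}

# Domain-scoped: for the two forest-wide roles in a multi-domain forest, extend the DC list.
$dcs   = (Get-ADDomainController -Filter * -Server $Domain.PDCEmulator).HostName
$views = Get-FsmoView -DomainControllers $dcs -Anchors $RoleAnchors

$views | Group-Object Role | ForEach-Object {
    $reachable = $_.Group | Where-Object { $_.Owner -notlike 'UNREACHABLE:*' }
    $owners    = $reachable.Owner | Sort-Object -Unique
    if (@($owners).Count -gt 1) {
        # More than one distinct owner for a single role: the situation the Caution warns about.
        Write-Warning "Role $($_.Name): replicas disagree on the owner: $($owners -join '; ')"
        $_.Group | Format-Table -AutoSize
    } else {
        Write-Host "Role $($_.Name): all $(@($reachable).Count) reachable DCs report $($owners)"
    }
    $_.Group | Where-Object { $_.Owner -like 'UNREACHABLE:*' } |
        ForEach-Object { Write-Warning "Role $($_.Role): could not query $($_.ReportedBy)" }
}
```

    Run it before and after any seizure. Disagreement immediately after a seize is expected until replication converges; disagreement that persists, or an owner that names a DC you believed decommissioned, means the former holder is still live on the network and must be removed before anything else is done.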

Examples

To transfer the PDC emulator role to the domain controller that you are currently connected to, type:

fsmo maintenance: transfer PDC
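
The command above is the last step of a sequence (connections, connect to server, quit, transfer PDC, quit, quit). The following script is an added example, not part of the original page, that runs that whole sequence non-interactively and verifies the result from the new holder's own point of view. It assumes a hypothetical domain corp.example and target DC named DC02, the ActiveDirectory PowerShell module (RSAT) on the machine you run it from, and an elevated session as a member of Domain Admins. Ntdsutil accepts its menu commands as command-line arguments, one per argument, in the order you would type them interactively; the menu name roles is the same as fsmo maintenance.

```powershell
# Added example (not from the original page): transfer the PDC emulator role to DC02 with
# ntdsutil and verify the new holder. Assumptions (hypothetical): domain corp.example,
# target DC02, ActiveDirectory module installed, elevated session as a Domain Admin.

Import-Module ActiveDirectory

$TargetDc = 'DC02'          # hypothetical DC that should receive the role
$Domain   = 'corp.example'  # hypothetical domain

function Get-FsmoHolders {
    # Snapshot of all five role holders as seen by the DC that answers Get-ADDomain/Get-ADForest.
    param([string]$DomainName)
    $d = Get-ADDomain -Identity $DomainName
    $f = Get-ADForest -Identity $d.Forest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Write-Host 'Role holders before the transfer:'
Get-FsmoHolders -DomainName $Domain | Format-List

# Equivalent to typing, at the ntdsutil: prompt:
#   roles
#   connections
#   connect to server DC02
#   quit
#   transfer PDC
#   quit
#   quit
# ntdsutil still shows its Role Transfer Confirmation dialog box; click Yes to proceed.
& ntdsutil.exe 'roles' 'connections' "connect to server $TargetDc" 'quit' 'transfer PDC' 'quit' 'quit'

# Do not trust the tool's own output alone: ask the intended new holder directly which DC
# it believes holds the PDC emulator role.
$after = Get-ADDomain -Identity $Domain -Server $TargetDc
if ($after.PDCEmulator -ine "$TargetDc.$Domain") {
    throw "PDC emulator is $($after.PDCEmulator); expected $TargetDc.$Domain"
}
Write-Host "PDC emulator is now $($after.PDCEmulator)"

Write-Host 'Role holders after the transfer:'
Get-FsmoHolders -DomainName $Domain | Format-List
```

To transfer a different role, replace transfer PDC with the corresponding parameter from the Syntax section (for example transfer RID master) and adjust the property that is checked afterwards. Use a seize parameter only under the conditions described in the Caution above.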