
Assume the following scenario. The server that holds the relative ID (RID) operations master role is no longer accessible and must be rebuilt. You use the Ntdsutil tool to try to seize the RID Master role to a different domain controller, but you receive the following error:

Attempting safe transfer of RID FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-0321093D, problem 5002 (UNAVAILABLE), data 8

Win32 error returned is 0x20af (The requested FSMO operation failed. The current FSMO holder could not be contacted.)
Depending on the error code this may indicate a connection, ldap, or role transfer error.

Transfer of RID FSMO failed, proceeding with seizure ...
Search failed to find any Domain Controllers

Cause

The fSMORoleOwner attribute of the RID Manager$ object in Active Directory is invalid. For example, the following value would result in this error:

    CN=NTDS Settings DEL:a586a105-5a9c-4b2f-8289-bc5b43841ac8,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com

Resolution

To resolve this issue, use the AdsiEdit tool to update the fSMORoleOwner attribute of the RID Manager$ object in Active Directory.

  1. Open AdsiEdit (AdsiEdit.msc).

  2. Expand Domain, then select CN=System.

  3. With CN=System selected in the left pane, right-click CN=RID Manager$ and select Properties.

  4. The fSMORoleOwner attribute should correspond to the old RID Master. For example, if DC01 was the old RID Master (the server that is no longer available), the fSMORoleOwner attribute would be:

    CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com

    An example of an invalid value for the fSMORoleOwner attribute that may result in an error when attempting to seize the role would be:

    CN=NTDS Settings DEL:a586a105-5a9c-4b2f-8289-bc5b43841ac8,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com

  5. Change the fSMORoleOwner attribute value to reflect the domain controller that you want to be the RID Master. For example, if DC01 is the failed domain controller and DC02 is the domain controller to which you want to seize the RID Master role, you would change the attribute to reflect that DC02 will be the new RID Master:

    CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com

  6. Changing the fSMORoleOwner attribute accomplishes the same thing as seizing the role with Ntdsutil. Therefore, after changing the attribute manually, you do not need to use Ntdsutil to seize the role.
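The same check and update can be scripted. The following PowerShell is an added example, not part of the original article or Microsoft's own code. It assumes the ActiveDirectory module (RSAT) is installed and that the account may modify the RID Manager$ object. The function names `Test-MangledRoleOwner` and `Repair-RidRoleOwner` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example; function names are hypothetical, not part of any Microsoft tool.

function Test-MangledRoleOwner {
    param([string]$RoleOwnerDn)
    # A reference to a deleted NTDS Settings object carries "DEL:<GUID>" in its first RDN,
    # as in the invalid value shown in the article.
    return $RoleOwnerDn -match '^CN=NTDS Settings[^,]*DEL:[0-9a-fA-F-]{36},'
}

function Repair-RidRoleOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NewRidMaster   # for example, DC02
    )

    $domainDn = (Get-ADRootDSE).defaultNamingContext
    $ridMgrDn = "CN=RID Manager`$,CN=System,$domainDn"

    # Steps 1-4: read the current role owner from CN=RID Manager$,CN=System.
    $current = (Get-ADObject -Identity $ridMgrDn -Properties fSMORoleOwner).fSMORoleOwner
    Write-Verbose "Current fSMORoleOwner: $current"

    if (-not (Test-MangledRoleOwner $current)) {
        Write-Warning "fSMORoleOwner is not a deleted-object reference; no change made."
        return $current
    }

    # Step 5: take the new owner's NTDS Settings DN from the directory
    # instead of typing it by hand, so a typo cannot produce another invalid value.
    $newOwner = (Get-ADDomainController -Identity $NewRidMaster).NTDSSettingsObjectDN

    if ($PSCmdlet.ShouldProcess($ridMgrDn, "Set fSMORoleOwner to $newOwner")) {
        Set-ADObject -Identity $ridMgrDn -Replace @{ fSMORoleOwner = $newOwner }
    }

    # Read the attribute back so the caller can confirm the result.
    return (Get-ADObject -Identity $ridMgrDn -Properties fSMORoleOwner).fSMORoleOwner
}
```

Running `Repair-RidRoleOwner -NewRidMaster DC02 -WhatIf -Verbose` shows the current value and the intended change without writing to the directory.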
