How to Transfer Active Directory FSMO Roles

In an Active Directory forest there are five Flexible Single Master Operation (FSMO) roles, which are assigned to one or more domain controllers in the environment. Of those five, two are forest-wide operations master roles and three are domain-wide.

Forest-wide Operation Master Roles:

  • Schema master
  • Domain naming master

There is exactly one Schema master role holder and one Domain naming master role holder in the whole forest; these two roles are unique across the forest.

Domain-wide Operation Master Roles:

  • Relative ID (RID) master
  • Primary domain controller (PDC) emulator master
  • Infrastructure master

These roles are unique within each domain in the forest: every domain has exactly one RID master, one PDC emulator master and one Infrastructure master.

View FSMO Role Holders

Before we discuss how to transfer the FSMO roles between domain controllers, let's understand how to view the FSMO role holders in Active Directory.

The easiest way to find the FSMO role holders is to run the following command:

NETDOM /query FSMO

Besides the above command, you can check the role holders from the Active Directory consoles (Active Directory Schema snap-in, Active Directory Users and Computers, and Active Directory Domains and Trusts).

The third, and most common, way administrators use is the built-in ntdsutil utility. To learn more about these methods, refer to this KB article:

http://support.microsoft.com/kb/234790

P.S. The above methods can be performed on any domain controller.

Transfer FSMO Roles

You transfer an FSMO role when you want to move it to another domain controller, for example because the current holder's hardware is being phased out, for business needs, or for any other reason. A transfer requires the current role holder to be online; if the holder of an existing FSMO role is no longer active in the environment, you instead have to seize that FSMO role on another domain controller that is active.

The table below lists the MMC console used to transfer each FSMO role:

Role                    Console in MMC
Schema master           Active Directory Schema
Domain naming master    Active Directory Domains and Trusts
RID master              Active Directory Users and Computers
PDC emulator master     Active Directory Users and Computers
Infrastructure master   Active Directory Users and Computers

You must have the proper permissions to perform the transfer operation. The table below lists the group membership required to transfer each FSMO role:

FSMO Role        Administrator must be a member of
Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

Transferring Schema Master:

  1. Open the Active Directory Schema snap-in. If it is not installed, refer to the link below for the installation:

http://technet.microsoft.com/en-us/library/cc755885(WS.10).aspx

  2. In the console, right-click Active Directory Schema and then click Change Domain Controller.
  3. Click Specify Name and type the name of the domain controller to which you want to transfer the role.
  4. In the console, right-click Active Directory Schema, and then click Operations Master.
  5. Click Change.

Transferring Domain Naming Master Role:

  1. Open Active Directory Domains and Trusts.
  2. In the console, right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
  3. In Enter the name of another domain controller, type the name of the domain controller to which you want to transfer the role. Alternatively, you can select one from the list of available domain controllers.
  4. In the console, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.

Transferring the RID Master, PDC Emulator, and Infrastructure Masters:

  1. Open Active Directory Users and Computers.
  2. In the console, right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
  3. In Enter the name of another domain controller, type the name of the domain controller to which you want to transfer the role. Alternatively, you can select one from the list of available domain controllers.
  4. In the console, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Masters.
  5. Select the tab for the role you wish to transfer and click Change.
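The same view-then-transfer procedure can be scripted with the ActiveDirectory PowerShell module. The script below is an added example, not part of the original article; it assumes the module (RSAT) is installed, that the account running it holds the group memberships listed in the permissions table above, and that the target DC name is a placeholder to be replaced.

```powershell
# Added example (not from the original article): view the FSMO role holders,
# transfer all five roles to one DC, and verify the result afterwards.
# Assumptions: ActiveDirectory module available; the caller is a member of
# Schema Admins, Enterprise Admins and Domain Admins as the table requires.
Import-Module ActiveDirectory

$TargetDC = 'DC02'   # placeholder: the DC that should receive the roles

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'FSMO role holders before the transfer:'
Get-FsmoRoleHolders | Format-List

# Transfer (not seize): the current holder must be online and reachable.
# The role names match the -OperationMasterRole enumeration values.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster `
    -Confirm:$false

# Only when the current holder is permanently gone, seize instead by adding
# -Force. A DC whose roles were seized must never be brought back online.
# Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole PDCEmulator -Force

Write-Host 'FSMO role holders after the transfer:'
$after = Get-FsmoRoleHolders
$after | Format-List

# Verify that every role now points at the target DC (compare by FQDN).
$expected   = (Get-ADDomainController -Identity $TargetDC).HostName
$mismatched = $after.PSObject.Properties | Where-Object { $_.Value -ne $expected }
if ($mismatched) {
    Write-Warning ("Roles not held by {0}: {1}" -f $expected, ($mismatched.Name -join ', '))
} else {
    Write-Host "All five FSMO roles are now held by $expected"
}
```

Run it from an elevated PowerShell session on any domain controller or management host; transferring only a subset of roles is a matter of shortening the -OperationMasterRole list and adjusting the final check.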