How to Transfer FSMO Roles
How can I transfer some or all of the FSMO roles from one DC to another?
In this article, you will learn how to transfer FSMO roles in Active Directory quickly using the command lines tools and GUI.
Windows Server Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation).
🎬 Watch This Week in IT.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same domain controller) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder domain controller (DC) to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article.
Transfer FSMO roles using PowerShell
You can move/transfer FSMO roles using the PowerShell Move-ADDirectoryServerOperationMasterRole cmdlet. The syntax for the command is as follows:
Move-ADDirectoryServerOperationMasterRole -Identity -OperationMasterRole -Server-Identity sets the domain controller (DC) you want to assign the role(s) to
-OperationMasterRole specifies the role(s) you want to seize. You can specify the roles by name or number
Move the PDC Emulator role
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole PDCEmulatorMove RID Master
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole RIDMasterMove Infrastructure Master
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole InfrastructureMasterMove Schema Master
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole SchemaMasterMove Domain Naming Master
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole DomainNamingMasterYou can check FSMO roles, and which DCs hold each role, using the GUI and command line.
Transfer FSMO roles using the GUI
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:
- Active Directory Schema snap-in
- Active Directory Domains and Trusts snap-in
- Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following group:
| FSMO Role | Administrator must be a member of |
| Schema | Schema Admins |
| Domain Naming | Enterprise Admins |
| RID | Domain Admins |
| PDC Emulator | |
| Infrastructure |
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
- Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
- If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
- Select the domain controller that will be the new role holder, the target, and press OK.
- Right-click the Active Directory Users and Computers icon again and press Operation Masters.
- Select the appropriate tab for the role you wish to transfer and press the Change button.
- Press OK to confirm the change.
- Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
- Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
- If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
- Select the domain controller that will be the new role holder and press OK.
- Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
- Press the Change button.
- Press OK to confirm the change.
- Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
- Register the Schmmgmt.dll library by pressing Start > RUN and typing:
regsvr32 schmmgmt.dll- Press OK. You should receive a success confirmation.
- From the Run command open an MMC Console by typing MMC.
- On the Console menu, press Add/Remove Snap-in.
- Press Add. Select Active Directory Schema.
- Press Add and press Close. Press OK.
- If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
- Press Specify …. and type the name of the new role holder. Press OK.
- Right-click right-click the Active Directory Schema icon again and press Operation Masters.
- Press the Change button.
- Press OK all the way out.
Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
- On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
C:\WINDOWS>ntdsutil
ntdsutil:- Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
- Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:- Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 …
Connected to server100 using credentials of locally logged on user.
server connections:- At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:- Type transfer <role>. where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master:
Options are:
Transfer naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master- You will receive a warning window asking if you want to perform the transfer. Click on Yes.
- After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
- Restart the server and make sure you update your backup.
When to transfer FSMO roles?
The transfer of an FSMO role is the suggested form of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the transfer process is not initiated automatically by the operating system, for example a server in a shut-down state. FSMO roles are not automatically relocated during the shutdown process – this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example.
In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change. However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.
FAQ
What happens if I transfer FSMO roles to a domain controller that’s not properly synchronized?
When you transfer FSMO roles to an unsynchronized domain controller, it can lead to replication inconsistencies and potential directory service disruptions. Always ensure the target DC is fully synchronized before initiating the transfer process.
Can I automatically schedule FSMO roles transfer during off-peak hours?
While you can script the transfer FSMO roles process using PowerShell, Microsoft recommends against automating role transfers as it requires careful monitoring and verification to ensure directory service stability.
What’s the impact on Active Directory if I transfer FSMO roles during business hours?
Transferring FSMO roles during peak hours typically has minimal impact on users, as the process is relatively quick. However, it’s best practice to transfer FSMO roles during maintenance windows to ensure any potential issues can be addressed without affecting operations.
How long does it typically take to transfer FSMO roles between domain controllers?
The time to transfer FSMO roles usually ranges from a few seconds to several minutes, depending on factors like network connectivity, replication status, and the specific roles being transferred. Complex environments may require additional time for full synchronization.
Are there any prerequisites for the target DC before I transfer FSMO roles to it?
Before you transfer FSMO roles, ensure the target DC has sufficient resources (CPU, memory, disk space), is properly configured in the domain, has stable network connectivity, and is running a compatible or newer Windows Server version than the current role holder.
Renowned as the creator of the acclaimed Petri IT Knowledgebase back in 1999 Daniel Petri has become a distinguished figure in the IT realm, recognized for delivering reliable, expertise-driven content. This website - www.petri.com - not only embodie...
