How can I transfer some or all of the FSMO roles from one DC to another?
Last Update: Oct 15, 2024 | Published: Jan 07, 2009
In this article, you will learn how to transfer FSMO roles in Active Directory quickly using command-line tools and the GUI.
Windows Server Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation).
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same domain controller) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder domain controller (DC) to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article.
You can move/transfer FSMO roles using the PowerShell Move-ADDirectoryServerOperationMasterRole cmdlet. The syntax for the command is as follows:
Move-ADDirectoryServerOperationMasterRole -Identity <TargetDC> -OperationMasterRole <Role[,Role...]> -Server <Server>
-Identity sets the domain controller (DC) you want to assign the role(s) to
-OperationMasterRole specifies the role(s) you want to transfer. You can specify the roles by name or number
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole InfrastructureMaster
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity "DC3" -OperationMasterRole DomainNamingMaster
You can check FSMO roles, and which DCs hold each role, using the GUI and command line.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:
To transfer the FSMO role the administrator must be a member of the following group:
FSMO Role | Administrator must be a member of
Schema | Schema Admins
Domain Naming | Enterprise Admins
RID | Domain Admins
PDC Emulator | Domain Admins
Infrastructure | Domain Admins
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
To Transfer the Domain Naming Master Role:
To Transfer the Schema Master Role:
regsvr32 schmmgmt.dll
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
C:\WINDOWS>ntdsutil
ntdsutil:
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
fsmo maintenance: connections
server connections:
server connections: connect to server server100
Binding to server100 …
Connected to server100 using credentials of locally logged on user.
server connections:
server connections: q
fsmo maintenance:
For example, to transfer the RID Master role, you would type transfer rid master:
Options are:
Transfer naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master
Transferring is the suggested way of moving an FSMO role between domain controllers, and it can be initiated by the administrator or by demoting a domain controller. However, the operating system does not initiate a transfer automatically, for example when a server is shut down. FSMO roles are not relocated during the shutdown process, so this must be considered when shutting down a domain controller that holds an FSMO role, for example for maintenance.
In a graceful transfer of an FSMO role between two domain controllers, the data maintained by the FSMO role owner is synchronized to the server receiving the role before the role is transferred, to ensure that any changes have been recorded before the role change. However, when the original FSMO role holder has gone offline or has been non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.
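A pre-flight wrapper around the transfer, combining the required-group table and the Move-ADDirectoryServerOperationMasterRole cmdlet described above. This is an added example, not code from the original article: the function name Move-FsmoRoleChecked and its parameters are hypothetical, and it assumes the operator and the target DC are in the same domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example; Move-FsmoRoleChecked and its parameters are hypothetical names.
function Move-FsmoRoleChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                     'SchemaMaster', 'DomainNamingMaster')]
        [string[]]$Role
    )
    # Resolve the target first so a mistyped name fails before any change is made.
    $target    = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $domain    = Get-ADDomain
    $forest    = Get-ADForest
    $domainSid = $domain.DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
    # Required group per role (the article's table), as well-known RIDs:
    # 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins.
    $required = @{
        PDCEmulator = "$domainSid-512"; RIDMaster = "$domainSid-512"
        InfrastructureMaster = "$domainSid-512"
        SchemaMaster = "$rootSid-518"; DomainNamingMaster = "$rootSid-519"
    }
    # SIDs of the groups enabled in the current logon token.
    $tokenSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value

    foreach ($r in $Role) {
        $forestWide = $r -in 'SchemaMaster', 'DomainNamingMaster'
        $before = if ($forestWide) { $forest.$r } else { $domain.$r }
        if ($tokenSids -notcontains $required[$r]) {
            $status = "Skipped: token lacks group SID $($required[$r])"
        } elseif ($before -eq $target.HostName) {
            $status = 'Skipped: target already holds the role'
        } elseif ($PSCmdlet.ShouldProcess($target.HostName, "Transfer $r from $before")) {
            # -Force is left out on purpose: it seizes the role instead of transferring it.
            Move-ADDirectoryServerOperationMasterRole -Identity $target `
                -OperationMasterRole $r -Confirm:$false -ErrorAction Stop
            $status = 'Transferred'
        } else {
            $status = 'Not run (-WhatIf or declined)'
        }
        # Re-read the holder from the target DC itself rather than a replica that may lag.
        $after = if ($forestWide) { (Get-ADForest -Server $target.HostName).$r }
                 else { (Get-ADDomain -Server $target.HostName).$r }
        [pscustomobject]@{ Role = $r; Before = $before; After = $after; Status = $status }
    }
}
# Dry run with the article's sample DC: Move-FsmoRoleChecked -TargetDC DC3 -Role PDCEmulator, RIDMaster -WhatIf
```

The membership check reads the current logon token, so group changes made after logon are not seen until the operator signs in again.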