Bobcares

Transferring/Seizing FSMO Roles to Another Domain Controller

by | Dec 23, 2020

Transferring/Seizing FSMO roles to another domain controller can be done easily with a few quick steps.

At Bobcares we often get requests from our customers to get this done as part of our Server Management Services.

Today, let’s see how our Support Engineers do this for our customers with ease.

What is FSMO and FSMO Roles in Active Directory Domain

Before going to the steps for transferring or seizing FSMO Roles to Another Domain Controller we will grab some idea about FSMO and the roles of FSMO.

Flexible single master operation (FSMO) is a Microsoft Active Directory feature which is a specialized domain controller task.

This is used when standard data transfer and update methods turn out to be inadequate.

We can perform most standard operations in Active Directory on any domain controller. The AD replication service is responsible for distributing these changes throughout the AD directory

To perform operations that require uniqueness, we need the domain controllers with the FSMO roles. The main task of the FSMO roles is to prevent such conflicts.

FSMO roles in an Active Directory domain

There are five FSMO roles in an Active Directory domain.

Out of the five rules, three rules are unique for an AD forest, while the other three roles are for each domain.

Two roles are unique for an AD forest:

1. The Schema Master is responsible for making changes to the Active Directory schema.

2. The Domain naming master provides unique names for all domains and application sections you create in your AD forest.

Three roles for each domain:

1. The PDC emulator is the main browser in Windows network which tracks user lockouts when entering wrong passwords.

This is the main NTP server of the domain and provides compatibility with clients running Windows 2000/NT, it also used by DFS root servers to update the namespace information.

2. The Infrastructure Master is responsible for updating the cross-domain object links; and the adprep/domainprep command is run on it

3. The RID Master — the server distributes RIDs (in packs by 500 pieces) to other domain controllers to create unique object identifiers (SIDs).

How to List FSMO Role Owners in a Domain

We will check the steps to list FSMO role owners before going to steps of transferring/seizing FSMO Roles to Another Domain Controller.

In order to find all FSMO role owners in the domain, run the command:

netdom query fsmo
Schema master dc01.test.com
Domain naming master dc01.test.com
PDC dc01.test.com
RID pool manager dc01.test.com
Infrastructure master dc01.test.com

We can view FSMO roles for another domain:

netdom query fsmo /domain:bobcares.com

From the above results we can see that all FSMO roles are located on the DC01. When deploying a new AD forest (domain), all FSMO roles are placed to the first DC.

The domain administrator can transfer any FSMO role to any other domain controller.

We can get the information about FSMO roles in our domain via PowerShell using the Get-ADDomainController cmdlet (the RSAT Active Directory for PowerShell module must be installed):

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles |Where-Object {$_.OperationMasterRoles}

Or we can view the forest or domain level FSMO roles as follows:

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

 

There are two ways of moving FSMO roles: transferring (when both DCs are available) or seizing (when a DC with a FSMO role is not available or has been broken).

Methods to Transfer FSMO Roles to Another Domain Controller

We can transfer FSMO roles in Active Directory using several methods some methods used by our support engineers are discussed below.

Transferring FSMO roles is relevant when optimizing our AD infrastructure, or a DC that holds FSMO role has suffered catastrophic hardware/software failure.

1. How to Transfer FSMO Roles with PowerShell

The easiest and fastest way to transfer FSMO roles in a domain is using the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet.

We can transfer one or more FSMO roles at a time to the specified DC.

The following command will move two roles to DC02:

Move-ADDirectoryServerOperationMasterRole -Identity dc03 -OperationMasterRole PDCEmulator, RIDMaster

In the OperationMasterRole argument, we can specify either the name of the FSMO role or its index according to the following table:

PDCEmulator 0
RIDMaster 1
InfrastructureMaster 2
SchemaMaster 3
DomainNamingMaster 4

To transfer all FSMO roles at once to the additional domain controller, run this command:

Move-ADDirectoryServerOperationMasterRole -Identity dc03 -OperationMasterRole 0,1,2,3,4

[Need further assistance? We are here for you!]

 

2. Transferring FSMO Roles using Active Directory Graphic Snap-ins

To move FSMO roles, you can use standard Active Directory graphic snap-ins. The transfer operation is preferably performed on a DC with the FSMO role.

If the server local console is not available, use the Change Domain Controller option and select the domain controller in the MMC snap-in.

Transferring/Seizing FSMO Roles to Another Domain Controller

3. How to Transfer RID Master, PDC Emulator & Infrastructure Master Roles

To transfer domain-level roles (RID, PDC, Infrastructure Master), the Active Directory Users and Computers (DSA.msc) console is used.

1. Open the Active Directory Users and Computers (ADUC) snap-in
2. Right-click your domain name and select Operations Master

Transferring/Seizing FSMO Roles to Another Domain Controller

3. A window with three tabs (RID, PDC, Infrastructure) appears. Use these tabs to transfer the corresponding roles by specifying a new FSMO owner and clicking the Change button.

4. How to Transfer Schema Master Role

To transfer the forest-level Schema Master FSMO, the Active Directory Schema snap-in is used.

1. Before starting the snap-in, we must register the schmmgmt.dll library by running regsvr32 schmmgmt.dll in the command prompt.
2. Then open the MMC console, by typing MMC in the command prompt.
3. And Select File -> Add/Remove snap-in from the menu and add the Active Directory Schema console.
4. Right-click the console root (Active Directory Schema) and select Operations Master
5. Enter the domain controller name we want to transfer the Schema Master role to, then click Change and OK.

5. How to Transfer Domain Naming Master FSMO

1. To transfer the Domain Naming Master FSMO role, open the Active Directory Domains and Trusts console
2. Right-click the name of the domain and select Operations Master
3. Click Change, enter the name of the domain controller, and click OK.

[Need further assistance? We are here for you!]

6. Using Ntdsutil.exe to Transfer FSMO Roles from the Command Prompt

We have to use the ntdsutil.exe tool carefully, or we can break our Active Directory domain.

1. Run the command prompt on the domain controller and run: ntdsutil
2. Enter this command: roles
3. Then: connections
4. Then we must connect to the DC we want to transfer FSMO roles to. To do it, enter: connect to server <servername>
5. Type q and press Enter
6. To transfer an FSMO role we can use the command: transfer <role> , where <role> is the role we want to transfer.
7. Then confirm the FSMO role transfer.
8.Once this is done, press q and then Enter to quit ntdsutil.exe
9. Restart the domain controller.

[Finding it difficult to Transfer FSMO roles? We are here for you!]

 

Methods used for Seizing FSMO Roles to Another Domain Controller

When a DC with one of FSMO roles is broken (and cannot be recovered) or is unavailable for a long time, we can force to seize any of its roles.

1. Seize FSMO roles using PowerShell or NTDSUtil

We can use Move-ADDirectoryServerOperationMasterRole cmdlet for this, but we have to add ‘Force’ parameter is added in addition.

Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator –Force

Here we are seizing the PDCEmulator role and force transfer it to DC02.

2. Seize FSMO roles to your DC02 server using ntdsutil.exe.

We can use the following commands:

ntdsutil
roles
connections
connect to server DC02 (the server to wich we want to transfer a role to)
quit

[Need assistance to seize FSMO roles? We are here for you!]

Conclusion

In short, we saw transferring/seizing FSMO Roles to Another Domain Controller. Also, we saw the method that our Support Engineers use.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.