In today’s article, we will see how to transfer one or more FSMO roles from one Domain Controller to another. This can be done in a variety of ways, but we will focus more on using the graphical user interface (GUI), PowerShell and NTDSUtil.
To proceed with the transfer of FSMO roles, we consider that DCs that already have a role are active in our infrastructure. Otherwise, if a DC holding a FSMO role is no longer online and operational, then we use the seize method instead of simple transfer.
Before you move a role, you need to know where the FSMO roles are in the Domain Controllers.
Transfer FSMO roles using the GUI
To transfer domain-specific FSMO roles, ie RID Master, Infrastructure Master and PDC Emulator, follow the steps below.
Open the Active Directory Users and Computers console, right-click the domain and then in Operations Masters. Here, each tab displays the three FSMO roles.
To transfer one of the three FSMO roles to another DC, click Change and confirm your action.
To transfer the forest-specific FSMO Domain Naming Master role, follow these steps.
Open the Active Directory Domain and Trusts console, right-click the icon and then Operations Masters. If you are not already connected to the DC you are about to transfer the role, then you can do so by clicking Change Active Directory Domain Controller in the same menu.
In the same way, you will see who is the current role holder and by clicking the Change button you can transfer the role to another DC.
To transfer the forest-specific FSMO Schema Master role, follow the steps below.
First, in a command-line window with administrator rights, type the following command to register the AD Schema snap-in.
regsvr32 schmmgmt.dll |
Then, open an MMC console (for example, pressing mmc on the Search or Run), and from the File – Add / Remove Snap-in menu, add the Active Directory Schema console.
Here, right click on the icon and then in Operations Masters. You will need to be connected to the corresponding DC you are going to transfer the role you can do through the Change Active Directory Domain Controller option in the menu.
As before, by clicking the Change button you can move the Schema Master role to another DC.
Transfer FSMO roles using PowerShell
Transferring FSMO roles through PowerShell is a much easier and faster process without unnecessary clicks.
You can transfer one or more FSMO roles to a DC using the following command. For example, to transfer the PDC Emulator.
Move-ADDirectoryServerOperationMasterRole -Identity <TargerDC> -OperationMasterRole pdcemulator |
On the -OperationMasterRole switch you can declare one or more FSMO roles separated by a comma (,). So you can transfer all 5 roles with just one command.
For example.
-OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster |
After pressing Enter you will be prompted to confirm the transfer action.
Finally, you can confirm that the roles were transferred using the corresponding PowerShell commands.
Transfer FSMO roles using the NTDSUtil tool
First, open the command prompt with administrative privileges.
Type ntdsutil and press Enter.
Type roles and press Enter.
Type connections and press Enter.
Type connect to server DC01 and press Enter, where DC01 is the server computer name that will transfer the FSMO roles to.
Type quit and press Enter.
Next, we will transfer FSMO roles one by one with the corresponding command, as the case may be. After each Enter appears a confirmation window. Just click Yes to continue.
For Schema Master, type transfer schema master and press Enter.
For RID Master, type transfer rid master and press Enter.
For Domain Naming Master, type transfer naming master and press Enter.
For PDC Emulator, type transfer pdc and press Enter.
For Infrastructure Master, type transfer infrastructure master and press Enter.
After transferring the roles you want, press quit to exit the NTDSUtil environment.
there seems to stuff be missing from one of your examples. -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster is NOT a complete command. I tried adding Move but it still does not work.
I just tested this PowerShell oneliner on my lab and it transfer the FSMO roles between my two DCs. Are you sure you typed the command correctly?
The entire command is:
Move-ADDirectoryServerOperationMasterRole -Identity -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster
Oh, and add your DC’s hostname after the -Identity handle! Seems like the commenting system deleted it.
Nicely written. Thank you!
hey i know its a old thread but if u can please reply, after tranferring the fsmo roles i still want to keep the old server around as a backup domain controller, can i just let it run? or i need to demote it?
and does dns need to point to the fsmo role server?
The most common practice is to use two DCs instead of one, so you can have both running. Are the DCs hold the DNS role as well? That depends on your environment actually. However, in a two servers scenario that are both DNS servers, we configure DNS settings to point to both the other DC and the DC itself.
Thank you so much! I did not realize how easy it was. 🙂
Good afternoon,
What is the best practice for completing a transfer of the FSMO roles? Should I wait until after hours or is this change instant?
they will change instantly.
Thanks 🙂
Excellent article! Thanks you!
Useful, thank you.
Well written article and easy to follow steps. I used the GUI method and was able to easily move the roles on a DC that I was demoting.
the content section you mentioned as “Type connect to server DC01 and press Enter” but in the snippet you are connecting to server DC02 (connect to server DC02).
Do i need to connect to DC02 if i need to transfer the roles from DC01 to DC02 ? if yes, then why its mentioned initially to connect to DC01. i am bit confused. can you please clarify this.