Transferring Active Directory FSMO Roles

A while back I wrote an article about all of the different Active Directory FSMO roles available, why they are important and on which Domain Controller they should be placed in a Windows forest and/or Windows domain.

However, even if you have placed all FSMO roles on the correct DCs, sometimes it is necessary to move them to another server for one reason or another. This article documents how to move Active Directory FSMO roles from one Domain Controller to another.

There are a few ways to move or transfer AD FSMO roles:

  1. Using the GUI Management Consoles
  2. Using the Command Line
  3. Using PowerShell

When selecting a method there is no right or wrong way. I would recommend using the method you feel most comfortable with, unless you need to automate the process, in which case you will have to use either the command line or the PowerShell method.

Each of the options is documented below:

Check Active Directory FSMO role placement

Before we get going, I thought it would be a good idea to document how to determine the current location of each FSMO role. The easiest way to do this is:

  1. Launch Command Prompt (Start >> Run >> cmd)
  2. From the Command Prompt, run the following:

netdom query fsmo
  3. This will list all five FSMO roles and the domain controller each one is currently running on. Note that netdom asks one DC and reports what that DC's copy of the directory says; if replication is behind, a different DC may still report the old holder.

Now that we have this information, we can continue on with moving each AD FSMO role to a new server.
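As an added example that is not part of the original article, the same inventory can be taken with the ActiveDirectory (RSAT) PowerShell module, with one check netdom does not do: it asks every DC in the domain which roles it believes it holds and warns when the DCs disagree with each other or with the directory's own view. It assumes the module is installed and that the current user can read the domain and forest.

```powershell
# Added example, not part of the original article: inventory the FSMO role
# holders with the ActiveDirectory (RSAT) module and check that every DC in
# the domain agrees with that view. Assumes the module is installed and the
# current user can read the domain and forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The view the directory reports (same information as "netdom query fsmo").
$expected = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$expected.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Cross-check: ask each DC which roles it believes it holds. Two DCs claiming
# the same role means replication has not converged, or a role was seized
# while the old holder was still alive, which is the case you must not ignore.
# In a multi-domain forest the two forest-wide roles live in the root domain,
# so run this from there (or add -Server <root DC> to Get-ADDomainController).
$claims = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($role in $dc.OperationMasterRoles) {
        $name = [string]$role            # enum value -> plain string key
        if (-not $claims.ContainsKey($name)) { $claims[$name] = @() }
        $claims[$name] += $dc.HostName
    }
}

foreach ($role in $expected.Keys) {
    if ($claims.ContainsKey($role)) { $holders = @($claims[$role]) } else { $holders = @() }
    if ($holders.Count -ne 1 -or $holders[0] -ne $expected[$role]) {
        Write-Warning ('{0}: directory says {1}, DCs claiming it: {2}' -f
            $role, $expected[$role], ($holders -join ', '))
    }
}
```

Run it once before a transfer, to record where the roles are, and again afterwards; if the second run still warns after replication has had time to catch up, stop and investigate before touching anything else.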

Option 1: Transferring Active Directory FSMO Roles – via GUI:

The steps differ slightly depending on which role you are transferring, because each role is managed from a different console. Below are the steps to transfer all five FSMO roles via the GUI:

Transferring the domain-specific roles: Relative ID (RID) Master, PDC Emulator and Infrastructure Master

  1. Log into the DC you want to transfer the role(s) to as a Domain Administrator
  2. Launch Active Directory Users and Computers
  3. Connect to the DC you want to transfer the role to. To do this complete these steps:
    1. From the left-hand pane navigation, right-click the root entry (Active Directory Users and Computers)
    2. Click Change Domain Controller
    3. Select the appropriate DC from the list
    4. Click OK
  4. From the left-hand pane navigation, right-click on the domain and select Operations Master
  5. This will display the Operations Master window
  6. From here, select the tab of the role you want to transfer (RID, PDC or Infrastructure)
  7. Click on the Change button
  8. Click Yes to confirm the transfer of the FSMO role

Transferring the Domain Naming Master role

  1. Log into the DC you want to transfer the role to as an Enterprise Administrator
  2. Launch Active Directory Domains and Trusts
  3. Connect to the DC you want to transfer the role to. To do this, complete these steps:
    1. From the left-hand pane navigation, right-click the root entry (Active Directory Domains and Trusts)
    2. Click Change Active Directory Domain Controller
    3. Select the appropriate DC from the list
    4. Click OK
  4. From the left-hand pane navigation, right-click the root entry (Active Directory Domains and Trusts) and click Operations Master
  5. This will display the Operations Master window
  6. From here, click the Change button
  7. Click Yes to confirm the transfer of the FSMO role

Transferring the Schema Master role

  1. Log into the DC you want to transfer the role to as a member of the Schema Admins group. Being an Enterprise or Domain Administrator is not enough for this role: the transfer writes to the schema partition, and without Schema Admins membership it fails with an insufficient-rights error. Group membership is evaluated at logon, so if you have just been added to Schema Admins, log off and on again first
  2. To transfer the Schema Master role, you use the Active Directory Schema MMC snap-in. It is not registered by default, so you first need to register the corresponding DLL. To do this, complete the following:
    1. Start >> Run >> cmd (on newer versions of Windows, run the Command Prompt as administrator)
    2. Run the following command: regsvr32 schmmgmt.dll
    3. A success message should appear. Click OK
  3. Start >> Run >> MMC
  4. From the File menu, click on Add/Remove Snap-in
  5. From the window that appears, select Active Directory Schema and click Add
  6. Click OK
  7. Connect to the DC you want to transfer the role to. To do this, complete these steps:
    1. From the left-hand pane navigation, right-click Active Directory Schema
    2. Click Change Active Directory Domain Controller
    3. Select the appropriate DC from the list
    4. Click OK
  8. From the left-hand pane menu, right-click Active Directory Schema and click Operations Master
  9. From the window that appears, click on the Change button
  10. Click Yes to confirm the transfer of the FSMO role

Option 2: Transferring Active Directory FSMO Roles – via Command Line:

To move AD FSMO Roles using the command line, do the following:

  1. Log into the DC you want to transfer the role to with an account that holds the right to transfer that role: a Domain Administrator for the RID Master, PDC Emulator and Infrastructure Master, an Enterprise Administrator for the Domain Naming Master, and a member of Schema Admins for the Schema Master
  2. Launch Command Prompt (Start >> Run >> cmd) Note: You might need to run command prompt in admin mode depending on the Windows version you are running
  3. From the command prompt, type ntdsutil and press Enter
  4. This will enter the ntdsutil command set
  5. Type roles and then press Enter
  6. Type connections and then press Enter
  7. Type connect to server <SERVER_NAME> where <SERVER_NAME> is the name of the domain controller you want to transfer the role(s) to. See example below:

connect to server WP-DC-V02.testlab.com
  8. This will connect you to the server you want the role(s) to be transferred to
  9. Type q and press Enter
  10. Type transfer <ROLE_NAME> where <ROLE_NAME> is the name of the FSMO role you want to transfer. Below is an example of how to transfer each role:

transfer infrastructure master
transfer naming master
transfer PDC
transfer RID master
transfer schema master
  11. Type q and press Enter to quit. Repeat until you have exited the ntdsutil command set

Here is the full set of commands you would type to transfer the PDC Emulator role to the WP-DC-V02 domain controller and then exit ntdsutil (Note: At the end of each line you would press Enter):

ntdsutil
roles
connections
connect to server WP-DC-V02.testlab.com
q
transfer PDC
q
q

If the transfer fails, ntdsutil prints an ldap_modify_sW error followed by the reason; "Insufficient Rights" means the account you are logged in with is not in the group required for that role (see step 1), not that the connection failed.

Option 3: Transferring Active Directory FSMO Roles – via PowerShell:

To move AD FSMO Roles using PowerShell, run the following cmdlet from the ActiveDirectory module, replacing <SERVER_NAME> with the domain controller you want to transfer the role(s) to:

Move-ADDirectoryServerOperationMasterRole -Identity "<SERVER_NAME>" -OperationMasterRole SchemaMaster, RIDMaster, InfrastructureMaster, DomainNamingMaster, PDCEmulator

Note: The example above shows you how to transfer all 5 FSMO roles. If you want to transfer a specific role (or only a few of them), then list only the roles you want to move as the value for the -OperationMasterRole parameter of the cmdlet. The same group requirements as for the other methods apply, and the cmdlet prompts for confirmation before it makes the change. Do not add -Force: that parameter seizes the role instead of transferring it, and seizing is only appropriate when the current holder is permanently gone and will never be brought back online.
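As an added example that is not part of the original article, here is the cmdlet wrapped in the checks you want around it when this is scripted: confirm before the transfer that the account's logon token carries the group the role needs, confirm the target is a reachable DC, record the holders before the change, and verify afterwards from the target DC that the roles actually moved. The DC name (the article's WP-DC-V02.testlab.com) and the role list are assumptions to edit; it uses only the ActiveDirectory module cmdlets and the .NET WindowsIdentity class.

```powershell
# Added example, not part of the original article: transfer FSMO roles with
# Move-ADDirectoryServerOperationMasterRole plus pre- and post-checks.
# Assumptions: RSAT ActiveDirectory module installed; edit $targetDc and $roles.
Import-Module ActiveDirectory

$targetDc = 'WP-DC-V02.testlab.com'
$roles    = @('PDCEmulator', 'RIDMaster')

# Group whose membership is required to transfer each role.
$requiredGroup = @{
    PDCEmulator          = 'Domain Admins'
    RIDMaster            = 'Domain Admins'
    InfrastructureMaster = 'Domain Admins'
    DomainNamingMaster   = 'Enterprise Admins'
    SchemaMaster         = 'Schema Admins'
}

# 1. Check the groups on the current logon token, not just AD membership:
#    a group added after logon is not on the token until you log on again.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $token.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}
foreach ($role in $roles) {
    $needed = $requiredGroup[$role]
    if (-not ($groups | Where-Object { $_ -like "*\$needed" })) {
        throw "Transferring $role requires '$needed' on the logon token; add the membership and log on again."
    }
}

# 2. The target must be a DC we can reach; this also catches a typo early.
$target = Get-ADDomainController -Identity $targetDc -ErrorAction Stop

# 3. Record the holders before the change so the operation is auditable.
'Before:'
Get-ADDomainController -Filter * |
    Where-Object { $_.OperationMasterRoles } |
    Select-Object HostName, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize

# 4. Transfer. No -Force: -Force seizes instead of transferring, which is only
#    for a holder that is permanently gone and must never come back online.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles `
    -Confirm:$false -ErrorAction Stop

# 5. Verify by asking the target DC itself who holds each role now.
$domain = Get-ADDomain -Server $targetDc
$forest = Get-ADForest -Server $targetDc
foreach ($role in $roles) {
    $holder = switch ($role) {
        'PDCEmulator'          { $domain.PDCEmulator }
        'RIDMaster'            { $domain.RIDMaster }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'SchemaMaster'         { $forest.SchemaMaster }
    }
    if ($holder -ne $target.HostName) { throw "$role is still reported on $holder" }
    "$role now on $holder"
}
```

The verification deliberately queries the target DC (-Server $targetDc) rather than whichever DC the cmdlets happen to bind to, so it reports the authoritative new state immediately instead of a stale replica; other DCs will show the new holder once replication has run.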

And that is it, you now know how to transfer or move all of the 5 FSMO roles to another domain controller using the GUI, command line and PowerShell.

Any questions or comments? Let me know below.

Thanks Luca

Comments

  1. Does the PowerShell command work on a 2008 32-bit server?
    I would like to use that command from a 2008/32 to 2012R2.
    Cheers and thank you!

  2. I followed your option 2 and one of the five roles cannot be transferred:

    fsmo maintenance: transfer schema master
    ldap_modify_sW error 0x32(50 (Insufficient Rights).
    Ldap extended error message is 00002098: SecErr: DSID-0315211E, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Server "DCDC01.cg.local" knows about 5 roles
    Schema - CN=NTDS Settings,CN=HQDC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=cg,DC=local
    Naming Master - CN=NTDS Settings,CN=DCDC01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=cg,DC=local
    PDC - CN=NTDS Settings,CN=DCDC01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=cg,DC=local
    RID - CN=NTDS Settings,CN=DCDC01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=cg,DC=local
    Infrastructure - CN=NTDS Settings,CN=DCDC01,CN=Servers,CN=DC,CN=Sites,CN=Configuration,DC=cg,DC=local
