How do I move Active Directory FSMO roles from one domain controller to another?

On occasion, you might need to transfer one or more Flexible Single Master Operation (FSMO) roles from one Active Directory domain controller to another. Perhaps the domain controller holding the FSMO has failed, or you simply need to relocate the FSMO role to optimize Active Directory performance.

There are two means of transferring FSMO roles: seizing and what I'll refer to as a peaceable transfer. In a peaceable transfer, which Microsoft documentation simply refers to as a transfer, the domain controller already holding the FSMO role is online and functioning perfectly, and you're usually transferring the role to optimize domain performance. This situation is ideal, and I prefer to accomplish the transfer through the various Active Directory consoles. However, if the domain controller holding the FSMO has failed, you might need to seize the role from a different domain controller, which I prefer to accomplish with command-line tools.

Seizing a FSMO role can result in problems if the original domain controller is ever returned to service. I'll discuss these concerns in more detail for each FSMO role.

Transferring the Schema Master Role

You accomplish a peaceable transfer of the schema master by using the Schema console. By default, Windows does not provide a preconfigured Schema console or even make the console snap-in available for your use. Follow these steps to gain access to the Schema console:

  1. Open a command prompt window.
  2. Change to the \Windows\System32 folder.
  3. Run regsvr32 schmmgmt.dll to register the Schema snap-in.
  4. Close the command prompt window.
  5. Open a blank Microsoft Management Console (MMC) window.
  6. From the File menu, choose Add/Remove Snap-In.
  7. Click Add.
  8. Locate Active Directory Schema in the list, and double-click it.
  9. Click Close, then click OK.

To transfer the schema master, right-click Active Directory Schema, and select Operations Master from the pop-up menu. You'll see the Change Schema Master dialog box, which Figure 8.1 shows.

Figure 8.1: Changing the schema master role.

Click Change, and select the domain controller that you want to hold the schema master role.

To seize the schema master role:

  1. Open a command prompt window.
  2. Run Ntdsutil.exe.
  3. At the Ntdsutil command prompt, enter roles.
  4. Enter connections.
  5. Enter connect to server servername, providing the fully qualified name of the domain controller that you want to seize the schema master role.
  6. Enter quit.
  7. Enter seize schema master.

After you seize the schema master, do not return the original schema master domain controller to the network. Doing so will result in an authority conflict. If you are able to repair the original domain controller, first demote it to a member server while it is disconnected from the network, reconnect it, then reinstall Active Directory using DCPromo.

Transferring the Domain Naming Master Role

The process of transferring the domain naming master role involves basically the same steps as transferring the schema master does. However, rather than using the schema console, you'll use the Active Directory Domains and Trusts console on the domain controller that currently holds the role. Simply right-click Active Directory Domains and Trusts in the console, and select Operations Masters from the pop-up menu.

Seizing this role requires the use of the Ntdsutil command-line utility. Run the utility as described for seizing the schema master role, but enter seize domain naming master at the appropriate prompt.

If you are forced to seize the domain naming master role, do not return the original domain controller to the network until it has been demoted to member server status.

Transferring the RID Master, Infrastructure Master, or PDC Emulator Roles

Transferring the RID master, infrastructure master, or PDC emulator roles involves basically the same steps as transferring the schema master role. However, rather than using the schema console, you'll use the Active Directory Users and Computers console, which is configured by default on every domain controller. Simply right-click the appropriate domain in the console, and select Operations Masters from the pop-up menu. You'll see a dialog box similar to the one that Figure 8.2 shows, which provides a separate tab for transferring each of the three domain-specific roles.

Figure 8.2: Transferring the domain-specific FSMO roles.

Seizing these roles also requires the use of the Ntdsutil command-line utility. Run the utility as described for seizing the schema master role, but enter the appropriate seize command at the appropriate prompt:

  • To seize the PDC emulator role, use seize PDC.
  • To seize the infrastructure master role, use seize infrastructure master.
  • To seize the RID master role, use seize rid master.

If you are forced to seize any of these roles, do not return the original domain controller that held the role to the network until that domain controller has been demoted to member server status. Although this step isn't strictly necessary with the PDC emulator role (the original holder of the role will generally "let go" when it comes back online), I prefer safe over sorry and always demote the original holder before returning it to the network.
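The same decision the text walks through for every role (transfer while the current holder is online, seize only when it is not, then verify) can be scripted with the ActiveDirectory PowerShell module rather than the consoles or Ntdsutil. This is an added example, not from the original text; it assumes the RSAT ActiveDirectory module is installed, the session runs with the rights the role requires (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest), and "DC2.corp.example" is a placeholder for the domain controller that should take the role.

```powershell
# Added example: transfer or seize any of the five FSMO roles with a reachability
# check first and a verification afterwards. Not part of the original text.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Current holder of each role, queried from a specific DC when -Server is given
    # so the post-move check reads the target itself, not a replication-lagged copy.
    param([string] $Server)
    $opt = @{}
    if ($Server) { $opt['Server'] = $Server }
    $forest = Get-ADForest @opt
    $domain = Get-ADDomain @opt
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string] $Role
    )
    $current = (Get-FsmoHolders).$Role
    if ($current -ieq $TargetDC) { Write-Host "$Role is already held by $TargetDC"; return }

    # Peaceable transfer requires the current holder to be online; seize (-Force)
    # only when it is not. A seized role's former holder must be demoted before it
    # is ever reconnected, otherwise two DCs will claim the same role.
    if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
    } else {
        Write-Warning "$current is unreachable; seizing $Role on $TargetDC. Demote $current before reconnecting it."
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    }

    # Verify against the target DC directly.
    $after = (Get-FsmoHolders -Server $TargetDC).$Role
    if ($after -ine $TargetDC) { throw "$Role is still reported as held by $after" }
    Write-Host "$Role is now held by $after"
}

'Before:'; Get-FsmoHolders
Move-FsmoRole -TargetDC 'DC2.corp.example' -Role PDCEmulator   # placeholder target DC
'After:';  Get-FsmoHolders -Server 'DC2.corp.example'
```

Role names passed to -OperationMasterRole are the cmdlet's own enumeration values, so the same function covers the forest-wide and domain-specific roles described in the sections above.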