SEIZING
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active
Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role
holder are online and operational is called Transferring, and is described in the Transferring
FSMO Roles article.
However, when the original FSMO role holder has gone offline or become non-operational for a long
period of time, the administrator might consider moving the FSMO role from the original,
non-operational holder to a different DC. The process of moving the FSMO role from a
non-operational role holder to a different DC is called Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again.
None of the FSMO roles are immediately critical (well, almost none: the loss of the PDC
Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time),
so it is not a problem for them to be unavailable for hours or even days.
If a DC becomes unreliable, try to get it back online, and transfer the FSMO roles to a reliable
computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in
most cases, should be performed only if the original FSMO role owner will not be brought back
into the environment. Only seize a FSMO role if absolutely necessary, and only when the original role
holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain
controller must not be activated in the forest again. It is necessary to reinstall Windows if these
servers are to be used again.
Another consideration before performing the seize operation is the administrator's group
membership, as this table lists:
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.
C:\WINDOWS>ntdsutil
ntdsutil:
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and
then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the
RID Master role, you would type seize rid master:
Options are:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then
seize all roles. Determine which roles are to be on which remaining domain controllers so that all
five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the
Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global
Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is
because a GC server holds a partial replica of every object in the forest.
TRANSFERRING
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active
Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role
holder are online and operational is called Transferring, and is described in this article.
The transfer of an FSMO role is the suggested form of moving a FSMO role between domain
controllers and can be initiated by the administrator or by demoting a domain controller.
However, the transfer process is not initiated automatically by the operating system, for example
when a server is shut down. FSMO roles are not automatically relocated during the shutdown
process; this must be considered when shutting down a domain controller that holds an FSMO role,
for example for maintenance.
In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the
data that is maintained by the FSMO role owner to the server receiving the FSMO role is
performed prior to transferring the role to ensure that any changes have been recorded before the
role change.
However, when the original FSMO role holder has gone offline or become non-operational for a long
period of time, the administrator might consider moving the FSMO role from the original,
non-operational holder to a different DC. The process of moving the FSMO role from a
non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO
Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an
MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of
the following three MMC snap-in tools: Active Directory Users and Computers (RID Master, PDC
Emulator, Infrastructure Master), Active Directory Domains and Trusts (Domain Naming Master), or
Active Directory Schema (Schema Master).
To transfer the FSMO role the administrator must be a member of the following group: the
Enterprise Administrators group for the Schema Master or Domain Naming Master, or the Domain
Administrators group of the domain where the PDC Emulator, RID Master or Infrastructure Master is
being transferred.
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO
Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools
folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
icon next to Active Directory Users and Computers and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder, the target, and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master FSMO Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
icon next to Active Directory Domains and Trusts and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master FSMO Role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the
Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify..., type the name of the new role holder, and press OK.
9. Right-click the Active Directory Schema icon again and press Operation
Masters.
10. Press the Change button.
11. Press OK all the way out.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.
C:\WINDOWS>ntdsutil
ntdsutil:
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and
then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type transfer <role>, where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master:
Options are:
7. You will receive a warning window asking if you want to perform the transfer. Click on
Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.
MICROSOFT DOCUMENTATION
Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by
a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned
to perform these unique operations are called operations masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent
• Schema master - The Schema master role is forest-wide and there is one for each forest. This role
is required to extend the schema of an Active Directory forest or to run the adprep /domainprep
command.
• Domain naming master - The Domain naming master role is forest-wide and there is one for each
forest. This role is required to add or remove domains or application partitions to or from a forest.
• RID master - The RID master role is domain-wide and there is one for each domain. This role is
required to allocate the RID pool so that new or existing domain controllers can create user
required for the domain controller that sends database updates to Windows NT backup domain
controllers. The domain controller that owns this role is also targeted by certain administration tools
domain. This role is required for domain controllers to run the adprep /forestprep command
successfully and to update SID attributes and distinguished name attributes for objects that are
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain is assigned
the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by
• An administrator gracefully demotes a role-holding domain controller by using the Active Directory
Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in
the forest. Demotions that are performed by using the dcpromo /forceremoval command leave
• The current role holder is operational and can be accessed on the network by the new FSMO owner.
• You are gracefully demoting a domain controller that currently owns FSMO roles that you want to
maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be especially
true for the PDC Emulator role but less true for the RID master role, the Domain naming master role
• The current role holder is experiencing an operational error that prevents an FSMO-dependent
/forceremoval command.
• The operating system on the computer that originally owned a specific role no longer exists or has
been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes
that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain
controller is one that is in the appropriate domain that last inbound-replicated, or recently
inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema
domain>, and this means that roles reside in and are replicated as part of the CN=schema partition. If the
domain controller that holds the Schema master role experiences a hardware or software failure, a good
candidate role-holder would be a domain controller in the root domain and in the same Active Directory site
as the current owner. Domain controllers in the same Active Directory site perform inbound replication every
5 minutes or 15 seconds.
Role             FSMO partition
PDC              DC=<domain>
RID              DC=<domain>
Infrastructure   DC=<domain>
A domain controller whose FSMO roles have been seized should not be permitted to communicate with
existing domain controllers in the forest. In this scenario, you should either format the hard disk and
reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a
private network and then remove their metadata on a surviving domain controller in the forest by using the
ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has
been seized into the forest is that the original role holder may continue to operate as before until it inbound-
replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles
include creating security principals that have overlapping RID pools, and other problems.
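The warning above (and the earlier "Important" note about not reactivating a seized RID, Schema or Domain Naming holder) describes a split-brain condition: a seized former holder keeps acting as the owner until it replicates in knowledge of the seizure. The following added example, written here for this page rather than taken from it or from Microsoft, checks for that condition by asking every DC which server its own replica records as the owner of each role (the fSMORoleOwner attribute on the role's anchor object) and flagging disagreement. It goes beyond the page's three domain-wide partitions by also covering the two forest-wide roles, whose anchor objects live in the Configuration partition. It assumes the RSAT ActiveDirectory module and a session with read access to the directory.

```powershell
# Added example (not from the page or Microsoft): detect DCs that disagree on
# who owns each FSMO role, which is what a reintroduced seized holder or an
# unreplicated seizure looks like from the directory's point of view.
Import-Module ActiveDirectory

function Test-FsmoConsistency {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $dn     = $dom.DistinguishedName
    $rootDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

    # Objects whose fSMORoleOwner attribute records the owner of each role.
    # The last three match the page's table (domain partition); the first two
    # sit in the Configuration partition, which every DC replicates.
    $roleObjects = [ordered]@{
        SchemaMaster         = "CN=Schema,CN=Configuration,$rootDn"
        DomainNamingMaster   = "CN=Partitions,CN=Configuration,$rootDn"
        PDCEmulator          = $dn
        RIDMaster            = "CN=RID Manager$,CN=System,$dn"
        InfrastructureMaster = "CN=Infrastructure,$dn"
    }

    $dcs  = Get-ADDomainController -Filter * -Server $dom.PDCEmulator
    $rows = foreach ($dc in $dcs) {
        foreach ($role in $roleObjects.Keys) {
            try {
                # -Server forces the read against this DC's own replica, not a random one.
                $obj = Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner `
                                    -Server $dc.HostName -ErrorAction Stop
                # fSMORoleOwner is an NTDS Settings DN: CN=NTDS Settings,CN=<DC>,CN=Servers,...
                $owner = ($obj.fSMORoleOwner -split ',')[1] -replace '^CN='
            } catch {
                $owner = "<unreachable: $($_.Exception.Message)>"
            }
            [pscustomobject]@{ QueriedDC = $dc.HostName; Role = $role; BelievedOwner = $owner }
        }
    }

    # Any role on which the reachable DCs disagree is worth an immediate look.
    $rows | Where-Object { $_.BelievedOwner -notlike '<unreachable*' } |
        Group-Object Role | ForEach-Object {
            $owners = @($_.Group.BelievedOwner | Sort-Object -Unique)
            if ($owners.Count -gt 1) {
                Write-Warning ("{0}: DCs disagree on the owner ({1}). Check replication and whether " +
                               "a seized former holder is back on the network.") -f $_.Name, ($owners -join ', ')
            }
        }
    return $rows
}

Test-FsmoConsistency | Format-Table -AutoSize
```

Run it from a domain-joined management host right after a seizure and again once replication has converged; a DC that still names the old holder after convergence has either not replicated or is the old holder itself, and the page's instruction to keep such a machine off the network and clean up its metadata applies.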
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being transferred. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer Schema
master or Domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?,
5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller you want to assign the FSMO role to.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can
transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at
the start of this article. For example, to transfer the RID master role, type transfer rid master.
The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc
emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being seized. We recommend
that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user
should be a member of the Enterprise Administrators group to transfer schema or domain naming
master roles, or a member of the Domain Administrators group of the domain where the PDC
emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller that you want to assign the FSMO role to.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize,
type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start
of this article. For example, to seize the RID master role, type seize rid master. The one exception
is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
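The Ntdsutil transfer and seize procedures above (and the same steps in the earlier Petri sections) have a PowerShell counterpart in the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet, where -Force turns a transfer into a seizure. The following added example, written for this page and not taken from it or from Microsoft, wraps that cmdlet so that transfer is the default, seizure requires an explicit switch, and a seizure is refused while the current holder still answers on LDAP, which is the page's own rule that you seize only a holder that is not coming back. The DC names in the usage lines are hypothetical.

```powershell
# Added example (not from the page or Microsoft): transfer by default, seize only
# on request and only when the current holder is unreachable.
Import-Module ActiveDirectory

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$TargetDC,      # DC that will receive the role(s)
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize                                 # seize instead of transfer
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain -Server $TargetDC           # the target DC's own domain
    $holderOf = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($r in $Role) {
        $current  = $holderOf[$r]
        $holderUp = Test-NetConnection $current -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($Seize -and $holderUp) {
            throw "$r holder $current still answers on LDAP; transfer it instead of seizing."
        }
        if (-not $Seize -and -not $holderUp) {
            throw "$r holder $current is unreachable, so a graceful transfer cannot sync it first. Restore it, or seize only if it will never return."
        }
    }

    $verb = if ($Seize) { 'Seize' } else { 'Transfer' }
    if ($PSCmdlet.ShouldProcess($TargetDC, "$verb $($Role -join ', ')")) {
        # -Force is the cmdlet's seize mechanism; without it the call is a transfer.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
                                                  -Force:$Seize -Confirm:$false
    }
}

# Usage (hypothetical DC name):
# Move-FsmoRole -TargetDC 'DC02' -Role RIDMaster,PDCEmulator,InfrastructureMaster
# Move-FsmoRole -TargetDC 'DC02' -Role SchemaMaster -Seize
#
# The same steps can be scripted against Ntdsutil itself by passing its prompts'
# commands as quoted arguments, one per prompt level:
# ntdsutil "roles" "connections" "connect to server DC02" "quit" "transfer rid master" "quit" "quit"
```

Because the function declares ConfirmImpact High, PowerShell prompts before the move unless -Confirm:$false is passed, which replaces the warning window the page describes; the inner cmdlet is called with -Confirm:$false so the operator is asked once, not twice.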
Notes
o Under typical conditions, all five roles must be assigned to “live” domain controllers in the
forest. If a domain controller that owns a FSMO role is taken out of service before its roles
are transferred, you must seize all roles to an appropriate and healthy domain controller.
We recommend that you only seize all roles when the other domain controller is not
returning to the domain. If it is possible, fix the broken domain controller that is assigned
the FSMO roles. You should determine which roles are to be on which remaining domain
controllers so that all five roles are assigned to a single domain controller. For more
information about FSMO role placement, click the following article number to view the
o If the domain controller that formerly held any FSMO role is not present in the domain and
if it has had its roles seized by using the steps in this article, remove it from the Active
Directory by following the procedure that is outlined in the following Microsoft Knowledge
Base article:
216498 How to remove data in active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003
Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global
catalog server. If the Infrastructure master runs on a global catalog server it stops updating
object information because it does not contain any references to objects that it does not
hold. This is because a global catalog server holds a partial replica of every object in the
forest.
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-
3. Open the Servers folder, and then click the domain controller.
6. On the General tab, view the Global Catalog check box to see if it is selected.
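The note about not placing the Infrastructure master on a global catalog, and the Sites and Services steps above for checking the Global Catalog box, can be turned into one report. The following added example (written for this page; not the page's or Microsoft's code) lists all five role holders with their reachability and global-catalog status, and warns when the Infrastructure master is a GC. It adds one caveat the page does not state but that follows from the note's reasoning: the conflict only matters when some DCs in the domain are not GCs, because if every DC is a GC there are no non-GC replicas for the Infrastructure master to update. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the page or Microsoft): FSMO placement and health report.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot   # domain to inspect
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    $report = foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # LDAP reachability: an unreachable holder is a candidate for a transfer once
        # it is back, or for a seizure only if it is never coming back.
        $online = Test-NetConnection $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        # Ask the holder itself so the GC flag is its own, even for a DC in another domain.
        $dc = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role            = $role
            Holder          = $holder
            Reachable       = $online
            IsGlobalCatalog = if ($dc) { $dc.IsGlobalCatalog } else { $null }
        }
    }

    # Infrastructure master on a GC only matters when some DCs in the domain are not GCs.
    $allDcs   = Get-ADDomainController -Filter * -Server $dom.PDCEmulator
    $nonGcDcs = @($allDcs | Where-Object { -not $_.IsGlobalCatalog })
    $im = $report | Where-Object Role -eq 'InfrastructureMaster'
    if ($im.IsGlobalCatalog -and $nonGcDcs.Count -gt 0) {
        Write-Warning "Infrastructure master $($im.Holder) is a global catalog while $($nonGcDcs.Count) DC(s) are not; move the role to a non-GC DC."
    }

    $report | Where-Object { -not $_.Reachable } | ForEach-Object {
        Write-Warning "$($_.Role) holder $($_.Holder) did not answer on TCP 389; bring it back online before considering a seizure."
    }
    return $report
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

Scheduling this report is a cheap way to notice a lost role holder within the hours-to-days window the page says most roles can tolerate, rather than discovering it when RID allocation or password changes start failing.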
For more information about FSMO roles, click the following article numbers to view the articles in the
FSMO Roles
In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The
• Schema Master: The schema master domain controller controls all updates and modifications to the
schema. To update the schema of a forest, you must have access to the schema master. There can
removal of domains in the forest. There can be only one domain naming master in the whole forest.
• Infrastructure Master: The infrastructure master is responsible for updating references from objects in its
domain to objects in other domains. At any one time, there can be only one domain controller
domain controllers in a particular domain. At any one time, there can be only one domain controller
controller (PDC) to workstations, member servers, and domain controllers that are running earlier
versions of Windows. For example, if the domain contains computers that are not running Microsoft
Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is
also the Domain Master Browser, and it handles password discrepancies. At any one time, there can
be only one domain controller acting as the PDC emulator master in each domain in the forest.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool.
Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in
tools: Active Directory Schema (schema master), Active Directory Domains and Trusts (domain naming master),
or Active Directory Users and Computers (RID master, PDC emulator, infrastructure master).
If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.
Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use
Register Schmmgmt.dll
2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3. Click OK when you receive the message that the operation succeeded.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain
Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and
Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain
Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to
transfer the role. You do not have to perform this step if you are already connected to the domain
controller that will be the new role holder, and then click OK.
-or-
o In the Or, select an available domain controller list, click the domain controller that will
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations
Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
1. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain
Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to
transfer the role. You do not have to perform this step if you are already connected to the domain
controller that will be the new role holder, and then click OK.
-or-
o In the Or, select an available domain controller list, click the domain controller that will
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and
6. Click OK to confirm that you want to transfer the role, and then click Close.