
FSMO Role Transferred

When you demote an old Domain Controller that holds any of the Flexible Single Master Operation (FSMO) roles, you may wish to transfer them manually to another Domain Controller.
This is not strictly necessary, because during the DC decommissioning process the roles are transferred automatically to another DC in the network, but it is good to control this process.
FSMO roles should be placed in a well-connected, reliable location to prevent disruption in access to them.
There are two ways of transferring FSMO roles: using the graphical consoles available on a DC or on any server/workstation with Administrative Tools / Remote Server Administration Tools installed, or using the command-line tool ntdsutil.
Transferring FSMO roles using the command-line tool
There are five FSMO roles. Two of them are forest-wide and three are domain-wide roles.
That means the forest-wide FSMO roles are common to the entire forest and by default are held on the first Domain Controller in the forest-root domain.
These roles are:
Forest-wide roles
1. Schema master
2. Domain Naming master

The other three, domain-wide, roles are:

3. Relative Identifier (RID) master
4. PDC Emulator master
5. Infrastructure master
They are separate for each domain within the forest.
By default all five roles are assigned to the first DC (Domain Controller) created in the forest. However, you can transfer or distribute them to other DCs.

1. Schema Master Role – The Schema Master is a forest-wide role, which means there is only one DC holding the schema master in a forest. The schema is the set of rules used to define the structure of AD. It contains all the information about the attributes and classes of the forest.

The schema is further classified into:

a) Classes – A class is a template used to create an object.
b) Attributes – Attributes are the properties of an object.
The schema is modified automatically when Exchange Server is installed.
[Figure: the schema is divided into Classes and Attributes. Classes are templates for objects such as User, Computer and Groups; example attributes are 1. User name, 2. Phone No., 3. Department, 4. Address, 5. User Logon name.]

2. Domain Naming Master Role / Naming Master Role – This is also a forest-wide role; by default the first Domain Controller of the forest holds the Naming Master. It is responsible for adding, removing and renaming domains in the whole forest, and it checks and maintains the uniqueness of domain names across the forest.

3. RID Master – Also known as the Relative Identifier Master role (RID role). All objects in a domain have a unique ID known as the RID. The RID Master role provides the pool of RIDs to each of the Domain Controllers in a domain. When a DC creates a user, group or computer object, a unique RID is assigned to that object.
To check the RID master from the command line: dcdiag /test:ridmanager /v

4. Infrastructure Master Role – The Infrastructure Master provides the group membership updates from one domain to another domain; in other words, it maintains and updates the universal group membership information.

5. PDC Emulator Role – The Primary Domain Controller (PDC) emulator is a domain-wide FSMO role, which means the first Domain Controller of each domain in the forest holds this role. The PDC is required to synchronise time between all the DCs, and also between the Domain Controllers and the other computers of the domain. It also records all password changes from client computers and replicates/updates them to all the DCs throughout the domain. It is one of the most important roles because of its time-sync function, and it should be online 24×7.

Transferring FSMO roles from one DC to another DC or ADC using CMD mode

Practical –
First of all you need to connect to the Domain Controller or Additional Domain Controller to which you want to transfer the FSMO roles. To do that, type:
1. Log in to the ADC server (hostname: ANANTA-ADC)
2. Check the current role holders: netdom query fsmo
3. Type "ntdsutil"
4. Type "roles"
5. Type "connections"
6. Type "connect to server <name of the target DC or ADC>"
Example – "connect to server ANANTA-ADC"

Now you will be able to transfer the FSMO roles to the selected Additional Domain Controller.
7. Type "quit"

SCHEMA MASTER

1. Type "transfer schema master"
2. Click Yes to move the role.
The role is transferred.

NAMING Master or Domain Naming Master

To transfer the Domain Naming master, you need to know a small syntax difference between ntdsutil in Server 2003 and Server 2008.
In Server 2003:
1. Type "transfer domain naming master"
2. Click Yes to move the role.
In Server 2008 or 2012:
1. Type "transfer naming master"
2. Click Yes to move the role.
The role is transferred.

RID Master

1. Type "transfer rid master"
2. Click Yes to move the role.
The role is transferred.


PDC Emulator Master

1. Type "transfer pdc"
2. Click Yes to move the role.
The role is transferred.

INFRASTRUCTURE Master

1. Type "transfer infrastructure master"
2. Click Yes to move the role.
The role is transferred.

Note – In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a Domain Controller that is not a Global Catalog, to prevent conflicts between the two.

8. Type "quit"
9. Type "quit"
All FSMO roles have been transferred.

You only need to verify that they are where you wanted them. Open a command line and type "netdom query fsmo" to check.
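As an added example that is not part of the original guide, the same transfer done with the ActiveDirectory PowerShell module (Move-ADDirectoryServerOperationMasterRole) instead of ntdsutil, with the before/after verification from this section and the Infrastructure Master / Global Catalog caveat from the note above built in. The target name ANANTA-ADC is taken from the guide; Get-FsmoHolders is this example's own helper, and it assumes you run it with Domain Admin (and Schema Admin for the schema master) rights on a DC or an RSAT host.

```powershell
# Added example (not from the original guide): query, transfer and verify the five
# FSMO roles with the ActiveDirectory module. Assumes Domain/Enterprise Admin rights
# (Schema Admins for the schema master); target hostname taken from the guide.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are properties of the forest object, domain-wide roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$Target = 'ANANTA-ADC'   # hostname from the guide; change to your own ADC

Write-Host "FSMO holders before transfer:"
Get-FsmoHolders | Format-List

# Caveat from the guide: in a multi-domain forest where not every DC is a Global
# Catalog, the Infrastructure master must not sit on a GC. Skip that role if so.
$targetDc    = Get-ADDomainController -Identity $Target
$multiDomain = (Get-ADForest).Domains.Count -gt 1
$nonGcExists = (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }).Count -gt 0
$roles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'
if ($multiDomain -and $targetDc.IsGlobalCatalog -and $nonGcExists) {
    Write-Warning "$Target is a Global Catalog in a multi-domain forest; not moving InfrastructureMaster."
    $roles = $roles | Where-Object { $_ -ne 'InfrastructureMaster' }
}

# Graceful transfer: the current holder is contacted and hands the role over.
# Without -Force this is a transfer, not a seizure; the cmdlet prompts for
# confirmation for each role, like the "Yes" prompt in ntdsutil.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles

Write-Host "FSMO holders after transfer:"
Get-FsmoHolders | Format-List

# The same check the guide uses, for comparison.
netdom query fsmo
```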

Transferring FSMO roles from one DC to another DC or ADC using GUI mode
First of all you need to connect to the Domain Controller or Additional Domain Controller to which you want to transfer the FSMO roles.
First check which DC currently holds the FSMO roles.

PDC Emulator Master, RID and INFRASTRUCTURE Master – To transfer the PDC, RID and Infrastructure Master, we have to open Active Directory Users and Computers on ANANTA-DC.
a. Click on "Server Manager", go to "Tools" and open "Active Directory Users and Computers".
b. Right-click on Active Directory Users and Computers [ANANTA-DC.apsc.org] and then click on "Change Domain Controller".
c. In "Change Directory Server", select the DC to which you want to transfer the role. Here we have selected "ANANTA-ADC.apsc.org"; then click OK.
d. Right-click on the domain (apsc.org) and then click on "Operations Masters" to transfer the FSMO roles.
e. From here we can transfer only the RID, PDC and Infrastructure master. Click on the PDC tab; here we can see the Domain Controller currently owning this role and the Additional Domain Controller to which we want to transfer the PDC. Click on Change to transfer the role.
f. A dialog box appears asking you to confirm the transfer of the PDC, RID and Infrastructure roles; click Yes to confirm, and an AD DS dialog box appears acknowledging the successful transfer of the PDC operations master.
g. Open a command prompt and type "netdom query fsmo" to verify whether the PDC, RID and Infrastructure Master have been transferred to ANANTA-ADC.

Naming Master – For the PDC, RID and Infrastructure Master, we have to open Active Directory Users and Computers on ANANTA-DC.
a. Click on "Server Manager", go to "Tools" and open "Active Directory Users and Computers".
b. Right-click on Active Directory Users and Computers [ANANTA-DC.apsc.org], then click on All Tasks and then on "Operations Masters".
c. In the "Operations Masters" console we can see the description of the RID, PDC and Infrastructure roles, the current owner of each role and the name of the server to which it can be transferred, but we cannot see the Domain Naming master here.

d. Schema Master – To change the Schema Master from the GUI, we have to open an MMC console by typing "mmc" in Run.
e. Click on File, then "Add/Remove Snap-in" to add the Schema master console.

f. In the Add/Remove Snap-ins console, we will not be able to see the Active Directory Schema under Available snap-ins. Cancel the snap-in dialog.
g. Open Run and type "regsvr32 schmmgmt.dll"; this registers the Schmmgmt.dll file and adds Active Directory Schema to the Add/Remove Snap-ins option of the MMC console.

h. A dialog box appears confirming that regsvr32 schmmgmt.dll succeeded.

i. Now open the MMC console again and click on File, then Add/Remove Snap-in. Select "Active Directory Schema", click on Add, then click on OK.

j. Now right-click on Active Directory Schema [ANANTA-ADC.apsc.org] and then click on "Change Active Directory Domain Controller" to open the console for ANANTA-ADC. In the Change Directory Server console select ANANTA-ADC.apsc.org and click on OK to continue.
k. Right-click on "Active Directory Schema [ANANTA-ADC.apsc.org]" and then click on Operations Master.
