Transferring FSMO roles from command-line

When you demote an old Domain Controller that holds any of the Flexible Single Master Operation (FSMO) roles, you may wish to transfer them manually to another Domain Controller first.

This is not strictly necessary: during a graceful demotion (dcpromo) the roles are transferred automatically to another DC in the network, but it is better to control where they end up. Note the difference between transferring and seizing: a transfer requires the current holder to be online and replicating. If the old DC has failed or was removed by force, the roles have to be seized instead (the seize commands in ntdsutil), and after seizing the Schema, Domain Naming or RID master the former holder must never be brought back online.

FSMO roles should be placed in a well-connected, reliable location so that access to them is not disrupted.

There are two ways of transferring FSMO roles. You can use the graphical consoles available on a DC, or on any server/workstation with Administrative Tools / Remote Server Administration Tools installed (Active Directory Users and Computers for the three domain-wide roles, Active Directory Domains and Trusts for the Domain Naming master, and the Active Directory Schema snap-in for the Schema master), or you can use the command-line tool ntdsutil.

    Transferring FSMO roles using command-line tool

There are five FSMO roles: two are forest-wide and three are domain-wide. The forest-wide roles are shared by the entire forest and by default are held by the first Domain Controller installed in the forest-root domain.

These roles are:

  • Schema master
  • Domain Naming master
The other three are domain-wide roles:

  • Relative Identifier (RID) master
  • PDC Emulator master
  • Infrastructure master
and each domain in the forest has its own holders of these three (by default the first DC installed in that domain).

To transfer any of them, you use ntdsutil and connect to the Domain Controller that should receive them.

In this scenario we transfer the FSMO roles from the old Windows Server 2003 DC to the new one, based on Windows Server 2008 R2.

Important! Before you start transferring FSMO roles, check the condition of your forest/domain with the dcdiag and repadmin tools (for example dcdiag /v and repadmin /replsummary) to be sure there is no replication or Domain Controller problem. You also need the right group membership: Schema Admins to move the Schema master, Enterprise Admins for the Domain Naming master, and Domain Admins for the three domain-wide roles.

Open a command prompt and type: ntdsutil

You will see the ntdsutil prompt. To get help, type ? (question mark) and press Enter.

First you need to connect to the Domain Controller to which you want to transfer the FSMO roles. To do that, type:

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance:

and now you can transfer the FSMO roles to the selected Domain Controller. Each transfer command pops up a Role Transfer Confirmation dialog; after you confirm, ntdsutil lists the roles the connected server now knows about, which is your confirmation that the transfer succeeded.

  • Schema master
fsmo maintenance: transfer schema master (enter)

Click "Yes" in the confirmation dialog to move the role; ntdsutil then reports the role as transferred.

Screenshot: Role transfer confirmation

  • Domain Naming master
To transfer the Domain Naming master you need to know a small syntax difference between ntdsutil on 2003 and on 2008.

On a 2003 server:

fsmo maintenance: transfer domain naming master (enter)

On a 2008 server:

fsmo maintenance: transfer naming master (enter)

Click "Yes" in the confirmation dialog to move the role; ntdsutil then reports the role as transferred.

Screenshot: Role transfer confirmation

  • RID master
fsmo maintenance: transfer rid master (enter)

Click "Yes" in the confirmation dialog to move the role; ntdsutil then reports the role as transferred.

Screenshot: Role transfer confirmation
  • PDC Emulator master
fsmo maintenance: transfer pdc (enter)

Click "Yes" in the confirmation dialog to move the role; ntdsutil then reports the role as transferred.

Screenshot: Role transfer confirmation
  • Infrastructure master
Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master must be placed on a Domain Controller that is not a Global Catalog. A GC holds a copy of every object in the forest, so an Infrastructure master running on a GC never finds stale cross-domain references (phantoms) to update and they silently go out of date. If every DC is a GC, or the forest has only one domain, the placement does not matter.

fsmo maintenance: transfer infrastructure master (enter)

Click "Yes" in the confirmation dialog to move the role; ntdsutil then reports the role as transferred.

Screenshot: Role transfer confirmation

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

All FSMO roles have been transferred!

You only need to verify that they are where you wanted them. Open a command prompt and type: netdom query fsmo

Screenshot: FSMO roles verification

To summarize ntdsutil commands:

ntdsutil (enter)

ntdsutil: roles (enter)

fsmo maintenance: connections (enter)

server connections: connect to server <DC-Name> (enter)

server connections: quit (enter)

fsmo maintenance: transfer schema master (enter)

2003 server: fsmo maintenance: transfer domain naming master (enter)

2008 server: fsmo maintenance: transfer naming master (enter)

fsmo maintenance: transfer rid master (enter)

fsmo maintenance: transfer pdc (enter)

fsmo maintenance: transfer infrastructure master (enter)

fsmo maintenance: quit (enter)

ntdsutil: quit (enter)

It’s done.
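The same transfer and verification can be scripted. The following is an added example, not part of the original article: it uses the ActiveDirectory PowerShell module (part of RSAT, present on Windows Server 2008 R2) instead of ntdsutil, runs the pre-flight checks recommended above, moves all five roles and then checks where they ended up. The target DC name DC2008R2 is hypothetical; run it as a member of Schema Admins, Enterprise Admins and Domain Admins, as the individual roles require.

```powershell
# Added example, not from the original article: transfer all five FSMO roles with
# the ActiveDirectory PowerShell module and verify the result afterwards.
# Assumptions: the AD module is available (Windows Server 2008 R2 or later RSAT),
# the target DC name is hypothetical, and you hold the group memberships needed
# for each role (Schema Admins, Enterprise Admins, Domain Admins).
Import-Module ActiveDirectory

$targetDc = 'DC2008R2'                       # hypothetical name of the new DC
$allRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
            'RIDMaster', 'InfrastructureMaster'

# Returns the current holders (FQDNs) of all five roles as one object.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Pre-flight, as the article advises: do not move roles over broken replication.
repadmin /replsummary
dcdiag /test:Replications /test:Advertising

'Role holders before the transfer:'
Get-FsmoHolders | Format-List

# Transfer (not seize): the current holder must be online and able to replicate.
# -Confirm:$false suppresses the per-role prompt that ntdsutil shows as a dialog.
Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
    -OperationMasterRole $allRoles -Confirm:$false

'Role holders after the transfer:'
$after = Get-FsmoHolders
$after | Format-List

# Verify that every role now points at the target DC (compare FQDNs).
$targetFqdn = (Get-ADDomainController -Identity $targetDc).HostName
$misplaced  = $allRoles | Where-Object { $after.$_ -ne $targetFqdn }
if ($misplaced) {
    Write-Warning ("Not on {0}: {1}" -f $targetFqdn, ($misplaced -join ', '))
} else {
    "All five FSMO roles are held by $targetFqdn"
}

# Cross-check with the tool the article uses for verification.
netdom query fsmo
```

Do not add -Force to Move-ADDirectoryServerOperationMasterRole here: with -Force the cmdlet seizes the roles instead of transferring them, which is only appropriate when the old holder is permanently gone and carries the same "never bring the old holder back online" consequence as ntdsutil's seize commands.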

Ensure that your new primary domain controller (the DC that now holds the PDC Emulator role) is also a global catalog server:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  3. Open the Servers folder, and then click the domain controller.
  4. In the domain controller's folder, double-click NTDS Settings.
  5. On the Action menu, click Properties.
  6. On the General tab, check whether the Global Catalog check box is selected. If it is not, select it and click OK; the DC starts advertising itself as a Global Catalog once the partial replicas of the other domains have replicated to it.
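The GC check, the Infrastructure master placement rule from the previous section and the checkbox above can all be done from PowerShell. This is an added example, not part of the original article: it lists the GC status and role holders of every DC in the domain, warns if the Infrastructure master sits on a GC while other DCs are not GCs, and enables the GC on the new DC by setting the same flag the checkbox sets. It assumes the ActiveDirectory module; the DC name DC2008R2 is hypothetical.

```powershell
# Added example, not from the original article: Global Catalog status of all DCs,
# Infrastructure Master placement check, and enabling the GC on the new DC.
# Assumptions: ActiveDirectory module available; the DC name is hypothetical.
Import-Module ActiveDirectory

$newDc = 'DC2008R2'                          # hypothetical name of the new DC

$dcs = Get-ADDomainController -Filter *      # all DCs of the current domain
$dcs | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Infrastructure Master rule: if some DCs are not GCs, the IM must not be a GC,
# otherwise cross-domain (phantom) references are never updated. In a
# single-domain forest or an all-GC domain the warning never fires.
$im     = (Get-ADDomain).InfrastructureMaster
$imIsGc = ($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
$allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($imIsGc -and -not $allGc) {
    Write-Warning "Infrastructure Master $im is a GC while other DCs are not; move the role to a non-GC DC."
} else {
    "Infrastructure Master placement on $im is fine."
}

# Enable the GC on the new DC if it is not one yet. The Global Catalog checkbox
# in AD Sites and Services sets bit 1 of the 'options' attribute on the DC's
# NTDS Settings object; this does the same thing directly.
$dc = Get-ADDomainController -Identity $newDc
if (-not $dc.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options) -bor 1 }
    "GC enabled on $($dc.HostName); it advertises as a GC once its partial replicas have replicated (Event ID 1119 in the Directory Service log)."
} else {
    "$($dc.HostName) is already a Global Catalog."
}
```

Get-ADDomainController -Filter * only returns the DCs of the domain you are connected to; in a multi-domain forest run the listing once per domain (with -Server pointing at a DC of that domain) before trusting the Infrastructure master check.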