Transferring FSMO roles from GUI

When you are demoting an old Domain Controller that holds any of the Single Master Operation roles, better known as Flexible Single Master Operation (FSMO) roles, you may wish to transfer them manually to another Domain Controller.

This is not strictly necessary, because during the DC decommission process they are transferred automatically to another DC in the network, but it is nice to control the process yourself.

FSMO roles should be placed in a well-connected, reliable location to prevent disruption of access to them.

There are two ways of transferring FSMO roles: using the graphical consoles available on a DC or on any server/workstation with Administrative Tools / Remote Server Administration Tools installed, or using the command-line tool ntdsutil.

    Transferring FSMO roles using GUI consoles

There are five FSMO roles. Two of them are forest-wide and three are domain-wide. The forest-wide FSMO roles are common to the entire forest and by default are held by the first Domain Controller in the forest-root domain.

These roles are:
  • Schema master
  • Domain Naming master

The other three roles are domain-wide:
  • Relative Identifier master (RID)
  • PDC Emulator master
  • Infrastructure master
and they are separate for each domain within the forest.

To transfer any of them, you need to use the appropriate console(s) and choose a target Domain Controller for each role.

In this scenario, we transfer the FSMO roles from an old Windows Server 2003 DC to a new one based on Windows Server 2008 R2.

Important! Before you start transferring FSMO roles, check the condition of your forest/domain with the dcdiag and repadmin tools to be sure there are no replication or Domain Controller problems. The GUI performs a graceful transfer, which requires the current role holder to be online and replicating.
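The pre-check described above can be scripted. The following PowerShell script is an added example, not code from the original article: it lists the current role holders, runs the dcdiag and repadmin checks the article recommends, and confirms that the intended target is a writable DC. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the $TargetDC parameter and the DC name in the comment are hypothetical, and matching the English "failed" strings in the tool output is a heuristic.

```powershell
# Added example, not part of the original article. Run on a DC or on a
# workstation with RSAT, as an account that can read replication status.
# Assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT).
# $TargetDC is a hypothetical parameter: the DC that will receive the roles.
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetDC      # e.g. 'dc2008r2.corp.example' (constructed name)
)

Import-Module ActiveDirectory

$problems = @()

# 1. Current role holders and Global Catalog status of every DC in the domain,
#    so the planned move can be compared against the Infrastructure master rule.
Write-Host "== Domain Controllers =="
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# 2. Replication health. dcdiag prints "<DC> failed test <Name>" for each
#    failing test and repadmin /showrepl prints "failed" on each broken link.
#    Matching those English strings is a heuristic, not a documented API.
Write-Host "== dcdiag replication and role-holder tests =="
$dcdiag = dcdiag /test:Replications /test:KnowsOfRoleHolders /test:FsmoCheck
$dcdiag | Where-Object { $_ -match 'failed test' } | ForEach-Object {
    $problems += "dcdiag: $($_.Trim())"
}

Write-Host "== repadmin /showrepl =="
$repl = repadmin /showrepl
$repl | Where-Object { $_ -match 'failed' } | ForEach-Object {
    $problems += "repadmin: $($_.Trim())"
}

# 3. The target must be a known, writable DC: read-only DCs cannot hold
#    FSMO roles, and the GUI transfer needs the target reachable.
$target = Get-ADDomainController -Identity $TargetDC -ErrorAction SilentlyContinue
if (-not $target) {
    $problems += "Target $TargetDC is not a known Domain Controller"
} elseif ($target.IsReadOnly) {
    $problems += "Target $TargetDC is a read-only DC and cannot hold FSMO roles"
} elseif (-not (Test-Connection -ComputerName $target.HostName -Count 1 -Quiet)) {
    $problems += "Target $TargetDC does not answer ping; check connectivity first"
}

if ($problems.Count -eq 0) {
    Write-Host "No replication or role-holder problems found; safe to transfer roles to $TargetDC"
} else {
    Write-Warning "Fix these before transferring FSMO roles:"
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it as `.\Check-FsmoPrereqs.ps1 -TargetDC dc2008r2.corp.example` (file name constructed). A non-zero exit code means the forest is not in a state where the transfer should proceed.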
  • Schema Master
This role can be transferred using the Active Directory Schema snap-in, which is available only after you register the appropriate library in the system; by default the AD Schema snap-in is not available in the OS.

To do that, run the following command on a DC or on a system with Administrative Tools / Remote Server Administration Tools installed:

    regsvr32 schmmgmt.dll

Registering the Active Directory Schema snap-in

When the snap-in is registered, we can add it to an MMC console. Open the Run box and type mmc to open an empty console.

Running MMC

then add “Active Directory Schema” from the menu “File -> Add/Remove Snap-in”.

Active Directory Schema snap-in

Now we can select the Domain Controller to which we want to transfer this role. Right-click (RMB) the “Active Directory Schema” node and choose “Change Active Directory Domain Controller”. From the list, select the target Domain Controller for the Schema Master role.

Choosing Domain Controller

You will be informed that you cannot make any schema changes on a DC that is not the Schema Master owner. Don’t worry: you won’t be modifying any schema object, only changing the Schema Master owner.

Warning

We are now connected to the DC to which we want to transfer the Schema Master role. To finalize the operation, right-click the “Active Directory Schema” node again and choose “Operations Master”. You will see two fields: the first points to the current FSMO holder and the second shows the DC to which the role can be transferred. Click the “Change” button,

Schema master

confirm that you are sure you want to change the Operations Master owner,

Role transfer confirmation

and you will get a message that the role has been transferred.

Role transfer information

Schema master changed

Close the MMC console without saving changes.
  • Domain Naming Master
This role can be transferred using the “Active Directory Domains and Trusts” console, which is available on any DC or on a server/workstation with Administrative Tools / Remote Server Administration Tools installed. Run the console, right-click “Active Directory Domains and Trusts”, choose “Change Active Directory Domain Controller” and select from the list the DC to which you want to move the role.

Domain Controller selection

Now right-click the root node again, choose “Operations Master” and click the “Change” button,

Domain Naming master

confirm that you want to transfer the role.

Role transfer confirmation

Role transfer information

Close “Active Directory Domains and Trusts” console.
  • RID, PDC Emulator and Infrastructure Masters
These domain-wide roles can be moved to another Domain Controller from a single console. To do that, run the “Active Directory Users and Computers” console.

Right-click the root node, choose “Change Domain Controller” and select the target DC.

Domain Controller selection

Select the domain in the console for which you want to transfer roles and choose “Operations Master”. You will see a window with three tabs:
  • RID master
  • PDC master
  • Infrastructure master
On each of them you can move the role to the selected Domain Controller.

Select each tab separately and transfer the particular role to the target DC(s).

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.
  • RID master

Relative Identifier (RID) master

confirm role transfer

Role transfer confirmation

a window with information will appear

Role transfer information
  • PDC Emulator master

PDC Emulator master

confirm role transfer

Role transfer confirmation

a window with information will appear

Role transfer information

  • Infrastructure master

Infrastructure master

confirm role transfer

Role transfer confirmation

a window with information will appear

Role transfer information

All of FSMO roles have been transferred!

It’s time to verify that all of them are where we wanted them. The simplest way is to review each console and check “Operations Master”, or to use the netdom command-line tool. The latter is very fast and shows all the holders in one window.

Open a command prompt and type: netdom query fsmo

FSMO roles verification

It’s done.

Ensure that your new domain controller (the one now holding the roles) is also a Global Catalog server:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  3. Open the Servers folder, and then click the domain controller.
  4. In the domain controller's folder, double-click NTDS Settings.
  5. On the Action menu, click Properties.
  6. On the General tab, view the Global Catalog check box to see if it is selected.
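The verification with netdom query fsmo, the Global Catalog check above, and the Infrastructure master rule from the domain-wide roles section can be checked together from PowerShell. The script below is an added example, not code from the original article: it reads the role holders with Get-ADForest and Get-ADDomain, compares them with the DC you intended, confirms that DC is a Global Catalog, and warns if the Infrastructure master sits on a GC in a multi-domain forest where not every DC is a GC. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the $ExpectedHolder parameter and the DC name in its comment are hypothetical.

```powershell
# Added example, not part of the original article. Post-transfer verification
# of FSMO placement, Global Catalog status and the Infrastructure master rule.
# Assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT).
# $ExpectedHolder is a hypothetical parameter: the DC that should now own the
# roles, given as the FQDN that Get-ADForest/Get-ADDomain report.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedHolder     # e.g. 'dc2008r2.corp.example' (constructed name)
)

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Actual holders keyed by role, in the order "netdom query fsmo" reports them.
$holders = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC'                   = $domain.PDCEmulator
    'RID pool manager'      = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}

$ok = $true
foreach ($role in $holders.Keys) {
    $actual = $holders[$role]
    if ($actual -ieq $ExpectedHolder) {
        Write-Host ("{0,-22} {1}  OK" -f $role, $actual)
    } else {
        Write-Warning ("{0,-22} {1}  expected {2}" -f $role, $actual, $ExpectedHolder)
        $ok = $false
    }
}

# Global Catalog check: the same fact the NTDS Settings "Global Catalog" box shows.
$dc = Get-ADDomainController -Identity $ExpectedHolder
if ($dc.IsGlobalCatalog) {
    Write-Host "$ExpectedHolder is a Global Catalog"
} else {
    Write-Warning "$ExpectedHolder is NOT a Global Catalog; enable it in AD Sites and Services (NTDS Settings)"
    $ok = $false
}

# Infrastructure master rule: in a multi-domain forest it must not sit on a GC
# unless every DC in the domain is a GC. @() keeps .Count valid on PowerShell 2.0
# when the pipeline returns a single object.
$dcs   = @(Get-ADDomainController -Filter *)        # DCs of the current domain
$infra = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allGC = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
if (@($forest.Domains).Count -gt 1 -and $infra.IsGlobalCatalog -and -not $allGC) {
    Write-Warning "Infrastructure master $($infra.HostName) is a GC while some DCs are not; move it to a non-GC DC"
    $ok = $false
}

if ($ok) {
    Write-Host "All FSMO roles verified on $ExpectedHolder"
} else {
    exit 1
}
```

Run it as `.\Verify-Fsmo.ps1 -ExpectedHolder dc2008r2.corp.example` (file name constructed) right after the transfer; because Get-ADDomain reports only the current domain, run it once per domain in a multi-domain forest.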