FSMO (Flexible Single Master Operations) roles are critical components of Active Directory. Sometimes, you may need to transfer these roles to another domain controller. This guide simplifies the process, providing step-by-step instructions using PowerShell.
Why Transfer FSMO Roles?
FSMO roles are automatically assigned to the first domain controller in the forest root domain. However, transferring these roles might be necessary for several reasons:
- Upgrading the operating system
- Changing domain controller IP addresses
- Demoting a domain controller
- Performing maintenance or taking the domain controller offline
- Addressing performance issues
It is important to transfer FSMO roles only when the current role holder is operational and accessible on the network. For a complete list of considerations, see Microsoft’s article Transfer or seize FSMO Roles in Active Directory Services.
Step 1: Identify Current FSMO Role Holders
Before transferring FSMO roles, determine which domain controllers currently hold them.
PowerShell Commands to Check FSMO Roles:
Run the following commands:
Domain-Level FSMO Roles:
Get-ADDomain | Select InfrastructureMaster, PDCEmulator, RIDMaster
Forest-Level FSMO Roles:
Get-ADForest | Select DomainNamingMaster, SchemaMaster
For example, in a domain setup, the output might show:
- InfrastructureMaster: DC1
- PDCEmulator: DC2
- RIDMaster: DC2
- DomainNamingMaster: DC1
- SchemaMaster: DC1
Alternatively, run the following from a Command Prompt (CMD) opened as an administrator:
netdom query fsmo
In this guide, we’ll move all FSMO roles from DC2 to DC1.
Step 2: Transfer FSMO Roles
Using PowerShell
PowerShell provides the easiest and fastest way to transfer FSMO roles.
- Log in to the domain controller to which you want to transfer roles (e.g., DC1).
- Use the following PowerShell commands:
  - Transfer PDCEmulator:
    Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole PDCEmulator
  - Transfer RIDMaster:
    Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole RIDMaster
  - Transfer InfrastructureMaster:
    Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole InfrastructureMaster
  - Transfer DomainNamingMaster:
    Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole DomainNamingMaster
  - Transfer SchemaMaster:
    Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole SchemaMaster
- Verify the changes by rerunning the commands to list FSMO roles.
Replace “DC1” with the hostname of your new server. If you run Step 1 again, the FSMO query will list the new server as the holder of the roles you transferred.
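Steps 1 and 2 combined into one script, as an added example that is not part of the original guide: it records the current holders, skips roles already on the target, refuses to transfer from a holder that does not answer, and prints a before/after comparison. The `$Target` value and the `Get-FsmoHolder` helper name are assumptions for illustration, and the ping test is only a coarse reachability check that will fail if ICMP is blocked between the domain controllers.

```powershell
# Added example: pre-check, transfer and verify FSMO roles in one pass.
# Assumption: $Target is this guide's "DC1"; replace it with your own DC hostname.
Import-Module ActiveDirectory

$Target = 'DC1'

function Get-FsmoHolder {
    # Hypothetical helper: map each of the five FSMO roles to its current holder.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        SchemaMaster         = $forest.SchemaMaster
    }
}

# Role holders are reported as FQDNs, so compare against the target's FQDN.
$targetFqdn = (Get-ADDomainController -Identity $Target).HostName
$before     = Get-FsmoHolder

foreach ($role in $before.Keys) {
    $holder = $before[$role]
    if ($holder -eq $targetFqdn) {
        Write-Host "$role is already on $targetFqdn, skipping."
        continue
    }
    # A transfer requires the current holder to be operational and reachable.
    if (-not (Test-Connection -ComputerName $holder -Count 2 -Quiet)) {
        Write-Warning "$role holder $holder is not responding; role left in place."
        continue
    }
    # The cmdlet prompts for confirmation before each move.
    # Forest-level roles need Schema Admins / Enterprise Admins rights.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role
}

# Verify: query the holders again and compare with the snapshot taken earlier.
$after = Get-FsmoHolder
foreach ($role in $after.Keys) {
    [pscustomobject]@{
        Role     = $role
        Before   = $before[$role]
        After    = $after[$role]
        OnTarget = ($after[$role] -eq $targetFqdn)
    }
}
```

Adding `-WhatIf` to the `Move-ADDirectoryServerOperationMasterRole` call shows which roles would move without changing anything.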
Summary
Transferring FSMO roles is a straightforward task, whether you choose PowerShell or the GUI. PowerShell is the recommended method for its simplicity and efficiency, but the GUI works well for those less comfortable with command-line tools.
Key points to remember:
- Only transfer FSMO roles when the current role holder is operational.
- Double-check role assignments after completing the transfer.
By following these steps, you’ll ensure a seamless transition of FSMO roles to your desired domain controller.