
Aug 18

Transferring FSMO Roles in Windows Server 2003 and 2008

Introduction

This article will provide step-by-step instructions describing the process for transferring one or more FSMO (Flexible Single Master Operation) roles from one server to another in Active Directory.  This is a necessary step during a server migration, reorganization of an existing domain or a handful of other situations in which the needs or level of access to a server change within an organization’s Active Directory infrastructure.

Background:  About FSMO Roles

There are five FSMO roles; three roles that are associated directly with the Active Directory domain, and two that deal directly with the Active Directory forest.  The lists below provide a quick overview.

Domain FSMO Roles

  • The PDC Emulator role – This role does just what it says: it emulates the old Windows NT PDC (Primary Domain Controller).  The server that holds this role is primarily responsible for processing authentication events such as login failures, password changes, account status, etc.  This role also maintains backward compatibility with older Windows NT-era clients and applications that depend on this architecture.
  • The Infrastructure Master role – This role is responsible for ensuring that security identifiers from “this” domain are properly referenced from outside the domain.
  • The RID Master role – The server holding this role is charged with allocating RIDs (Relative IDs) to domain controllers when creating new objects in Active Directory.

Forest FSMO Roles

  • The Domain Naming Master role – Just as the title suggests, the server holding this role is responsible for keeping track of the names of all domains in the forest.  This role is required in any transaction that creates or deletes a domain.
  • The Schema Master role – This is the big one.  The server that holds this role maintains the Active Directory schema for the entire forest.

Which Server Holds Each Role?

Before transferring roles all around Active Directory, it is a good idea to know who the current role-holders are for each of the FSMO roles.  Honestly, it is a good idea to check on this even if no changes are planned.  Why?  Many organizations have upgraded, replaced and/or added several servers to their Active Directory Forest over the years.  If the system admins were sloppy, it is quite possible that a server that no longer exists holds one or more FSMO roles.  A typical scenario is that a company with a single server wants to upgrade and replace it, so the admin installs the new server and runs dcpromo, transfers all of the data, unplugs the old server and destroys the hard drives before selling it/donating it.  Whoops!  Should have grabbed those FSMO roles first!  Or maybe the server is still active on the domain but was moved to another office across a slow WAN/VPN link and suddenly certain AD operations are slow or unreliable.  Chances are, you landed on this page because you are either dealing with this sort of problem or trying to prevent it from happening.

To find out which servers currently hold roles on your network, type the following command at a command prompt:

netdom query fsmo

It will return a simple table that shows each role and the current owner of that role.
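As an added example (not part of the original article), the following PowerShell script does the same check as netdom query fsmo but also flags the scenario described above: a recorded role holder that is no longer a known domain controller, or one that does not answer. It assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later) and that the role holders can be reached by ICMP; older DCs need the Active Directory Management Gateway Service for the module to query them.

```powershell
# Added example: audit the five FSMO role holders and flag stale or unreachable owners.
# Assumes the ActiveDirectory PowerShell module is available on this machine.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # The DC recorded as owner of each role (three domain roles, two forest roles).
    $roles = [ordered]@{
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'Schema Master'         = $forest.SchemaMaster
    }
    # Host names of every DC that Active Directory still knows about, across all
    # domains in the forest (the forest roles may live in another domain).
    $liveDCs = foreach ($d in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $d).HostName
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $known  = $liveDCs -contains $holder
        $online = $false
        if ($known) {
            # One ping; a holder behind a firewall that drops ICMP will show as unreachable.
            $online = Test-Connection -ComputerName $holder -Count 1 -Quiet
        }
        if (-not $known)       { $status = 'ORPHANED: holder is not a known DC' }
        elseif (-not $online)  { $status = 'UNREACHABLE: verify before seizing' }
        else                   { $status = 'OK' }

        [pscustomobject]@{ Role = $role; Holder = $holder; Status = $status }
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
```

Any row marked ORPHANED is exactly the "server that no longer exists still holds a role" case from the paragraph above, and is a candidate for the seizure procedure later in this article.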

Transferring Roles – Current Role-Owner is Still Online

If both the current owner and future owner of the FSMO role to be transferred are online and healthy, transferring these roles is pretty simple.  This is the preferred method of transferring roles.  There are three places to go to change all five roles:

(Make sure that these steps are performed on the server that the roles will be transferred TO.  Otherwise, use the “Connect to Domain Controller” or “Change Domain Controller” option in the top-level right-click menu of the following tools.)

  1. Active Directory Users and Computers MMC snap-in.  From this snap-in, the domain-based roles (RID, PDC and Infrastructure) can all be transferred by right-clicking the domain name and selecting “Operations Masters…”.  There will be a tab for each role, and a button to “Change…”.
  2. Active Directory Domains and Trusts MMC snap-in.  By right-clicking “Active Directory Domains and Trusts”, then selecting “Operations Master…”, the owner of the Domain Naming Master role may be changed.
  3. Schema Management MMC snap-in.  This one is a little trickier because Schema Management is not listed as an option in Administrative Tools.  To access it, first run the following command:

    regsvr32 schmmgmt.dll

    Click “Ok” on the box telling you that registration succeeded.  Next, run “mmc” to open a blank MMC console.  Click “File -> Add/Remove Snap-in…” and click “Add…” in the box that follows.  Select “Active Directory Schema” from the list and click “Add”,  “Close” then “OK”.  Right-click “Active Directory Schema” and select “Operations Master…”.  This is where the Schema Master role can be changed.

Transferring Roles – Current Role-Owner is Gone and Never Coming Back

This method, called seizure, is not the preferred method of transferring roles, but must be used in certain situations.  If the server holding one or more FSMO roles has been removed from the network and cannot be reconnected, if it has suffered a catastrophic failure that prevents it from running, or if it has been otherwise forcefully removed from Active Directory, this is the only way to transfer the roles that it held to another domain controller.  We will use the ntdsutil utility to seize the roles.

Note:  Once roles have been seized from a server it is very important that the server is never allowed to communicate on the network again!

(Make sure that these steps are performed on the server that the roles will be transferred TO.  The logged-on user should be a member of the Enterprise Administrators group and the Domain Administrators group.)

These steps and additional information regarding the use of ntdsutil with roles can be found at this Microsoft KB article:  http://support.microsoft.com/kb/255504

  1. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  2. Type roles, and then press ENTER.
  3. Type connections, and then press ENTER.
  4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  5. At the server connections prompt, type q, and then press ENTER.
  6. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
  7. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
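The same operation in PowerShell, as an added example that is not from the article or the Microsoft KB: Move-ADDirectoryServerOperationMasterRole performs the graceful transfer from the earlier section by default and seizes only when -Force is given. The wrapper below seizes only if the current owner does not answer, so a live holder is still transferred gracefully. It assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later); the DC names in the usage lines are hypothetical placeholders.

```powershell
# Added example: transfer or seize FSMO roles, with seizure guarded by a reachability check.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]   $TargetDC,   # DC that will receive the role(s)
        [Parameter(Mandatory)] [string[]] $Role,       # PDCEmulator, RIDMaster, InfrastructureMaster,
                                                       # SchemaMaster, DomainNamingMaster
        [switch] $Seize                                # equivalent of ntdsutil "seize <role>"
    )
    foreach ($r in $Role) {
        if ($Seize) {
            # Find the DC Active Directory currently lists as owner of this role.
            # A holder that was removed from AD no longer appears here, so $holder is $null.
            $holder = (Get-ADDomainController -Filter * |
                       Where-Object { $_.OperationMasterRoles -contains $r }).HostName
            if ($holder -and (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
                # A holder that still answers must be transferred, not seized: once a role is
                # seized, the old holder can never be allowed back on the network.
                throw "$holder still responds; transfer $r gracefully instead of seizing it."
            }
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $r -Force -Confirm:$false
        } else {
            # Graceful transfer: the current holder hands the role over.
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $r -Confirm:$false
        }
    }
    # Same verification the article uses at the end.
    netdom query fsmo
}

# Graceful transfer of the RID master to DC02 (hypothetical name):
#   Move-FsmoRole -TargetDC 'DC02' -Role RIDMaster
# Seize the three domain roles after DC01 (hypothetical) has been permanently lost:
#   Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator,RIDMaster,InfrastructureMaster -Seize
```

The account running this needs the same group memberships the note above lists, and the ping check is a sanity guard only: confirm the old holder is really gone before passing -Seize.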

Conclusion and Testing

At this point all roles should be gracefully transferred or forcefully seized to a functioning server that actually exists on the network.  To check the status of all roles, run the same command that we used in the beginning:

netdom query fsmo

Make sure that the results match up to your expectations.

-n
