Operations master roles
This is a well-known subject among Active Directory administrators. Even before Windows Server 2012, there was no lack of methods for transferring the FSMO roles:
If there were only two domain controllers, we could simply demote one with DCPROMO. If the domain controller being demoted held the FSMO roles, the demotion process transferred them to the remaining domain controller.
Otherwise, we could transfer the roles with one of several graphical interfaces:
Transferring roles with the graphical interface
- Active Directory Users and Computers for the PDCe, RID Master and Infrastructure Master roles
- Active Directory Domains and Trusts for the Domain Naming Master
- Active Directory Schema for the Schema Master, after registering a certain DLL (see the Schema Master step below)
1. Open Active Directory Users and Computers (ADUC), right-click on the domain and select “Operations Masters” in the menu.
2. Clicking “Change” at this point produces an error: when the console is connected to the current role holder, the transfer is refused. We must first connect the console to the domain controller that will receive the roles.
3. This time, select “Change Domain Controller”.
4. Connect to the domain controller to which you intend to transfer the roles.
5. Go back to the domain’s context menu and select “Operations Masters” again.
6. Using the RID Master as an example: the dialog now shows the other domain controller as the target rather than the current holder. Click “Change” and confirm. Repeat the same operation for the PDCe and the Infrastructure Master.
7. For the Schema Master, register the required DLL, add the “Active Directory Schema” snap-in to a Microsoft Management Console (MMC), and then proceed as for the other roles. The Domain Naming Master is transferred the same way from Active Directory Domains and Trusts.
Note: a confirmation message (not shown) indicates that the DLL registration succeeded. I’ll assume the reader knows how to add snap-ins to an MMC; if not, instructions are easy to find online.
Whichever interface you use, a transfer only succeeds if the current holder is online and you hold the right group membership: Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, and Domain Admins of the domain for the PDCe, RID Master and Infrastructure Master. If the current holder is permanently gone, the role has to be seized instead, which is a different and riskier operation not covered here.
We can confirm the new holder of the roles in the graphical interfaces themselves, or with the concise “netdom query fsmo” command.
BEFORE
PS C:\> netdom query fsmo
Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz
AFTER
PS C:\> netdom query fsmo
Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz
Of course, this command can also be used to confirm transfers performed from the command line. Keep in mind that netdom only asks the domain controller it is bound to; right after a transfer, other domain controllers will report the old holder until replication has caught up.
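The following is an added example, not code from the original post: it does the same confirmation as “netdom query fsmo” through the ActiveDirectory PowerShell module, but asks every domain controller in the domain for its own view of the five holders and compares each view with the holders you expect. That catches both a transfer that did not happen and a transfer that has not yet replicated. The expected holders (DC-004.machlinkit.biz) are taken from the output above and are assumptions for this example; the RSAT ActiveDirectory module must be installed.

```powershell
# Added example: verify FSMO holders as seen by every DC (not from the original post).
Import-Module ActiveDirectory

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Read the five role holders as the domain controller $Server currently sees them.
# Forest-wide roles come from the forest object, domain roles from the domain object;
# both are read from $Server so that we get that DC's replica, not whichever DC
# the module would pick by default.
function Get-FsmoHolder {
    param([Parameter(Mandatory)][string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [pscustomobject]@{
        QueriedDC            = $Server
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Compare what every DC in the domain believes with the expected holders.
# Returns $true only when every reachable DC agrees on every role.
function Test-FsmoHolder {
    param([Parameter(Mandatory)][hashtable]$Expected)   # role name -> DC FQDN
    $ok = $true
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $view = Get-FsmoHolder -Server $dc.HostName
        } catch {
            Write-Warning "$($dc.HostName): could not be queried ($($_.Exception.Message))"
            $ok = $false
            continue
        }
        foreach ($role in $roles) {
            if ($view.$role -ine $Expected[$role]) {
                Write-Warning ("{0}: {1} is {2}, expected {3}" -f $dc.HostName, $role, $view.$role, $Expected[$role])
                $ok = $false
            }
        }
    }
    return $ok
}

# Expected state after the transfer shown above (assumed values for this example).
$expected = @{
    SchemaMaster         = 'DC-004.machlinkit.biz'
    DomainNamingMaster   = 'DC-004.machlinkit.biz'
    PDCEmulator          = 'DC-004.machlinkit.biz'
    RIDMaster            = 'DC-004.machlinkit.biz'
    InfrastructureMaster = 'DC-004.machlinkit.biz'
}

if (Test-FsmoHolder -Expected $expected) {
    Write-Host 'All domain controllers agree on the expected FSMO holders.'
} else {
    exit 1   # non-zero exit code so a scheduled job or pipeline flags the drift
}
```

Run it a few minutes after a transfer: a single DC still reporting the old holder is normally replication latency, while every DC reporting the old holder means the transfer did not take.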
Transferring roles with NTDSUTIL (command line interface)
We can transfer the roles at the command line using ntdsutil as shown below.
But first some notes:
Since Windows Server 2008, we must first activate an “instance” of NTDS with the command…
activate instance ntds
This was not necessary with Windows Server 2003.
Second, the syntax for the Domain Naming Master has changed.
With Windows Server 2003, we would enter:
transfer domain naming master
Since Windows Server 2008, we must enter:
transfer naming master
Having clarified those points, let’s enter the sequence of commands that transfers the roles (the text after each ntdsutil prompt is the command to type):
PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to “ntds”.
C:\Windows\system32\ntdsutil.exe: roles
fsmo maintenance: connections
server connections: connect to server DC-004
Binding to DC-004 …
Connected to DC-004 using credentials of locally logged on user.
server connections: quit
Note: at this point, depending on the role(s) we want to transfer, we enter one or more of the following:
fsmo maintenance: transfer schema master
fsmo maintenance: transfer naming master
fsmo maintenance: transfer rid master
fsmo maintenance: transfer pdc
fsmo maintenance: transfer infrastructure master
fsmo maintenance: transfer schema master
Server “DC-004” knows about 5 roles
Schema – CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
Naming Master – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
PDC – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
RID – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
Infrastructure – CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz
Looking closely at this output, DC-004 is now the Schema Master while DC-001 still holds the other four roles. Each transfer command prints this list, so the end state can be read straight off the last one before quitting ntdsutil.
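As an added example (not from the original post), the interactive sequence above can be issued in a single command: ntdsutil accepts its prompt commands as quoted arguments, in the same order you would type them. The function below builds that argument list for one or more roles using the Windows Server 2008+ syntax from the notes above (“activate instance ntds”, “transfer naming master”) and returns the “knows about 5 roles” lines that ntdsutil prints after each transfer. The target name DC-004 is an assumption for this example. One caveat a practitioner should know: ntdsutil still pops up a Role Transfer Confirmation dialog for each transfer, so this shortens the typing but does not make the operation fully unattended.

```powershell
# Added example: drive the ntdsutil transfer sequence from one PowerShell call.
function Invoke-NtdsutilTransfer {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('schema master', 'naming master', 'rid master', 'pdc', 'infrastructure master')]
        [string[]]$Role
    )
    # Same commands as the interactive session: activate the instance, enter
    # "roles", bind to the target from "connections", then one transfer per role.
    $commands = @(
        'activate instance ntds',
        'roles',
        'connections',
        "connect to server $TargetDC",
        'quit'                              # back to fsmo maintenance
    )
    $commands += $Role | ForEach-Object { "transfer $_" }
    $commands += 'quit', 'quit'             # leave fsmo maintenance, then ntdsutil

    Write-Host ("ntdsutil " + (($commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))

    # Splatting the array passes each command as its own (quoted) argument.
    $output = & ntdsutil.exe @commands 2>&1 | ForEach-Object { "$_" }
    $output | ForEach-Object { Write-Host $_ }

    if ($output -match 'error|fail') {
        Write-Warning 'ntdsutil reported a problem; check the output above before trusting the role list.'
    }
    # Return only the role-holder lines ("Schema - CN=NTDS Settings,CN=DC-004,...")
    # from the last listing, i.e. the final state after the requested transfers.
    $holders = $output | Where-Object { $_ -match '^\s*(Schema|Naming Master|PDC|RID|Infrastructure)\s+-\s+CN=' }
    return $holders | Select-Object -Last 5
}

# Move the two forest-wide roles to DC-004 (assumed name) in one go.
Invoke-NtdsutilTransfer -TargetDC 'DC-004' -Role 'schema master', 'naming master'
```

The returned lines are the same five “CN=NTDS Settings,…” entries shown above; reading the DC name out of each distinguished name tells you who holds what without leaving the console.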
Transferring roles with PowerShell
The Move-ADDirectoryServerOperationMasterRole cmdlet (ActiveDirectory module) takes the target domain controller as -Identity (abbreviated to -id below, which PowerShell accepts because no other parameter starts with “id”) and the roles by name:
Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
Or by the numbers that represent the roles:
- PDCEmulator = 0
- RIDMaster = 1
- InfrastructureMaster = 2
- SchemaMaster = 3
- DomainNamingMaster = 4
So if we wanted to transfer all five roles to domain controller DC-001, we would enter this:
PS C:\>Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4
Despite the rather long cmdlet name (only the first eight letters or so need typing before tab completion does the rest), the complete command is quite concise if we use (and know) the numbers.
The cmdlet works nicely, as we can see here. At first, DC-004 holds the roles:
PS C:\> netdom query fsmo
Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz
We transfer them to DC-001…
PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4
Move Operation Master Role
Do you want to move role ‘PDCEmulator’ to server ‘DC-001.machlinkit.biz’ ?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”): A
(Answering “A” accepts the prompt for all five roles at once; -Confirm:$false suppresses it entirely in scripts.) We confirm the transfers with…
PS C:\> netdom query fsmo
Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz
Transferring the roles by domain controller demotion
Lastly, if we have only two domain controllers, or have no preference as to which one becomes the new FSMO holder, we can demote the current holder and the roles are transferred to another domain controller automatically. I will not detail the demotion of a domain controller here, but this is what netdom query fsmo shows after the process:
PS C:\> netdom query fsmo
Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz
So after demoting DC-001, the FSMO roles were automatically transferred to DC-004; no manual intervention was necessary. Note that this only holds for a clean demotion: if the holder simply fails or is removed without being demoted, the roles go with it and must be seized on a surviving domain controller.