Transferring FSMO roles from GUI

 

When you demote an old Domain Controller that holds any of the Single Master Operation roles, commonly known as Flexible Single Master Operation (FSMO) roles, you may wish to manually transfer them to another Domain Controller.

This is not necessary, because during the DC decommission process they are transferred automatically to another DC within the network, but it’s nice to control this process.

FSMO roles should be placed in a well-connected, reliable location to prevent disruption in access to them.

There are two ways of transferring FSMO roles. You can use the graphical consoles available on a DC or on any server/workstation with Administrative Tools / Remote Server Administration Tools installed, or you can use the command-line tool ntdsutil.

 Transferring FSMO roles using GUI consoles

There are five FSMO roles. Two of them are Forest-wide and three are Domain-wide. The Forest-wide FSMO roles are common to the entire forest and by default are held on the first Domain Controller within the forest-root domain.

These roles are:

  • Schema master
  • Domain Naming master

The other three are Domain-wide roles:

  • Relative Identifier master (RID)
  • PDC Emulator master
  • Infrastructure master

and they are separate for each domain within the forest.

To transfer any of them, you need to use the appropriate console(s) and choose a target Domain Controller.

In this scenario, we transfer FSMO roles from the old Windows Server 2003 to the new one, based on Windows Server 2008 R2.

Important! Before you start transferring FSMO roles, it’s good to check the condition of your forest/domain using the dcdiag and repadmin tools, to be sure that there is no problem with replication or Domain Controller functionality.
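One way to script that pre-transfer check is shown below. It is an added example, not part of the original article, and it assumes PowerShell is available on the machine where dcdiag and repadmin are installed.

```powershell
# Added example (not from the original article): pre-transfer health check.
# Run from an elevated prompt on a DC or a machine with dcdiag/repadmin installed.

# dcdiag /e tests every DC in the forest; /q prints only errors,
# so any non-blank output means at least one test failed.
$dcdiagErrors = @(dcdiag /e /q | Where-Object { $_ -match '\S' })

# repadmin /showrepl * /csv emits one row per inbound replication link.
# The first column marks each row as showrepl_INFO or showrepl_ERROR
# (the latter when a DC could not be queried at all).
$rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)

$unreachable = @($rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_ERROR' })
$failedLinks = @($rows | Where-Object {
    $_.showrepl_COLUMNS -eq 'showrepl_INFO' -and [int]$_.'Number of Failures' -gt 0
})

if ($dcdiagErrors.Count -gt 0) {
    Write-Warning 'dcdiag reported errors:'
    $dcdiagErrors
}
if ($unreachable.Count -gt 0) {
    Write-Warning "repadmin could not query $($unreachable.Count) DC(s):"
    $unreachable | Format-List
}
if ($failedLinks.Count -gt 0) {
    Write-Warning 'Replication links with failures:'
    $failedLinks | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time' -AutoSize
}

if (($dcdiagErrors.Count + $unreachable.Count + $failedLinks.Count) -eq 0) {
    'No dcdiag errors or replication failures found.'
} else {
    Write-Warning 'Resolve the issues above before transferring FSMO roles.'
}
```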

  • Schema Master

This role can be transferred using the Active Directory Schema snap-in. This is possible only after you register the appropriate library in the system, because by default the AD Schema snap-in is not available in the OS.

To do that, run the following command in the command line on a DC or on a system with Administrative Tools / Remote Server Administration Tools installed:

 regsvr32 schmmgmt.dll

Registration Active Directory Schema snap-in

When the snap-in is registered, we can add it to an MMC console. Open the Run box and type mmc to open an empty console.

Running MMC

then add “Active Directory Schema” from menu “File -> Add/Remove snap-in”

Active Directory Schema snap-in

Now, we can select Domain Controller to which we want to transfer this role. Click right mouse button (RMB) on “Active Directory Schema” node and choose “Change Active Directory Domain Controller”. From the list select target Domain Controller for Schema Master role.

Choosing Domain Controller

You will be informed that you cannot do any schema changes on a DC which is not a Schema Master owner. Don’t worry, you won’t be modifying any schema object, we will change Schema owner only.

Warning

We are now connected to the DC to which we want to transfer the Schema Master role. To finalize this operation, click RMB on the “Active Directory Schema” node once again and choose “Operations Master”. You will see two fields. The first points to the current FSMO holder and the second shows the DC to which the role can be transferred. Click on the “Change” button

Schema master

confirm that you are sure you want to change Operation Master owner

Role transfer confirmation

and you will get information that it’s transferred

Role transfer information

Schema master changed

Close MMC console without saving changes.

  • Domain Naming Master

This role can be transferred using the “Active Directory Domains and Trusts” console. It’s available on any DC or server/workstation with Administrative Tools / Remote Server Administration Tools installed. Run the console, click RMB on “Active Directory Domains and Trusts”, choose “Change Active Directory Domain Controller” and select from the list the DC to which you want to move the role.

Domain Controller selection

Now, click root node once again, and choose “Operations Master” then click on “Change” button

Domain Naming master

confirm that you want to transfer role

Role transfer confirmation

Role transfer information

Close “Active Directory Domains and Trusts” console.

  • RID, PDC Emulator and Infrastructure Masters

These Domain-wide roles can be moved to another Domain Controller from a common console. To do that, run the “Active Directory Users and Computers” console.

 Click root node and choose “Change Domain Controller”, select appropriate target DC.

Domain Controller selection

In the console, select the domain for which you want to transfer roles and choose “Operations Master”. You will see a window with three tabs:

  • RID master
  • PDC master
  • Infrastructure master

On each of them you can move role to selected Domain Controller.

Select each tab separately and transfer particular roles to target DC(s).

Important! In a multi-domain environment where not all Domain Controllers are Global Catalogs, the Infrastructure master has to be placed on a non-Global Catalog Domain Controller to prevent conflicts between them.

  • RID master

Relative Identifier (RID) master

confirm role transfer

Role transfer confirmation

a window with information will appear

Role transfer information

  • PDC Emulator master

PDC Emulator master

confirm role transfer

Role transfer confirmation

a window with information will appear

Role transfer information

  • Infrastructure master

Infrastructure master

confirm role transfer

Role transfer confirmation

a window with information will appear

Role transfer information

All of FSMO roles have been transferred!

It’s time to verify that all of them are placed where we wanted them. The simplest way is to review each console and check “Operations Master”, or to use netdom, a command-line tool. The latter method is very fast and shows the output in one window.

Open the command line and type: netdom query fsmo

FSMO roles verification
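The same verification can be scripted, together with the Infrastructure master placement rule mentioned earlier. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available (RSAT, with a DC running Active Directory Web Services), and `dc-new.example.local` is a placeholder for your target DC.

```powershell
# Added example (not from the original article): verify FSMO role holders.
Import-Module ActiveDirectory

# Assumption: placeholder FQDN of the DC expected to hold all five roles.
$ExpectedHolder = 'dc-new.example.local'

$forest = Get-ADForest
$domain = Get-ADDomain

# Current holder of each role, as reported by the directory.
$holders = @{
    'Schema master'         = $forest.SchemaMaster
    'Domain Naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC Emulator master'   = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}

$report = foreach ($role in $holders.Keys) {
    New-Object PSObject -Property @{
        Role     = $role
        Holder   = $holders[$role]
        Expected = ($holders[$role] -eq $ExpectedHolder)   # case-insensitive
    }
}
$report | Sort-Object Role | Format-Table Role, Holder, Expected -AutoSize

$misplaced = @($report | Where-Object { -not $_.Expected })
if ($misplaced.Count -gt 0) {
    Write-Warning "$($misplaced.Count) role(s) are not on $ExpectedHolder."
}

# Infrastructure master placement: in a multi-domain forest where not every
# DC is a Global Catalog, the role should sit on a non-GC Domain Controller.
$dcs   = @(Get-ADDomainController -Filter *)
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imDc  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

if ($forest.Domains.Count -gt 1 -and $nonGc.Count -gt 0 -and $imDc.IsGlobalCatalog) {
    Write-Warning ("Infrastructure master {0} is a Global Catalog while non-GC DCs exist: {1}" -f
        $imDc.HostName, (($nonGc | ForEach-Object { $_.HostName }) -join ', '))
}
```

The forest-wide holders come from `Get-ADForest` and the domain-wide ones from `Get-ADDomain`, so in a multi-domain forest run the script once per domain.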

If you wish, you may also check the article about Transferring FSMO roles with PowerShell

It’s done.

Author: Krzysztof Pytko


8 responses to “Transferring FSMO roles from GUI”

  1. AnthonyCPSAdmin says :

    I am migrating from a 2003 (DC01) (current master of all roles), to a 2008 R2 (DC11).

    ISSUE: When I am looking at the first step, transferring the schema master using the “Active Directory Schema” mmc, the new domain controller DC11 shows as “Inactive” under status.

    When I run “netdom query dc”, it shows both domain controllers.

    When I check the DNS entries on both servers, everything looks good and has both servers as (same as parent folder), also showing their normal computer records in both forward and reverse lookup.

    Running “dcdiag” shows every single test passed. There was originally an FRS issue, but I ran D4 & D2 resets to resolve that problem, it is working fine now.

    At this point, everything APPEARS to be ok, so I am unsure how to proceed from here.

     
    • iSiek says :

      So, everything seems to be fine. How do you use MMC console to transfer Schema Master role? Have you selected that Windows Server 2008R2 Domain Controller, first?

      What do you mean by saying “inactive”?

      Thank you for more information in advance.

      Regards,
      Krzysztof

       
      • AnthonyCPSAdmin says :

        In your screen shot, when you have opened up MMC and connected to the Schema snap in, you show the 3 servers listed under “Change Directory Server”. You have “Online” listed under status for all 3 servers. My new domain controller, and the one I am even performing these tasks from, says “Unavailable”. Not sure why I wrote inactive in my first post, that was a slip of the brain.

        Interestingly, I continued with your steps anyways, and it appears to have worked, at least when I run “netdom query fsmo” it shows my new controller as the master. Every time I changed the domain controller it showed my new one as “Unavailable”, but let me select it anyways.

         
  2. Arshad Javed says :

    very informative

     
  3. Srinivas says :

    Thanks a lot…

     
  4. Moe Besbo says :

    Thanks a lot…

     
