How to Transfer FSMO Roles

To transfer FSMO roles via the Windows GUI, you will need access to the following three Active Directory snap-ins:

  • Active Directory Schema (Schema Master Role)
    Note: The snap-in is not enabled by default. Instructions provided below.
  • Active Directory Domains and Trusts (Domain Naming Master Role)
  • Active Directory Users and Computers (RID, PDC and Infrastructure Roles)

 

Enabling Active Directory Schema Snap-In

To enable the Active Directory Schema Snap-In, open up a command prompt and select Run as administrator.

In the command prompt, type in regsvr32 schmmgmt.dll.

A window will pop up displaying DllRegisterServer in schmmgmt.dll succeeded.


Accessing Snap-ins and Microsoft Management Console

The easiest way to gain access to all three Active Directory snap-ins is to go through the Microsoft Management Console. In most cases, I log on to the server that I want to house all the roles, so the snap-ins will automatically connect to the local machine. To do this, type mmc in the Run dialog.

 

Once MMC has opened, the “Active Directory Schema” snap-in can be added.

Note: the Active Directory Schema does not appear under administrative tools by default and must be accessed through MMC.

By default, the snap-in will authenticate to whatever server it has been opened from. If you are already on the new domain controller, see the screenshots below on where to right-click to be able to modify the Operations Master via the GUI.

Otherwise, you will need to select Change Active Directory Domain Controller and type in the new domain controller. Then right-click Active Directory Schema, Active Directory Domains and Trusts, or Active Directory Users and Computers, point to All Tasks, Operations Masters…, and then click Change.

 

Although each Operations Master window displays different text, each one will show the “Current Operations Master” and will also display something similar to “To transfer the X master role to the targeted FSMO folder, click Change.” Once Change has been clicked, a confirmation should appear showing the “New Operations Master.”

Once the new Operations Master has been confirmed, the same process can be repeated for the other remaining four FSMO roles.

 

PowerShell command

With PowerShell, you can move all these roles to one DC at one time. Go to Server Manager, click Tools, and choose Active Directory Module for Windows PowerShell.

 

Move-ADDirectoryServerOperationMasterRole -identity "dest_DC" -operationMasterRole 0,1,2,3,4

Or

Move-ADDirectoryServerOperationMasterRole -Identity "dest_DC" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster
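
A check before and after the transfer command above, as an added example that is not part of the original article: it lists the current role holders, moves only the roles that are not already on the target, and confirms the result. dest_DC is the article's placeholder; the function name Get-FsmoRoleHolder is an assumption of this example, and the script assumes it runs in the same domain as the target DC.

```powershell
# Added example (not from the original article).
# Assumes the ActiveDirectory module is installed and the session is in the target DC's domain.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Hypothetical helper: returns role name -> FQDN of the DC that currently holds it.
    $forest = Get-ADForest   # forest-wide roles
    $domain = Get-ADDomain   # domain-wide roles
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$target     = 'dest_DC'   # placeholder name used in the article
$targetFqdn = (Get-ADDomainController -Identity $target).HostName

# Record who holds each role before anything is changed.
$before = Get-FsmoRoleHolder
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

# Move only the roles that are not already on the target.
$toMove = @($before.Keys | Where-Object { $before[$_] -ne $targetFqdn })
if ($toMove.Count -eq 0) {
    Write-Output "All five roles are already on $targetFqdn."
    return
}

# -Confirm prompts before each role is moved.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $toMove -Confirm

# Re-read the role holders and report anything that did not move.
$after   = Get-FsmoRoleHolder
$missing = @($after.Keys | Where-Object { $after[$_] -ne $targetFqdn })
if ($missing.Count -gt 0) {
    Write-Warning "Not transferred to ${targetFqdn}: $($missing -join ', ')"
} else {
    Write-Output "All five roles are now on $targetFqdn."
}
```
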

Seize FSMO role

If your FSMO owners are down or broken for some reason, you may want to seize the role to a normal domain controller.

 

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS>ntdsutil
ntdsutil:
  2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 …
Connected to server100 using credentials of locally logged on user.
server connections:
  5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
  6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
  7. You will receive a warning window asking if you want to perform the seize.