Active Directory has five special roles which are vital for its smooth running as a multimaster system. Some functions of AD require an authoritative master to which all domain controllers can refer. These roles are assigned automatically and there is normally very little reason to move them; however, if you are demoting a DC and DCPROMO fails to run correctly, if a DC suffers a catastrophic failure, or if you are installing a new DC that is much more powerful than your old one, you will need to know about these roles in order to recover them or transfer them to another DC.

The five FSMO roles are divided into two categories, forest-wide and domain-wide, as listed below.

There are five FSMO roles: two per forest and three in every domain.

Forest Wide Roles:


  • Schema Master

The schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.

  • Domain Naming Master

When a new Domain is added to a forest the name must be unique within the forest. The Domain naming master must be available when adding or removing a Domain in a forest.

Domain Wide Roles:

  • Relative ID (RID) Master

Allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain.

When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.

  • PDC Emulator

The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates for a BDC.

It is also responsible for time synchronizing within a domain.

It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before the logon is rejected.

  • Infrastructure Master

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalogue is used to compare data as it receives regular updates for all objects in all domains.

Any change to user-group references is applied by the infrastructure master. For example, if you rename or move a group member and the member is in a different domain from the group, the group will temporarily appear not to contain that member.

Important Note:

Unless there is only one domain in the forest, the Infrastructure Master role should not be on a DC that also hosts the global catalogue. If they are on the same server the infrastructure master will not function: it will never find data that is out of date and so will never replicate changes to the other DCs in the domain.

If all DCs in a domain also host a global catalogue then it does not matter which DC has the infrastructure master role, as all DCs will be up to date thanks to the global catalogue.

How to check which server holds the FSMO roles-

Open the Command Prompt, type “netdom query fsmo” and press Enter.

This command lists the server that holds each of the FSMO roles.
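As an added example (not part of the original article), the same check done with the ActiveDirectory PowerShell module, which also tests the Infrastructure Master / global catalogue condition from the Important Note above. It assumes the RSAT ActiveDirectory module is installed and the caller can read the forest and domain objects; the function name Get-FsmoReport is my own.

```powershell
# Added example: list all five FSMO role holders and flag an Infrastructure
# Master that sits on a global catalog in a multi-domain forest where not
# every DC is a GC. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles are properties of the forest object, domain-wide roles of the domain object
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $dom.RIDMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    # Which DCs of this domain are global catalogs?
    $dcs   = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs   = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)
    $allGc = ($dcs.Count -gt 0) -and ($gcs.Count -eq $dcs.Count)

    # Infrastructure Master on a GC only matters in a multi-domain forest
    # where some DCs are not GCs (the rule from the Important Note).
    $imOnGc  = $gcs -contains $dom.InfrastructureMaster
    $warning = $null
    if ($imOnGc -and -not $allGc -and $forest.Domains.Count -gt 1) {
        $warning = "Infrastructure Master $($dom.InfrastructureMaster) is a global catalog while other DCs are not; move the role or make every DC a GC."
    }

    [pscustomobject]@{
        Domain             = $Domain
        Roles              = $roles
        GlobalCatalogs     = $gcs
        AllDcsAreGc        = $allGc
        InfrastructureOnGc = $imOnGc
        Warning            = $warning
    }
}

$report = Get-FsmoReport
$report.Roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($report.Warning) { Write-Warning $report.Warning }
```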

Transfer FSMO roles-

There are two ways to transfer FSMO roles-

The first uses the GUI and the second uses the command line interface.

Let’s first discuss the GUI-based method-

Step 1: Transferring the RID master, PDC emulator and Infrastructure Master roles

As the first step, let’s look at how we can transfer these 3 roles over to the new server.

  1. Log in to the Windows server as a domain administrator.
  2. Click Server Manager > Tools > Active Directory Users and Computers.
  3. In the MMC, right-click the domain name and then click Operations Masters.
  4. The next window shows the 3 domain-wide FSMO roles on separate tabs. The default tab is RID; it shows the current RID holder and asks whether to change it to the new DC, DC-2.arsh.com. Click Change.
  5. Click Yes to continue.

After the change, the Operations Master is shown as “DC-2.arsh.com” instead of “Server2008.arsh.com”.

The same process applies to the other 2 roles, i.e. PDC and Infrastructure.

Once all three have been changed, the Operations Masters window shows that the FSMO roles are transferred.


Transfer FSMO roles using the command line interface-

  1. Log on to a Windows Server or domain controller located in the forest where the FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning the FSMO roles to.
  2. Open the command prompt, type ntdsutil, and then press ENTER.
  3. Type roles, and then press ENTER.

Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ? and then press ENTER.

  4. Type connections, and then press ENTER.
  5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
  6. At the server connections prompt, type q, and then press ENTER.
  7. Type transfer role, and then press ENTER, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt and then press ENTER, or see the list of roles at the start of this article.
  8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.


Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

  1. Log on to a Windows Server-based computer, a Windows member server or a domain controller that is located in the forest where the FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning the FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to seize the schema or domain naming master roles, or a member of the Domain Administrators group of the domain for the domain-wide roles.
  2. Open the command prompt, type ntdsutil, and then press ENTER.
  3. Type roles, and then press ENTER.
  4. Type connections, and then press ENTER.
  5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  6. At the server connections prompt, type q, and then press ENTER.
  7. Type seize role, and then press ENTER, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
  8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
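As an added example (not from the original article), the transfer and seize procedures above done with the ActiveDirectory module’s Move-ADDirectoryServerOperationMasterRole cmdlet: each domain-wide role is transferred if its current holder still answers, and only seized (the cmdlet’s -Force switch) when the holder is unreachable and the caller explicitly allows it. It assumes the RSAT ActiveDirectory module; the function names are my own, and “DC-2” is the target DC name from the screenshots.

```powershell
# Added example: transfer the three domain-wide roles to a target DC, falling
# back to a seize only when the current holder cannot be reached and the
# caller passes -AllowSeize. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DcReachable {
    param([string]$Dc)
    # Bind to the DC itself instead of asking another DC about it
    try { Get-ADDomain -Server $Dc -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

function Move-DomainFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [ValidateSet('RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string[]]$Roles = @('RIDMaster', 'PDCEmulator', 'InfrastructureMaster'),
        [switch]$AllowSeize
    )
    $before = Get-ADDomain
    foreach ($role in $Roles) {
        $holder = $before.$role   # Get-ADDomain property names match the role names
        if (Test-DcReachable $holder) {
            # Graceful transfer: the old holder hands over the role and the change replicates
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role -Confirm:$false
            $method = 'transfer'
        }
        elseif ($AllowSeize) {
            # -Force seizes without the old holder's cooperation, like "seize" in ntdsutil.
            # Only for a DC that will never return: it still believes it owns the role.
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role -Force -Confirm:$false
            $method = 'seize'
        }
        else {
            throw "$role holder $holder is unreachable; rerun with -AllowSeize only if it is unrecoverable."
        }
        # Read the domain object from the target so the report shows the post-change holder
        [pscustomobject]@{ Role = $role; OldHolder = $holder; NewHolder = (Get-ADDomain -Server $TargetDc).$role; Method = $method }
    }
}

# Equivalent ntdsutil one-liner for a single role (ntdsutil accepts its commands as arguments):
#   ntdsutil "roles" "connections" "connect to server DC-2" "q" "transfer rid master" "q" "q"
Move-DomainFsmoRoles -TargetDc 'DC-2' | Format-Table -AutoSize
```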

Hope this article helps you understand a little something about FSMO roles and that you are able to use the guide to transfer or seize the roles as needed. Feel free to report new issues on our forum to seek help, or submit a paid incident to us for immediate support.

Arshdeep Singh