How to transfer or seize Flexible Single Master Operations (FSMO) roles

As you probably know, when you promote the first domain controller in a forest, it is granted five Operations Master or Flexible Single Master Operations (FSMO) roles, pronounced “fizz-moe”. Two of the roles are forest-wide and the rest are domain-specific, meaning that if you have multiple domains, every domain gets the three domain-specific roles. The two forest-wide roles never change and they are barely used in the environment, as you’ll see later. So a forest with two domains has a total of eight FSMO roles: two forest-wide and six domain-wide, three for every domain.

The five FSMO roles that I’m talking about are:

Schema Master – controls updates and modifications to the schema. Once the schema is modified or updated, the change replicates to all domain controllers in the forest. The best example of a schema modification is Exchange, if you are familiar with the product: before you install Exchange you need to extend the schema, and once it is extended, new tabs appear on every user account, among other things. There can be only one schema master in the whole forest. This role is needed only when schema modifications are being made, meaning it can remain offline indefinitely until schema changes are necessary.

Domain Naming Master – controls the addition and removal of domains in the forest. There can be only one domain naming master in the whole forest. This role is only necessary when you add or remove a domain in the forest. The rest of the time, the domain naming master can remain offline for an indefinite period.

Infrastructure Master – when multiple domains exist in your forest, this role takes care of objects that reference objects in other domains. For example, you can have a group in one domain that includes users from another domain. If members of that group are moved or renamed, the Infrastructure Master’s job is to identify those changes and update the group membership. The Infrastructure Master role needs to run on a domain controller that is not a Global Catalog (GC), or it will stop updating object information, since the Global Catalog server already holds a partial replica of every object in the forest. Another way to eliminate this issue is to make all domain controllers GCs. There is an Infrastructure Master in every domain and it is held by only one domain controller in that domain. If it fails, users will not be affected, but it will be noticeable to administrators.

PDC Emulator – or Primary Domain Controller Emulator is a domain role that performs critical functions of a domain, such as:

Password changes – when a user password is reset or changed, those changes are immediately replicated to the PDC emulator.

Backward compatibility – it gives those who are still using Windows NT 4.0 a way to locate a writable domain controller, since the domain controller that holds the PDC emulator registers itself as a PDC and performs all of the functionality that a Windows NT 4.0 Server performs for Windows NT 4.0 based clients.

Group Policy Objects – every time you open a GPO for editing, this is always done from the SYSVOL folder of the PDC emulator. This avoids situations where two administrators edit the same GPO at the same time on different domain controllers. Without a PDC emulator the two GPO versions could not be reconciled.

Time synchronization – the PDC emulator in each domain synchronizes its time with the forest root PDC emulator so that critical services like Active Directory, DFS-R and File Replication Service (FRS) function correctly.

Master Browser – acts as the domain master browser for the domain; when clients browse the Windows Network, a list of computers, domains and servers appears in that list.

There is a PDC emulator in every domain and it is held by only one domain controller in that domain. If it fails, all normal operations and users will be immediately impacted. This role must be available at all times.

RID Master – or Relative ID (RID) Master is responsible for processing RID pool requests from domain controllers for security principals like users, groups and computers. The RID Master allocates a pool of RIDs to each domain controller, and those domain controllers then generate SIDs by appending a unique RID to the domain SID. The SID of every security principal must be unique. There is a RID Master in every domain and it is held by only one domain controller in that domain. If the RID master is not available the impact is not immediately noticeable, but once the RID pools are exhausted you will not be able to create objects in AD anymore.

These roles can all sit on a single domain controller (in small environments you will find this very often), or they can be spread across multiple domain controllers. Now, as the title says, FSMO roles can be transferred or seized.
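As an added example (not part of the original article), the following PowerShell lists the current holder of each of the five roles, checks that each holder answers on the network, and flags the Infrastructure Master / Global Catalog condition described above. It assumes the RSAT ActiveDirectory module on a domain-joined machine with an authenticated session.

```powershell
# Added example, not from the original article.
# Inventory the FSMO holders and check the Infrastructure Master / GC rule.
# Assumes the RSAT ActiveDirectory module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain-wide roles on the domain object.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # A holder that does not answer is the first hint that a role may have to be seized.
    $reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
    '{0,-22} {1,-35} reachable={2}' -f $role, $holder, $reachable
}

# The Infrastructure Master must not sit on a GC unless every DC in the domain is a GC.
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$imDc  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

if ($imDc.IsGlobalCatalog -and -not $allGc) {
    Write-Warning ('Infrastructure Master {0} is a Global Catalog while other DCs are not; ' +
                   'cross-domain references will stop being updated.' -f $imDc.HostName)
}
```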


Transferring FSMO roles

You usually transfer FSMO roles when you have multiple domain controllers and you don’t want all the roles to sit on one box (as a safety precaution), or when you are upgrading your domain controllers using a swing migration. Best practice is to put the forest roles on one DC and the domain roles on another.


Transferring the schema master

Transferring the schema master is a little bit different than the other roles because the Active Directory Schema snap-in must be connected to the schema master in order to perform this procedure.

[important]To be able to transfer the schema master role you must be a member of the Schema Admins group.[/important]

To start, open a Run command, type regsvr32 schmmgmt.dll and press Enter.


Once the snap-in has been registered successfully, open a Run command again and type mmc. From the File menu go to Add/Remove Snap-in.


Select the Active Directory Schema snap-in then click Add and OK.


Now, if the console was opened on a different domain controller than the one you want to transfer the schema master role to, you will have to right-click the Active Directory Schema snap-in and choose Change Active Directory Domain Controller. From the list of domain controllers, select the target domain controller and click OK.


You will get an information message. Just click OK, because we don’t want to modify the schema, we only want to transfer the role to another domain controller.


You should now be connected to the target domain controller. Right-click the Active Directory Schema snap-in and choose Operations Master.


In the Change Schema Master window, take another look to make sure the right domain controller is listed in the targeted schema FSMO holder box. If everything looks good, click the Change button, then hit Yes on the warning message.


And the schema master role was transferred successfully.



Transferring the domain naming master

[important]In order to transfer the domain naming master role you must be a member of the Enterprise Admins group.[/important]

To transfer this role open Active Directory Domains and Trusts,


right-click the server name and choose Change Active Directory Domain Controller. Select the domain controller you want to transfer the role to and click OK. You only need to do this if you opened the console on a different domain controller than the target server.


Now right-click the server again and choose Operations Master.


To transfer the role, just hit the Change button and click Yes on the warning message.


The role should then transfer.



Transferring the PDC, RID and Infrastructure master

[important]To be able to transfer the domain roles you must be a member of the Domain Admins group.[/important]

Now it’s time to migrate the three domain roles, which can be done using the Active Directory Users and Computers console. Yes, all three roles can be migrated from this one console. Just like before, if you are not doing this from the target domain controller, you will need to change it in the console by right-clicking the server name and choosing Change Domain Controller.


In the Change Directory Server window, select the domain controller you want to transfer the domain FSMO roles to and click OK.


Once connected to the target domain controller, right-click the domain name and choose Operations Masters.


And as before, all you have to do is click the Change button then Yes on the warning message to transfer the role. Repeat this operation for the other two roles.


At the end, all three should show as transferred.



Transferring FSMO roles using the command line

All of the above worked out just great, but what if you don’t like clicking around and opening all those different windows? Or maybe your domain controllers are running the Server Core edition. FSMO roles can also be transferred from the command line using the ntdsutil command:

Type ntdsutil and press Enter.

C:\>ntdsutil

Type roles and Enter again.

ntdsutil: roles
fsmo maintenance:

Now type connections and press Enter.

fsmo maintenance: connections
server connections:

This is the part where you need to put the target domain controller in the command. Type connect to server <server name> and press Enter, where <server name> is the name of your target domain controller.

server connections: connect to server Server-DC2
Binding to Server-DC2 ...
Connected to Server-DC2 using credentials of locally logged on user.
server connections:

Once you are connected to the domain controller, type q to quit and go up a level, to the fsmo maintenance section.

server connections: q
fsmo maintenance:

Now, depending on what role you want to transfer, type transfer <role>. For example, to transfer the schema master role, you would type transfer schema master. The available commands are:

transfer naming master
transfer infrastructure master
transfer PDC
transfer RID master
transfer schema master


Everything worked out great since all the domain controllers were up and running. But what if that’s not the case?

</gr_replreplace>
<gr_replace lines="176" cat="clarify" orig="You usually have to seize">
You usually have to seize FSMO roles when the domain controller that was holding them fails or goes offline for a long period of time. When that happens you will get different error messages, depending on which role is offline. If the schema master is not reachable and you try to install Exchange Server, for example, you will get a lot of errors when you try to extend the schema. The messages differ depending on the application you are trying to install that needs a schema extension or modification.

Seizing FSMO roles

You usually have to seize FSMO roles when the domain controller that was holding them fails or goes offline for a long period of time. If that happens you will get different error messages, depending on what role is offline. If the schema master is not reachable and you try to install Exchange server for example, you will get a lot of errors when you try to extend the schema. The messages might be different and it all depends on the application type you are trying to install and needs a schema extension/modification.

The Active Directory schema isn’t up-to-date, and this user account isn’t a member of the ‘Schema Admins’ and/or ‘Enterprise Admins’ groups.

Global updates need to be made to Active Directory, and this user account isn’t a member of the ‘Enterprise Admins’ group.

The local domain needs to be updated. You must be a member of the ‘Domain Admins’ group and ‘Organization Management’ role group, or ‘Enterprise Admins’ group to continue.

Setup encountered a problem while validating the state of Active Directory: Setup has determined that the schema master domain controller <your DC> is not available or cannot be contacted.  See the Exchange setup log for more information on this error.


Now, if you try to add or remove a domain in the forest and the domain naming master is offline, the following message is displayed:

Verification of child domain inputs failed. You cannot create a new domain at this time because the domain naming master <your DC> is offline.


The operation failed because:
The wizard could not authenticate to Active Directory Domain Controller Server-DC2.vkernel.local using the supplied credentials.
“The RPC server is unavailable.”


And now the most used FSMO role, the PDC emulator. If this one is offline, you will get a lot of messages when opening the Directory Services consoles.


If the RID master does not respond and the RID pool is exhausted on the rest of the domain controllers, you will not be able to create objects in Active Directory anymore. In the example below, I disconnected the RID master from the network and then used a script to create more than 500 user accounts in AD to deplete the RID pool of my other domain controller. As you can see, I started to get errors and was no longer able to create objects in AD.


If you start to see any of the errors or symptoms mentioned above, you should check the FSMO roles and see whether they are online and working properly. If they are not, and the DC they were running on can’t be brought back online, you will need to seize the role(s).

[warning]The seizing operation should be performed only if you are absolutely sure the original FSMO role owner will not be brought back into the environment.[/warning]

The seizing process does not have a GUI, so it has to be done from the command line using ntdsutil.

Type ntdsutil and press Enter.

C:\>ntdsutil

Type roles and Enter again.

ntdsutil: roles
fsmo maintenance:

Now type connections and press Enter.

fsmo maintenance: connections
server connections:

Here you have to put the domain controller that will receive the FSMO role(s) in the command. Type connect to server <server name> and press Enter, where <server name> is the name of your target domain controller.

server connections: connect to server Server-DC
Binding to Server-DC ...
Connected to Server-DC using credentials of locally logged on user.
server connections:

Once you are connected to the domain controller, type q to quit and go up a level, to the fsmo maintenance section.

server connections: q
fsmo maintenance:

Now, depending on what role you want to seize, type seize <role>. For example, to seize the schema master role, you would type seize schema master. The available commands are:

seize naming master
seize infrastructure master
seize PDC
seize RID master
seize schema master

You will get a message to confirm the action. If you are sure that you want to seize the role, press Yes.


It will take a few moments, because the tool first tries to contact the old owner of the FSMO role, and only after that fails does it actually seize the role.


And it’s done, the FSMO role was seized successfully. Now let replication do its magic. One important note to make here again: make sure you don’t bring the old domain controller that held the FSMO role you just seized back onto the network (in case you make it work somehow); it will just mess up the topology.
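As an added example (not the article’s own procedure), the following PowerShell does what the ntdsutil transfer and seize sessions above do, using the ActiveDirectory module’s Move-ADDirectoryServerOperationMasterRole cmdlet: it transfers a role while the current holder still answers, and falls back to seizure (-Force) only when it does not. It assumes the RSAT ActiveDirectory module and the appropriate Schema, Enterprise or Domain Admins membership; the target name Server-DC is taken from the article’s session, and Move-FsmoRole is a helper name chosen here.

```powershell
# Added example, not from the original article.
# Transfer a FSMO role, or seize it only when the current holder is confirmed unreachable.
# Assumes the RSAT ActiveDirectory module; 'Server-DC' is the target from the article,
# Move-FsmoRole is a helper name chosen for this example.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string] $Role
    )

    # Find the current holder: forest-wide roles come from the forest object,
    # domain-wide roles from the domain object (property names match the role names).
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }
    Write-Host "$Role is currently held by $holder"

    # A graceful transfer is always preferred: the old holder learns it no longer owns the role.
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        return 'transferred'
    }

    # -Force is the cmdlet's equivalent of ntdsutil 'seize': it attempts a transfer first and
    # seizes when that fails. As the article warns, the old holder must not come back online
    # afterwards with the role still on it.
    Write-Warning "$holder is unreachable; seizing $Role on $TargetDC"
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    return 'seized'
}

# Usage: move all five roles to Server-DC, e.g. after the DC that held them failed.
foreach ($r in 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster') {
    Move-FsmoRole -TargetDC 'Server-DC' -Role $r
}
```

Afterwards, re-run the role inventory (netdom query fsmo, or the forest and domain properties used above) to confirm that every role now points at the new holder before letting replication settle.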

As you can see, transferring or seizing FSMO roles is not a difficult process, but sometimes it is necessary. Also, knowing what each role does is important, because that way you know what to expect and how to fix the problem.



6 thoughts on “How to transfer or seize Flexible Single Master Operations (FSMO) roles”

  • 03/10/2017 at 07:52

    It’s so simple to understand.
    Very helpful.
    Thanks sir.

  • 26/07/2017 at 22:15

    I love that you typoed “three” as “tree” in the midst of talking about “forest wide” roles in the first paragraph. Made me smile. Great article, appreciate the write-up.

  • 16/02/2016 at 17:28

    This helped me out immensely.

    Thanks for posting.

    -Dano
