How-to: Transfer or seize FSMO roles
July 13 2010
Caution: Using ntdsutil or adsiedit incorrectly may result in partial or complete loss of Active Directory functionality!
FSMO roles
- Schema master – forest-wide, one per forest
- If the role is not available: the schema cannot be extended. In the short term nobody will notice a missing schema master unless a schema upgrade is planned during that time
- If this role is seized, the server from which it was taken must never be brought back onto the network – wipe and reload! The old holder still believes it owns the role, and two schema masters can accept conflicting schema changes
- Domain naming master – forest-wide, one per forest
- If the role is not available: you will not miss it unless you add or remove a domain (or an application directory partition) with DCPROMO
- If this role is seized, the server from which it was taken must never be brought back onto the network – wipe and reload!
- RID master – domain-specific, one for each domain
- If the role is not available: chances are good that the existing DCs have enough unallocated RIDs in their current pools to last for some time (unless you create hundreds of user or computer objects per week). A DC that exhausts its pool can no longer create security principals
- If this role is seized, the server from which it was taken must never be brought back onto the network – wipe and reload! A returning RID master can hand out RID pools that overlap pools already issued, producing duplicate SIDs
- PDC emulator – domain-specific, one for each domain
- If the role is not available: it will be missed soon. NT 4.0 BDCs cannot replicate, there is no authoritative time source for the domain, you will probably not be able to edit or troubleshoot Group Policy (the editor connects to the PDC emulator by default), and password changes and account lockouts will misbehave (the PDC emulator receives urgent replication of password changes and is consulted on failed logons)
- If this role is seized, the server from which it was taken can be brought back online and the role transferred back
- Infrastructure master – domain-specific, one for each domain
- If the role is not available: group memberships that reference objects in other domains may show stale or incomplete names after those objects are renamed or moved. If you only have one domain there is no impact
- If this role is seized, the server from which it was taken can be brought back online and the role transferred back
General Notes
- Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.
- If the load on the FSMO holder justifies a move, place the RID and PDC emulator roles on separate domain controllers in the same domain and Active Directory site that are direct replication partners of each other
- As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. There are two exceptions to the "do not place the infrastructure master on a global catalog server" rule:
- Single domain forest
- Multi-domain forest where every domain controller in a domain holds the global catalog
Netdom (check for roles)
To find the role holders from any DC with netdom (part of the Windows Support Tools on Windows Server 2003, built in from Windows Server 2008; the output is only as trustworthy as AD replication and health), type netdom query /domain:<domain> fsmo (or simply netdom query fsmo for the current domain)
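The following script is an added example, not part of the original article. It lists every FSMO holder in the forest (the PowerShell counterpart of netdom query fsmo) and then checks the two placement rules from the General Notes above: RID master and PDC emulator on the same DC, and no infrastructure master on a global catalog unless the forest has a single domain or every DC in the domain is a GC. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and a domain account with read access to the directory.

```powershell
# Added example (not from the original article): enumerate FSMO holders and
# flag placements that break the guidance in the General Notes.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$domainCount = @($forest.Domains).Count
Write-Host "Schema master        : $($forest.SchemaMaster)"
Write-Host "Domain naming master : $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host ""
    Write-Host "Domain: $($domain.DNSRoot)"
    Write-Host "  RID master            : $($domain.RIDMaster)"
    Write-Host "  PDC emulator          : $($domain.PDCEmulator)"
    Write-Host "  Infrastructure master : $($domain.InfrastructureMaster)"

    # Rule 1: keep RID master and PDC emulator together unless load forces a split.
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        Write-Warning "  $($domain.DNSRoot): RID master and PDC emulator are on different DCs"
    }

    # Rule 2: infrastructure master on a GC is only acceptable in the two exception cases.
    $dcs   = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $allGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $im    = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domain.DNSRoot
    if ($im.IsGlobalCatalog -and $domainCount -gt 1 -and -not $allGC) {
        Write-Warning ("  $($im.HostName) holds the infrastructure master and is a GC in a " +
                       "multi-domain forest where not every DC is a GC; phantom records for " +
                       "cross-domain group members will not be updated")
    }
    # A role holder that is offline surfaces here as an error from Get-ADDomainController,
    # which is itself a useful signal before the seizure procedure below is considered.
}
```

Run it from any domain member with RSAT; an error on the Get-ADDomainController call for a role holder is the first hint that the holder is down and that the netdom output, which reads the same replicated attributes, may be stale.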
GUI Method
To find and/or transfer the RID Master, PDC Emulator, and Infrastructure Master via GUI (must be a member of Domain Admins)
- Open Active Directory Users and Computers
- Right-click the domain in question and select Operations Masters
- Select the tab for the role you wish to view; the dialog shows the current holder and, below it, the DC the console is connected to
- Click Change if you wish to transfer the role. The role moves to the DC the console is connected to, so use Change Domain Controller to connect to the intended new holder first
To find and/or transfer the Domain Naming Master via GUI (must be a member of Enterprise Admins)
- Open Active Directory Domains and Trusts
- Right-click the Active Directory Domains and Trusts node in the left pane and select Operations Master
- Click Change if you wish to transfer the role (connect to the new holder first with Change Active Directory Domain Controller on the same menu)
To find and/or transfer the Schema Master via GUI (must be a member of Schema Admins)
- Register the Schmmgmt.dll library: Start > Run, then type regsvr32 schmmgmt.dll
- From the Run command open an MMC console by typing mmc
- On the console menu, click File > Add/Remove Snap-in
- Click Add, then select Active Directory Schema
- Click Add, then Close, then OK
- Once it loads, right-click the Active Directory Schema node and select Operations Master (to move the role, first use Change Active Directory Domain Controller on the same menu to connect to the new holder)
- Click Change if you need to transfer the role
NTDSUTIL
To find the roles of a specific server:
- Type ntdsutil
- Type roles
- Type connections
- Type connect to server <servername>
- Type q
- Type select operation target
- Type list roles for connected server
- Type q until exited
To seize a role. Only do this as a last resort, when the current holder is dead and will not be brought back onto the network – use extreme caution!
- Identify which remaining DC holds the most recent copy of AD (check for recently created objects such as users, groups or machine accounts, and confirm its inbound replication is healthy with repadmin /showrepl). Any object that only ever existed on the failed DC is lost with it!
- Open an elevated command prompt and type ntdsutil
- Type roles
- Type connections
- Type connect to server <servername> (this is the DC that will receive the role)
- Type q
- Type seize <role>, where <role> is one of schema master, naming master, RID master, PDC, infrastructure master. ntdsutil first attempts a normal transfer and only seizes when the current holder cannot be contacted; confirm the prompt with Yes. If the old holder is still reachable, use transfer <role> at the same prompt instead
- Repeat until all required roles have been seized
- Type q until exited
- A DC whose roles were seized must not simply be switched back on. If it still boots, demote it with dcpromo (use dcpromo /forceremoval if it can no longer replicate) and, if it held the schema, domain naming or RID role, wipe and reload it. If it is gone for good, remove its stale NTDS Settings and server objects with ntdsutil metadata cleanup (on Windows Server 2008 and later, deleting the DC's computer account in Active Directory Users and Computers performs the same cleanup) so the rest of the domain stops trying to replicate with it
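The script below is an added example, not part of the original article, and shows the ntdsutil procedure above done with the ActiveDirectory module: for each role it tries a graceful transfer while the current holder still answers, and falls back to a seizure (the -Force switch, equivalent to ntdsutil seize) only when it does not. It then re-reads the directory to confirm the move. Host names are placeholders, and it assumes Windows Server 2008 R2 / RSAT or later, a domain-joined session, and Domain Admins rights (Enterprise Admins and Schema Admins if the forest roles are added to the list).

```powershell
# Added example (not from the original article): transfer or seize FSMO roles
# with Move-ADDirectoryServerOperationMasterRole. $target is an assumed host name.
Import-Module ActiveDirectory

$target = 'DC02.corp.example.com'                         # DC that will receive the roles (placeholder)
$roles  = @('RIDMaster', 'PDCEmulator', 'InfrastructureMaster')
# $roles += 'SchemaMaster', 'DomainNamingMaster'           # forest roles: needs Enterprise/Schema Admins

function Get-FsmoHolders {
    # One hashtable: role name -> FQDN of the DC that currently holds it.
    $f = Get-ADForest
    $d = Get-ADDomain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
foreach ($role in $roles) {
    $holder = $before[$role]
    if ($holder -like "$target*") { Write-Host "$role is already on $target"; continue }

    # Liveness check. ICMP is crude (it may be filtered); when in doubt also run
    # 'repadmin /showrepl <holder>' before concluding that a seizure is justified.
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        # Graceful transfer: both DCs agree, the old holder may stay in the domain.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role -Confirm:$false
        Write-Host "$role transferred from $holder to $target"
    } else {
        # Seizure. The old holder still believes it owns the role; if this is the
        # schema, domain naming or RID role it must never rejoin the network.
        Write-Warning "$holder unreachable; seizing $role. Do not reconnect $holder without a wipe and reload."
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role -Force -Confirm:$false
    }
}

# Verify against a fresh read of the directory rather than trusting the cmdlet's return.
$after = Get-FsmoHolders
foreach ($role in $roles) {
    if ($after[$role] -like "$target*") { Write-Host "OK   $role -> $($after[$role])" }
    else                                { Write-Error "FAIL $role is still on $($after[$role])" }
}
```

Run it on the DC that will receive the roles, or on a management host with RSAT, after the replication check described in the first step of the procedure; the verification loop is the equivalent of the ntdsutil list roles for connected server step and should be repeated from a second DC once replication has converged.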