Windows Server 2003 – How to Transfer FSMO Roles

FSMO (Flexible Single Master Operations)

Remember that in the acronym FSMO, the word Flexible means that you can move the role to a more suitable domain controller.  There are two scenarios for transferring the FSMO roles, the first is a planned transfer where the original FSMO Operations Master is up and running.  Alternatively, if the original FSMO master has been stolen, corrupted or otherwise unavailable then you need NTDSUTIL

Topics for Transferring the FSMO Master.

• Planning the FSMO Transfer
• Where to Find the 5 FSMO Operation Masters
• Pull those Operations Masters
• At Last – We get to Press the Change Button
• NTDSUTIL
• Summary – FSMO transfer

  ‡

Planning the FSMO Transfer

As a matter of planning strategy, decide if this move is a short term fix, or part of a long term transfer of role.  Another consideration is do you want all the roles on the same Domain Controller.  The answer is probably not, for example, best practice suggests that the Infrastructure master should not be on a Global Catalog.

If the Global Catalog server and Infrastructure Master are on the same server, the Global Catalog no longer updates information.  You can either just accept this peculiarity, or research why it thinks it knows best and does not need to replicate.  This is only a problem in a multi-domain forest.

Your planning should also take into account the fact that each domain has its own RID, PDC and Infrastructure Master, while there is only one Schema and one Domain Naming Master for the entire Active Directory Forest.

Finally a minor consideration, have you the correct rights, for example, do you have access to an account, which is and Enterprise Administrator and Schema Administrator.

Where to Find the 5 FSMO Masters

Three of the FSMO Operational Masters are found under the domain in Active Directory Users and Computers.  The FSMO roles found here are: RID, PDC and Infrastructure masters.  right-click on the domain name (cp.com in diagram) then select Operations Masters.

The Domain Naming Master is tucked away under the Active Directory Domains and Trusts.  While the hardest FSMO master to find is the Schema Master, the reason being you first have to register the schema snap in with the command: Start, Run Start, regsvr32 schmmgmt.dll.

Now that you have located the 5 Operation Masters, the technique to transfer ownership is the same in each case.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

Pull those Operations Masters

The key concept is Pull.  Make sure that you are connected to the destination server.  This is really such a simple point but once you have grasped the concept, the knack transferring FSMO roles will be easy.  Sorry to harp on, but unless you make the new FSMO domain controller the focus for the MMC snap in, trust me, you will be frustrated.

At Last – We get to Press the Change Button

Now that you have the ‘focus’ on the new Operations Master, your transfer will proceed smoothly.  After double checking that the server names are the correct way around, just click on the Change Button.

Now it’s on to the next Operations Master, remember that there are 5 roles.  Although some Forests may have more than one RID, PDC and Infrastructure master, usually you only need to take one server out of commission at a time.  However if you are taking the opportunity to restructure your FSMO roles then you may have to make more than 5 changes.

NTDSutil

NT directory service utility (NTDSutil) reminds me of UNIX or mainframes.  What you get with NTDSutil is command line program with powerful verbs that can dramatically affect the operating system.  Rather like ESEutil you should take every opportunity to practice with NTDSutil, so that when you have to use it in anger you will know what you are doing.  Even so backup because there are no safety checks and the wrong command can wreak havoc.

When you are configuring FSMO with NTDSutil, the command that is,
Seize PDC  (or Seize RID etc).  However, as soon as you execute NTDSutil you realize how many different jobs this utility has.

  Make use of help at every NTDSutil prompt

Sample NTDSutil command session

ntdsutil, roles  –  help
connections – help
connect to server yourserver (change yourserver but include the word ‘to’)
seize pdc (or other FSMO Role)

Additional ideas to troubleshooting FSMO

Summary – FSMO transfer

Before you learn the knack of transferring the FSMO or Operations Master, take a minute to plan which Domain Controllers should hold which roles.  It is possible that existing servers have inappropriate roles, for example if your forest has grown, the Schema master is best in the Root domain. 

(There is a also an important Global Catalog Role, however its not a FSMO as you can have more than one Global Catalog.  See more on Global Catalog Server)

More Windows Server 2003 topics:

• Global Catalog Server   •Exchange Global Catalog Server  • Schema Admin

• FSMO Roles   • FSMO Advice   • FSMO Transfer  • FSMO Transfer Example