Do you need to transfer FSMO roles to another domain controller?
No problem, it is very easy to do.
In this tutorial, I’ll show you step-by-step instructions to transfer the FSMO roles from one domain controller to another. I’ll show you two methods: the first is using PowerShell and the second is using the ADUC GUI.
Why Transfer FSMO roles?
By default, when Active Directory is installed all five FSMO roles are assigned to the first domain controller in the forest root domain. Transferring FSMO roles is often needed for several reasons including:
- Upgrading the operating system
- Changing IP addresses on a domain controller
- Demoting a domain controller
- Taking a domain controller offline for maintenance
- Performance issues
It is recommended to only transfer FSMO roles when the current role holder is operational and is accessible on the network. For a complete list of considerations see the MS article Transfer or seize FSMO Roles in Active Directory Services.
Step 1: List Current FSMO Role Holders
Before moving the FSMO roles it is a good idea to check which domain controllers hold which roles.
You can list which domain controllers hold FSMO roles with these two PowerShell commands:
Get domain level FSMO roles
Get-ADDomain | select InfrastructureMaster, PDCEmulator, RIDMaster
Get forest level FSMO roles
Get-ADForest | select DomainNamingMaster, SchemaMaster
Below is a screenshot of the results in my domain.
List of installed roles in my domain:
- InfrastructureMaster is on DC1
- PDCEmulator is on DC2
- RIDMaster is on DC2
- DomainNamingMaster is on DC1
- SchemaMaster is on DC1
I want to move all the roles from DC2 to DC1. I’ll demonstrate this below.
Step 2: Transfer FSMO Roles
I’ll first demonstrate transferring roles with PowerShell. It is by far the easier option of the two (in my opinion).
Log into the server that you will be transferring the roles to. In my case it is DC1.
To move a role with PowerShell, use the Move-ADDirectoryServerOperationMasterRole cmdlet with the hostname of the server to transfer to, followed by the name of the role.
Transfer PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" PDCEmulator
Transfer RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" RIDMaster
Transfer InfrastructureMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" InfrastructureMaster
Transfer DomainNamingMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" DomainNamingMaster
Transfer SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" SchemaMaster
Here is a screenshot of when I moved PDCEmulator and RIDMaster to DC1.
Now if I re-run the commands to list the FSMO roles I should see them all on DC1.
Yes, I have confirmed all the roles are now on DC1. As you can see moving FSMO roles with PowerShell is very easy to do.
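The PowerShell procedure above as a single script, added here as an example (it is not from the original article): it records the current holders, stops if a holder is unreachable, moves only the roles the target does not already hold, and re-checks the result. The `Get-FsmoHolders` helper and the `$Target` value are assumptions for illustration.

```powershell
# Added example: transfer any FSMO roles not already on the target DC, then verify.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to move the roles
# (Schema Admins membership is needed for SchemaMaster, as noted in the article).
Import-Module ActiveDirectory

$Target = 'dc1'   # hostname used in the tutorial; change for your environment

function Get-FsmoHolders {
    # Hypothetical helper: returns a hashtable of role name -> FQDN of current holder
    $domain = Get-ADDomain
    $forest = Get-ADForest
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Resolve the target first so a mistyped name fails before any role is touched
$targetDc = Get-ADDomainController -Identity $Target -ErrorAction Stop
$before   = Get-FsmoHolders

# Transfer (not seizure) needs the current holder online. ICMP is only a rough
# reachability check and may be blocked by a firewall in some environments.
foreach ($holder in ($before.Values | Sort-Object -Unique)) {
    if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
        throw "Current role holder $holder is unreachable; not transferring."
    }
}

# Move one role at a time, skipping roles the target already holds.
# The cmdlet's own confirmation prompt is left in place for each move.
$roles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'
foreach ($role in $roles) {
    if ($before[$role] -eq $targetDc.HostName) { continue }
    Write-Host "Moving $role from $($before[$role]) to $($targetDc.HostName)"
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc.HostName `
        -OperationMasterRole $role -ErrorAction Stop
}

# Verify: every role should now report the target DC
$after = Get-FsmoHolders
$after.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$stray = $after.GetEnumerator() | Where-Object { $_.Value -ne $targetDc.HostName }
if ($stray) { Write-Warning "Roles not on $($targetDc.HostName): $($stray.Name -join ', ')" }
```

Keeping the before and after tables with the change record gives a simple audit trail of which domain controller held each role and when it moved.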
Now let’s see how to transfer FSMO roles using the Active Directory Users and Computers GUI.
Transfer FSMO Roles Using ADUC GUI
Just like PowerShell you need to log into the server that you will be transferring to. I’m transferring from DC2 to DC1 so I’ll log into DC1.
Open the Active Directory Users and Computers console, then right-click on the domain and click on operations masters.
You should now see a screen with three tabs (RID, PDC, and Infrastructure).
To transfer one of these roles, just click on the change button. You can’t select which domain controller to transfer the role to, which is why you need to log into the server that you want to transfer to. If I wanted to transfer the RID role to DC3, I would log into that server.
To transfer the domain naming operations master role you will need to open Active Directory Domains and Trusts. Right-click on “Active Directory Domains and Trusts” and select “Operations Master”.
Now click change to transfer the role to another DC.
To transfer the schema master role follow these steps.
Note: You need to be a member of the “Schema Admins” group to transfer the schema master role.
Open a command line and run the command regsvr32 schmmgmt.dll
Next, you need to open an MMC console. To do this, click on Start, type mmc, and click the icon.
Next, click File, then Add/Remove Snap-in
Add “Active Directory Schema” from the list and click ok.
Right click on “Active Directory Schema” and change the domain controller to the server you want to transfer the role to.
In this example, I’ll change the domain controller to DC2.
Now you can right-click on Active Directory schema and select “Operations Master” to transfer the schema master role.
Confirm the role is changing to the correct DC and click the “change” button.
As you can see, transferring FSMO roles with the GUI takes a lot of extra steps, and that is why I prefer to use PowerShell. But if you are not into PowerShell then the GUI works just fine.
Summary
Moving FSMO roles to another server is not a daily task but is necessary at times. Microsoft recommends the server be online when moving roles. The steps in this tutorial should help you when it comes time to move roles.
You probably want to collapse the entire Step 1 into running just a single command
netdom query fsmo
You may want to leave the PDC Emulator segment for the last of the 5 if you’re doing this. And these should be done one at a time obviously to avoid any issues. But great document overall. I had to migrate FSMO roles today for the first time and feedback from this article is actually going to be listed as an internal document. Thanks so much for your help with this topic!
May want to add that you need to be a member of the Schema Admins group to transfer the Schema master role
Thanks. I have updated the article.
Following the steps provided above, I successfully moved all 5 FSMO from the primary DC on server 2012 to the secondary/new DC at server 2022. The DHCP server and static IP are also correctly moved and updated at the new DC (server 2022). Question: How come all the workstations still see the old DC (on 2012) as the DNS? Is that because I’ve not raised the domain and forest functional levels (from DC at 2012 server) to the new DC at server 2022? If yes, could you show me the steps for doing so? Thanks,
Workstations IP settings would not change until they release and renew. If you reboot one, does it get the correct IP settings?
We have a parent domain (five FSMO roles) and a child domain holding three roles (PDC, RID and IM). I am planning to move the FSMO roles on the parent domain to a new domain controller, so do I need to do or check anything on the child domain controllers before I move the roles on the parent? Any expected issues after the FSMO roles move on the child domain?
Hi Robert.
Thanks, it was a very helpful and useful article.
You’re a lifesaver.
Thanks for the feedback.
Hi… if I do it via PowerShell, do I need to follow any order?
I’m not sure if order matters. Looking at Microsoft’s documentation this is the order they have.
1. Schema Master
2. Domain Naming Master
3. RID
4. PDC
5. Infrastructure
Order does not matter.
Hi Robert
Many thanks for this perfect guide. I upgraded a Windows Server 2008 DC to Windows 2019 using your incredible article without facing any major issue.
Thanks again.
You are welcome.
Quick question … prior to doing this, was the server that “will be” the new DC promoted as a domain controller?
For example, our current DC is a 2008R2 physical server, old and we are getting away from it. We built a new virtual Server 2022, and installed all the ADDS, DNS, DHCP, etc. roles. Do we promote it to a domain controller FIRST before we begin the above steps?
You will need to add a new domain controller and then you can transfer the roles.
Thank you. Huge! Appreciate your response
In reference to Transferring Roles from old DC to new DC … will the client computers get NEW profiles, or will they keep the same desktop profiles? Would hate to do all this, and when logging into new domain, we have to redo everything. Trying to avoid this.
Also, how does this affect the user data on the server? The map drives will all have the old location, unless resigning into the new domain rewrites the maps?
Computers will keep the same profiles. If the old DC is running other services or apps (file server, print server, DHCP) you will need to migrate them to another server before shutting it down.
Got it! Thank you!! Again .. your step by steps are right on!!
You’re awesome with this!! Thank you
Hello? Do you even reply?
Thank you Allen. My question is: we have DC01 with Windows Server 2012R2 in Azure, and all our local office DCs were configured using it (promoted using Azure DC01). Due to an AAD sync issue, we have configured another DC in Azure, DC02, with Windows Server 2016, promoted it using Azure DC01, and configured the AAD Connector.
Now we have to move FSMO from Azure DC01 to Azure DC02 and then shut down Azure DC01.
When we do this, will our local office DCs automatically take Azure DC02 as the root DC, or do we have to demote all local DCs from Azure DC01 and promote them again using Azure DC02? This is my question, please clarify. Thank you.
When the roles are moved, the other active domain controllers within the domain/forest will see the changes. And it doesn’t matter which DC you used to promote new ones, once they are part of the domain, they’re all equals.
Back in the day I had to seize the FSMO roles from a crashed domain controller and the remaining active ones happily accepted the DC that seized the roles as the new FSMO role holder.
When we change FSMO to DC1, how do we handle the local AD servers that were already promoted using DC02? Will they all automatically sync with DC02, or do we need to demote and promote them using DC01?
Are you asking how to demote or remove DC02 after transferring the FSMO roles? I’ve got a complete guide on demoting a domain controller. https://activedirectorypro.com/demote-domain-controller/
The schema master GUI instruction is incorrect.
You need to change the Active Directory domain controller first and then go to the Operations Master moving step.
Thanks, I have updated it.