SysAdmin Talk

When you configure the first Domain Controller for your organization using the Active Directory Installation Wizard (or dcpromo for short), it is configured with all five FSMO roles by default. Here I will cover how you can view and transfer the specific FSMO roles of various Domain Controllers in your domain. As this is a short how-to article, I won’t go into the specific details of when you would need to transfer roles, but in short you may want to take a certain domain controller down for maintenance one day and may find it necessary to transfer some, or all of these roles.

To start with you will obviously require more than one Domain Controller in your Windows domain. In my case I have a “Primary” and “Secondary” domain controller called “NOOBS-DC1″ and “NOOBS-DC2″.

Transferring roles

RID, PDC or Infrastructure roles:

Start by opening Active Directory Users and Computers on the DC you want to change the role to. Right-click your domain name and select “Operation Masters” from the context menu.

Select the tab corresponding to the role you would like to transfer. Below this you should be able to see the name of the DC you are currently on, or connected to. Click the “Change” button to change the role over to the DC listed.

Confirm the change when asked, at which point you should receive a message stating that the procedure was successful.

Remember that this method can be used to transfer any of the RID (Relative ID), PDC (PDC Emulator) or Infrastructure roles. Just select the role you want to transfer by using the relevant tab.

Domain Naming Master role

Again, start on the DC that you would like to transfer this role to. Open Active Directory Domains and Trusts, then right-click the top level that reads “Active Directory Domains and Trusts” then select “Operations Master” from the context menu.

Check that the DC listed is the machine you would like to change the role to, then click “Change”.

Confirm the change – If all went well you should now receive a message stating the transfer was a success.

Note that you can also use the “Connect to Domain Controller” option in the context menu to connect to the DC you would like to transfer the role to. Access this by right-clicking “Active Directory Domains and Trusts” and then selecting the “Connect to Domain Controller” option. Here is what the Connect to Domain Controller window should look like:

Schema Master role

The Schema master role needs a little bit of extra work to change as the MMC snap-in you use is usually hidden. We will first need to register a .dll file before we are able to access this.

Again, start on the DC you would like the change the role to. Open a command prompt window and type in “regsvr32 schmmgmt.dll” then press Enter. You should receive a message stating the .dll was registered.

Now open a brand new MMC console. (Start -> Run -> type in “mmc” then press Enter). Select “File” then “Add/remove Snap-in” and click the “Add” button. You should see our newly added snap-in called “Active Directory Schema”. Select this option, then click “Add” and then “Close”. Click the “OK” button to go to back to your MMC.

Right-click “Active Directory Schema [your DC name]” and select “Change Domain Controller” if you are not already connected to the DC that you would like to inherit the role. Specify the DC’s name and confirm. In the screenshots below, I was defaulted to being connected to the DC1 server when loading the snap-in, but wanted to change to DC2 as this was the server that was going to be receiving the “Schema Master” role.

Right-click “Active Directory Schema [your DC name]” and select “Operations Master”. Finally, click the “Change” button to initiate the change. Confirm by click “Yes”, and you should receive a success message.

That should cover the basics of transferring your five FSMO roles between Domain Controllers. In the next part we’ll take a practical look at how to seize roles using the ntdsutil.exe command.