SysAdmin Talk

When you configure the first Domain Controller for your organization using the Active Directory Installation Wizard (or dcpromo for short), it is configured with all five FSMO roles by default. Here I will cover how you can view and transfer the specific FSMO roles of various Domain Controllers in your domain. As this is a short how-to article, I won’t go into the specific details of when you would need to transfer roles, but in short you may want to take a certain domain controller down for maintenance one day and may find it necessary to transfer some, or all of these roles.

To start with you will obviously require more than one Domain Controller in your Windows domain. In my case I have a “Primary” and “Secondary” domain controller called “NOOBS-DC1″ and “NOOBS-DC2″.

In an Active Directory domain running at the Windows Server 2003 or higher functional level  the lastLogonTimestamp attribute can be used to find out if a user or computer has logged on to the domain recently.  This can be useful information for finding inactive user and computer accounts so that they can be removed from AD.