
How to move FSMO Roles between Domain Controllers January 4, 2010

Posted by General Zod in Advice, Microsoft, Tech.

A long time ago (back when a Windows 2000 domain was still considered relatively new tech), I was doing some freelance support for various organizations.  During this time, I was presented with the following message from a client:

I’ve been moved into the “Domain Administrator” job at my company.  I’ve been trying to learn as I go, but I have one task that I need to get done before the end of the week.  My manager has asked that I shutdown one of our domain controller servers.  He made a point of telling me to move the fizzmoe roles before I do so, but I have no idea what he’s talking about.  Can you assist me?

Greg C.
Round Hill, VA

Usually when I’m asked for technical assistance, I respond with a strictly technical answer.  However, in this case, I thought it best to offer Greg some advice as well.  The following is what I sent to him…

Greg,

Honestly, your message scares me a bit.  I can tell you how to handle this; but since you are new to this position the first thing I would recommend is that you go to your boss and explain that you do not have the proper technical experience.  I know that it is difficult to admit you do not know how to do something, but it’s better than having your boss discover this fact later after something breaks due to your inexperienced actions.

It is entirely possible that your boss could be testing you.  He might be looking to see if you either know what you are doing… or… to see if you will ask for help.  From what you’ve said, it seems that your boss knows what he’s talking about… so I must assume the latter.  If you think you are fooling him, then think again.  Ask for his help… he’ll respect you more for it.

However, if you are dead set on performing this task on your own, then I will help out as best I can.

FSMO stands for “Flexible Single Master Operation”.  I have noticed that many admin-types have taken to calling them “Operations Masters”.

From your original letter, I’m assuming that you have multiple domain controllers in your environment.  If this is not true, then STOP!  If you only have one DC, then do NOT turn it off.  Instead, go directly to your manager and discuss the impact of performing this operation!

However, moving forward with the assumption that you have multiple DCs, you are going to need to figure out which DC houses each of your FSMO Roles.  There are 5 FSMO Roles for you to concern yourself with.

  • Schema Master manages changes to the Active Directory schema and their replication across the DCs.
  • Domain Naming Master manages the add/remove/change operations for domains.
  • Relative ID Master (or RID Master) allocates security RIDs to DCs to assign to users, groups, and computer objects in AD.
  • Infrastructure Master maintains Security IDs (or SIDs), Globally Unique Identifiers (or GUIDs), and Distinguished Names (or DNs) for objects in AD.
  • PDC Emulator is the favored DC for password authentication and replication across the DCs.  It emulates the old-style WinNT4 PDC.

I’m going to recommend that you read Microsoft Article # 197132 for additional information.

If you have XP on your desktop, you can use the NETDOM command to find out which of your DCs house the FSMO Roles.  (If you are using Windows 2000 Professional, then I believe you can download the NETDOM command as part of the Windows 2000 SP4 Support Tools pack… but don’t quote me.)

Invoke this command (substituting <domain_name> with the appropriate information):

NETDOM QUERY FSMO /DOMAIN:<domain_name>

And you should get output that resembles this:

Schema owner            dcserver1.domain.com
Domain role owner       dcserver1.domain.com
PDC role                dcserver1.domain.com
RID pool manager        dcserver1.domain.com
Infrastructure owner    dcserver1.domain.com
The command completed successfully.

In this example, you see all the FSMO Roles are on the same server.  If you can’t get NETDOM working, then fear not.  As you’ll soon see, there are other ways for you to determine which DC houses each of the FSMO roles.
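As an added example (not from the original post), here is the same query done with the ActiveDirectory PowerShell module, which ships with RSAT on Windows 7 / Server 2008 R2 and later and so postdates the NETDOM approach above. It assumes a domain-joined machine with the module installed and a Domain Admin-equivalent account; the domain name defaults to the caller's own.

```powershell
# Added example: list the five FSMO role holders and sanity-check them.
# Assumes the RSAT ActiveDirectory module; $Domain defaults to the caller's domain.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # assumed default

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest

    # Forest-wide roles live on the forest object, domain-wide roles on the domain object.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $dom.RIDMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    foreach ($r in $roles.GetEnumerator()) {
        # Pull the DC object so we also learn whether the holder is a Global Catalog.
        $dc = Get-ADDomainController -Identity $r.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role            = $r.Key
            Holder          = $r.Value
            IsGlobalCatalog = if ($dc) { $dc.IsGlobalCatalog } else { $null }
            Reachable       = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
        }
    }
}

$holders = Get-FsmoRoleHolder
$holders | Format-Table -AutoSize

# Checks worth doing before any move: one DC holding every role is a single point
# of failure, and an unreachable holder cannot be transferred from (only seized).
if (($holders.Holder | Sort-Object -Unique).Count -eq 1) {
    Write-Warning "All five roles sit on $($holders[0].Holder)."
}
$holders | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "$($_.Role) holder $($_.Holder) did not answer a ping."
}
```

The ping check is only a coarse liveness test; a holder that answers ping but has stopped replicating will still fail a transfer.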

I’m going to talk you through moving each role using the MMC GUI interface.  When you get more experienced, you will find other (and easier) ways to do this.  I’m going to assume that you’re sharp enough to follow some abridged instructions (rather than me having to type out “Click This -> Type That -> Press [Enter]”).  So try to keep up, and email me if you have any specific questions.

OK, here we go…

Set up the MMC:

  1. Start -> Run -> regsvr32 schmmgmt.dll
  2. Start -> Run -> mmc /a
  3. Click File -> Add/Remove Snap-In -> [Add]
  4. Select Active Directory Domains and Trusts -> [Add]
  5. Select Active Directory Schema -> [Add]
  6. Select Active Directory Users and Computers -> [Add]
  7. Click [Close] -> [OK]

Schema Master:

  1. Right-click the AD Schema object -> Select Change Domain Controller.  (Note the “Current DC” field indicates where the Role is currently housed.)
  2. Select Specify name -> Enter the Hostname of the DC which is to take over the Schema Master role -> [OK].
  3. RC (right-click) the AD Schema object -> Select Operations Master.
  4. Verify the Source and Target Server Hostnames.
  5. Click [Change].  (NOTE:  If the [Change] button is inaccessible, then your user account needs to be added to the Schema Admins group.)
  6. Confirm the Change -> [OK] -> [Close]

Domain Naming Master:

  1. RC on the AD Domains and Trusts object -> Select Connect to Domain Controller.
  2. Enter the Hostname of the TARGET domain controller -> [OK]
  3. RC on the AD Domains and Trusts object again -> Select Operations Master.  (Note the “Domain Naming Operations Master” field indicates where the Role is currently housed.)
  4. Verify the Source and Target Server Hostnames.
  5. Click [Change] -> Confirm the Change -> [OK] -> [Close]

RID Master, Infrastructure Master, and PDC Emulator:

  1. RC on the AD Users and Computers object -> Select Connect to Domain Controller.
  2. Enter the Hostname of the TARGET domain controller -> [OK]
  3. RC on the AD Users and Computers object again -> Select All Tasks -> Operations Master.  (Note the “Operations Master” field that indicates where each Role is currently housed.)
  4. Select the tab appropriate to the Role that is to be moved (RID, PDC, or Infrastructure).
  5. Verify the Source and Target Server Hostnames.
  6. Click [Change] -> Confirm the Change -> [OK] -> [Close]

Now that you have moved all of your roles, you are ready to retire your domain controller.  However, do NOT simply turn off your domain controller.  You NEED to demote it from a domain controller to a member server!  Go to the server you wish to retire, and run through these steps:

  1. Start -> Run -> DCPROMO
  2. When prompted, enter the local Administrator password.
  3. The demotion will begin.  Do NOT interrupt this process.  It may take several minutes to complete.
  4. Reboot the server upon completion.

BTW… if you have forgotten to migrate one of your FSMO Roles prior to demoting the domain controller, then DON’T PANIC!  During the demotion process, any FSMO Roles on the DC are AUTOMATICALLY moved to another randomly selected domain controller.  However, I find it’s best if you move them before you attempt to run the demotion.  (Problems have been known to happen.)
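An added PowerShell example (not the author's MMC procedure) that performs the transfers of the three sections above in one step and then confirms the retiring DC holds no role before DCPROMO is run. The hostnames dc01/dc02 are assumed, as are the ActiveDirectory module and an account in Domain Admins, Enterprise Admins and Schema Admins (the Schema Master move needs the last of these, as the MMC note says).

```powershell
# Added example: transfer all five roles to one DC, then prove the DC being
# retired holds none before DCPROMO. Hostnames below are assumed.
Import-Module ActiveDirectory

$Target   = 'dc02.domain.com'   # assumed: DC taking over the roles
$Retire   = 'dc01.domain.com'   # assumed: DC about to be demoted
$AllRoles = 'SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster'

function Get-RolesHeldBy([string]$Dc) {
    # Ask the DC itself (-Server) so a replica that has not caught up cannot hide a role.
    @((Get-ADDomainController -Identity $Dc -Server $Dc).OperationMasterRoles | ForEach-Object { "$_" })
}

# A transfer needs both the current holder and the new holder online. -Force would
# *seize* the roles instead and belongs only in recovery of a permanently lost DC.
if (-not (Test-Connection -ComputerName $Target -Count 1 -Quiet)) {
    throw "Target $Target is not reachable; not transferring."
}

"Before: $Retire holds $((Get-RolesHeldBy $Retire) -join ', ')"

Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $AllRoles -Confirm:$false

# Verify from both sides before anyone types DCPROMO on the old server.
$onTarget = Get-RolesHeldBy $Target
$missing  = $AllRoles | Where-Object { $_ -notin $onTarget }
$leftover = Get-RolesHeldBy $Retire

if ($missing -or $leftover) {
    throw "Transfer incomplete. Missing on ${Target}: $($missing -join ', '); still on ${Retire}: $($leftover -join ', ')"
}
"All five roles are on $Target and $Retire holds none; it is safe to demote $Retire."
```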

I hope this helps.

Zod

Comments»

1. Mery - January 23, 2010

Nice blog man!

2. How to Delete a Failed Domain Controller from Active Directory « Useful Glyphs - February 10, 2010

[…] the rest of your domain.  Did the failed DC hold any of the 5 FSMO roles?  If so… relocate them to a functional DC immediately.  Was the failed DC a global catalog server?  Do you need to promote another to a global […]

3. Subramanian - July 30, 2010

Nice man, gives a clear picture.

Thanks a lot

4. anuj - August 16, 2010

Thanks for such a nice post.
Regards
Anuj
http://www.winservers.co.in

5. Kris Turner - May 10, 2011

Thanks for a very clear and easy to follow post!

6. S> Moinul Hossain - February 9, 2012

That’s a great effort. Excellent!!!!!!!

7. Brad Martin - June 14, 2012

Clearest explanation on the web. Thanks G. Zod!

8. ZipZang - June 27, 2012

How to find which servers have the GC?

9. General Zod - June 27, 2012
10. suresh - October 23, 2012

Really, this is a very good explanation of these things.
