
Last Updated on August 7, 2025 by Arnav Sharma

In the world of Windows Server and Active Directory, understanding the concept of FSMO roles and their transfer is crucial for any IT professional. FSMO, standing for Flexible Single Master Operations, comprises five distinct roles essential for the smooth functioning of an Active Directory (AD) domain. This blog dives into the details of transferring FSMO roles, covering the why, when, and how, with a focus on both GUI and PowerShell methods.

Understanding FSMO Roles

Before transferring FSMO roles, such as the schema master role or the infrastructure master role, it’s important to understand what they entail. In a Windows Server Active Directory environment, certain roles are unique and can be held by only one domain controller at a time, hence the term “single master.” These roles are:

  1. Schema Master: Oversees all changes to the AD schema. The schema defines the structure of all objects in Active Directory (users, groups, computers, etc.). Before updating the schema, you must transfer this role to the DC where you’ll make the changes.
  2. Domain Naming Master: Controls the addition and removal of domains in the forest. If you need to create or delete a domain, this role must be held by the DC performing that operation.
  3. Infrastructure Master: Manages cross-domain object references. Ensures updates to object references across domains are maintained correctly. If an object (e.g., a user) in one domain is a member of a group in another domain, this role keeps that information up-to-date.
  4. Relative ID (RID) Master: Allocates blocks of unique Security Identifiers (SIDs) to each DC in the domain. SIDs are core to permissions and how objects interact in Active Directory. This role ensures no SIDs are duplicated.
  5. PDC Emulator: Vital for backward compatibility and various time-sensitive operations.

Why and When to Transfer FSMO Roles

Transferring FSMO roles is typically done during routine maintenance, like hardware upgrades or decommissioning of old domain controllers. It’s also necessary when the current role holder is malfunctioning or when you’re restructuring your AD environment.

Planning for Transfer

  • Assess which domain controller will be the new role holder.
  • Ensure proper trust relationships between the Active Directory domain controllers before you transfer a role such as the schema master role.
  • Verify that the target domain controller is properly synchronized and functional.

Transferring FSMO Roles Using GUI

  1. Active Directory Users and Computers (ADUC):

    • For the RID Master, Infrastructure Master, and PDC Emulator roles. Have all requirements in place before you start.
    • Right-click the target Active Directory domain controller and select “Operations Masters” to transfer these roles.
  2. Active Directory Domains and Trusts:

    • For the Domain Naming Master role.
    • Right-click the icon in the snap-in and select “Operations Master” when you want to transfer the role.
  3. Active Directory Schema:

    • For the Schema Master role.
    • Use the “Schema Master” option in the console after adding the AD Schema snap-in.
  4. MMC Console and NTDSUtil:

    • An alternative method for transferring roles using a graphical interface.

Transferring FSMO Roles Using PowerShell

PowerShell offers a more streamlined and scriptable approach, using the Move-ADDirectoryServerOperationMasterRole cmdlet. For example, to transfer roles to another DC:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC" -OperationMasterRole SchemaMaster, DomainNamingMaster

Replace “Target_DC” with the name of the domain controller you’re transferring the roles to and specify the roles you want to transfer.
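
The planning checks listed earlier (target exists, responds, and is synchronized) can be enforced in the same script that performs the transfer. This is an added example, not code from the original post; the target name 'DC02', the function name Test-FsmoTarget and the 24-hour staleness threshold are assumptions.

```powershell
# Added example, not the article's code. Requires the ActiveDirectory module (RSAT).
# 'DC02' and the 24-hour staleness threshold are assumptions for illustration.
Import-Module ActiveDirectory

function Test-FsmoTarget {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [int]$MaxReplicationAgeHours = 24
    )
    # The target must exist in AD as a domain controller.
    try { $dc = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop }
    catch { return "Cannot find domain controller '$TargetDC': $($_.Exception.Message)" }

    # The target must answer directory queries itself, not just exist as an object.
    try { $null = Get-ADRootDSE -Server $dc.HostName -ErrorAction Stop }
    catch { "$($dc.HostName) does not answer directory queries: $($_.Exception.Message)" }

    # Any recorded replication failure means the target may hold stale data.
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.FailureCount -gt 0 } |
        ForEach-Object { "Replication from $($_.Partner) is failing ($($_.FailureCount) failures)" }

    # Inbound replication that has not succeeded recently is also a blocker.
    $cutoff = (Get-Date).AddHours(-$MaxReplicationAgeHours)
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        ForEach-Object { "No successful replication from $($_.Partner) since $($_.LastReplicationSuccess)" }
}

$target = 'DC02'
$roles  = 'SchemaMaster', 'DomainNamingMaster'

$problems = @(Test-FsmoTarget -TargetDC $target)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-flight checks failed for $target; no roles were moved."
}

# Graceful transfer only: no -Force, so the cmdlet fails instead of seizing
# if the current role holder cannot be contacted.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles
```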

Command Line (ntdsutil)

  • More powerful and used for seizing roles (explained below)
    1. Log into the DC where you want to transfer the role.
    2. Open a command prompt.
    3. Type ntdsutil and press Enter.
    4. Type roles and press Enter.
    5. Type connections and press Enter.
    6. Type connect to server <servername> (replace <servername> with the name of the target DC) and press Enter.
    7. Type q and press Enter.
    8. To transfer: Type transfer <role name> and press Enter (e.g., transfer schema master).

Seizing FSMO Roles (Caution!)

Seizing is a forceful method used only if the original role holder is permanently offline:

  1. Perform the command-line steps above.
  2. Instead of transfer, use seize <role name>.

Seizing FSMO Roles

In cases where the current role holder is offline or non-functional, you might need to “seize” the roles. This is a last-resort action taken using the ntdsutil command-line tool or through PowerShell using the -Force parameter. After seizing FSMO roles to another server, it’s crucial to demote and replace the failed Active Directory domain controller in the AD environment.

Role Verification

After transferring or seizing roles, verify that the new domain controller is functioning as the FSMO role holder. This can be done through various GUI tools or PowerShell cmdlets.
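
One way to do this verification from PowerShell is to ask every domain controller who it believes holds each role and flag any that disagree with the intended holder, which also shows whether the change has replicated. This is an added example, not code from the original post; the function names and the host name 'dc02.corp.example' are assumptions.

```powershell
# Added example, not the article's code. Requires the ActiveDirectory module (RSAT).
# 'dc02.corp.example' is a placeholder FQDN for the intended role holder.
Import-Module ActiveDirectory

function Get-FsmoView {
    # Returns the five role holders as seen by one specific domain controller.
    param([Parameter(Mandatory)][string]$Server)
    $forest = Get-ADForest -Server $Server -ErrorAction Stop
    $domain = Get-ADDomain -Server $Server -ErrorAction Stop
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Compare-FsmoView {
    # Emits one object per (DC, role) pair whose reported holder differs from $Expected.
    param([Parameter(Mandatory)][hashtable]$Expected)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try { $view = Get-FsmoView -Server $dc.HostName }
        catch { Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"; continue }
        foreach ($role in $Expected.Keys) {
            if ($view.$role -ine $Expected[$role]) {
                [pscustomobject]@{
                    AskedDC  = $dc.HostName
                    Role     = $role
                    Expected = $Expected[$role]
                    Reported = $view.$role
                }
            }
        }
    }
}

# Roles that were just moved, mapped to the DC that should now hold them.
$expected = @{
    SchemaMaster       = 'dc02.corp.example'
    DomainNamingMaster = 'dc02.corp.example'
}

$mismatches = @(Compare-FsmoView -Expected $expected)
if ($mismatches.Count -gt 0) { $mismatches | Format-Table -AutoSize }
else { 'All reachable DCs report the expected role holders.' }
```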

Best Practices and Considerations

  • Always plan FSMO role transfers during periods of low activity.
  • Keep an up-to-date list of FSMO role holders, and make sure you know which Active Directory domain controller holds each role.
  • Document each transfer or seizure for future reference.
  • Regularly monitor the health of FSMO role holders.
  • Consider the impact on users and services when transferring roles, especially the PDC Emulator.

Transferring FSMO roles is a critical task that requires careful planning and execution. By understanding the roles, preparing the environment, and using the correct tools, you can ensure a smooth transition of FSMO roles within your Active Directory domain. Whether you’re using Windows Server 2016, 2019, or 2022, these principles remain the same, ensuring the stability and efficiency of your AD infrastructure.
