Transferring FSMO Roles To Another Active Directory Controller

With virtualization continuing to grow into the small and medium business marketplace, it is now affordable for many IT administrators to implement common best practices such as having a minimum of two domain controllers. Virtualization has also made transitioning and upgrading operating systems much easier.

When considering an Active Directory upgrade for a small to medium business, in many cases all five Flexible Single Master Operation (FSMO) roles are held on one domain controller. In cases where an old primary domain controller will be decommissioned, it becomes imperative that a new primary is assigned for these roles. This article describes how to use the Windows GUI to transfer all five FSMO roles to a Windows 2012R2 Active Directory Controller.

 

How to Transfer FSMO Roles

To transfer FSMO roles via the Windows GUI, you will need access to the following three Active Directory snap-ins:

  • Active Directory Schema (Schema Master Role) Note: The snap-in is not enabled by default. Instructions provided below.
  • Active Directory Domains and Trusts (Domain Naming Master Role)
  • Active Directory Users and Computers (RID, PDC and Infrastructure Roles)

Enabling Active Directory Schema Snap-In

To enable the Active Directory Schema Snap-In, open up a command prompt and select Run as administrator.

Run as Administrator

In the command prompt, type in regsvr32 schmmgmt.dll.

A window will pop up displaying DllRegisterServer in schmmgmt.dll succeeded.

Regsvr32 schmmgmt.dll

Accessing Snap-ins and Microsoft Management Console

The easiest way to gain access to all three Active Directory snap-ins is to go through the Microsoft Management Console. In most cases, I log onto the server that I want to house all the roles so the snap-ins will automatically connect to the local machine. To do this, type in mmc in the run command.

MMC

Once MMC has opened up, the necessary Snap-ins can be added.

Note: the Active Directory Schema does not appear under administrative tools by default and must be accessed through MMC.

By default, the snap-in will authenticate to whatever server it has been opened from. If you are already on the new domain controller, see the screenshots below for where to right-click to modify the Operations Master via the GUI. Otherwise, you will need to select Change Active Directory Domain Controller and type in the new domain controller.

Operations Master

Active Directory Domains and Trusts

Active Directory Users and Computers

Although each Operations Master window displays different text, each one will show the “Current Operations Master” and will also display something similar to “To transfer the X master role to the targeted FSMO folder, click Change.”

Operations Master RID

Once Change has been clicked, a confirmation should appear showing the “New Operations Master.”

New Operations Master

Once the new Operations Master has been confirmed, the same process can be repeated for the remaining four FSMO roles.

Once all FSMO roles have been transferred off the 2003 and 2008 servers, the older servers can be removed from the domain (Note: this assumes that your domain controller is not running any other functions such as DHCP). To do this, the servers will need to be properly decommissioned.
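
Before decommissioning, it is worth confirming that none of the five roles is still held by a server you are about to retire. The following PowerShell check is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT / AD DS tools) is installed, a single-domain forest, and uses the hypothetical placeholder names OLD-DC01 and OLD-DC02 for the retiring servers.

```powershell
# Added example: list each FSMO role holder and flag any role still on a retiring DC.
# Requires the ActiveDirectory module (RSAT / AD DS role tools).
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param(
        # Short names or FQDNs of the DCs to be retired (placeholders in the call below).
        [string[]]$RetiringDC = @()
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $domain.RIDMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'Infrastructure Master' = $domain.InfrastructureMaster
    }

    # Compare on the host label so "OLD-DC01" matches "old-dc01.example.local".
    $retiring = $RetiringDC | ForEach-Object { ($_ -split '\.')[0].ToLower() }

    foreach ($role in $roles.GetEnumerator()) {
        $holderShort = ($role.Value -split '\.')[0].ToLower()
        [pscustomobject]@{
            Role         = $role.Key
            Holder       = $role.Value
            StillOnOldDC = $retiring -contains $holderShort
        }
    }
}

# Placeholder server names; replace with the DCs being decommissioned.
$result = Get-FsmoRoleHolder -RetiringDC 'OLD-DC01', 'OLD-DC02'
$result | Format-Table -AutoSize

$blocked = $result | Where-Object StillOnOldDC
if ($blocked) {
    Write-Warning "Roles still held by a retiring DC: $($blocked.Role -join ', ')"
} else {
    Write-Output 'No FSMO roles remain on the retiring DCs.'
}
```

Running netdom query fsmo from an elevated command prompt lists the same five role holders if you only need a quick look.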