How to Transfer FSMO Roles in Active Directory

The Flexible Single Master Operation (FSMO) roles in Active Directory are a set of five critical operations that must be handled by a single domain controller at any given time. These roles ensure the consistency and integrity of the Active Directory database.

Sometimes you may need to transfer one or more of these FSMO roles to another domain controller: for example, when you are decommissioning an old domain controller that currently holds FSMO roles, or when you want to redistribute the roles for load balancing.

To check which domain controller currently holds the FSMO roles, you can use the netdom query fsmo command. This will list the current role holders.

To transfer the roles, you’ll use the ntdsutil command-line utility along with its roles and connections contexts. Here are the steps:

  1. Open a command prompt on the domain controller you want to transfer the roles to.
  2. Run ntdsutil to start the utility.
  3. Run roles to enter the roles context.
  4. Run connections to switch to the connections context.
  5. Run connect to server servername.domain.com to specify the remote domain controller you want to transfer roles from.
  6. Run quit to go back up a level.
  7. For each role you want to transfer, run one of the following commands:
    • transfer infrastructure master
    • transfer naming master
    • transfer PDC
    • transfer RID master
    • transfer schema master
  8. Run quit again to exit ntdsutil.

Finally, run netdom query fsmo again to verify that the roles have been transferred successfully.
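As an added example that is not part of the original article, the same check, transfer and verify sequence in PowerShell using the ActiveDirectory module (Move-ADDirectoryServerOperationMasterRole is the cmdlet equivalent of the ntdsutil transfer commands); the target name DC02 is a placeholder, and the script assumes RSAT and sufficient rights (Schema Admins and Enterprise Admins for the schema and domain naming roles).

```powershell
# Added example, not the article's own commands: PowerShell equivalent of the
# ntdsutil transfer steps, with a before/after check like 'netdom query fsmo'.
#Requires -Modules ActiveDirectory
param(
    [string]$TargetDC = 'DC02',   # hypothetical new role holder (placeholder)
    [switch]$DryRun               # report what would move, change nothing
)

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same information as 'netdom query fsmo', returned as a hashtable of FQDNs
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 1. Record the current holders so there is a known state for the rollback plan
$before = Get-FsmoHolders
Write-Host 'Current FSMO holders:'
$before.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize | Out-String | Write-Host

# 2. Transfer (not seize) every role: the current holder must be online, exactly
#    as with 'transfer ...' in ntdsutil. -WhatIf turns this into a dry run.
$target = Get-ADDomainController -Identity $TargetDC
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles `
    -Confirm:$false -WhatIf:$DryRun

if ($DryRun) { return }

# 3. Verify that every role now points at the target; fail loudly otherwise
$after      = Get-FsmoHolders
$targetFqdn = $target.HostName
$wrong = $after.GetEnumerator() | Where-Object { $_.Value -ne $targetFqdn }
if ($wrong) {
    $wrong | ForEach-Object { Write-Warning "$($_.Name) is still held by $($_.Value)" }
    throw "FSMO transfer incomplete; holders before the transfer were: $($before | Out-String)"
}
Write-Host "All five FSMO roles are now held by $targetFqdn"
```

Run with -DryRun first to confirm the target resolves and the roles are enumerated correctly before performing the real transfer.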

It’s important to carefully plan any FSMO role transfers, as they can impact Active Directory operations if not done correctly. Always make sure to follow best practices and have a rollback plan.
