
FSMO - Transfer / Seize the roles to a new server

Old School Way: Using Graphical Tools (MMC)

  1. Check Current Roles: Run netdom query fsmo on any DC to see which DC holds each of the five roles.
  2. Transfer Domain Roles (RID, PDC, Infrastructure):
    • Open Active Directory Users and Computers (ADUC).
    • Right-click the domain name and select Operations Masters.
    • Go to each tab (RID, PDC, Infrastructure) and click Change to move the role to the New DC.
  3. Transfer Schema Master Role:
    • Open MMC, then Add/Remove Snap-in.
    • Add Active Directory Schema (if the snap-in is not listed, register schmmgmt.dll first with regsvr32 schmmgmt.dll, then add it).
    • Right-click Active Directory Schema and select Operations Master, then Change.
  4. Transfer Domain Naming Master Role:
    • Open Active Directory Domains and Trusts.
    • Right-click Active Directory Domains and Trusts and select Operations Master, then click Change to move it to the New DC.
  5. Check Roles:
    1. (Get-ADDomain).PDCEmulator, (Get-ADDomain).RIDMaster, (Get-ADDomain).InfrastructureMaster
    2. (Get-ADForest).DomainNamingMaster, (Get-ADForest).SchemaMaster

New Age: Using PowerShell

  1. Check Roles:
    1. (Get-ADDomain).PDCEmulator, (Get-ADDomain).RIDMaster, (Get-ADDomain).InfrastructureMaster
    2. (Get-ADForest).DomainNamingMaster, (Get-ADForest).SchemaMaster
  2. Transfer All Roles: Run the command below on the destination DC (or any admin machine with the Active Directory PowerShell module), replacing "YourNewDCName" with the actual server name.

You can use the following to move the FSMO roles

Move-ADDirectoryServerOperationMasterRole -Identity "YourNewDCName" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Optional: The -Force parameter seizes the roles instead of transferring them (it does not need the current holder to be reachable), so use it carefully and only when the old DC is permanently offline.

Move-ADDirectoryServerOperationMasterRole -Identity "YourNewDCName" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

Important Notes

  1. Ensure the source DC is online for a clean transfer (Microsoft recommends this)
  2. Verify Active Directory replication is healthy before starting
  3. Only seize roles (using ntdsutil, or PowerShell with -Force) if the old DC is permanently offline.
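The PowerShell procedure and the three notes above combined into one script, as an added example that is not from the original page: it lists the current holders, refuses to continue if replication failures are reported, transfers each role with a plain Move-ADDirectoryServerOperationMasterRole when the current holder answers a ping, and only falls back to -Force (seize) when the -Seize switch was given and the holder is unreachable. The DC name is supplied as a parameter; "DC02" in the usage comment is a placeholder, not a name from the page.

```powershell
<#
  Added example (not the original page's code).
  Usage:  .\Move-Fsmo.ps1 -NewDC DC02            # transfer only
          .\Move-Fsmo.ps1 -NewDC DC02 -Seize     # seize roles whose holder is gone
  "DC02" is a placeholder server name.
#>
param(
    [Parameter(Mandatory)] [string] $NewDC,   # destination DC (short hostname)
    [switch] $Seize                           # allow -Force only for unreachable holders
)

Import-Module ActiveDirectory -ErrorAction Stop

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Same checks as the "Check Roles" step, collected into one table.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Show-Holders([string] $Title, $Holders) {
    Write-Host $Title
    foreach ($e in $Holders.GetEnumerator()) { Write-Host ("  {0,-22} {1}" -f $e.Key, $e.Value) }
}

$before = Get-FsmoHolders
Show-Holders 'FSMO holders before:' $before

# Important Note 2: replication must be healthy before any role moves.
$failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize | Out-String | Write-Host
    throw 'Replication failures present; fix them before moving FSMO roles.'
}

foreach ($role in $roles) {
    $holder = $before[$role]                       # FQDN of the current holder
    if (($holder -split '\.')[0] -ieq $NewDC) {
        Write-Host "$role is already held by $NewDC, skipping."
        continue
    }

    # Important Note 1: a clean transfer needs the source DC online.
    $online = Test-Connection -ComputerName $holder -Count 1 -Quiet
    if ($online) {
        Write-Host "Transferring $role from $holder to $NewDC"
        Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole $role -Confirm:$false
    }
    elseif ($Seize) {
        # Important Note 3: -Force seizes; only used because the holder is unreachable
        # and the operator explicitly asked for it.
        Write-Warning "$holder (holder of $role) is unreachable; SEIZING $role on $NewDC"
        Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole $role -Force -Confirm:$false
    }
    else {
        throw "$holder (holder of $role) is unreachable. Aborting; rerun with -Seize only if that DC is permanently offline."
    }
}

# Verify the result the same way the page does, and flag anything still not on the new DC.
$after = Get-FsmoHolders
Show-Holders 'FSMO holders after:' $after
$notMoved = $roles | Where-Object { ($after[$_] -split '\.')[0] -ine $NewDC }
if ($notMoved) { Write-Warning ("Still not on {0}: {1}" -f $NewDC, ($notMoved -join ', ')) }
else           { Write-Host "All five roles are now held by $NewDC" }
```

The script keeps transfer and seize as separate paths on purpose: a seize never reaches the old holder, so if that DC later comes back on the network it will still believe it owns the role and must be kept offline and cleaned up rather than reconnected, which is why -Seize is an explicit switch and the default is to abort.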