
Moving FSMO Roles

Why is it necessary to move FSMO roles?

In an Active Directory environment, not all Domain Controllers (DCs) are equal. Although most directory writes use multi-master replication, there are five critical roles, called FSMO (Flexible Single Master Operation) roles, that can each be held by only one DC at a time, to prevent write conflicts and corruption in the ntds.dit database.

Moving these roles is not an administrative whim; it is an operational necessity in the following scenarios:

Server Maintenance or Decommissioning: If you plan to permanently shut down an old domain controller (as part of a migration from Windows Server 2012 to 2022), you must transfer the FSMO roles to a new server before running Uninstall-ADDSDomainController.

Topology Optimization: To improve response speed, the PDC Emulator role (which manages password changes and time synchronization) should be on the server with the best connectivity and hardware.

Business Continuity (Disaster Recovery): If the server holding the roles physically fails and cannot be recovered, it is mandatory to seize the roles to a healthy domain controller so that the domain continues to function correctly.

The 5 Roles In Play:

  • Schema Master: Controls forest schema updates (vital for Exchange installations).

  • Domain Naming Master: Manages the addition or removal of domains in the forest.

  • PDC Emulator: The “boss” of time and password synchronization.

  • RID Master: Distributes blocks of IDs so that DCs can create new users or groups.

  • Infrastructure Master: Handles GUID/SID translation between domains.

Checking Roles

netdom query fsmo


Move-ADDirectoryServerOperationMasterRole -Identity "mxlitdc01" -OperationMasterRole 0,1,2,3,4


In this command:

  • 0 corresponds to the PDC Emulator.

  • 1 corresponds to the RID Master.

  • 2 corresponds to the Infrastructure Master.

  • 3 corresponds to the Schema Master.

  • 4 corresponds to the Domain Naming Master.

This approach is valid and much faster because it uses the FSMO role numbers instead of manually typing each role name. It’s a concise and efficient way to move all FSMO roles at once.


For more details about each role, see FSMO Role Functions.

If any of the numbers are left out, only the roles listed are transferred and the rest stay on their current holder, so include the number of every role you want to move.

Complete example:

Move-ADDirectoryServerOperationMasterRole -Identity "mxlitdc01" -OperationMasterRole 0,1,2,3,4
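As an added example (not part of the original post), the following PowerShell script records the current role holders, transfers all five roles to the DC named in the post, and then verifies that every role now sits on the target. It assumes the ActiveDirectory module is available, that the account running it holds Schema Admins, Enterprise Admins and Domain Admins, and that mxlitdc01 is the target DC.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and a target DC named "mxlitdc01" (taken from the post).
Import-Module ActiveDirectory

# Current holder of each of the five roles (FQDNs).
# Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
function Get-FsmoHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator          # role number 0
        RIDMaster            = $domain.RIDMaster            # role number 1
        InfrastructureMaster = $domain.InfrastructureMaster # role number 2
        SchemaMaster         = $forest.SchemaMaster         # role number 3
        DomainNamingMaster   = $forest.DomainNamingMaster   # role number 4
    }
}

$target     = "mxlitdc01"
$targetFqdn = (Get-ADDomainController -Identity $target).HostName

Write-Host "FSMO holders before the move:"
(Get-FsmoHolders).GetEnumerator() | Format-Table Name, Value -AutoSize

# Graceful transfer: the current holder must be online and reachable.
# 0,1,2,3,4 = PDC Emulator, RID Master, Infrastructure Master,
#             Schema Master, Domain Naming Master (all five roles).
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole 0,1,2,3,4 -Confirm:$false

# Disaster recovery only: when the current holder is permanently lost,
# add -Force to seize the roles instead of transferring them. A seized
# holder must never be brought back onto the network afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity $target `
#     -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

# Verify: every role should now report the target DC's FQDN
# (-ne is case-insensitive in PowerShell).
$after = Get-FsmoHolders
foreach ($role in $after.Keys) {
    if ($after[$role] -ne $targetFqdn) {
        Write-Warning "$role is still held by $($after[$role]); expected $targetFqdn"
    } else {
        Write-Host "$role -> $targetFqdn (OK)"
    }
}
```

Run `netdom query fsmo` afterwards as an independent cross-check; if the verification loop still warns about a role, replication to the DC you queried may simply not have completed yet.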
