Active Directory: Transfer of FSMO (Flexible Single Master Operations) roles

10 December 2020, by Rached CHADER

Overview of FSMO roles

FSMO stands for “Flexible Single Master Operation”.

There are five FSMO roles: two are unique within the forest and the other three are unique within each domain.

A domain controller can hold zero or more FSMO roles.

To view the current FSMO role holders, run the following command on a domain controller:

netdom query fsmo


Domain Naming Master

This role is unique within the forest; it is the only domain controller authorized to assign domain names when a new domain is created.

Schema Master

The schema defines the structure of Active Directory: every object class that can be created and its attributes. The schema master is unique within the forest, and only it can modify the schema.

RID Master

It is unique within the domain; it distributes a pool of relative identifiers (RIDs) to each domain controller so that every SID issued by a DC is unique.

Primary Domain Controller (PDC) Emulator

It is unique within the domain; it is responsible for time synchronization between the servers and workstations, and it handles password changes and account lockouts.

Infrastructure Master

It is unique within the domain; its role is to maintain cross-domain object references.

You can transfer a single role or several at once. FSMO roles can be transferred with the command-line utility Ntdsutil.exe, with PowerShell, or with the graphical wizard.

To transfer the FSMO role, the administrator must be a member of the following group:

NTDSUTIL.exe


Go to Start, Run, and type “ntdsutil.exe”.

  • Type “roles” and press Enter.
  • Type “connections” and press Enter.
  • Type “connect to server <server name>” and press Enter. The server name must be the domain controller that will receive the roles.
  • Type “quit” and press Enter.

We will transfer the FSMO roles one by one with the corresponding command. After each command a confirmation dialog appears; click Yes to continue.

  • For the Schema Master, type “transfer schema master” and press Enter.
  • For the RID Master, type “transfer rid master” and press Enter.
  • For the Domain Naming Master, type “transfer naming master” and press Enter.
  • For the PDC Emulator, type “transfer pdc” and press Enter.
  • For the Infrastructure Master, type “transfer infrastructure master” and press Enter.

Once the transfers are complete, type “quit” to exit NTDSUTIL.


PowerShell


To do this, open a PowerShell console as an administrator.
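As an added example (not part of the original post), the same transfer and the verification step done with the ActiveDirectory PowerShell module; the target domain controller name DC02 is an assumption.

```powershell
# Added example: transfer all five FSMO roles with the ActiveDirectory module
# (RSAT) and verify the result. Assumes the receiving DC is named "DC02" and
# the account has the rights required for each role.
Import-Module ActiveDirectory

$TargetDC = 'DC02'   # assumed name of the DC that will receive the roles

# Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'
Get-FsmoHolders | Format-List

# Transfer the roles; the cmdlet asks for confirmation for each one.
# Pass fewer role names to move only some of them.
# Do not add -Force here: that seizes the roles instead of transferring them,
# which is only appropriate when the current holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Verify: every role should now report the target DC's FQDN.
$after    = Get-FsmoHolders
$expected = (Get-ADDomainController -Identity $TargetDC).HostName
'After:'
$after | Format-List

$notMoved = $after.PSObject.Properties |
    Where-Object { $_.Value -ne $expected } |
    Select-Object -ExpandProperty Name
if ($notMoved) {
    Write-Warning "Roles not held by ${expected}: $($notMoved -join ', ')"
} else {
    "All FSMO roles are now held by $expected"
}
```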

Graphical wizard


  • Open Active Directory Users and Computers.
  • Under Action => Operations Masters, there is a tab for each FSMO role that can be transferred from this console (RID, PDC for the PDC emulator, and Infrastructure).
  • Finally, the schema master remains to be migrated. To do this, open a command prompt and register the necessary DLL:

  • Now open a new MMC console.
  • Then go to File => Add/Remove Snap-in.
  • Choose Active Directory Schema.
  • Under Action => Operations Master, you will find the interface to migrate the schema master role.

Migration verification

To check that the roles have been transferred, run the command seen earlier:

netdom query fsmo
