In this tutorial, we will perform FSMO role migration for a domain controller. They are 5 in number and can be moved independently of each other.
However, before going further, it is important to understand the difference between the 5 roles.
What are the FSMO roles ?
Within a domain, domain controllers have write access to the Active Directory.
However, it is dangerous to allow changing data simultaneously on multiple domain controllers. To mitigate this risk, the FSMO role feature allows you to limit the modification of Active Directory data and is assigned to one or more servers. Each server that has one is called the operation master for the role it has.
Within a domain, there is only one operating master for the same FSMO role.
Roles located at the root of the forest
Domain naming Master
This role is unique within a forest. It is used to assign domain names to domain controllers when creating a new domain. It must be accessible when creating a new domain.
This unique role in a forest provides updates and schema changes. It also allows replication on all domain controllers. In a root domain of a forest, the schema master must be placed with the naming master and the PDC Emulator.
Roles at the root of the domain
It allows the maintenance of object references between the different domains. If a user of an X domain is added to a group of a Y domain, he will replicate the references across the entire Y domain.
It assigns each Active Directory object a unique security identifier, called SID. This operation master allocates identification blocks to each domain controller. Each domain controller then has a unique RID pool that it will assign to future objects.
Its structure is as follows:
- Revision number
- Domain Security Identifier (SID Domain)
- A RID (Relative Identifier)
It replicates passwords and acts as a time server. This allows clocks to be synchronized to provide Kerberos authentication that requires timestamping of authentication packets.
It assures 5 main roles
- Edit domain group policies
- Synchronize clocks on all domain controllers
- Manage account lockout
- Change passwords
- Ensures compatibility with Windows NT domain controllers
- Belong to the Schema Admins group to transfer the FSMO Schema Master role
In this procedure, we will move the 5 FSMO roles from the VM2K12EN01 domain controller to VM2K12EN02.
First, check the location of FSMO roles
Netdom query / domain:<DomainName> fsmo
Then, use the command ntdsutil.exe, which will open a new prompt. On this one, use the following commands:
Switch to fsmo maintenance mode:
Enter connection mode to link to the destination server
Make the connection with the destination server
Connect to server <ServerName>
Then, exit the connection mode using the
Transfer FSMO roles
Now, use the following commands to transfer the FSMO roles
Transfer schema master
Transfer naming master
Transfer RID master
Transfer infrastructure master
Then, you can view the location of FSMO roles from a PowerShell prompt
You are done. Your FSMO roles are now on one or more other servers. For more security, I advise you to remove the user from the schema admins group.