Active Directory – How to transfer FSMO roles

In this tutorial, we will migrate the FSMO roles of a domain controller. There are five of them, and each one can be moved independently of the others.

However, before going further, it is important to understand the difference between the 5 roles.

What are the FSMO roles?

Within a domain, domain controllers have write access to the Active Directory.

However, it is dangerous to allow the same data to be changed simultaneously on several domain controllers. To mitigate this risk, the FSMO (Flexible Single Master Operations) role feature restricts certain Active Directory modifications to specific servers. Each server holding a role is called the operations master for that role.

Within a domain, there is only one operations master for a given FSMO role.

Roles located at the root of the forest

Domain naming Master

This role is unique within a forest. It is used to assign the domain name to the domain controllers of a newly created domain, so it must be reachable whenever a new domain is created.

Schema Master

This role, also unique within a forest, handles updates and changes to the schema and replicates them to all domain controllers. In a forest root domain, the schema master should be placed with the domain naming master and the PDC emulator.

Roles at the root of the domain

Infrastructure Master

It maintains object references between the different domains. If a user from domain X is added to a group in domain Y, it replicates the references across the whole of domain Y.

RID Master

It assigns each Active Directory object a unique security identifier (SID). This operations master allocates blocks of identifiers to each domain controller; each domain controller then has its own RID pool from which it assigns identifiers to the objects it creates.

A SID is structured as follows:

  • Revision number
  • Domain Security Identifier (SID Domain)
  • A RID (Relative Identifier)

PDC Emulator

It replicates passwords and acts as the time server. This keeps clocks synchronized, which Kerberos authentication requires because it timestamps authentication packets.

It provides five main functions:

  • Edit domain group policies
  • Synchronize clocks on all domain controllers
  • Manage account lockouts
  • Change passwords
  • Ensure compatibility with Windows NT domain controllers

Prerequisites

  • Belong to the Schema Admins group to transfer the FSMO Schema Master role

Procedure

In this procedure, we will move the 5 FSMO roles from the VM2K12EN01 domain controller to VM2K12EN02.

First, check the current location of the FSMO roles:

netdom query /domain:<DomainName> fsmo

Then run ntdsutil.exe, which opens a new prompt. At that prompt, use the following commands:

Switch to FSMO maintenance mode:

roles

Enter connection mode to link to the destination server:

connections

Make the connection with the destination server:

connect to server <ServerName>

Then exit connection mode with the q command.

Transfer FSMO roles

Now use the following commands to transfer the FSMO roles:

Transfer schema master

Transfer naming master

Transfer RID master

Transfer infrastructure master

Transfer PDC

Then you can check the location of the FSMO roles from a PowerShell prompt.
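The same check, transfer and verification done from PowerShell with the ActiveDirectory module, as an added example that is not part of the original post. The server names are the tutorial's; the module is assumed to be installed on the machine you run it from, and the account is assumed to meet the Schema Admins prerequisite above.

```powershell
# Added example (not the original post's code): check, transfer and verify
# the five FSMO roles with the ActiveDirectory module instead of ntdsutil.
Import-Module ActiveDirectory

$Source = 'VM2K12EN01'   # current role holder (from the tutorial)
$Target = 'VM2K12EN02'   # destination domain controller (from the tutorial)

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before transfer:'
Get-FsmoHolders | Format-Table -AutoSize

# Transfer (not seize) all five roles to the target DC in one call.
# -Force is deliberately omitted: a transfer needs the current holder ($Source)
# to be online; seizing with -Force is only for a holder that is permanently lost.
Move-ADDirectoryServerOperationMasterRole -Identity $Target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

'After transfer:'
$after = Get-FsmoHolders
$after | Format-Table -AutoSize

# Verification: every role holder is reported as an FQDN and should now
# start with the target's host name.
$notMoved = $after.GetEnumerator() | Where-Object { $_.Value -notlike "$Target*" }
if ($notMoved) {
    Write-Warning ("Still not on {0}: {1}" -f $Target, ($notMoved.Key -join ', '))
} else {
    "All five FSMO roles are now held by $Target"
}
```

Run it from an elevated PowerShell session on a domain controller or a machine with RSAT; the "After transfer" table is the PowerShell equivalent of the netdom query at the start of the procedure.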

You are done. Your FSMO roles are now on one or more other servers. For better security, I advise you to remove the user from the Schema Admins group.

A Microsoft and virtualization engineer, I am first of all computer-savvy. I share my time between this website, my engineering job and an intense sporting activity.