Lukas Beran

October 2016


Transfer and seize of FSMO roles

Lukas Beran

FSMO roles are five special roles held by domain controllers which are vital for the smooth running of AD as a multimaster system, because some Active Directory features require a central authority that all domain controllers can refer to.

These roles are installed automatically and there is normally very little reason to move them. However, if you decommission a DC and DCPROMO fails to run correctly, or a DC suffers a catastrophic failure, you will need to know about these roles in order to recover them or transfer them to another DC.

As mentioned, there are five roles, divided into two groups.

Forest Wide Roles

Schema Master

The Schema Master controls all updates and modifications to the schema.

Domain Naming

The Domain Naming Master verifies that a newly added domain name is unique within the forest.

Domain Wide Roles

Relative ID Master

The Relative ID Master allocates pools of relative IDs to the domain controllers within a domain.

PDC Emulator

The PDC Emulator provides backward compatibility and is also responsible for time synchronization.

Infrastructure Master

The Infrastructure Master is responsible for updating references from objects in its domain to objects in other domains.

Transfer FSMO roles

If you want to transfer FSMO roles, the domain controller that currently holds those roles has to be available, and you need sufficient permissions.

FSMO role               Required permission
Schema Master           Schema Admin
Domain Naming           Enterprise Admin
Relative ID Master      Domain Admin
PDC Emulator            Domain Admin
Infrastructure Master   Domain Admin

If you meet the requirements, you can run ntdsutil (Windows – Run – ntdsutil) on a domain controller.

Instead of ServerName, write the name of the server to which you want to transfer the roles.

Now you can enter the names of the roles you want to transfer. If you want to transfer all roles, enter

Then restart the server.

Seize FSMO roles

If the server holding the FSMO roles is not available, it is not possible to transfer the roles; they have to be seized instead. Open ntdsutil (Windows – Run – ntdsutil).

Instead of ServerName, write the name of the server to which you want to seize the roles.

Now you can seize the roles.

The seize process first tries to transfer the role; this attempt ends with an error, and the process then continues with the seize.

Now restart the server.
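The same transfer-or-seize decision can be scripted with the ActiveDirectory PowerShell module instead of an interactive ntdsutil session. The script below is an added example, not part of the original post; it assumes RSAT-AD-PowerShell is installed, that you run it as a member of the groups listed in the permissions table, and that the target DC name ($Target) is DC02.

```powershell
# Added example: transfer each FSMO role to $Target, seizing only when the current holder is unreachable.
# Assumptions: ActiveDirectory module present; caller has the permissions from the table; DC02 is the target.
Import-Module ActiveDirectory

$Target   = 'DC02'   # assumed name of the DC that should end up holding the roles
$AllRoles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles are reported on the forest object, domain-wide roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'Current FSMO holders:'
$before = Get-FsmoHolders
$before | Format-List

foreach ($role in $AllRoles) {
    $holder = [string]$before.$role
    # Compare host names only; Get-ADForest/Get-ADDomain return FQDNs.
    if ($holder.Split('.')[0] -ieq $Target.Split('.')[0]) { Write-Host "$role already on $Target"; continue }

    # A single ping is only a rough reachability check; a firewall can make a live DC look dead.
    if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
        # Graceful transfer: the current holder is contacted and hands the role over.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
    } else {
        # Seize: -Force makes the cmdlet take the role even though the holder does not answer.
        # The old holder must never come back online with this role; demote it or clean up
        # its metadata before reconnecting it.
        Write-Warning "$holder is unreachable; seizing $role onto $Target"
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Force -Confirm:$false
    }
}

Write-Host 'FSMO holders after the operation:'
Get-FsmoHolders | Format-List
```

Check the second listing against the first before restarting; a role that still shows the old holder was neither transferred nor seized.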
