Windows OS Hub

September 30, 2025

Transfer/Seize FSMO Roles to Another Domain Controller in AD

In this article, we will review the purpose of domain controllers holding FSMO roles in Active Directory, how to identify the current FSMO role holders, how to transfer one or more Operation Master roles to another domain controller, and how to forcibly seize an FSMO role if the current role holder domain controller fails.

Contents:
  • Understanding FSMO Roles in Active Directory Domain
  • How to Check FSMO Role Owners in Active Directory
  • How to Transfer FSMO Roles with PowerShell
  • Using Ntdsutil.exe to Transfer Operation Masters Roles from CMD
  • Seizing FSMO Roles from an AD Domain Controller
  • Transferring FSMO Roles in AD using GUI

Understanding FSMO Roles in Active Directory Domain

Let’s take a quick look at the purpose of the FSMO (Flexible Single Master Operation) roles within an Active Directory domain.

Most standard operations in Active Directory, such as creating new users and security groups or joining computers to the domain, can be performed on any domain controller. The AD Replication Service is responsible for distributing these changes throughout the Active Directory. Various conflicts, such as the simultaneous renaming of a user on several domain controllers, are resolved according to the simple principle that the last action takes precedence. However, there are several operations for which a conflict would be unacceptable, such as creating a new child domain/forest or changing the AD schema. Operations that require mandatory uniqueness require domain controllers with FSMO roles. The main task of the FSMO roles is to prevent such conflicts.

A total of five FSMO roles can exist in an Active Directory domain. In this context, a domain controller with any of these roles is referred to as an Operations Master.

Two roles are unique for an AD forest:

  1. The Schema master is responsible for making changes to the Active Directory schema, for example, when extending the AD schema using the adprep /forestprep command or adding new object attributes (managing this role requires Schema Admins permissions).
  2. The Domain naming master ensures that all created domains and application partitions in the AD forest have unique names. It is used to add or remove domains in the forest, establish trust relationships with other domains, or rename domains in AD (managing this role requires Enterprise Admins privileges).

There are three roles for each domain (to manage them, your account must be a member of the “Domain Admins” group):

  1. The PDC emulator is the Domain Master Browser used to show computers in the network environment. It handles user lockouts when wrong passwords are entered (in accordance with the AD password policy settings), is the priority DC when a user password is changed (reset), is the main NTP time source in the domain, provides compatibility with legacy clients running Windows 2000/NT, is used by DFS root servers to update the namespace information, and is the default connection point for the Domain Group Policy Editor (GPMC).
  2. The Infrastructure Master is responsible for updating the cross-domain object links (for example, when a user from one domain is added to a group in another domain).
  3. The RID Master is a server that distributes Relative Identifiers (RIDs), in blocks of 500, to other domain controllers to create unique object identifiers (SIDs) for new objects.

How to Check FSMO Role Owners in Active Directory

How can you find out which domain controllers are FSMO role holders in your Active Directory forest?

To list all FSMO role owners in the AD, run the command:

netdom query fsmo


Schema master dc01.test.com
Domain naming master dc01.test.com
PDC dc01.test.com
RID pool manager dc01.test.com
Infrastructure master dc01.test.com

You can also view the FSMO roles for another domain:

netdom query fsmo /domain:woshub.com

In this example, all the FSMO roles are located on the DC01. When a new Active Directory forest is deployed, all the FSMO roles are assigned to the first domain controller. Any domain controller, except Read-Only Domain Controllers (RODCs), can be the owner of any FSMO role. A domain administrator can transfer any FSMO role to another domain controller.

You can also use the Get-ADDomainController PowerShell cmdlet to display information about FSMO roles (the RSAT Active Directory for PowerShell module must be installed):

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}

Or list the forest- or domain-level FSMO roles separately:

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster


Here are the general Microsoft recommendations for FSMO role placement in the domain:

  • Place the forest-level roles (Schema master and Domain naming master) on the root domain
  • Place all three FSMO domain roles on a single domain controller that has sufficient performance.
  • All forest DCs must be Global Catalog servers since it improves AD reliability and performance. In this case, the Infrastructure Master role is not necessary. If you have a DC without the Global Catalog role, assign the Infrastructure Master role to it.
  • Unless necessary, it is not recommended to constantly move the FSMO role between domain controllers (for example, there is no need to transfer the role during a planned DC reboot after installing updates). If any of the FSMO owners are offline for a short period, this will not be noticed.
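
The placement recommendations above can be checked mechanically. The following PowerShell function is an added example, not part of the original article: Test-FsmoPlacement is a hypothetical helper name, and the sample objects are constructed to mimic the properties returned by Get-ADDomainController (HostName, Domain, IsGlobalCatalog, IsReadOnly, OperationMasterRoles).

```powershell
function Test-FsmoPlacement {   # hypothetical helper, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,  # shaped like Get-ADDomainController output
        [Parameter(Mandatory)] [string]   $ForestRootDomain
    )
    $forestRoles = 'SchemaMaster', 'DomainNamingMaster'
    $domainRoles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    $findings = @()

    foreach ($dc in ($DomainControllers | Where-Object { $_.OperationMasterRoles })) {
        # RODCs cannot own FSMO roles, so a listed RODC points at bad input or stale data.
        if ($dc.IsReadOnly) { $findings += "$($dc.HostName): RODC listed as a role holder" }
        # Forest-level roles belong in the forest root domain.
        $held = @($dc.OperationMasterRoles | Where-Object { $_ -in $forestRoles })
        if ($held.Count -gt 0 -and $dc.Domain -ne $ForestRootDomain) {
            $findings += "$($dc.HostName): $($held -join ', ') held outside $ForestRootDomain"
        }
    }

    foreach ($grp in ($DomainControllers | Group-Object -Property Domain)) {
        # All three domain-level roles should sit on one DC.
        $owners = @($grp.Group | Where-Object { $_.OperationMasterRoles | Where-Object { $_ -in $domainRoles } })
        if ($owners.Count -gt 1) {
            $findings += "$($grp.Name): domain roles split across $($owners.HostName -join ', ')"
        }
        # If any DC is not a Global Catalog, the Infrastructure Master should be on a non-GC DC.
        $nonGc = @($grp.Group | Where-Object { -not $_.IsGlobalCatalog })
        $im = $grp.Group | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' } |
            Select-Object -First 1
        if ($nonGc.Count -gt 0 -and $im -and $im.IsGlobalCatalog) {
            $findings += "$($grp.Name): Infrastructure Master $($im.HostName) is a GC while $($nonGc.HostName -join ', ') is not"
        }
    }
    $findings
}

# Constructed sample input (not real data). On a live domain pass: Get-ADDomainController -Filter *
$sample = @(
    [pscustomobject]@{ HostName = 'dc01.test.com'; Domain = 'test.com'; IsGlobalCatalog = $true; IsReadOnly = $false
                       OperationMasterRoles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'InfrastructureMaster') }
    [pscustomobject]@{ HostName = 'dc02.test.com'; Domain = 'test.com'; IsGlobalCatalog = $false; IsReadOnly = $false
                       OperationMasterRoles = @('RIDMaster') }
)
Test-FsmoPlacement -DomainControllers $sample -ForestRootDomain 'test.com'
```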

There are two possible scenarios for moving FSMO roles between domain controllers:

  • Role transfer – a voluntary transfer of the FSMO role, in which both the previous and new operation master owners are online. It is used in AD infrastructure optimization scenarios, such as when decommissioning a domain controller, or during scheduled maintenance when the current FSMO role owner is expected to be offline for a long time, such as for the whole working day or several days.
  • Role seize – the forced transfer of the FSMO role if the previous owner fails and cannot be restored within a reasonable timeframe.

There are several tools available in Active Directory for transferring (or seizing) FSMO roles:

  • PowerShell
  • ntdsutil.exe console tool
  • Graphical MMC AD management snap-ins (they are rarely used and only for the voluntary movement of FSMO roles between domain controllers; they don’t support forced seizure of FSMO roles).

How to Transfer FSMO Roles with PowerShell

The easiest way to transfer FSMO roles in a domain is to use the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet.

You can transfer one or more FSMO roles at a time. The following command will move two roles to the specified DC03:

Move-ADDirectoryServerOperationMasterRole -Identity dc03 -OperationMasterRole PDCEmulator, RIDMaster


In the OperationMasterRole argument, you can specify either the name of the FSMO role or its index according to the following table.

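Operation master role | Role index | Permissions required
----------------------|------------|---------------------
PDCEmulator           | 0          | Domain Admins
RIDMaster             | 1          | Domain Admins
InfrastructureMaster  | 2          | Domain Admins
SchemaMaster          | 3          | Schema Admins
DomainNamingMaster    | 4          | Enterprise Admins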

To transfer all FSMO roles at once to the additional domain controller, run this command:

Move-ADDirectoryServerOperationMasterRole -Identity dc03 -OperationMasterRole 0,1,2,3,4

If you receive an Access denied error when running the Move-ADDirectoryServerOperationMasterRole command, make sure that your account has been added to the relevant administrative group.

Using Ntdsutil.exe to Transfer Operation Masters Roles from CMD

Important. Use the ntdsutil tool with caution and ensure you fully understand each step before proceeding, as improper use can severely damage your Active Directory domain!

  1. Open a command prompt on a domain controller and run: ntdsutil
  2. Switch into FSMO roles maintenance mode: roles
  3. List DCs: connections
  4. Connect to the DC to which you want to transfer the FSMO roles: connect to server <servername>
  5. Type q and press Enter;
  6. To transfer an FSMO role, use this command: transfer <role>, where <role> is the role name. For example: transfer schema master, transfer RID, etc;
  7. Confirm the FSMO role transfer;
  8. When it is done, press q and then Enter to quit ntdsutil.exe;
  9. Restart the domain controller.

Seizing FSMO Roles from an AD Domain Controller

If a DC with one of the FSMO roles has been broken and cannot be restored, it is possible to forcefully seize any of the FSMO roles. However, it is critical to ensure that the server from which the FSMO role was seized will never (!!!) appear in the network; otherwise, you risk encountering issues with the Active Directory, even if the domain controller is later restored from an AD backup.

If you want to return the broken DC into the domain, the only proper procedure is to remove its computer account from AD, perform a clean Windows Server install with a new hostname, install the ADDS role, and promote the server to the domain controller.

To forcefully seize the FSMO role using the Move-ADDirectoryServerOperationMasterRole cmdlet, you need to add the -Force parameter.

For example, to seize the PDCEmulator role and force its transfer to DC02, run the command:

Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator -Force

You can also seize FSMO roles from one DC and assign them to another using the ntdsutil.exe tool. A role seizure is similar to a common transfer. Use the following commands:

ntdsutil
roles
connections
connect to server DC02    (the DC name to which you want to transfer the role)
quit    (exit the server connections prompt)

To seize different FSMO roles, use these commands:

seize schema master
seize naming master
seize rid master
seize pdc
seize infrastructure master
quit    (quit the fsmo maintenance prompt)
q    (exit ntdsutil)
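
The transfer and seizure sections above differ in one decision: whether the current role holder is still online. The wrapper below is an added example, not part of the original article. It assumes the RSAT ActiveDirectory module, uses hypothetical helper names (Get-FsmoHolder, Move-FsmoRoleGuarded), and treats a reply on LDAP port 389 as "online"; it refuses to pass -Force unless the holder is unreachable and the operator explicitly opts in.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module, as used elsewhere in the article

function Get-FsmoHolder {       # hypothetical helper: returns the FQDN of the current role holder
    param([string] $Role, [string] $Server)
    $p = @{}
    if ($Server) { $p.Server = $Server }
    if ($Role -in 'SchemaMaster', 'DomainNamingMaster') { (Get-ADForest @p).$Role }
    else { (Get-ADDomain @p).$Role }
}

function Move-FsmoRoleGuarded { # hypothetical wrapper, not a built-in cmdlet
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string] $Role,
        [switch] $AllowSeize    # explicit opt-in; without it -Force is never passed
    )
    $target = Get-ADDomainController -Identity $TargetDC
    if ($target.IsReadOnly) { throw "$TargetDC is an RODC and cannot own FSMO roles." }

    $current = Get-FsmoHolder -Role $Role
    if ($current -eq $target.HostName) { return "$Role is already held by $current" }

    # A holder that still answers on LDAP (TCP 389) gets a normal transfer, never a seizure.
    $online = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet
    $seize  = -not $online
    if ($seize -and -not $AllowSeize) {
        throw "$current is unreachable. Use -AllowSeize only if it will never return to the network."
    }
    $action = if ($seize) { 'Seize' } else { 'Transfer' }

    if ($PSCmdlet.ShouldProcess($TargetDC, "$action $Role (current holder: $current)")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
            -Force:$seize -Confirm:$false
        if ($seize) { Write-Warning "$current must be rebuilt, not restored, before it rejoins the domain." }
        # Read the holder back from the target DC to confirm the change.
        $now = Get-FsmoHolder -Role $Role -Server $target.HostName
        [pscustomobject]@{ Role = $Role; Action = $action; Previous = $current; Current = $now }
    }
}

# Dry run: report what would happen without changing anything (dc03 is the article's example target).
Move-FsmoRoleGuarded -TargetDC dc03 -Role RIDMaster -WhatIf
```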

Transferring FSMO Roles in AD using GUI

Standard Active Directory graphical snap-ins can be used to transfer FSMO roles between DCs. Ideally, the transfer operation should be performed from a DC that currently owns the FSMO role. If the server console is unavailable, use the Change Domain Controller option and select Connect to in the MMC snap-in.

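FSMO role             | MMC snap-in
----------------------|------------------------------------------------------
RID master            | Active Directory Users and Computers snap-in (dsa.msc)
PDC Emulator          | Active Directory Users and Computers snap-in (dsa.msc)
Infrastructure master | Active Directory Users and Computers snap-in (dsa.msc)
Domain naming master  | Active Directory Domains and Trusts (domain.msc)
Schema master         | Active Directory Schema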


How to Transfer RID Master, PDC Emulator, and Infrastructure Master Roles

The Active Directory Users and Computers (dsa.msc) MMC snap-in is used to transfer domain-level roles (RID, PDC Emulator, and Infrastructure Master).

  1. Open the Active Directory Users and Computers (ADUC) snap-in;
  2. Right-click your domain name and select Operations Master;
  3. A form containing three tabs (RID, PDC, Infrastructure) will appear. You can change the FSMO owner for each role by specifying a new DC and clicking the Change button on the corresponding tab.

How to Transfer Schema Master Role

The Active Directory Schema snap-in is used to transfer the forest-level Schema Master FSMO.

  1. First, register the schmmgmt.dll library using the command: regsvr32 schmmgmt.dll
  2. Type MMC in the command prompt;
  3. From the menu, select File -> Add/Remove snap-in and add the Active Directory Schema console;
  4. Right-click the console root (Active Directory Schema) and select Operations Master;
  5. Enter the name of the domain controller to which you want to transfer the Schema Master role, then click Change and OK. If the button is not available, make sure that your account is a member of the Schema Admins group.

How to Transfer Domain Naming Master FSMO

  1. To transfer the Domain Naming Master FSMO role, open the Active Directory Domains and Trusts snap-in
  2. Right-click the name of your domain and select Operations Master
  3. Click Change, enter the name of the domain controller, and click OK.
2 comments

Shlomi March 29, 2020 - 8:04 pm

Amazing guide!! Thank you so much.
Keep the good work

Tim July 13, 2021 - 3:35 pm

Thanks much for the explanation — I’d been stuck with a DC that had been removed from the building before I got here that had all the roles on it, and I couldn’t seem to figure out how to seize them back until your article.
