Migrating FSMO Roles – Primary Domain Controller Migration

In Active Directory (AD) any writable Domain Controller (DC) can create, modify and delete AD objects, because each one holds a writable copy of the domain partition (read-only DCs are the exception). Once a change is made on one DC, it is replicated to the remainder of the DCs.

In a single-DC domain, that one DC holds all of the FSMO (Flexible Single Master Operations) roles. In a multi-DC domain, a few operations cannot be allowed to happen on several DCs at once, because two DCs making the same kind of change at the same time could produce conflicting results (two DCs handing out the same RID, for instance, or two DCs editing the schema). Those operations are reserved for a single DC per domain or per forest, the role holder.

Under the older Windows NT domain model, one DC (the Primary Domain Controller) held the only writable copy of the directory and the other DCs (Backup Domain Controllers) held read-only copies used for authentication. That was a single point of failure. Today the exclusive right has become a role: any writable DC can be given a role, and a role can be transferred to another DC when its holder is taken offline (or seized, if the holder is lost for good).

There are five roles: three are domain specific (one holder per domain) and two are forest specific (one holder per forest).

1. Relative ID (RID) Master (domain level) – one in each domain. Allocates RID pools to each DC in the domain. Every security principal (user, group, computer) gets a SID made of the domain SID plus a unique RID, and a DC takes the RID from its local pool when it creates one. The domain keeps working if the RID Master goes offline, but only until a DC exhausts its pool; after that, that DC can no longer create security principals.

2. Primary Domain Controller (PDC) Emulator (domain level) – one in each domain. It is the authoritative time source for its domain, and the PDC Emulator of the forest root domain sits at the top of the time hierarchy and should itself sync with a reliable external source. DFS namespace servers poll the PDC Emulator for namespace changes by default. Password changes and account lockouts are replicated to it urgently, other DCs retry a failed password validation against it before reporting a bad password, the Group Policy editors connect to it by default when a GPO is edited, and it carries other legacy functionality (NT-style PDC duties).

3. Infrastructure Master (domain level) – one in each domain. Maintains the references its domain holds to objects in other domains of the forest (for example a user from domain A who is a member of a group in domain B). When the referenced object is renamed or moved, it updates the stored SID and Distinguished Name (DN), locating the object by its GUID, and it cleans up references whose target has been deleted. If this role goes offline, cross-domain object names stop being updated, but access still works because group membership and trusts are evaluated by SID. In a single-domain forest the role has nothing to do. Caveat: in a multi-domain forest, do not place it on a Global Catalog server unless every DC in the domain is a Global Catalog, otherwise it never finds anything to update and the cross-domain references go stale.

4. Domain Naming Master (forest level) – one in each forest. The only DC that can add domains and application directory partitions to the forest or remove them. Since these are infrequent operations, the Domain Naming Master being offline for some time has very little impact on day-to-day operations.

5. Schema Master (forest level) – one in each forest. The only DC that can modify the schema, which defines the object classes (user, group, computer and so on) and the attributes that can exist in the AD database. Funnelling schema changes through a single DC prevents overlapping or conflicting updates; the change is made there and then replicated to every other DC in the forest. Schema changes are infrequent; typical examples are upgrading AD to a newer Windows Server version (adprep /forestprep extends the schema and runs against the Schema Master) and installing software that extends the schema, Exchange being the classic case.


Check Current Status

To see which DCs hold the FSMO roles, run the following from an elevated command prompt or PowerShell on any DC, or on a machine with the AD RSAT tools installed. netdom lists all five roles as seen from the domain you are logged on to:

netdom query fsmo

The ActiveDirectory PowerShell module separates the domain-level and forest-level roles. In a multi-domain forest, run Get-ADDomain once per domain (add -Identity <domain> to query a domain other than your own); Get-ADForest covers the two forest roles.

Get-ADDomain | Select-Object InfrastructureMaster, PDCEmulator, RIDMaster
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
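The two cmdlets above only cover one domain at a time. The following is an added example, not code from the original article: it walks every domain in the forest, lists all five holders in one table, and flags the Infrastructure Master placement caveat described under role 3. It assumes the ActiveDirectory module (RSAT) and read access to the forest.

```powershell
# Added example: forest-wide FSMO inventory with an Infrastructure Master placement check.
# Assumes the ActiveDirectory module and read rights to every domain in the forest.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    [CmdletBinding()]
    param(
        # Forest to query; defaults to the forest of the current user/machine.
        [string]$Forest = (Get-ADForest).Name
    )

    $forestObj = Get-ADForest -Identity $Forest

    # Forest-wide roles: exactly one holder for the whole forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [PSCustomObject]@{
            Scope  = 'Forest'
            Domain = $forestObj.RootDomain
            Role   = $role
            Holder = $forestObj.$role
            Note   = ''
        }
    }

    # Domain roles: one holder per domain, so walk every domain in the forest.
    foreach ($domainName in $forestObj.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domainName

        # If the Infrastructure Master is a Global Catalog while some DCs in the
        # domain are not, it holds no cross-domain phantoms and never updates them.
        # Harmless when every DC is a GC (and irrelevant in a single-domain forest).
        $imNote = ''
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($im -and $im.IsGlobalCatalog -and -not $allGc -and $forestObj.Domains.Count -gt 1) {
            $imNote = 'Infrastructure Master is a GC but not every DC is; move it to a non-GC DC'
        }

        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [PSCustomObject]@{
                Scope  = 'Domain'
                Domain = $domainName
                Role   = $role
                Holder = $domain.$role
                Note   = if ($role -eq 'InfrastructureMaster') { $imNote } else { '' }
            }
        }
    }
}

# Usage: one row per role, per domain.
Get-FsmoInventory | Format-Table -AutoSize
```

Run it before and after a migration; the Note column is empty unless the Infrastructure Master is misplaced.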

Migration

Before migrating any roles, make sure that both the source DC (the one giving up the role) and the destination DC (the one receiving it) are replicating with all of their partners, inbound and outbound, without errors, and that you have a current system state backup of the DCs. A role transfer is a graceful handoff between two live DCs; if the source is permanently gone, the role has to be seized instead, and a DC whose roles were seized must never be brought back online with its old copy of the directory.

Migration is typically done ahead of OS upgrades, before changing a DC's IP address, before demoting a DC, before taking a DC offline for maintenance, or when the current holder has performance issues.
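The pre-flight check described above, written out as an added example (not code from the original article). It reads each DC's replication partner metadata and recorded failures and returns $false if either DC is unreachable, has a failing link, or has a link with no recent success. It assumes the ActiveDirectory module on Windows Server 2012 or later; the DC names in the usage line are hypothetical.

```powershell
# Added example: refuse to transfer FSMO roles unless both DCs replicate cleanly.
# Assumes the ActiveDirectory module (Server 2012+); DC names are hypothetical.
Import-Module ActiveDirectory

function Test-FsmoTransferReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourceDc,
        [Parameter(Mandatory)][string]$DestinationDc,
        # Treat a partner link as stale if its last success is older than this.
        [int]$MaxHoursSinceSuccess = 24
    )

    $ok = $true
    foreach ($dc in @($SourceDc, $DestinationDc)) {
        # Both ends of a transfer must be online; a dead source means seize, not transfer.
        try { $null = Get-ADDomainController -Identity $dc -ErrorAction Stop }
        catch { Write-Warning "$dc is not reachable: $($_.Exception.Message)"; $ok = $false; continue }

        # Inbound and outbound links for every partition hosted on this DC.
        try {
            $links = Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both -Partition * -ErrorAction Stop
        } catch {
            Write-Warning "Could not read replication metadata from ${dc}: $($_.Exception.Message)"
            $ok = $false; continue
        }

        foreach ($l in $links) {
            if (-not $l.LastReplicationSuccess) {
                Write-Warning "$dc $($l.PartnerType) $($l.Partner) [$($l.Partition)] has never replicated"
                $ok = $false; continue
            }
            $age = (Get-Date) - $l.LastReplicationSuccess
            # LastReplicationResult is a Win32 error code; 0 means the last attempt succeeded.
            if ($l.LastReplicationResult -ne 0 -or $age.TotalHours -gt $MaxHoursSinceSuccess) {
                Write-Warning ("{0} {1} {2} [{3}]: result={4}, last success {5:N1}h ago, {6} consecutive failures" -f
                    $dc, $l.PartnerType, $l.Partner, $l.Partition, $l.LastReplicationResult,
                    $age.TotalHours, $l.ConsecutiveReplicationFailures)
                $ok = $false
            }
        }

        # Recorded failures are an independent signal and persist until replication recovers.
        $failures = Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue
        foreach ($f in $failures) {
            Write-Warning "$dc failure with $($f.Partner): error $($f.LastError), $($f.FailureCount) times"
            $ok = $false
        }
    }
    return $ok
}

# Usage (run as Domain Admin); do not transfer if this returns $false.
# Test-FsmoTransferReadiness -SourceDc 'dc1.corp.example' -DestinationDc 'dc2.corp.example'
```

Fix whatever it reports (repadmin /showrepl on the offending DC gives the same data in text form) before moving any role.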

The PowerShell cmdlet can be run on the destination DC or on any host with the ActiveDirectory module; -Identity names the destination DC, the one that will receive the role. Replace "dc1" with the name of the destination DC. You need Domain Admins rights for the three domain roles, Enterprise Admins for the Domain Naming Master and Schema Admins for the Schema Master. Each line transfers one role (the same parameter also accepts a comma-separated list, so all five can be moved in one call).

Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole InfrastructureMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole DomainNamingMaster
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole SchemaMaster
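A wrapped form of the same transfer, as an added example that is not code from the original article: it moves all five roles in one call, supports -WhatIf for a dry run, refuses a read-only DC as destination, and makes seizing (the cmdlet's -Force switch) an explicit opt-in rather than the default. It assumes the ActiveDirectory module; the DC name in the usage lines is hypothetical.

```powershell
# Added example: transfer (or, explicitly, seize) every FSMO role to one DC.
# Assumes the ActiveDirectory module; 'dc2.corp.example' is a hypothetical name.
Import-Module ActiveDirectory

function Move-AllFsmoRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DestinationDc,
        # Seize instead of transfer. Only when the current holder is gone for good:
        # a DC whose roles were seized must never come back online with its old directory.
        [switch]$Seize
    )

    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

    # The destination must be a writable DC; RODCs cannot hold operations master roles.
    $dest = Get-ADDomainController -Identity $DestinationDc -ErrorAction Stop
    if ($dest.IsReadOnly) { throw "$($dest.HostName) is a read-only DC and cannot hold FSMO roles" }

    $params = @{
        Identity            = $dest.HostName
        OperationMasterRole = $roles
        ErrorAction         = 'Stop'
    }
    # With -Force the cmdlet still tries a graceful transfer first and only seizes
    # (writes fSMORoleOwner without the current holder's cooperation) if that fails.
    if ($Seize) { $params.Force = $true }

    $action = if ($Seize) { 'Seize' } else { 'Transfer' }
    if ($PSCmdlet.ShouldProcess($dest.HostName, "$action roles: $($roles -join ', ')")) {
        # -Confirm:$false suppresses the per-role prompt; ShouldProcess above already asked.
        Move-ADDirectoryServerOperationMasterRole @params -Confirm:$false
    }
}

# Usage. Rights needed: Domain Admins for the three domain roles, plus
# Enterprise Admins (DomainNamingMaster) and Schema Admins (SchemaMaster).
# Move-AllFsmoRoles -DestinationDc 'dc2.corp.example' -WhatIf   # dry run, changes nothing
# Move-AllFsmoRoles -DestinationDc 'dc2.corp.example'           # graceful transfer
# Move-AllFsmoRoles -DestinationDc 'dc2.corp.example' -Seize    # only if the holder is lost
```

Run the dry run first; it prints one "What if" line per destination and performs no change.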

The same can be done from the GUI. Open Active Directory Users and Computers on the destination DC (or connect the console to the destination DC via Change Domain Controller, since the Change button transfers the role to whichever DC the console is connected to), right-click your domain > Operations Masters, and on each tab (RID, PDC, Infrastructure) click Change.

For the Domain Naming Master, do the same from Active Directory Domains and Trusts on the destination DC: right-click the Active Directory Domains and Trusts node at the top of the tree > Operations Master > Change.

For the Schema Master the snap-in has to be registered first. On the destination DC open the Start menu, search for "Run", and enter the following:

regsvr32 schmmgmt.dll

Then open MMC and add the Active Directory Schema snap-in. Right-click the Active Directory Schema node > Change Active Directory Domain Controller and make sure it is connected to the destination DC, then right-click the node again > Operations Master > Change.


Validation

To validate that the changes were made correctly, run the following from any DC in the domain (or forest, for the forest roles). Role ownership is an ordinary replicated attribute (fSMORoleOwner), so a DC that has not yet received the change will still report the old holder; if the answer differs between DCs, wait for replication or force it with repadmin /syncall and query again.

netdom query fsmo
Get-ADDomain | Select-Object InfrastructureMaster, PDCEmulator, RIDMaster
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Graphically, the same can be checked in the Operations Master dialogs of Active Directory Users and Computers, Active Directory Domains and Trusts and the Active Directory Schema snap-in.
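Because each DC reports its own replicated copy of the role owner, a single query can mislead. The following added example (not code from the original article) asks every DC in the domain for its view of all five holders and returns $true only when every DC agrees with the expected holders. It assumes the ActiveDirectory module; the expected holder names in the usage line are hypothetical.

```powershell
# Added example: confirm every DC agrees on the new FSMO holders after a transfer.
# Assumes the ActiveDirectory module; the holder names in the usage line are hypothetical.
Import-Module ActiveDirectory

function Test-FsmoConsistency {
    [CmdletBinding()]
    param(
        # Map of role name -> expected holder FQDN, e.g. @{ PDCEmulator = 'dc2.corp.example' }.
        # Only the roles listed are checked, so a partial map is fine.
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $consistent = $true
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        # -Server forces the read against this particular DC, so we see its replica,
        # not whichever DC the locator would otherwise pick.
        try {
            $d = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
            $f = Get-ADForest -Server $dc.HostName -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            $consistent = $false; continue
        }
        $view = @{
            PDCEmulator          = $d.PDCEmulator
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
            DomainNamingMaster   = $f.DomainNamingMaster
            SchemaMaster         = $f.SchemaMaster
        }
        foreach ($role in $Expected.Keys) {
            # -ne is case-insensitive in PowerShell, so FQDN casing does not matter.
            if ($view[$role] -ne $Expected[$role]) {
                Write-Warning ("{0} still reports {1} = {2} (expected {3})" -f
                    $dc.HostName, $role, $view[$role], $Expected[$role])
                $consistent = $false
            }
        }
    }
    return $consistent
}

# Usage: re-run until it returns $true, or push replication first with: repadmin /syncall /AdeP
# Test-FsmoConsistency -Expected @{ PDCEmulator = 'dc2.corp.example'; RIDMaster = 'dc2.corp.example' }
```

A DC that still reports the old holder after replication has converged points at a replication problem on that DC, not at the transfer.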

More articles by Mouzam A.