Tuesday, December 24, 2013

Windows Server 2012 - Active Directory - FSMO role transfer


Transferring the "Flexible Single Master Operations" (FSMO) roles
 

Note: if you do not know what the "FSMO" roles are, or wish to know more, please see this link:

Operations master roles

This is a well-known subject among Active Directory administrators.

Even before Windows Server 2012, there was no lack of methods for transferring the FSMO roles:

If there were only two domain controllers, we could simply demote one with DCPROMO. If the domain controller being demoted held the FSMO roles, the demotion process transferred them to the remaining domain controller.

If there were more than two domain controllers (or we wanted to choose the new holder ourselves), we could transfer the roles with the various graphic interfaces described below, or with ntdsutil.

Whichever method is used, the account performing the transfer must have the right to do so: Domain Admins for the PDC emulator, RID master and infrastructure master, Enterprise Admins for the domain naming master, and Schema Admins for the schema master. A transfer also requires the current holder to be online and replicating. If the current holder is permanently gone, the roles must be seized instead (ntdsutil "seize ..." or Move-ADDirectoryServerOperationMasterRole -Force), and the former holder must then never be brought back onto the network.


Transferring roles with the graphic interface

We need to use three different "tools" to transfer all the FSMO roles:

  • Active Directory Users and Computers for the PDC emulator (PDCe), RID Master and Infrastructure Master roles
  • Active Directory Domains and Trusts for the Domain Naming Master
  • Active Directory Schema, which is only available as an MMC snap-in after registering schmmgmt.dll (see step 8 below)


We'll first transfer the PDC emulator, the RID Master and Infrastructure Master in Active Directory Users and Computers (ADUC).

1. Open ADUC, right-click on the domain and select "Operations Masters" in the menu:




2. Attempt to change the Operations Master and observe the error message:



The error appears because ADUC is connected to the domain controller that currently holds the role, and a role cannot be transferred to the domain controller we are already connected to. We must first connect the console to the domain controller that will receive the roles.


3. This time, select "Change Domain Controller":




4. Connect to the domain controller to which you intend to transfer the roles:




5. Now go back to the menu (as illustrated above) and select "Operations Masters".


6. We'll use the RID Master as an example below. In the "Operations Masters" dialog, the domain controller we just connected to is now listed as the one the role will be transferred to, rather than the current holder. Click on "Change" and confirm. Repeat the same operation for the PDCe and the Infrastructure Master.




7. For the Domain Naming Master, we perform the same type of operation in the Active Directory Domains and Trusts MMC (again after connecting the console to the target domain controller).




8. For the Schema Master, we must first register the schema management .dll (run "regsvr32 schmmgmt.dll" from an elevated command prompt) and then add the "Active Directory Schema" snap-in to a Microsoft Management Console (mmc.exe). We then proceed as we did for the other roles above: connect to the target domain controller, open the operations master dialog and click "Change".




Note: regsvr32 displays a confirmation message (which can be closed, not shown above) indicating that the registration was successful. I'll assume the reader knows how to add "snap-ins" to an MMC. If not, please search for instructions online.


We can confirm the new owner (or "holder") of the roles in the graphic interfaces themselves, or with the concise "netdom query fsmo" command:


BEFORE

PS C:\> netdom query fsmo

Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz


AFTER

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz


Of course, this command could also be used to confirm successful transfers after using the command line to move the roles from one domain controller to another.



Transferring roles with NTDSUTIL (command line interface)


We can transfer the roles at the command line using ntdsutil as shown below.

But first some notes:

Since Windows Server 2008, ntdsutil must be pointed at an "instance" of the directory service before the role commands will work, with the command...

activate instance ntds

This was not necessary with Windows Server 2003.

Second, the syntax for the Domain Naming master has changed.

With Windows 2003, we would enter:

transfer domain naming master

Since Windows 2008, we must enter

transfer naming master


Having clarified those points, let's enter the sequence of commands that transfers the roles (I will double space for readability; on each line, the text after the prompt is the command to enter):

PS C:\> ntdsutil

C:\Windows\system32\ntdsutil.exe: activate instance ntds

Active instance set to "ntds".

C:\Windows\system32\ntdsutil.exe: roles

fsmo maintenance: connections

server connections: connect to server DC-004

Binding to DC-004 ...

Connected to DC-004 using credentials of locally logged on user.

server connections: quit

Note: at this point, depending on the roles we want to transfer, we enter any or all of the following. Each transfer prompts a "Role Transfer Confirmation" dialog that must be accepted:

fsmo maintenance: transfer schema master

fsmo maintenance: transfer naming master

fsmo maintenance: transfer rid master

fsmo maintenance: transfer pdc

fsmo maintenance: transfer infrastructure master



Once the command is entered (and Enter is pressed), ntdsutil produces some rather verbose output indicating which domain controller holds which roles. In the case of the Schema Master we would see something like this:

fsmo maintenance: transfer schema master

Server "DC-004" knows about 5 roles

Schema - CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Naming Master - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

PDC - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

RID - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Infrastructure - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz


In this case, we can see (if we look carefully) that DC-004 is now the Schema Master but DC-001 still holds the other operations roles.



Transferring roles with PowerShell

With PowerShell version 3 (part of Windows Server 2012) and version 4 (Windows Server 2012 R2), the Active Directory module's "Move-ADDirectoryServerOperationMasterRole" cmdlet transfers (or "moves") the operations master roles. We can either type the full name of each role...


Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Or the numbers that represent the roles:

  • PDCEmulator = 0
  • RIDMaster = 1
  • InfrastructureMaster = 2
  • SchemaMaster = 3
  • DomainNamingMaster = 4


So if we wanted to transfer all the roles to domain controller DC-001, we would enter this:

PS C:\>Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4


Despite the rather long cmdlet name (of which we only need to type the first eight letters or so and then press Tab), the rest of the command can be quite concise if we use (and know) the numbers. Likewise, "-id" is simply the abbreviated form of the "-Identity" parameter.

This cmdlet works quite nicely as we can see here.

At first, DC-004 holds the roles:

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz

We transfer them to DC-001...

PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role 'PDCEmulator' to server 'DC-001.machlinkit.biz' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

We confirm the transfers with...

PS C:\> netdom query fsmo

Schema master               DC-001.machlinkit.biz
Domain naming master        DC-001.machlinkit.biz
PDC                         DC-001.machlinkit.biz
RID pool manager            DC-001.machlinkit.biz
Infrastructure master       DC-001.machlinkit.biz


Move-ADDirectoryServerOperationMasterRole
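The cmdlet runs shown above move the roles and then confirm the result by hand with netdom. The following script does the same thing end to end, with the checks I would want before and after an unattended transfer: it resolves the target as a domain controller (so a typo fails before any role is touched), refuses to proceed if the target reports replication failures, moves only the roles the target does not already hold, and then re-reads all five holders through Get-ADForest / Get-ADDomain and fails loudly if any role did not land on the target. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed, that the caller is a member of Domain Admins, Enterprise Admins and Schema Admins, and that DC-004 and machlinkit.biz are the names used in the post. The function names Get-FsmoHolder and Move-AllFsmoRole are mine.

```powershell
# Added example (not from the original post): scripted FSMO transfer with pre- and post-checks.
# Assumptions: ActiveDirectory module available; caller holds Domain/Enterprise/Schema Admins;
# DC names and domain are those used in the post. Function names are our own.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoHolder {
    # Returns role name -> holder FQDN. Forest-wide roles come from Get-ADForest,
    # domain roles from Get-ADDomain. The keys use the same names as the enum
    # accepted by Move-ADDirectoryServerOperationMasterRole.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    return [ordered]@{
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Move-AllFsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,   # e.g. DC-004
        [switch]$WhatIf
    )
    # Resolve the target as a domain controller object. Get-ADDomainController throws
    # if the name is not a DC, which catches a typo before any role is touched.
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $fqdn   = $target.HostName

    # A target with broken inbound replication will not pick up the transfer cleanly;
    # refuse to continue if it reports replication failures.
    $failures = @(Get-ADReplicationFailure -Target $fqdn -ErrorAction Stop)
    if ($failures.Count -gt 0) {
        throw "$fqdn reports $($failures.Count) replication failure(s); fix replication before transferring roles."
    }

    $before = Get-FsmoHolder -Domain $target.Domain
    # Only move the roles the target does not already hold (string comparison is
    # case-insensitive in PowerShell, so DC-004 vs dc-004 is not a false mismatch).
    $toMove = @($before.Keys | Where-Object { $before[$_] -ne $fqdn })
    if ($toMove.Count -eq 0) {
        Write-Host "$fqdn already holds all five roles; nothing to do."
        return $before
    }
    Write-Host "Moving $($toMove -join ', ') to $fqdn"

    # -Confirm:$false suppresses the per-role Y/N prompt seen in the interactive run.
    # Deliberately NOT using -Force: that seizes the roles instead of transferring them
    # and is only appropriate when the current holder is permanently gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $toMove -Confirm:$false -WhatIf:$WhatIf

    if ($WhatIf) { return $before }

    # Re-read the holders and fail if any role did not land on the target.
    $after = Get-FsmoHolder -Domain $target.Domain
    $wrong = @($after.Keys | Where-Object { $after[$_] -ne $fqdn })
    if ($wrong.Count -gt 0) {
        throw "Transfer incomplete; roles still elsewhere: $($wrong -join ', ')"
    }
    return $after
}

# Usage (equivalent to the post's "-OperationMasterRole 0,1,2,3,4" run, target DC-004):
# Move-AllFsmoRole -TargetDC DC-004 | Format-Table -AutoSize
# Dry run that only reports what would be moved:
# Move-AllFsmoRole -TargetDC DC-004 -WhatIf
```

Because the post-check reads the role holders from the directory itself rather than from the cmdlet's exit status, it also catches the case where a transfer succeeded on the old holder but the change has not yet replicated to the DC the script is querying: in that situation the script throws, which is the right outcome for an unattended job.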




Transferring the roles by domain controller demotion

Lastly, if we only have two domain controllers, or have no preference for the new FSMO holder, we can demote the current holder and the roles will be transferred to another domain controller automatically. I will not detail the demotion of a domain controller here, but this is what "netdom query fsmo" shows after the process:

PS C:\> netdom query fsmo

Schema master               DC-004.machlinkit.biz
Domain naming master        DC-004.machlinkit.biz
PDC                         DC-004.machlinkit.biz
RID pool manager            DC-004.machlinkit.biz
Infrastructure master       DC-004.machlinkit.biz


So after demoting DC-001, the FSMO roles are automatically transferred to DC-004. No manual intervention was necessary.

2 comments:

  1. Great guide!! Very complete and useful.

  2. Thanks for the amazing article. My two cents about FSMO Roles and steps to transfer FSMO Roles.

    www.itingredients.com/what-is-fsmo-roles-flexible-single-master-operations/