FSMO (Flexible Single Master Operations)

Remember that in the acronym FSMO, the word Flexible means that you can move the role to a
more suitable domain controller. There are two scenarios for transferring the FSMO roles, the
first is a planned transfer where the original FSMO Operations Master is up and running.
Alternatively, if the original FSMO master has been stolen, corrupted or otherwise unavailable
then you need NTDSUTIL
Topics for Transferring the FSMO Master.
Planning the FSMO Transfer
Where to Find the 5 FSMO Operation Masters
Pull those Operations Masters
At Last - We get to Press the Change Button
NTDSUTIL
Summary - FSMO transfer
Planning the FSMO Transfer
As a matter of planning strategy, decide if this move is a short term fix, or part of a long term
transfer of role. Another consideration is do you want all the roles on the same Domain
Controller. The answer is probably not, for example, best practice suggests that the Infrastructure
master should not be on a Global Catalog.
If the Global Catalog server and Infrastructure Master are on the same server, the Global Catalog
no longer updates information. You can either just accept this peculiarity, or research why it
thinks it knows best and does not need to replicate. This is only a problem in a multi-domain
forest.
Your planning should also take into account the fact that each domain has its own RID, PDC and
Infrastructure Master, while there is only one Schema and one Domain Naming Master for the
entire Active Directory Forest.
Finally a minor consideration, have you the correct rights, for example, do you have access to an
account, which is and Enterprise Administrator and Schema Administrator.
Where to Find the 5 FSMO Masters
Three of the FSMO Operational Masters are found under the
domain in Active Directory Users and Computers. The FSMO
roles found here are: RID, PDC and Infrastructure masters. Right
click on the domain name (cp.com in diagram) then select
Operations Masters.
The Domain Naming Master is tucked away under the Active
Directory Domains and Trusts. While the hardest FSMO master to
find is the Schema Master, the reason being you first have to
register the schema snap in with the command: Start, Run Start,
regsvr32 schmmgmt.dll.
Now that you have located the 5 Operation Masters, the technique to transfer ownership is the
same in each case.

http://www.trainsignal.com/AffiliateWiz/aw.aspx?B=1&A=24&Task=Click&TargetURl=http%3
A%2F%2Fwww%2Etrainsignal%2Ecom%2Findex%2Easp%3FPageAction%3DVIEWPROD%
26ProdID%3D6

http://www.trainsignal.com/AffiliateWiz/aw.aspx?B=1&A=24&Task=Click&TargetURl=http%3
A%2F%2Fwww%2Etrainsignal%2Ecom%2Findex%2Easp%3FPageAction%3DVIEWPROD%
26ProdID%3D6More Information. As an MCT trainer, I can thoroughly endorse TrainSignal
because they deliver practical hands on training. In particular, I like the way that TrainSignal
cover all learning methods, instructor lead, video and of course text material. You can either take
one module, for example File Server or go for a combination of modules. See more about
Windows 2003 training here

Pull those Operations Masters

The key concept is Pull. Make sure that you are connected to the
destination server. This is really such a simple point but once you
have grasped the concept, the knack transferring FSMO roles will
be easy. Sorry to harp on, but unless you make the new FSMO
domain controller the focus for the MMC snap in, trust me, you
will be frustrated.
At Last - We get to Press the Change Button
Now that you have the 'focus' on the new Operations Master, your
transfer will proceed smoothly. After double checking that the server names are the correct way
around, just click on the Change Button.
Now it's on to the next Operations Master,
remember that there are 5 roles. Although some Forests
may have more than one RID, PDC and Infrastructure
master, usually you only need to take one server out of
commission at a time. However if you are taking the
opportunity to restructure your FSMO roles then you may
have to make more than 5 changes.
NTDSutil
NT directory service utility (NTDSutil) reminds me of
UNIX or mainframes. What you get with NTDSutil is
command line program with powerful verbs that can
dramatically affect the operating system. Rather like
ESEutil you should take every opportunity to practice with NTDSutil, so that when you have to
use it in anger you will know what you are doing. Even so backup because there are no safety
checks and the wrong command can wreak havoc.
When you are configuring FSMO with NTDSutil, the command that is,
Seize PDC (or Seize RID etc). However, as soon as you execute NTDSutil you realize how many
different jobs this utility has.
Make use of help at every NTDSutil prompt
Sample NTDSutil command session
ntdsutil, roles - help
connections - help
connect to server yourserver (change yourserver but include the word 'to')
seize pdc (or other FSMO Role)

C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: help
? - Show this help information
Connections - Connect to a specific domain controller
Help - Show this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and
naming contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master

fsmo maintenance: connections

server connections: help
? - Show this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Show this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd.
Use "NULL" for null password,
* to enter password from the console.
server connections: connect to server william
Binding to william ...
Connected to william using credentials of locally logged on user.
server connections: seize pdc

Additional ideas to troubleshooting FSMO

▫
Summary - FSMO transfer
Before you learn the knack of transferring the FSMO or Operations Master, take a minute to plan
which Domain Controllers should hold which roles. It is possible that existing servers have
inappropriate roles, for example if your forest has grown, the Schema master is best in the Root
domain.
(There is a also an important Global Catalog Role, however its not a FSMO as you can have
more than one Global Catalog. See more on Global Catalog Server)