Transferring or seizing FSMO roles in Active Directory Domain Services

Applies to: Windows Server, version 2004, all editions; Windows Server, version 1903, all editions; Windows Server 2019, all editions

Summary


This article describes when and how to transfer or seize Flexible Single Master Operations (FSMO) roles. 

More information


Within an Active Directory Domain Services (AD DS) forest, there are specific tasks that must be performed by only one domain controller. The DCs that are assigned to perform these unique operations are known as Flexible Single Master Operations (FSMO) role holders. The following table lists the FSMO roles and their placement in Active Directory.

Role                    Scope         Naming context (Active Directory partition)
Schema master           Forest-wide   CN=Schema,CN=Configuration,DC=<forest root domain>
Domain naming master    Forest-wide   CN=Configuration,DC=<forest root domain>
RID master              Domain-wide   DC=<domain>
PDC emulator            Domain-wide   DC=<domain>
Infrastructure master   Domain-wide   DC=<domain>

For more information about the FSMO role holders and recommendations for placing the roles, see FSMO placement and optimization on Active Directory domain controllers.

When a DC that has been acting as a role holder starts to run (for example, after a failure or a shutdown), it does not immediately resume behaving as the role holder. The DC waits until it receives inbound replication for its naming context (for example, the Schema master role owner waits to receive inbound replication of the Schema partition).

The information that the DCs pass as part of Active Directory replication includes the identities of the current FSMO role holders. When the newly started DC receives the inbound replication information, it verifies whether it is still the role holder. If it is, it resumes typical operations. If the replicated information indicates that another DC is acting as the role holder, the newly-started DC relinquishes its role ownership. This behavior reduces the chance that the domain or forest will have duplicate FSMO role holders.

For more information, see the following Knowledge Base article:

305476 Initial synchronization requirements for Windows Server operations master role holders

 

Determine when to transfer or seize roles

Under typical conditions, all five roles must be assigned to “live” DCs in the forest. When you create an Active Directory forest, the Active Directory Installation Wizard (Dcpromo.exe) assigns all five FSMO roles to the first DC that it creates in the forest root domain. When you create a child or tree domain, Dcpromo.exe assigns the three domain-wide roles to the first DC in the domain.

DCs continue to own FSMO roles until they are reassigned by using one of the following methods:

  • An administrator reassigns the role by using a GUI administrative tool.
  • An administrator reassigns the role by using the ntdsutil /roles command.
  • An administrator gracefully demotes a role-holding DC by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing DC in the forest.
  • An administrator demotes a role-holding DC by using the dcpromo /forceremoval command.
  • The DC shuts down and restarts. When the DC restarts, it receives inbound replication information that indicates that another DC is the role holder. In this case, the newly-started DC relinquishes the role (as described previously).

If an FSMO role holder experiences a failure or is otherwise taken out of service before its roles are transferred, you must seize the roles and assign them to an appropriate, healthy DC. The former role holder must not return to the network as a DC until it has been rebuilt or force-demoted and its metadata has been cleaned up (see "Considerations when repairing or removing previous role holders" later in this article); otherwise the domain or forest can end up with duplicate role holders.

We recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a DC that currently owns FSMO roles that you want to assign to a specific DC in your Active Directory forest.
  • The DC that currently owns FSMO roles is being taken offline for scheduled maintenance, and you have to assign specific FSMO roles to “live” DCs. You may have to transfer roles to perform operations that affect the FSMO owner. This is especially true for the PDC Emulator role. This is a less important issue for the RID master role, the Domain naming master role, and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

  • The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully, and you cannot transfer the role.
  • You use the dcpromo /forceremoval command to force-demote a DC that owns an FSMO role.
  • The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.


Identifying a new role holder

The best candidate for the new role holder is a DC that meets the following criteria:

  • It resides in the same domain as the previous role holder.
  • It has the most recent replicated writable copy of the role partition.

For example, assume that you have to transfer the Schema master role. The Schema master role is part of the schema partition of the forest (cn=Schema,cn=Configuration,dc=<forest root domain>). The best candidate for a new role holder is a DC that also resides in the forest root domain, and in the same Active Directory site as the current role holder.

For more information, see the following resources:


Seizing or transferring FSMO roles

You can use Windows PowerShell or Ntdsutil to seize or transfer roles. For information and examples of how to use PowerShell for these tasks, see Move-ADDirectoryServerOperationMasterRole.

To seize or transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

  1. Sign in to a member computer that has the AD RSAT tools installed, or a DC that is located in the forest where FSMO roles are being transferred.
  2. Select Start > Run, type ntdsutil in the Open box, and then select OK.
  3. Type roles, and then press Enter.
  4. Type connections, and then press Enter.
  5. Type connect to server <servername>, and then press Enter. The <servername> is the DC that will become the new role holder.
  6. At the server connections prompt, type q, and then press Enter.
  7. Do one of the following:
    • To transfer the role: Type transfer <role>, and then press Enter.
    • To seize the role: Type seize <role>, and then press Enter.
    For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.

    To see a list of roles that you can transfer or seize, type ? at the fsmo maintenance prompt, and then press Enter, or see the list of roles at the start of this article.
  8. At the fsmo maintenance prompt, type q, and then press Enter to gain access to the ntdsutil prompt. Type q, and then press Enter to quit the Ntdsutil utility.
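The same procedure with the ActiveDirectory PowerShell module, as an added example that is not part of the original article: it attempts a graceful transfer of each role first and falls back to a seizure (Move-ADDirectoryServerOperationMasterRole -Force) only when the transfer fails and the current holder no longer answers on the network, which is the decision rule the previous sections describe. The DC name DC02.corp.example is hypothetical; the script assumes the RSAT-AD-PowerShell feature is installed and that you run it as a member of Enterprise Admins (needed for the two forest-wide roles) and Domain Admins.

```powershell
# Added example, not code from the original article. Assumes RSAT-AD-PowerShell
# and sufficient rights (Enterprise Admins for Schema/Domain naming master,
# Domain Admins for the three domain-wide roles). DC names are hypothetical.
Import-Module ActiveDirectory

$NewHolder = 'DC02.corp.example'   # hypothetical DC that should end up owning the roles
$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')

function Get-FsmoHolders {
    # Current role owners as the DC we are bound to sees them (forest-wide roles
    # come from Get-ADForest, domain-wide roles from Get-ADDomain).
    $f = Get-ADForest
    $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Write-Host 'Role holders before:'
Get-FsmoHolders | Format-Table -AutoSize

foreach ($role in $Roles) {
    $current = (Get-FsmoHolders)[$role]
    if ($current -eq $NewHolder) { continue }   # already where we want it

    try {
        # Graceful transfer: the current holder must be online and reachable
        # from $NewHolder, because the two DCs replicate the role change.
        Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
            -OperationMasterRole $role -Confirm:$false -ErrorAction Stop
        Write-Host "Transferred $role from $current to $NewHolder"
    }
    catch {
        Write-Warning "Transfer of $role from $current failed: $($_.Exception.Message)"

        # Seize only when the old holder is really gone. A seized-from DC must
        # never be returned to the network without a rebuild and metadata cleanup.
        if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
            Write-Warning "$current still answers on the network; investigate rather than seize $role."
            continue
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
            -OperationMasterRole $role -Force -Confirm:$false
        Write-Host "Seized $role on $NewHolder"
    }
}

Write-Host 'Role holders after:'
Get-FsmoHolders | Format-Table -AutoSize
```

The ping check is a coarse liveness test taken from the administrator's workstation, not from the target DC; treat it as a guard against seizing a role whose holder is merely unreachable from one site, not as proof that the holder is dead. If the old holder turns out to be alive after a seizure, force-demote it and clean up its metadata as described in the next section.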


Considerations when repairing or removing previous role holders

If it is possible, and if you were able to transfer the roles instead of seizing them, fix the previous role holder. If you cannot fix the previous role holder, or if you seized the roles, remove the previous role holder from the domain.

To return the repaired computer to the forest as a DC

  1. Do one of the following:
    • Format the hard disk of the former role holder, and then reinstall Windows on the computer.
    • Forcibly demote the former role holder to a member server.
  2. On another DC in the forest, use Ntdsutil to remove the metadata for the former role holder. For more information, see To clean up server metadata by using Ntdsutil.
  3. After you clean up the metadata, you can repromote the computer to a DC, and transfer a role back to it.

To remove the computer from the forest after seizing its roles

  1. Remove the computer from the domain.
  2. On another DC in the forest, use Ntdsutil to remove the metadata for the former role holder. For more information, see To clean up server metadata by using Ntdsutil.
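An added example for the cleanup step above (not from the original article): before removing a former role holder's metadata, it verifies that none of the five fSMORoleOwner attributes still records that DC's NTDS Settings object, so a role that was never seized is not silently left pointing at a server that is about to disappear; it then calls Ntdsutil's metadata cleanup with the server object's distinguished name. The DC name DC01 is hypothetical, and the script assumes it runs on a surviving DC (or RSAT host) as a Domain Admin; the domain and configuration DNs are read from the directory.

```powershell
# Added example, not code from the original article. Run on a surviving DC or
# an RSAT host with Domain Admin rights. $FormerDc is hypothetical.
Import-Module ActiveDirectory

$FormerDc = 'DC01'   # hypothetical name of the dead/seized-from DC

$Domain   = Get-ADDomain
$Forest   = Get-ADForest
$DomainDN = $Domain.DistinguishedName
$RootDN   = (Get-ADDomain -Identity $Forest.RootDomain).DistinguishedName
$ConfigDN = "CN=Configuration,$RootDN"

# Objects whose fSMORoleOwner attribute records the holder of each role.
$RoleObjects = [ordered]@{
    SchemaMaster         = "CN=Schema,$ConfigDN"
    DomainNamingMaster   = "CN=Partitions,$ConfigDN"
    PDCEmulator          = $DomainDN
    RIDMaster            = 'CN=RID Manager$,CN=System,' + $DomainDN
    InfrastructureMaster = "CN=Infrastructure,$DomainDN"
}

# fSMORoleOwner holds the DN of the owner's NTDS Settings object, e.g.
# CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=...
$stale = foreach ($role in $RoleObjects.Keys) {
    $owner = (Get-ADObject -Identity $RoleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
    if ($owner -match "^CN=NTDS Settings,CN=$([regex]::Escape($FormerDc)),") { "$role -> $owner" }
}
if ($stale) {
    Write-Warning "These roles are still recorded on $FormerDc; seize them first:`n$($stale -join "`n")"
    return
}

# Locate the former DC's server object under the Sites container.
$server = Get-ADObject -SearchBase "CN=Sites,$ConfigDN" `
    -LDAPFilter "(&(objectClass=server)(cn=$FormerDc))"
if (-not $server) {
    Write-Host "No server object named $FormerDc found; nothing to clean up."
    return
}

Write-Host "Removing metadata for $($server.DistinguishedName)"
# Ntdsutil removes the server object, its NTDS Settings child and the related
# replication metadata. It asks for confirmation in a dialog box; there is no
# -WhatIf, so check the DN printed above before answering.
& ntdsutil.exe 'metadata cleanup' "remove selected server $($server.DistinguishedName)" quit quit
```

After the cleanup, check that the former DC's computer account, its DNS records (A, SRV and CNAME under _msdcs) and any DFSR or FRS member objects are also gone, because a stale entry there can let a rebuilt machine with the same name look like the old DC to clients.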


Considerations when reintegrating replication islands

When part of a domain or forest cannot communicate with the rest of the domain or forest for an extended time, the isolated sections of domain or forest are known as replication islands. DCs in one island cannot replicate with the DCs in other islands. Over multiple replication cycles, the replication islands fall out of sync. If each island has its own FSMO role holders, you may have problems when you restore communication between the islands.

The following table identifies the FSMO roles that can cause problems if a forest or domain has multiple role holders for that role:

Role                    Potential conflicts between multiple role holders?
Schema master           Yes
Domain naming master    Yes
RID master              Yes
PDC emulator            No
Infrastructure master   No

This issue does not affect the PDC emulator or the Infrastructure master. These role holders do not persist role-specific operational data. Additionally, the Infrastructure master does not make changes often. Therefore, if multiple islands have these role holders, you can reintegrate the islands without causing long-term issues.

The Schema master, the Domain Naming master, and the RID master can create objects and persist changes in Active Directory. Each island that has one of these role holders could have duplicate and conflicting schema objects, domains, or RID pools by the time that you restore replication. Before you reintegrate islands, determine which role holders to keep. Remove any duplicate Schema masters, Domain Naming masters, and RID masters by following the repair, removal, and cleanup procedures that are mentioned in this article.
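An added example for the reintegration check above (not from the original article): instead of trusting the view of whichever DC you happen to be bound to, it asks every DC in the domain directly (with the -Server parameter) which DC that replica believes holds each role, and warns when the DCs disagree about the Schema master, Domain naming master or RID master, the three roles whose duplication leaves conflicting persistent data. It assumes RSAT-AD-PowerShell, reachability of the DCs that are being reconnected, and a single-domain forest; for a multi-domain forest, loop over (Get-ADForest).Domains and query each domain's DCs.

```powershell
# Added example, not code from the original article. Assumes RSAT-AD-PowerShell
# and that the DCs from the reconnected islands are reachable on LDAP.
Import-Module ActiveDirectory

# DCs of the current domain; for other domains, pass -Server <domain fqdn> here.
$dcs = (Get-ADDomainController -Filter *).HostName

$views = foreach ($dc in $dcs) {
    try {
        # Query each DC's own replica rather than the default (PDC-ish) binding,
        # so islands that have not converged yet report their own role holders.
        $f = Get-ADForest -Server $dc -ErrorAction Stop
        $d = Get-ADDomain -Server $dc -ErrorAction Stop
        [pscustomobject]@{
            QueriedDC            = $dc
            SchemaMaster         = $f.SchemaMaster
            DomainNamingMaster   = $f.DomainNamingMaster
            RIDMaster            = $d.RIDMaster
            PDCEmulator          = $d.PDCEmulator
            InfrastructureMaster = $d.InfrastructureMaster
        }
    }
    catch {
        Write-Warning "Could not query $($dc): $($_.Exception.Message)"
    }
}

$views | Format-Table -AutoSize

# Roles whose duplicate holders create conflicting objects (schema, domain
# cross-refs, RID pools). Disagreement here must be resolved before the
# islands are allowed to finish replicating.
foreach ($role in 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster') {
    $claims = @($views.$role | Sort-Object -Unique)
    if ($claims.Count -gt 1) {
        Write-Warning "$role is claimed by more than one DC: $($claims -join ', ')"
    }
}

# The PDC emulator and Infrastructure master are reported for completeness;
# temporary disagreement about them is expected to converge on its own.
```

Run this while the islands are still isolated from each other if you can (for example, by querying each island's DCs over an out-of-band connection), so you can decide which role holders to keep before replication resumes; once a duplicate RID master's pool allocations have replicated, cleaning up duplicate SIDs is a separate task (see KB 816099 in the references).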

References


The following related articles are available in the Microsoft Knowledge Base:

  • 197132 Active Directory FSMO roles in Windows
  • 223346 FSMO placement and optimization on Active Directory domain controllers
  • 223787 Flexible Single Master Operation transfer and seizure process
  • 305476 Initial synchronization requirements for Windows Server operations master role holders
  • 816099 HOW TO: Use Ntdsutil to find and clean up duplicate security identifiers in Windows Server
  • 2001093 Troubleshoot DNS Event ID 4013: The DNS server was unable to load AD integrated DNS zones
  • 2694933 DCPROMO demotion fails if unable to contact the DNS infrastructure master

The following articles are available in the Microsoft Online Documentation: