AD flexible single master operations

There are five flexible single master operations (FSMO) roles in Windows domains, each of which resides on only one domain controller. These are:

Schema master

This is responsible for updates to the Active Directory schema and is a forest-wide role. The domain controller that holds this role is the only domain controller that can write updates to the schema.

Domain naming master

Responsible for the addition and removal of domains and directory partitions in the forest. It is a forest-wide role, so there is only one per forest.

RID master

A domain-wide role that allocates relative identifiers (RIDs) to each domain controller. A domain controller uses these when assigning a globally unique security identifier (SID) to each user, group, computer, etc. The SID for each object consists of the domain SID and a RID.

PDC emulator master

This is a domain-wide role and is the definitive source of password information, as it receives preferential replication of password changes. It is also the source of time if it is the PDC emulator domain controller in the forest root.

Infrastructure master

Also a domain-wide role; its main purpose is to update the group-to-user references whenever a group is renamed or modified.


FSMO roles can be transferred between domain controllers. If a domain controller holding a FSMO role has gone offline permanently, then the roles can be seized.

Transfer using GUI

Active Directory Users and Computers is used to transfer the RID, PDC emulator and Infrastructure master roles. Right-click the domain in the console tree and select Operations Masters to open the Operations Masters dialog box. This dialog box has three tabs, one each for RID, PDC, and Infrastructure.


Active Directory Domains and Trusts is used for transferring the Domain Naming Master. Right-click Active Directory Domains And Trusts and select Operations Master from the Action menu.


To transfer the Schema master, the Active Directory Schema console is used. The Schema management DLL first needs to be registered before the console becomes available.

To register the DLL, type regsvr32 schmmgmt.dll

Open an MMC and add the Active Directory Schema console.

To transfer, select Operations Master from the Action menu and click Change.



Transfer using Ntdsutil.exe

This is the legacy way to transfer or seize roles, but it will need to be used if the FSMO roles are on a DC older than 2012.

Connect to the Domain Controller where you want to transfer the roles to and open a command prompt as administrator.

Type Ntdsutil > Roles > Connections

Type in Connect to domain company.local. This binds to the domain and local server.

Type in Quit to return to the FSMO maintenance prompt.

Type Transfer PDC. Typing in Transfer ? shows the list of roles that can be transferred.

Then Quit



Transfer using Powershell

Beginning with 2012, PowerShell can be used to transfer or seize roles.

Move-ADDirectoryServerOperationMasterRole -Identity <ServerName> -OperationMasterRole PDCEmulator

-Force can be used to seize roles.
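The PowerShell transfer and seize steps above can be combined with a check of who currently holds each role. The script below is an added example, not part of the original post: it lists the five role holders, then transfers the requested roles and only falls back to -Force when the current holder is unreachable and seizing was explicitly allowed. The target name DC02, the helper function names and the LDAP port probe are assumptions made for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to move the roles.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # One object per FSMO role: forest-wide roles come from Get-ADForest,
    # domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
}

function Move-FsmoRole {
    # Hypothetical wrapper: transfer when the holder answers, seize only with -AllowSeize.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $TargetDC,
        [Parameter(Mandatory)] [string[]] $Role,
        [switch] $AllowSeize
    )
    foreach ($r in (Get-FsmoHolder | Where-Object Role -in $Role)) {
        # Holder is an FQDN; accept a short or full target name.
        if ($r.Holder -like "$TargetDC*") { continue }   # role is already on the target

        # Assumption: a reachable LDAP port (389) means the holder can take part in a transfer.
        $online = Test-NetConnection -ComputerName $r.Holder -Port 389 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue

        if (-not $online -and -not $AllowSeize) {
            Write-Warning "$($r.Role): holder $($r.Holder) is unreachable; rerun with -AllowSeize to seize."
            continue
        }
        $action = if ($online) { 'Transfer' } else { 'Seize' }
        if ($PSCmdlet.ShouldProcess($TargetDC, "$action $($r.Role) from $($r.Holder)")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $r.Role -Force:(-not $online) -Confirm:$false
        }
    }
}

Get-FsmoHolder | Format-Table -AutoSize
# DC02 is a placeholder target; -WhatIf shows what would happen without changing anything.
Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator, RIDMaster -WhatIf
```

Run Get-FsmoHolder again afterwards to confirm the new holders. A domain controller whose roles were seized should not be returned to the network in its old state.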

