There are five Flexible Single Master Operations (FSMO) roles in Windows domains, each of which resides on only one domain controller. These are:
Schema master
This is responsible for updates to the Active Directory schema and is a forest-wide role. The domain controller that holds this role is the only domain controller that can write updates to the schema.
Domain naming master
Responsible for the addition and removal of domains and directory partitions in the forest. It is a forest-wide role, so there is only one per forest.
RID master
A domain-wide role that allocates relative identifiers (RIDs) to each domain controller. A domain controller uses these when assigning a globally unique security identifier (SID) to each user, group, computer, etc. The SID for each object consists of the domain SID and a RID.
PDC emulator master
This is a domain-wide role and is the definitive source of password information, as it receives preferential replication of password changes. It is also the source of time if it is the PDC emulator in the forest root domain.
Infrastructure master
Also a domain-wide role. Its main purpose is to update the group-to-user references whenever a group is renamed or modified.
FSMO roles can be transferred between domain controllers. If a domain controller holding a FSMO role has permanently gone offline, the roles can be seized.
Transfer using GUI
Active Directory Users and Computers is used to transfer the RID, PDC emulator and Infrastructure master roles. Right-click the domain in the console tree and select Operations Masters to open the Operations Masters dialog box. This dialog box has three tabs, one each for RID, PDC, and Infrastructure.
Active Directory Domains and Trusts is used for transferring the Domain Naming Master. Right-click Active Directory Domains and Trusts and select Operations Master from the Action menu.
To transfer the Schema master, the Active Directory Schema console is used. The Schema management DLL first needs to be registered before the console is visible.
To register the DLL, type regsvr32 schmmgmt.dll
Open an MMC and add the Active Directory Schema console.
To transfer, select Operations Master from the Action menu and click Change.
Transfer using Ntdsutil.exe
This is the legacy way to transfer or seize roles, but it will need to be used if the FSMO roles are on a DC older than 2012.
Connect to the domain controller to which you want to transfer the roles and open a command prompt as administrator.
Type Ntdsutil, then Roles, then Connections
Type Connect to domain company.local. This binds to the domain and the local server.
Type Quit to return to the FSMO maintenance prompt.
Type Transfer PDC. Typing Transfer ? shows the list of roles that can be transferred.
Then type Quit
Transfer using PowerShell
Beginning with Windows Server 2012, PowerShell can be used to transfer or seize roles.
Move-ADDirectoryServerOperationMasterRole -Identity <ServerName> -OperationMasterRole PDCEmulator
-Force can be used to seize roles.
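The PowerShell transfer above, scripted so that it first reports who holds each of the five roles and only moves a role when its current holder is reachable. This is an added example, not part of the original article; the target name DC02 is a placeholder, and using a single ping as the test for "online" is an assumption.

```powershell
# Added example: audit the FSMO role holders, then transfer to a target DC.
# Requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

$TargetDC = 'DC02'   # placeholder: the domain controller that should receive the roles
$DryRun   = $true    # $true only shows what would happen (-WhatIf); set $false to transfer

$forest = Get-ADForest
$domain = Get-ADDomain

# Role names as accepted by -OperationMasterRole, mapped to the current holder (FQDN).
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster          # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
    RIDMaster            = $domain.RIDMaster             # domain-wide
    PDCEmulator          = $domain.PDCEmulator           # domain-wide
    InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
}

$targetFqdn = (Get-ADDomainController -Identity $TargetDC).HostName

foreach ($role in $holders.Keys) {
    $current = $holders[$role]
    Write-Host ("{0,-22} held by {1}" -f $role, $current)

    if ($current -eq $targetFqdn) { continue }   # nothing to move

    # A transfer needs the current holder online. One ICMP echo is a rough check
    # (assumption: ping is allowed between the DCs).
    if (-not (Test-Connection -ComputerName $current -Count 1 -Quiet)) {
        Write-Warning "$current is unreachable; $role not moved. Seize with -Force only if that DC is permanently gone."
        continue
    }

    # Graceful transfer; -Force is deliberately not used here.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $role -WhatIf:$DryRun -Confirm:$false
}
```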