Transferring FSMO Roles

How can I transfer some or all of the FSMO Roles from one DC to another?

Windows 2000/2003 Active Directory domains use a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article.

Transferring is the recommended way of moving an FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the transfer is not initiated automatically by the operating system, for example when a server is shut down: FSMO roles are not relocated during the shutdown process, and this must be considered when a domain controller that holds an FSMO role is shut down for maintenance.

In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change.

However, when the original FSMO role holder has gone offline or has been non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. Moving an FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

  • Active Directory Schema snap-in
  • Active Directory Domains and Trusts snap-in
  • Active Directory Users and Computers snap-in

To transfer an FSMO role the administrator must be a member of the following group:

  FSMO Role         Administrator must be a member of
  Schema            Schema Admins
  Domain Naming     Enterprise Admins
  RID               Domain Admins
  PDC Emulator      Domain Admins
  Infrastructure    Domain Admins

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

  1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder, the target, and press OK.
  4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
  5. Select the appropriate tab for the role you wish to transfer and press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

Transferring the Domain Naming Master via GUI

To Transfer the Domain Naming Master Role:

  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
  2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
  3. Select the domain controller that will be the new role holder and press OK.
  4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
  5. Press the Change button.
  6. Press OK to confirm the change.
  7. Press OK all the way out.

Transferring the Schema Master via GUI

To Transfer the Schema Master Role:

  1. Register the Schmmgmt.dll library by pressing Start > Run and typing:
     regsvr32 schmmgmt.dll
  2. Press OK. You should receive a success confirmation.
  3. From the Run command open an MMC console by typing MMC.
  4. On the Console menu, press Add/Remove Snap-in.
  5. Press Add. Select Active Directory Schema.
  6. Press Add and press Close. Press OK.
  7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
  8. Press Specify... and type the name of the new role holder. Press OK.
  9. Right-click the Active Directory Schema icon again and press Operation Masters.
  10. Press the Change button.
  11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

     Microsoft Windows [Version 5.2.3790]
     (C) Copyright 1985-2003 Microsoft Corp.

     C:\WINDOWS>ntdsutil
     ntdsutil:

  2. Type roles, and then press ENTER.

     ntdsutil: roles
     fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  3. Type connections, and then press ENTER.

     fsmo maintenance: connections
     server connections:

  4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

     server connections: connect to server server100
     Binding to server100 ...
     Connected to server100 using credentials of locally logged on user.
     server connections:

  5. At the server connections: prompt, type q, and then press ENTER again.

     server connections: q
     fsmo maintenance:

  6. Type transfer <role>, where <role> is the role you want to transfer, and then press ENTER.

     For example, to transfer the RID Master role, you would type transfer rid master.

     Options are:

       • transfer domain naming master
       • transfer infrastructure master
       • transfer PDC
       • transfer RID master
       • transfer schema master

  7. You will receive a warning window asking if you want to perform the transfer. Click Yes.
  8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
  9. Restart the server and make sure you update your backup.
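The same graceful transfer as the Ntdsutil walkthrough above, as an added PowerShell example that is not part of the article: it uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later, so newer than the Windows 2003 environment the article describes), checks that the target is online and replicating before the move, and verifies the result afterwards. "DC02" is a placeholder DC name.

```powershell
# Added example, not from the article: graceful FSMO transfer with the
# ActiveDirectory PowerShell module. Assumes Windows Server 2008 R2 / RSAT
# or later; "DC02" is a placeholder for the new role holder.
Import-Module ActiveDirectory

$Target = 'DC02'                                  # placeholder: new role holder
$Roles  = 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'
# For the two forest-wide roles use 'SchemaMaster', 'DomainNamingMaster'
# and verify with Get-ADForest instead of Get-ADDomain.

# Show the current holders of the three domain-wide roles before touching them.
$before = Get-ADDomain
foreach ($r in $Roles) { "Before: $r = $($before.$r)" }

# A transfer (as opposed to a seizure) needs both DCs online: stop early if
# the target does not answer.
if (-not (Test-Connection -ComputerName $Target -Count 1 -Quiet)) {
    throw "Target DC $Target is not reachable; transfer aborted."
}

# The graceful transfer syncs the holder's data to the target first, so make
# sure inbound replication to the target is healthy. repadmin ships on every
# DC; a "failed, result <n>" line in /showrepl output means a broken link.
$repl = & repadmin /showrepl $Target
if ($repl -match 'failed, result') {
    throw "Inbound replication to $Target has failures; fix them before transferring."
}

# Graceful transfer of the three domain roles. Add -Force only when seizing
# from a dead holder, which is the subject of the Seizing article, not this one.
Move-ADDirectoryServerOperationMasterRole -Identity $Target `
    -OperationMasterRole $Roles -Confirm:$false

# Verify: Get-ADDomain exposes a property named after each domain role,
# holding the FQDN of the current holder.
$after = Get-ADDomain
foreach ($r in $Roles) {
    "After: $r = $($after.$r)"
    if ($after.$r -notlike "$Target.*") { Write-Warning "$r did not move to $Target" }
}
```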

FSMO Roles (Flexible Single Master Operations)

What are FSMO Roles (Flexible Single Master Operations)?

There are times when you may need to change the Domain Controller which holds one of the 5 FSMO roles. Either you could be facing a disaster recovery, where you have lost the first Windows 2003 Domain Controller, or you are organized and want to get the most out of your Active Directory Forest. Although you rarely need to deal with Microsoft's FSMO, there is the feeling that knowledge of these Operation Masters gives you power over your Windows 2003 Servers.

Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is you can add a computer, or change a user's password on any domain controller. For example, if you have three domain controllers, you can physically create a new computer account in the NTDS.dit database on any of the three. Within five minutes (15 seconds in Windows 2003), the new computer object will be replicated to the other two domain controllers.

Technically, the Microsoft multiple master model uses a change notification mechanism. Occasionally problems arise if two administrators perform conflicting operations before the next replication cycle. For example, you created an OU called Accounts last week; today, at the same instant that you create new users in that OU, another administrator on another DC deletes that OU. Active Directory does its best to obey both administrators. It deletes the OU and creates the users, but because it cannot create the users in an OU that has been deleted, the result is that the users are added as orphaned objects to the 'LostAndFound' folder. You can troubleshoot what has happened by locating the 'LostAndFound' folder in Active Directory Users and Computers.

[Figure: FSMO - Flexible Single Master Operations. From the View menu in Active Directory Users and Computers, click Advanced Features.]
It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is that a few operations are so critical that only one domain controller can carry out that process. Imagine what would happen if two administrators tried to make different changes to the same schema object - chaos. That is why administrators can only change the schema on one Domain Controller. Emulating a PDC is the most famous example of such a Single Master Operation; creating a new child domain would be another example.

The Five FSMO Roles

There are just five operations where the usual multiple master model breaks down, and the Active Directory task must only be carried out on one Domain Controller. FSMO roles:

1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs. However, there are two other jobs of this role which apply even in Windows 2003 Native domains: synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.

2. RID Master - Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 - 9999.

3. Infrastructure Master - Responsible for checking objects in other domains. Universal group membership is the most important example. To me, it seems as though the operating system is paranoid that a) you are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure Master could not check your Universal Groups there could be a security breach.

4. Domain Naming Master - Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often, I suggest, so the fact that this is an FSMO does not impact normal domain activity. My point is that it's worth the price to confine the operations of joining and leaving the forest to one machine, and avoid the tiny risk of duplicate names or orphaned domains.

5. Schema Master - Operations that involve expanding user properties, e.g. Exchange 2003 / forestprep, which adds mailbox properties to users. Rather like the Domain Naming Master, changing the schema is a rare event. However, if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest. So it's a case of Microsoft knows best: the Schema Master should be a Single Master Operation and thus an FSMO role.

How many FSMO Domain controllers in your Forest?

Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.

Checking which DC holds which FSMO role


RID, PDC, Infrastructure (1. 2. and 3.)

You can discover which server holds the Operation Master by opening Active Directory Users and Computers, Right click your Domain and select Properties, Operations Masters.

Domain Naming Master (4.)

To see the Domain Naming Master (4.), navigate to the little used, Active Directory Domains and Trusts, Right click your Domain and select Properties, Operations Masters.

Schema Master (5.)

The Schema Master (5.) is the most difficult FSMO to find. The reason is that the Schema snap-in is hidden by default. Perhaps this is Microsoft saying: don't mess with the object definitions. However, you can reveal the Schema and its FSMO settings thus:

1) Register the Schema snap-in with this command: Run regsvr32 schmmgmt.dll

2) Run MMC, File menu, Add/Remove Snap-in, click the Add button and select Active Directory Schema.

3) Select Active Directory Schema, right-click, Operations Master.
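The role-holder checks in this section, together with the per-domain and per-forest counts from "How many FSMO Domain controllers in your Forest?", as an added PowerShell example that is not part of the article: it uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) to list every holder in the forest and flags any that do not answer, since an offline holder is a seizure case rather than a transfer case.

```powershell
# Added example, not from the article: inventory every FSMO holder in the
# forest with the ActiveDirectory module (Windows Server 2008 R2 / RSAT or
# later) and check that each holder answers.
Import-Module ActiveDirectory

function New-FsmoRow([string]$Scope, [string]$Role, [string]$Holder) {
    [pscustomobject]@{
        Scope  = $Scope
        Role   = $Role
        Holder = $Holder
        Online = Test-Connection -ComputerName $Holder -Count 1 -Quiet
    }
}

function Get-ForestFsmoInventory {
    $forest = Get-ADForest
    # Roles 4 and 5 are forest-wide: exactly one holder in the whole forest.
    $rows = @(
        New-FsmoRow $forest.Name 'SchemaMaster'       $forest.SchemaMaster
        New-FsmoRow $forest.Name 'DomainNamingMaster' $forest.DomainNamingMaster
    )
    # Roles 1, 2 and 3 are per domain: one holder in each domain of the forest.
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += New-FsmoRow $domainName $role $d.$role
        }
    }
    $rows
}

$inventory = Get-ForestFsmoInventory
$inventory | Format-Table Scope, Role, Holder, Online -AutoSize

# The text's arithmetic: 2 forest-wide roles plus 3 roles per domain.
$expected = 2 + 3 * @((Get-ADForest).Domains).Count
if ($inventory.Count -ne $expected) {
    Write-Warning "Found $($inventory.Count) role holders, expected $expected"
}

# An unreachable holder cannot take part in a graceful transfer; it is a
# candidate for the seizure procedure described in the Seizing article.
$inventory | Where-Object { -not $_.Online } |
    ForEach-Object { Write-Warning "$($_.Role) holder $($_.Holder) is offline" }
```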

How to Add/Assign Multiple IP Address in Vista/XP/2000/2003?

Assigning Multiple IP Address in Vista/XP/2000/2003

There are several ways to set up multiple IP addresses on a computer:

1. Have multiple network interface cards (NICs) on your computer and assign a different IP address to each card.

2. Assign multiple IP addresses to a single NIC.

3. Combine the two previous options: have multiple NICs with multiple IPs assigned to one or more of them.

By default, each network interface card (NIC) has its own unique IP address. However, you can assign multiple IP addresses to a single NIC.

How to assign multiple IP addresses to the same NIC

If you want to assign more than one IP address to a network card on Windows 2000/XP/Vista/2003, follow the steps below.

In Windows 2000

Right-click on My Network Places, choose Properties.

Right-click on the Local Area Connection, choose Properties.

In Windows XP

Right-click on My Network Places, choose Properties.

Right-click on the Local Area Connection, choose Properties.

In Vista

Click Start and click Control Panel.

Select Network and Internet, then Network and Sharing Center, and click Manage network connections from the list of tasks.

Right click your local area connection and click Properties.

In Windows 2003

Right-click on My Network Places, choose Properties.

Right-click on the Local Area Connection, choose Properties.

Highlight Internet Protocol (TCP/IP), click Properties.

If you use DHCP, you should disable it: click Use the following IP address and enter the IP address, Subnet mask and Default gateway. Click Advanced… at the bottom.

Enter additional IP addresses: click the Add… button and enter a new IP address and Subnet mask. Repeat the procedure if there are additional IP addresses to be added.

Click Add under "Default Gateways" and add the gateway addresses. I have entered my gateway address.

Click OK 3 times to save the changes.

Test your IP Addresses

Open the command prompt (Start > Run > cmd) and run the ipconfig command; you will see multiple IP addresses on the single network card.
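The same configuration done from the command line, as an added PowerShell example that is not part of the article: it adds the extra addresses with netsh (the "interface ip" context on XP/2003, an alias of "interface ipv4" on Vista and later), refuses an address that another host already answers on, and finishes with the same ipconfig check the article ends with. The interface name and the addresses are constructed placeholders.

```powershell
# Added example, not from the article: netsh equivalent of the GUI steps
# above. Interface name and addresses are constructed placeholders.
$Interface = 'Local Area Connection'
$Mask      = '255.255.255.0'
$Extra     = '192.168.1.11', '192.168.1.12'      # constructed sample addresses

function Get-LocalIPv4 {
    # Pull the addresses out of ipconfig: "IP Address" on XP/2003,
    # "IPv4 Address" on Vista and later.
    ipconfig | ForEach-Object {
        if ($_ -match 'IP(v4)? Address[ .]*: *(\d+\.\d+\.\d+\.\d+)') { $Matches[2] }
    }
}

function Add-SecondaryAddress([string]$Address) {
    if (@(Get-LocalIPv4) -contains $Address) {
        Write-Host "$Address is already configured on this machine"
        return $true
    }
    # Configuring an address another host already answers on creates an IP
    # conflict, so check before adding it rather than after.
    if (Test-Connection -ComputerName $Address -Count 1 -Quiet) {
        Write-Warning "$Address is already in use on the network; skipping"
        return $false
    }
    # Positional form: interface name, address, mask (as in the Add… dialog).
    netsh interface ip add address "$Interface" $Address $Mask | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($ip in $Extra) {
    if (Add-SecondaryAddress $ip) { Write-Host "Configured $ip" }
    else { Write-Host "Did not configure $ip" }
}

# Test: the same check as the article's last step.
Write-Host 'IPv4 addresses reported by ipconfig:'
Get-LocalIPv4
```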