Migrating an Active Directory domain from one server to another is a critical operation that requires transferring FSMO (Flexible Single Master Operations) roles, ensuring proper replication, and cleanly decommissioning the old domain controller. This guide walks through the complete process, from understanding the FSMO roles to performing the transfer and cleaning up afterward.

Understanding FSMO Roles

Active Directory uses a multi-master replication model where most changes can be made on any domain controller. However, five specific operations require a single authoritative server to prevent conflicts. These are the FSMO roles.

Forest-Wide Roles (One per Forest)

Role                  Purpose
Schema Master         Controls all schema modifications (adding attributes, classes). Only one DC can modify the schema at a time.
Domain Naming Master  Controls the addition and removal of domains in the forest. Must be available when creating or deleting domains.

Domain-Wide Roles (One per Domain)

Role                   Purpose
PDC Emulator           Handles password changes, account lockouts, time synchronization, and Group Policy updates. The most critical role for day-to-day operations.
RID Master             Allocates pools of Relative IDs (RIDs) to domain controllers. Every security principal (user, group, computer) needs a unique RID.
Infrastructure Master  Updates cross-domain references (e.g., when a user from one domain is a member of a group in another domain).

Identifying Current FSMO Role Holders

Using PowerShell (recommended):

# Show all FSMO role holders for the domain
Get-ADDomain | Select-Object InfrastructureMaster, PDCEmulator, RIDMaster

# Show forest-wide role holders
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# Quick view of all roles
netdom query fsmo

Using the GUI:

  • Schema Master: Open the Schema snap-in (register schmmgmt.dll first with regsvr32 schmmgmt.dll), right-click “Active Directory Schema” > Operations Master
  • Domain Naming Master: Active Directory Domains and Trusts > right-click the root > Operations Master
  • PDC Emulator, RID Master, Infrastructure Master: Active Directory Users and Computers > right-click the domain > Operations Masters

Step-by-Step Migration Process

Step 1: Prepare the New Server

Install the new Windows Server and configure:

  • Static IP address and correct DNS settings (pointing to the current DC)
  • Server hostname
  • Windows Updates applied

Step 2: Promote the New Server to a Domain Controller

Windows Server 2012 and later (AD DS Installation Wizard):

  1. Open Server Manager > Add Roles and Features
  2. Select Active Directory Domain Services
  3. After installation, click the notification flag and select Promote this server to a domain controller
  4. Choose Add a domain controller to an existing domain
  5. Enter the domain name and credentials
  6. Configure DNS and Global Catalog options
  7. Complete the wizard and restart

Using PowerShell:

# Install the AD DS role
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote to domain controller (you will be prompted for the DSRM password unless
# -SafeModeAdministratorPassword is supplied)
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -InstallDns:$true `
    -Credential (Get-Credential) `
    -SiteName "Default-First-Site-Name" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -NoGlobalCatalog:$false `
    -Force:$true

Legacy: dcpromo (Windows Server 2008 R2 and earlier):

dcpromo /ReplicaOrNewDomain:Replica /ReplicaDomainDNSName:corp.example.com /ConfirmGc:Yes /UserName:CORP\admin /Password:*

Step 3: Verify Replication

Before transferring roles, ensure AD replication is healthy between the old and new DCs:

# Check replication status
repadmin /replsummary

# Show replication partners
repadmin /showrepl

# Force replication
repadmin /syncall /AdeP

# Check replication with PowerShell
Get-ADReplicationPartnerMetadata -Target "newdc01.corp.example.com"

Wait until replication shows no errors before proceeding.

Step 4: Transfer FSMO Roles

Method A: Using PowerShell (recommended)

# Transfer all five roles to the new DC
Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Confirm when prompted

To transfer roles individually:

Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" -OperationMasterRole PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" -OperationMasterRole InfrastructureMaster
Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" -OperationMasterRole SchemaMaster
Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" -OperationMasterRole DomainNamingMaster

Method B: Using ntdsutil (Command Line)

ntdsutil
roles
connections
connect to server NEWDC01.corp.example.com
quit
transfer schema master
transfer naming master
transfer pdc
transfer rid master
transfer infrastructure master
quit
quit

Each transfer command will prompt for confirmation.

Method C: Using the GUI

  • PDC Emulator, RID Master, Infrastructure Master:

    1. Open Active Directory Users and Computers
    2. Right-click the domain > Change Domain Controller > Select the new DC
    3. Right-click the domain > Operations Masters
    4. Transfer each role on its respective tab
  • Domain Naming Master:

    1. Open Active Directory Domains and Trusts
    2. Change the focus to the new DC
    3. Right-click > Operations Master > Change
  • Schema Master:

    1. Register the snap-in: regsvr32 schmmgmt.dll
    2. Open an MMC and add the Active Directory Schema snap-in
    3. Change the focus to the new DC
    4. Right-click Active Directory Schema > Operations Master > Change

Step 5: Verify the Transfer

# Confirm new role holders
netdom query fsmo

# Should show NEWDC01 for all roles
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
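An added example, not from the original guide: a PowerShell gate that checks both conditions the guide requires before the old DC is demoted, namely that every FSMO role is held by the new DC and that the new DC reports no replication failures. It assumes the guide's sample names NEWDC01 and corp.example.com.

```powershell
# Pre-demotion gate (added example; NEWDC01 / corp.example.com are the guide's sample names)
param(
    [string]$NewDc  = "NEWDC01",
    [string]$Domain = "corp.example.com"
)
Import-Module ActiveDirectory

$expected = "$($NewDc).$($Domain)".ToLower()   # role holders are reported as FQDNs
$problems = @()

# Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest
$dom = Get-ADDomain -Identity $Domain
$for = Get-ADForest
$holders = [ordered]@{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $for.SchemaMaster
    DomainNamingMaster   = $for.DomainNamingMaster
}
foreach ($role in $holders.Keys) {
    $holder = "$($holders[$role])".ToLower()
    if ($holder -ne $expected) {
        $problems += "$role is still held by '$holder', expected '$expected'"
    }
}

# Any recorded replication failure involving the new DC blocks demotion of the old one
$failures = Get-ADReplicationFailure -Target $expected -ErrorAction Stop
foreach ($f in $failures) {
    $problems += "Replication failure from $($f.Partner): error $($f.LastError) ($($f.FailureCount) attempts)"
}

if ($problems.Count -eq 0) {
    Write-Host "All five FSMO roles are on $expected and replication is clean; safe to demote the old DC."
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it from a management host with RSAT; a non-zero exit code means at least one role or replication partner still needs attention.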

Seizing FSMO Roles (Emergency Only)

If the old DC is permanently offline and cannot be brought back, you must seize the roles instead of transferring them:

ntdsutil
roles
connections
connect to server NEWDC01.corp.example.com
quit
seize schema master
seize naming master
seize pdc
seize rid master
seize infrastructure master
quit
quit

Or using PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity "NEWDC01" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force

Warning: A domain controller whose roles have been seized must never be reconnected to the network. This would cause conflicts in the directory.

Demoting the Old Domain Controller

Once all roles are transferred and verified:

Windows Server 2012 and later:

# Demote the old DC (prompts for the new local Administrator password unless -LocalAdministratorPassword is supplied)
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force

# After reboot, remove the AD DS role
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

Legacy (Windows Server 2008 R2 and earlier):

# Plain "dcpromo" launches the graceful demotion wizard; /forceremoval skips contacting other DCs
# and must be followed by metadata cleanup (see the Metadata Cleanup section)
dcpromo /forceremoval

After Demotion

  1. Verify the old DC no longer appears in Active Directory Sites and Services
  2. Remove any DNS records pointing to the old DC
  3. Check that SYSVOL and NETLOGON shares are working on the new DC

Metadata Cleanup

If the old DC was not properly demoted (crashed, forcibly removed), clean up its metadata:

ntdsutil
metadata cleanup
connections
connect to server NEWDC01.corp.example.com
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers in site
select server [number of old DC]
quit
remove selected server
quit
quit

Or use PowerShell to remove the computer account and DNS records:

# There is no Remove-ADDomainController cmdlet in the ActiveDirectory module. Instead, delete the old
# DC's server object (with its NTDS Settings child) from the Sites container; on Windows Server 2008
# and later the directory performs the same metadata cleanup that ntdsutil does. Verify afterwards
# with "repadmin /showrepl" and in Active Directory Sites and Services.
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Filter 'objectClass -eq "server" -and name -eq "OLDDC01"' -SearchBase "CN=Sites,$configNc" |
    Remove-ADObject -Recursive -Confirm:$false

# Clean up DNS records manually
# Open DNS Manager and remove A, CNAME, SRV records for the old DC

DNS Considerations

DNS is tightly integrated with Active Directory. During migration:

  • Ensure the new DC is a DNS server — Install the DNS role during DC promotion.
  • Verify AD-integrated DNS zones are replicating to the new DC.
  • Update DHCP — If DHCP hands out DNS server addresses, update to point to the new DC.
  • Update client DNS settings — Machines using the old DC’s IP for DNS need to be updated.
  • Verify SRV records — Ensure _ldap._tcp, _kerberos._tcp, and other SRV records point to the new DC:
    nslookup -type=srv _ldap._tcp.dc._msdcs.corp.example.com
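An added example, not from the original guide, that extends the single nslookup above: it resolves the SRV records clients use to locate a DC, KDC, global catalog and password-change service, queries the new DC directly, and flags any entry that still advertises the old server. OLDDC01, NEWDC01 and corp.example.com are the guide's sample names; it assumes the DnsClient module (Windows 8 / Server 2012 and later).

```powershell
# SRV record audit after migration (added example; names are the guide's sample values)
param(
    [string]$Domain    = "corp.example.com",
    [string]$OldDc     = "OLDDC01",
    [string]$DnsServer = "NEWDC01.corp.example.com"   # ask the new DC, not the local resolver cache
)
$stale = 0
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",   # DC locator
    "_kerberos._tcp.$Domain",         # KDC
    "_ldap._tcp.$Domain",             # LDAP
    "_gc._tcp.$Domain",               # global catalog
    "_kpasswd._tcp.$Domain"           # password change
)
foreach ($name in $records) {
    try {
        # Resolve-DnsName also returns additional A records; keep only the SRV answers
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "$name : no SRV record ($($_.Exception.Message))"
        $stale++
        continue
    }
    foreach ($r in $srv) {
        $isStale = $r.NameTarget -like "$OldDc.*"
        if ($isStale) { $stale++ }
        "{0,-45} {1,-30} {2}" -f $name, $r.NameTarget, $(if ($isStale) { "STALE" } else { "ok" })
    }
}
if ($stale -gt 0) {
    Write-Warning "$stale stale or missing SRV entries; fix DNS before demoting $OldDc"
}
```

Entries marked STALE normally disappear once the old DC is demoted and scavenging runs; any that remain after metadata cleanup must be deleted in DNS Manager.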

Summary

Transferring an AD domain from one server to another involves promoting a new DC, verifying replication, transferring all five FSMO roles, and cleanly demoting the old DC. Use PowerShell’s Move-ADDirectoryServerOperationMasterRole for the easiest role transfer, and always verify with netdom query fsmo afterward. If the old DC is unrecoverable, seize the roles and perform metadata cleanup. Pay close attention to DNS throughout the process, as AD depends entirely on proper DNS configuration.