How to Transfer Active Directory FSMO Roles Using Ntdsutil

Introduction

In an Active Directory (AD) environment, the FSMO roles are critical for the proper functioning and maintenance of the domain. When you introduce a new domain controller into an existing domain or need to move these roles to another domain controller, there are several methods you can use to accomplish this. In my experience, the easiest method is to use the ntdsutil program for this task. Here is a step-by-step guide on how to do that.

Prerequisites

You must have a new domain controller already installed and joined to the domain.
You should be logged in with an account that is a member of the Domain Admins group or Enterprise Admins group.

Step 1: Open Command Prompt with Administrative Privileges

To start the process, open a Command Prompt with administrative privileges on the domain controller to which you want to transfer the FSMO roles.

Step 2: Accessing ntdsutil

Ntdsutil is a command-line tool designed for managing Active Directory. To access it, follow these steps:

Type ntdsutil in the Command Prompt and press Enter.
Type roles and press Enter.
Type connections and press Enter.

Step 3: Connect to the Domain Controller

Now, you need to connect to the domain controller you want to transfer the FSMO roles to:

Type connect to server <NewDomainControllerName> and press Enter.
(Replace <NewDomainControllerName> with the actual name of the new domain controller.)

Type q and press Enter to return to the previous menu.

Step 4: Transferring FSMO Roles

With the connection established to the new domain controller, you can now proceed to transfer the FSMO roles. There are five FSMO roles, and we will transfer them one by one. Run each of the following commands, pressing Enter after each one and clicking Yes in the confirmation dialog that appears for each transfer:

transfer schema master
transfer naming master
transfer rid master
transfer pdc
transfer infrastructure master

Step 5: Verifying FSMO Role Transfer

After transferring all the roles, exit ntdsutil so that you can verify the transfer was successful. To do this:

Type q and press Enter to exit the FSMO role management.
Type q again and press Enter to exit ntdsutil.

Step 6: Confirm that the roles have been transferred

Now, let’s confirm that the new domain controller has become the owner of the transferred FSMO roles:

Open a Command Prompt with administrative privileges on the new domain controller.
Type netdom query fsmo and press Enter.
This command will display the current FSMO role owners, and you should see the new domain controller listed as the owner for each role.
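The same transfer-and-verify procedure (Steps 4 through 6) can be scripted with the ActiveDirectory PowerShell module instead of the interactive ntdsutil session. The following is an added example, not code from the original article: it records the current role owners, moves all five roles to the new domain controller in one graceful transfer, and then checks that every role now resolves to that server, which is the same information netdom query fsmo prints. It assumes the ActiveDirectory module (RSAT) is installed, the session runs with the rights described in the Prerequisites (transferring the schema master additionally requires Schema Admins membership), and the NEWDC01 name is a placeholder you replace with your own domain controller's hostname.

```powershell
# Added example (not from the original article): transfer all five FSMO roles
# with the ActiveDirectory module and verify the result.
# Assumptions: RSAT ActiveDirectory module installed; session has Domain Admins
# (plus Schema Admins for the schema master) rights; $TargetDC is a placeholder.
Import-Module ActiveDirectory

$TargetDC = 'NEWDC01'   # placeholder: hostname of the new domain controller

# All five operations master (FSMO) roles. The cmdlet accepts them as an array,
# so the whole transfer is a single call rather than five ntdsutil commands.
$AllRoles = @('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')

function Get-FsmoOwners {
    # Returns role name -> current owner (DC FQDN). Schema and naming masters are
    # forest-wide (Get-ADForest); RID, PDC and infrastructure are per domain (Get-ADDomain).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host "FSMO owners before transfer:"
(Get-FsmoOwners).GetEnumerator() | Format-Table Key, Value -AutoSize

# Graceful transfer (no -Force): the current holders must be online, exactly like
# "transfer ..." in ntdsutil. -Force corresponds to a seize and is only for a
# permanently failed holder, so it is deliberately not used here.
# -Confirm:$false suppresses the per-call prompt that ntdsutil shows as a dialog.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $AllRoles -Confirm:$false

# Verify: every role should now be held by the target DC. Compare on the short
# hostname because Get-ADForest/Get-ADDomain report fully qualified names.
$after = Get-FsmoOwners
$notMoved = $after.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $TargetDC }

Write-Host "FSMO owners after transfer:"
$after.GetEnumerator() | Format-Table Key, Value -AutoSize

if ($notMoved) {
    Write-Warning ("Roles not held by {0}: {1}" -f $TargetDC, ($notMoved.Key -join ', '))
    exit 1
}
Write-Host "All five FSMO roles are now held by $TargetDC."
```

Run it from an elevated PowerShell session on any domain member with RSAT; the before/after tables give you an audit record of the change, and a non-zero exit code flags any role that did not move so the script can be used in a change ticket or maintenance runbook.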