
How to Migrate FSMO Roles Safely

FSMO role transfers are routine — but doing them out of order or on an unhealthy DC causes lasting AD problems. This runbook covers the correct sequence, verification steps, and what to do when a DC is dead.

9 min read · Updated 2026

What the 5 FSMO Roles Do

FSMO roles are AD functions that only one DC can perform at a time. Knowing what each does tells you how urgently to act if a role holder goes down.

  • Schema Master — Controls AD schema changes. Only matters when extending the schema. One per forest.
  • Domain Naming Master — Controls adding/removing domains. Only matters during domain operations. One per forest.
  • PDC Emulator — Handles time sync, password changes, account lockouts, and legacy client auth. Most impactful if lost. One per domain.
  • RID Master — Issues blocks of RIDs used to create object SIDs. Running out breaks object creation. One per domain.
  • Infrastructure Master — Manages cross-domain object references. Should not be on a Global Catalog server unless all DCs are GCs. One per domain.

Pre-Transfer Health Check

Never transfer FSMO roles to or from an unhealthy DC. Check first:

# Check overall AD health
dcdiag /test:FSMOCheck
dcdiag /test:Replications
dcdiag /test:Services

# Verify replication is current — no backlog
repadmin /replsummary

# Confirm both DCs can see each other
nltest /dsgetdc:corp.local
nltest /sc_query:corp.local

Warning: If replication has failures, fix those first. Transferring FSMO roles while replication is broken means the new DC may hold a stale copy of the directory while now being authoritative for password changes and object creation.
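One way to turn the checks above into a gate that refuses to continue unless both DCs are healthy. This is an added example, not part of the original runbook: it assumes the RSAT ActiveDirectory module, that dcdiag.exe and repadmin.exe are on PATH, and uses a placeholder function name; DC01 as the current role holder is an assumption (the runbook only names DC02).

```powershell
# Added example, not from the original runbook. Assumes RSAT's ActiveDirectory module
# and that dcdiag.exe / repadmin.exe are on PATH. Function and DC names are placeholders.
function Test-FsmoTransferReadiness {
    param(
        [Parameter(Mandatory)][string]$SourceDC,   # current role holder
        [Parameter(Mandatory)][string]$TargetDC    # DC that will receive the roles
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Both DCs must be reachable over LDAP from where this runs;
    # Get-ADDomainController throws if the name is not a domain controller.
    foreach ($dc in @($SourceDC, $TargetDC)) {
        try { $null = Get-ADDomainController -Identity $dc -ErrorAction Stop }
        catch { $problems.Add("cannot contact ${dc}: $($_.Exception.Message)") }
    }

    # dcdiag /q prints only failures, so any output at all means a test did not pass.
    foreach ($dc in @($SourceDC, $TargetDC)) {
        foreach ($test in 'Services', 'Replications', 'FSMOCheck') {
            $out = dcdiag /s:$dc /test:$test /q 2>&1
            if ($out) { $problems.Add("dcdiag $test on ${dc}: $($out -join ' ')") }
        }
    }

    # repadmin /showrepl * /csv emits one row per inbound replication link in the forest.
    # Any link with recorded failures means the target may hold a stale directory.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($link in $links) {
        if ([int]$link.'Number of Failures' -gt 0) {
            $problems.Add(('replication {0} -> {1} ({2}): {3} failure(s), last status {4}' -f
                $link.'Source DSA', $link.'Destination DSA', $link.'Naming Context',
                $link.'Number of Failures', $link.'Last Failure Status'))
        }
    }

    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage: refuse to go on unless everything is clean.
$check = Test-FsmoTransferReadiness -SourceDC 'DC01' -TargetDC 'DC02'
if (-not $check.Ready) {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-transfer health check failed; fix replication before moving FSMO roles.'
}
```

The replication check deliberately looks at every link in the forest, not just the two DCs involved: a backlog anywhere upstream of the target can still leave it with stale data once it becomes authoritative.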

Transfer via PowerShell

The cleanest method. Run on the destination DC as Domain Admin (or Enterprise Admin for forest-wide roles):

# Transfer all 5 roles to DC02
Move-ADDirectoryServerOperationMasterRole -Identity DC02 `
  -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

# Or transfer specific roles one at a time
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster

You'll be prompted to confirm each transfer. Answer Y for each.

Transfer via NTDSUTIL (Alternative)

ntdsutil
roles
connections
connect to server DC02
quit
transfer PDC
transfer RID master
transfer infrastructure master
transfer schema master
transfer naming master
quit
quit

Verify Roles Moved

# Show current FSMO role holders
netdom query fsmo

# Verify with PowerShell
Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select SchemaMaster, DomainNamingMaster

All roles should now show DC02.corp.local.
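The transfer and verification steps above, combined into one function that records the holders before the move, performs it without the per-role prompt, and fails if any role does not report the target afterwards. This is an added example, not the runbook's own code: it assumes the ActiveDirectory module, Domain Admin rights (Enterprise Admin for the two forest roles), and uses placeholder function names; the Global Catalog check comes from the Infrastructure Master rule stated earlier on this page.

```powershell
# Added example, not from the original runbook. Assumes the ActiveDirectory module and
# Domain Admin (Enterprise Admin for the forest roles). Function names are placeholders.
$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Read the current holder of every role as a hashtable of role -> FQDN.
function Get-FsmoHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesVerified {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [string[]]$Roles = $AllRoles
    )
    $target = Get-ADDomainController -Identity $TargetDC   # throws if not a DC
    $before = Get-FsmoHolders

    # Infrastructure Master on a GC is only safe when every DC in the domain is a GC.
    if ($Roles -contains 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
        $nonGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false }
        if ($nonGc) {
            throw "Refusing: $($target.HostName) is a GC and $($nonGc.Count) DC(s) are not; Infrastructure Master would be misplaced."
        }
    }

    # -Confirm:$false suppresses the per-role Y/N prompt the runbook mentions.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Confirm:$false

    # Re-read and check that every requested role now reports the target's FQDN.
    $after = Get-FsmoHolders
    foreach ($role in $Roles) {
        Write-Host ('{0,-22} {1} -> {2}' -f $role, $before[$role], $after[$role])
    }
    $wrong = $Roles | Where-Object { $after[$_] -ne $target.HostName }
    if ($wrong) { throw "Roles not on $($target.HostName) after transfer: $($wrong -join ', ')" }
    return $after
}

# Usage: move everything to DC02 and fail loudly if verification does not match.
Move-FsmoRolesVerified -TargetDC 'DC02'
```

Comparing against `HostName` from Get-ADDomainController rather than the short name you typed avoids a false mismatch when the role attributes return the FQDN (DC02.corp.local), which is what the runbook says you should see.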

After transferring the PDC Emulator: update the NTP configuration on the new PDC. It should sync from an external time source; all other DCs sync from the PDC.

# Configure NTP on the new PDC Emulator (run on DC02)
w32tm /config /manualpeerlist:"time.windows.com,0x8 pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32tm && net start w32tm
w32tm /resync /force
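After the w32tm configuration above, the remaining work is to stop the former PDC advertising itself as a reliable source and to confirm that every DC is actually following the new hierarchy. The following is an added example, not part of the runbook: it assumes the ActiveDirectory module, remote RPC access to w32tm on each DC, a single-domain forest (so every non-PDC DC should point at the PDC), and uses DC01 as the assumed name of the former PDC and a placeholder function name.

```powershell
# Added example, not from the original runbook. Assumes the ActiveDirectory module, RPC
# access to w32tm on each DC, and a single-domain forest. 'DC01' (former PDC) and the
# function name are placeholders.

# 1. On the former PDC, hand time back to the domain hierarchy so it no longer claims
#    to be a reliable source and instead follows the new PDC like every other DC.
Invoke-Command -ComputerName 'DC01' -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    w32tm /resync
}

# 2. Check what each DC is really syncing from, not just what it was configured with.
function Test-DomainTimeHierarchy {
    param([string]$Domain = 'corp.local')
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $h = $dc.HostName
        # w32tm /query /source prints the peer this DC is currently synchronising from.
        $source = (w32tm /query "/computer:$h" /source 2>&1) -join ' '
        $isPdc  = ($h -eq $pdc)
        $ok = if ($isPdc) {
            # The PDC must not be free-running and must not chain to another DC in the domain.
            $source -notmatch 'Local CMOS Clock|Free-running' -and $source -notlike "*.$Domain*"
        } else {
            # Every other DC should report the PDC as its source.
            $source -like "$pdc*"
        }
        [pscustomobject]@{ DC = $h; IsPDC = $isPdc; Source = $source; Healthy = $ok }
    }
}

# Usage: any row with Healthy = False needs attention before you call the move done.
Test-DomainTimeHierarchy -Domain 'corp.local' | Format-Table -AutoSize
```

A PDC whose source reads "Local CMOS Clock" is the classic symptom of forgetting this step: the domain keeps time, but from a clock nobody is disciplining.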

Seize Roles — When the DC is Dead

If the role holder has failed and cannot be recovered, you must seize rather than transfer. Seizure assumes the old DC is permanently gone.

Critical: If the old DC ever comes back online, remove it from AD immediately — do not let it rejoin. It will believe it still holds the roles and cause a split-brain conflict.

ntdsutil
roles
connections
connect to server DC02
quit
seize PDC
seize RID master
seize infrastructure master
seize schema master
seize naming master
quit
quit

After seizing, delete the dead DC's server object in AD Sites and Services, delete its computer account in ADUC, and remove its DNS records.
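A way to confirm the cleanup above actually removed every trace of the dead DC, so that nothing can still locate it if it ever reappears. This is an added example, not part of the runbook: it assumes the ActiveDirectory and DnsClient modules, that it runs against the domain's own DNS, uses DC01 as the assumed name of the dead DC, and a placeholder function name.

```powershell
# Added example, not from the original runbook. Assumes the ActiveDirectory and DnsClient
# modules and that queries go to the domain's own DNS. 'DC01' (dead DC) and the function
# name are placeholders.
function Get-DeadDcResidue {
    param(
        [Parameter(Mandatory)][string]$DeadDC,   # short name, e.g. DC01
        [string]$Domain = 'corp.local'
    )
    $found = New-Object System.Collections.Generic.List[string]
    $fqdn  = "$DeadDC.$Domain"

    # 1. FSMO roles: after a seize, no role may still point at the dead host.
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest
    $holders = @{
        PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
    }
    foreach ($pair in $holders.GetEnumerator()) {
        if ($pair.Value -eq $fqdn) { $found.Add("FSMO role $($pair.Key) still held by $fqdn") }
    }

    # 2. Computer account (what ADUC shows) and server object (what Sites and Services shows).
    $comp = Get-ADComputer -Filter "Name -eq '$DeadDC'" -Server $Domain
    if ($comp) { $found.Add("computer account: $($comp.DistinguishedName)") }

    $configNC = (Get-ADRootDSE -Server $Domain).configurationNamingContext
    $srv = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$DeadDC'" `
                        -SearchBase "CN=Sites,$configNC" -Server $Domain
    if ($srv) { $found.Add("server object in Sites and Services: $($srv.DistinguishedName)") }

    # 3. DNS: the host record plus the DC-locator SRV records that would still advertise it.
    if (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue) {
        $found.Add("DNS A record: $fqdn")
    }
    foreach ($srvName in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        $hits = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.NameTarget -like "$DeadDC.*" }
        if ($hits) { $found.Add("DNS SRV record: $srvName -> $fqdn") }
    }

    [pscustomobject]@{ DeadDC = $fqdn; Clean = ($found.Count -eq 0); Residue = $found.ToArray() }
}

# Usage: run after the cleanup steps; a non-empty Residue list means clients can still
# locate the dead DC and the cleanup is not finished.
Get-DeadDcResidue -DeadDC 'DC01' | Format-List
```

The SRV check matters most: a stale `_ldap._tcp.dc._msdcs` record is what lets clients keep trying a DC that no longer exists, and it is also what a resurrected DC would use to reinsert itself.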