Migrate FSMO roles from 2008 to 2012 Server

Take a system state backup of the DCs which hold your FSMO roles, just in case. It is always good practice to take a backup.

In this example, we are migrating FSMO roles from 2008 DC to 2012 DC

1) Locate where your FSMO roles are held. Log on to a DC, open a command prompt and type: netdom query fsmo
Depending on the size of your environment, your FSMO roles may be split as shown below:

The roles are:

Split 1:
PDC
RID pool manager
Infrastructure Master

Split 2:
Domain Naming Master
Schema Master

Transfer: PDC, RID pool manager, Infrastructure Master

1) Log on to the DC2012 as domain administrator and ensure the account has schema admin rights; otherwise, when you get to the schema master migration, the button will be greyed out.
2) Launch Active Directory Users and Computers
3) Right click on yourdomain.local and click Operations Masters
4) Click on the PDC tab, click the change button to change the role to 2012DC
5) Click Yes to confirm when prompted
6) Confirm the text box now shows DC2012 as new owner of PDC role
7) Repeat the same steps above for RID and Infrastructure Roles

Transfer: Domain Naming Master

1) Log on to 2012DC as domain administrator. If you’re placing all roles on the same server you will already be logged on to this server. If you are separating the Domain Naming Master and Schema Master roles, log on to DC2012_number2
2) Launch Active Directory Domains and Trusts
3) Right click on Active Directory Domains and Trusts and click Operations Masters
4) Click change and select new 2012 DC, click Yes to confirm.
5) Confirm the role has changed

Transfer: Schema Master

1) Log on to your 2012 DC as domain administrator
2) Click Run and type: regsvr32 schmmgmt.dll
3) Click OK and you should be prompted with ‘DllRegisterServer in schmmgmt.dll succeeded’
4) Click OK
5) Launch mmc from run (Click start, run, and type mmc, click ok)
6) Click Add/Remove Snap-In from file menu
7) Select to highlight Active Directory Schema and click the add button
8) Click OK
9) Right click Active Directory Schema and click Change Active Directory Domain Controller
10) Select New 2012 DC and click OK
11) An information box will appear with the message ‘Active Directory Schema snap-in is not connected to the schema operations master…’. Click OK to this message
12) Right click Active Directory Schema and click Operations Master
13) Click change and select new 2012 DC
14) Click Yes to confirm
15) Confirm the schema master now shows as the new 2012 DC

Run the command netdom query fsmo to confirm the location of the FSMO roles.

It will take time for the changes to replicate, so do not decommission the old DC straight away.
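
As a scripted alternative to reading the netdom output by eye, the following added example (not part of the original post) lists all five role holders and flags any role that is not on the intended DC. It assumes the ActiveDirectory PowerShell module is installed and uses DC2012 from the steps above as the expected holder of every role; adjust the table if you split the roles.

```powershell
# Added example: read-only check of FSMO placement after the transfers.
# Assumptions: ActiveDirectory module (RSAT) available; 'DC2012' is the
# intended holder of every role, as in the steps above.
Import-Module ActiveDirectory

$Expected = @{
    PDCEmulator          = 'DC2012'
    RIDMaster            = 'DC2012'
    InfrastructureMaster = 'DC2012'
    DomainNamingMaster   = 'DC2012'
    SchemaMaster         = 'DC2012'
}

function Get-FsmoHolders {
    # Three roles are per-domain, two are per-forest.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        SchemaMaster         = $forest.SchemaMaster
    }
}

function Test-FsmoPlacement {
    param([hashtable]$Expected)
    $actual = Get-FsmoHolders
    foreach ($role in $actual.Keys) {
        # Holders are returned as FQDNs; compare on the host part only.
        $hostPart = ($actual[$role] -split '\.')[0]
        [pscustomobject]@{
            Role     = $role
            Holder   = $actual[$role]
            Expected = $Expected[$role]
            Match    = ($hostPart -ieq $Expected[$role])
        }
    }
}

# The schema master Change button is greyed out without Schema Admins membership.
$members = Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $env:USERNAME) {
    Write-Warning "$env:USERNAME is not a member of Schema Admins"
}

$result = @(Test-FsmoPlacement -Expected $Expected)
$result | Format-Table -AutoSize
if ($result.Match -contains $false) { Write-Warning 'Some roles are not on the expected DC' }
```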

Check Schema version via Registry

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\<Schema Version>

– Windows 2000 RTM with all Service packs = Schema version is 13
– Windows Server 2003 RTM with all Service packs = Schema version is 30
– Windows Server 2003 R2 RTM with all Service packs = Schema version is 31
– Windows Server 2008 RTM with all Service packs = Schema version is 44
– Windows Server 2008 R2 RTM with all Service packs = Schema version is 47
– Windows Server 2012 RTM = Schema version is 56
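
The following added example (not part of the original post) reads this registry value on every DC in the domain and compares it with the objectVersion attribute of the schema naming context, so a DC that has not yet received a schema upgrade stands out. It assumes the ActiveDirectory module and PowerShell remoting (WinRM) to each DC; the version names are taken from the list above.

```powershell
# Added example: compare each DC's local schema version with the directory's.
# Assumptions: ActiveDirectory module installed, WinRM reachable on every DC.
Import-Module ActiveDirectory

# Version-to-release table copied from the list above.
$SchemaNames = @{
    13 = 'Windows 2000'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
}

function Get-DirectorySchemaVersion {
    # objectVersion on the schema naming context is the forest schema version.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    [int](Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
}

function Get-DcSchemaVersion {
    param([string]$ComputerName)
    # Reads the registry value described above on the remote DC.
    [int](Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        (Get-ItemProperty -Path $key -Name 'Schema Version').'Schema Version'
    })
}

$forestVersion = Get-DirectorySchemaVersion
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $local = $null
    try { $local = Get-DcSchemaVersion -ComputerName $dc.HostName }
    catch { Write-Warning "Could not query $($dc.HostName): $_" }

    $name = if ($null -eq $local) { 'unreachable' }
            elseif ($SchemaNames.ContainsKey($local)) { $SchemaNames[$local] }
            else { 'not in the list above' }
    [pscustomobject]@{
        DC            = $dc.HostName
        LocalVersion  = $local
        Release       = $name
        ForestVersion = $forestVersion
        InSync        = ($local -eq $forestVersion)
    }
}
$report | Format-Table -AutoSize
```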

What are the five FSMO roles?

This is a common question asked when going for an IT related job interview 🙂

The five FSMO roles are:

Schema master
Domain Naming master
RID master (Relative Identifier)
PDC Emulator master
Infrastructure master

Two of the roles are forest wide and three are domain wide roles. The Forest wide FSMO roles are common for the entire forest, and by default are held on the first Domain Controller within the forest root domain.

The Forest Wide roles are:
Schema master
Domain Naming master

The other three domain wide roles are:
RID master (Relative Identifier)
PDC Emulator master
Infrastructure master

About the roles:

Schema master
The schema master controls all updates and modifications to the schema. The schema is shared between every tree and domain in a forest and must be consistent between all objects. If the server holding the schema role fails, in most cases the loss of this role will not affect network users but will affect admins if modifications to the schema are required.

Domain Naming
When a new domain is added to a forest the name must be unique within the forest and the domain naming master must be available when adding or removing a domain within a forest. Temporary loss of this role holder will not be noticeable to network users. Domain admins will only notice the loss if a domain is required to be added or removed within the forest.

RID master (Relative Identifier)
This role is in charge of allocating RIDs to DCs within a domain. When an object such as a computer, user or group is created in AD (Active Directory) it is given a SID. The SID consists of a domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain. When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.

If this role fell over, the chances are good that the existing DCs will have enough unused RIDs to last some time, unless you are building hundreds of user or computer objects per week. Domain admins will notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs).

PDC Emulator master
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a BDC. It is also responsible for time synchronisation within a domain. Any password changes are replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before the request is rejected. Loss of this role will affect users.

Infrastructure master
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalogue is used to compare data, as it receives regular updates for all objects in all domains. Any changes to user and group references are updated by the infrastructure master. For example, if you rename or move a group member and the member is in a different domain from the group, the group will temporarily appear not to contain that member.

Temporary loss of the Infrastructure master role holder will not be noticeable to network users. Administrators will not notice the role loss unless they are moving or renaming, or have recently moved or renamed, large numbers of accounts. Group memberships may be incomplete. If you only have one domain, then there should be no impact.

NOTE: In the event you need to seize the Infrastructure master role, do not seize it to a DC which is a global catalogue server, unless all DCs are global catalogue servers.
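
The rule in the note above can be checked before a seizure with the following added example (not part of the original post). It assumes the ActiveDirectory PowerShell module; the function name is hypothetical.

```powershell
# Added example: check infrastructure master placement against the rule above.
# Assumption: ActiveDirectory module installed. Function name is illustrative.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $infra = (Get-ADDomain).InfrastructureMaster
    $dcs   = @(Get-ADDomainController -Filter *)
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    $holder = $dcs | Where-Object { $_.HostName -ieq $infra }
    if (-not $holder) { throw "Role holder $infra not found among the domain's DCs" }

    # Acceptable if every DC is a GC, or the holder itself is not a GC.
    $allGc = ($nonGc.Count -eq 0)
    [pscustomobject]@{
        InfrastructureMaster = $infra
        HolderIsGC           = [bool]$holder.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        PlacementOK          = ($allGc -or -not $holder.IsGlobalCatalog)
        # DCs that satisfy the rule as a target when not every DC is a GC.
        NonGCCandidates      = $nonGc.HostName -join ', '
    }
}

$check = Test-InfrastructureMasterPlacement
$check | Format-List
if (-not $check.PlacementOK) {
    Write-Warning 'Infrastructure master is on a global catalogue server while non-GC DCs exist'
}
```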