Flexible Single Master Operations roles – Transfer and Verify

Dec 30, 2022 | By

Microsoft’s page on how to transfer FSMO (Flexible Single Master Operations) roles:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/view-transfer-fsmo-roles

To check which servers hold the FSMO roles

From the command line, type:
netdom query fsmo

From PowerShell
to determine the Schema Master and Domain Naming Master (forest-wide roles):
Get-ADForest domainname | Format-Table SchemaMaster, DomainNamingMaster

to determine the PDC Emulator, RID Master and Infrastructure Master (domain-wide roles):
Get-ADDomain yourdomain | Format-Table PDCEmulator, RIDMaster, InfrastructureMaster
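The two cmdlets above only show the holders for one forest and one domain at a time. The following script is an added example (not from the original post or from Microsoft's page) that collects all five role holders for every domain in the forest into one table and compares them against an expected baseline, so an unexpected transfer or seizure of a role shows up as drift. It assumes the ActiveDirectory module (RSAT) is installed and the session runs on a domain-joined machine; the baseline values (corp.example, dc01, dc02) are constructed placeholders.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory module is available and the machine is domain-joined.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Returns one object per FSMO role with its scope (forest or domain) and holder.
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    $roles = @()

    # Forest-wide roles: exactly one holder per forest.
    $roles += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $roles += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

    # Domain-wide roles: one holder per domain, so walk every domain in the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        $roles += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }
    return $roles
}

function Test-FsmoBaseline {
    # Compares the live role holders against a hashtable keyed "Scope/Role" whose
    # values are the expected holder FQDNs. Returns one string per discrepancy.
    param(
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $drift = @()
    foreach ($r in Get-FsmoRoleHolder) {
        $key = "$($r.Scope)/$($r.Role)"
        if (-not $Expected.ContainsKey($key)) {
            $drift += "No baseline entry for $key (current holder: $($r.Holder))"
        }
        elseif ($Expected[$key] -ne $r.Holder) {
            $drift += "$key moved: expected $($Expected[$key]), found $($r.Holder)"
        }
    }
    return $drift
}

# Constructed baseline for illustration only; replace with your own role holders.
$ExpectedHolders = @{
    'corp.example/SchemaMaster'         = 'dc01.corp.example'
    'corp.example/DomainNamingMaster'   = 'dc01.corp.example'
    'corp.example/PDCEmulator'          = 'dc01.corp.example'
    'corp.example/RIDMaster'            = 'dc01.corp.example'
    'corp.example/InfrastructureMaster' = 'dc02.corp.example'
}

Get-FsmoRoleHolder | Format-Table Scope, Role, Holder -AutoSize

$drift = @(Test-FsmoBaseline -Expected $ExpectedHolders)
if ($drift.Count -eq 0) {
    Write-Output 'FSMO role holders match the baseline.'
}
else {
    $drift | ForEach-Object { Write-Warning $_ }
}
```

Note that Get-ADForest and Get-ADDomain work without a name argument when run on a domain-joined machine, which is why the script does not need the domainname/yourdomain placeholders from the commands above. Running this on a schedule (or right after a planned transfer) gives you a simple check that the roles sit where you expect them; moving a FSMO role requires high privileges, so a holder that changed without a change record is worth investigating rather than silently updating the baseline.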

About the roles

Schema Master – the purpose of this role is to replicate schema changes to all other domain controllers in the forest. The domain controller holding it is also the one responsible for performing updates to the directory schema before those updates are replicated to the other domain controllers.

Domain Naming Master – the domain controller holding this role is responsible for making changes to the forest-wide domain namespace of the directory. It can add or remove a domain from the directory, and it can add or remove cross-references to domains in external directories.

RID Master – the domain controller holding this role is responsible for processing RID pool requests. It is also responsible for moving an object from one domain to another during an inter-domain object move. When an object is added to a domain, a unique SID is attached to the object. The SID is made up of a domain SID, which is the same for all SIDs created in the domain, and a relative ID (RID), which is unique for each SID created in the domain.

PDC Emulator – the domain controller holding this role acts as the primary domain controller (PDC) for its domain; each domain in the forest has one. This role has the most functions and is the most used of all the FSMO roles. The PDC Emulator is the domain's source of time synchronization for all domain controllers. Password changes made on other domain controllers are replicated to the primary domain controller. When an authentication failure occurs at a domain controller due to an incorrect password, the request is forwarded to the primary domain controller (PDC) before the error is reported to the user. Account lockouts are processed on the primary domain controller (PDC).

Infrastructure Master – the purpose of this role is to update an object's SID and distinguished name in cross-domain object references. If a user is added to a security group in another domain, the Infrastructure Master is what keeps that reference correct.