Editor's note: Adam Bertram originally wrote this article, and Liam Cleary has expanded it.

Flexible Single Master Operation (FSMO) roles are specialized tasks in an Active Directory forest that only one domain controller can perform at a time. These roles are required for the proper functioning and management of an AD environment.

Several scenarios can require migrating or transferring FSMO roles in AD from one domain controller to another. Here are a few examples:

Server upgrade or replacement. If an organization needs to upgrade or replace a domain controller, transferring the FSMO roles to the new server might be necessary to ensure that the AD environment continues functioning correctly.

Site consolidation. An organization might need to consolidate multiple AD sites into one. This could involve moving FSMO roles from various domain controllers to a single domain controller in the new site.

Load balancing. Some domain controllers can become more heavily loaded over time. Transferring FSMO roles to other domain controllers might be necessary to balance the load and improve performance.

Disaster recovery. To ensure the AD environment continues functioning, you must transfer the FSMO roles held by a failed domain controller to another domain controller.

In all of these scenarios, transferring FSMO roles is necessary to ensure the availability and reliability of the AD environment. Planning and executing the transfer is essential to minimize the effect on users and applications.

Before you get started

To find and move FSMO roles using PowerShell, you must take the following steps:

If you're using Windows 10, you can either install Remote Server Administration Tools (RSAT), including the required AD module, or add the required features using Optional features within the Control Panel. Select 'RSAT: Active Directory Domain Services and Lightweight Directory Services Tools' in Optional features. If you use Windows 11, you can enable the component by adding the RSAT: Remote Access Management Tools feature.

Ensure your computer meets the following prerequisites:

The computer must run PowerShell.

The computer must be joined to the domain.

Ensure you have the appropriate permissions to move FSMO roles.
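The prerequisite checks above can be scripted rather than done by eye. The following is an added example, not code from the original article: it verifies that the RSAT ActiveDirectory module is present, that the computer is domain-joined, and that the current logon token carries the groups that can move each role. The group names assumed are the default English ones (Domain Admins for the three domain-level roles, Enterprise Admins for the domain naming master, Schema Admins for the schema master).

```powershell
# Added example (not from the original article): check the prerequisites listed
# above before querying or moving FSMO roles. Assumptions: default English group
# names, and the RSAT ActiveDirectory module as the source of the AD cmdlets.

# 1. Is the ActiveDirectory module (installed with RSAT) available?
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Warning 'ActiveDirectory module not found; install the RSAT AD DS and LDS tools first.'
    return
}
Import-Module ActiveDirectory

# 2. Is this computer joined to a domain?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning 'This computer is not domain-joined.'
    return
}
"Domain-joined to $($cs.Domain)"

# 3. Does the current user's logon token carry the groups that can move each role?
#    By default: Domain Admins for the three domain-level roles, Enterprise Admins
#    for the domain naming master, Schema Admins for the schema master.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object {
        # Translate() throws for orphaned SIDs; skip those rather than abort.
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $present = [bool]($tokenGroups | Where-Object { $_ -like "*\$group" })
    '{0,-17} {1}' -f $group, $(if ($present) { 'present' } else { 'MISSING' })
}
```

The token check reads group membership as it was at logon, so a membership granted after you signed in will show as missing until you log on again. The module check only confirms the cmdlets are installed; a domain controller still has to be reachable for them to work.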

Types of FSMO roles

There are five FSMO roles in an AD forest, each with a specific purpose:

Schema master. This role controls modifications to the AD forest schema. The schema defines the structure and rules for objects and attributes stored in AD, so this role ensures that changes to the schema synchronize with all domain controllers in the forest.

Domain naming master. This role controls adding or removing domains from the AD forest. It ensures that there are no naming conflicts when adding new domains and that the names are unique.

Infrastructure master. This role updates references to group-to-user mappings within a domain. It ensures that changes to group memberships synchronize across all domain controllers.

Relative identifier (RID) master. This role allocates a pool of unique RIDs to each domain controller in a domain. RIDs get mapped to security principals, such as user accounts, groups and computer accounts.

Primary domain controller (PDC) emulator. This role provides backward compatibility for older clients and manages password changes. It's responsible for time synchronization across the domain, which is critical for Kerberos authentication.

AD assigns each FSMO role to a specific domain controller. The roles must be distributed and function correctly to maintain a healthy AD environment.

How to transfer FSMO roles

Now that you have checked where the FSMO roles reside, you can move them by calling Move-ADDirectoryServerOperationMasterRole, setting the domain controller and the role to move.

$domainController = "WIN2019BDC"

Move-ADDirectoryServerOperationMasterRole `
    -Identity $domainController `
    -OperationMasterRole PDCEmulator

The PowerShell command also accepts the use of splatting:

$params = @{
    Identity            = $domainController
    OperationMasterRole = "RIDMaster"
}

Move-ADDirectoryServerOperationMasterRole @params

Once executed, you can check the location of the FSMO roles. Use PowerShell functions to retrieve FSMO role holders at the domain and forest levels. Finding the FSMO role holders before moving them is not strictly necessary, but knowing the state before making such significant changes is helpful.
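The following is an added example, not code from the original article. It ties together the role list from the "Types of FSMO roles" section and the transfer just shown: a small function reports the holder of each role (the three domain-level roles via Get-ADDomain, the two forest-level roles via Get-ADForest), the script records that state, moves one role, and then re-reads the holders from the target domain controller to confirm the move landed. The target name WIN2019BDC is the one used above; the role chosen (RIDMaster) is an assumption for the example.

```powershell
# Added example (not from the original article): record the FSMO role holders,
# move one role with Move-ADDirectoryServerOperationMasterRole, and confirm the
# result. Assumption: the target DC name 'WIN2019BDC' is the one from the article.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # One object per FSMO role. The three domain-level roles come from
    # Get-ADDomain; the two forest-level roles come from Get-ADForest.
    # -Server pins the query to one DC so the answer does not depend on
    # which DC the module happens to talk to.
    param([string]$Server)
    $opt = @{}
    if ($Server) { $opt.Server = $Server }
    $d = Get-ADDomain @opt
    $f = Get-ADForest @opt
    [PSCustomObject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $d.PDCEmulator }
    [PSCustomObject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $d.RIDMaster }
    [PSCustomObject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $d.InfrastructureMaster }
    [PSCustomObject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $f.SchemaMaster }
    [PSCustomObject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $f.DomainNamingMaster }
}

$domainController = 'WIN2019BDC'
$role             = 'RIDMaster'

# Resolve the target first: this fails loudly if the DC name is wrong or unreachable.
$target = Get-ADDomainController -Identity $domainController

$before = Get-FsmoRoleHolder
'Before the move:'
$before | Format-Table -AutoSize

$current = ($before | Where-Object Role -eq $role).Holder
if ($current -eq $target.HostName) {
    "$role is already held by $($target.HostName); nothing to do."
    return
}

# The cmdlet asks for confirmation before moving a role; leaving that prompt in
# place is deliberate for a change of this significance.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role

# Ask the target DC directly, so the check is not waiting on replication.
$after = Get-FsmoRoleHolder -Server $target.HostName
'After the move:'
$after | Format-Table -AutoSize

$new = ($after | Where-Object Role -eq $role).Holder
if ($new -eq $target.HostName) {
    "$role is now held by $new."
} else {
    Write-Warning "$role is still reported on $new; check replication and the Directory Service event log on both DCs."
}
```

Querying the target with -Server after the move matters: other domain controllers will keep reporting the old holder until replication completes, so a check against an arbitrary DC can show a false failure. Keeping the "before" output is also what lets you undo the change quickly if an application turns out to depend on the previous holder.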