Active Directory operates with a multi-master replication model, but certain operations are single-master by design. These are handled by the FSMO roles (Flexible Single Master Operations), sometimes called “Operations Masters.” In a single-domain environment, there are five FSMO roles:
- Schema Master – one per forest
- Domain Naming Master – one per forest
- PDC Emulator – one per domain
- RID Master – one per domain
- Infrastructure Master – one per domain
Your FSMO roles are likely all sitting on one or more of your old Windows Server 2016 DCs. To fully migrate to the new DCs, we need to transfer these roles to a Windows Server 2025 DC. This is a planned, graceful transfer—not a seize—and has no downtime. We’ll use PowerShell for this process.
Deciding Role Placement
Determine which new DC will hold which roles. In smaller environments, it is common to place all FSMO roles on one DC. In our scenario, we’ll move all FSMO roles to DC2025-1.
Key Guidelines:
- PDC Emulator: Should be on a reliable, well-connected DC (typically a Global Catalog).
- Infrastructure Master: Should not be on a Global Catalog unless all DCs are GCs.
- RID Master and PDC Emulator: Can be co-located.
- Schema and Domain Naming Masters: Typically reside on the first DC, but can be moved anywhere.
Transferring FSMO Roles via PowerShell
Identify Current FSMO Role Holders (Optional):
netdom query FSMO
Run the FSMO Transfer Command:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2025-1" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# To skip confirmation prompts:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2025-1" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# If successful, the roles will be transferred gracefully without any errors.
Verify Role Transfer:
netdom query FSMO
Get-ADDomain | Select PDCEmulator, InfrastructureMaster, RIDMaster
Get-ADForest | Select SchemaMaster, DomainNamingMaster
Check Event Logs (Optional):
- New FSMO holder will log events like Event ID 1458.
- Old PDC logs Event ID 1459 when relinquishing the role.
Time Service Adjustment (PDC Emulator)
Once the PDC Emulator moves to DC2025-1, it becomes the domain’s time source. It may still point to the old PDC until NTP settings are reconfigured, which will be covered in Part 8.
Global Catalog Check (Infrastructure Master)
If all DCs are Global Catalogs, the usual rule about placing the Infrastructure Master is moot. In our case, all new DCs are GCs, so placing the Infrastructure Master on a GC is fine.
Role Function Overview:
- Schema Master: Handles schema extensions like ADPREP or Exchange setup.
- Domain Naming Master: Adds/removes domains in the forest.
- PDC Emulator: Preferred for Group Policy, password syncs, time source.
- RID Master: Allocates RID pools to DCs.
- Infrastructure Master: Maintains cross-domain object references.
All these role transfers are metadata changes and do not impact users.
Real-World Insight
Allow replication to occur after transferring roles. Confirm all DCs recognize the new FSMO holders before decommissioning the old ones. Force replication if necessary:
repadmin /syncall /e /P
Cleaning Up After FSMO Transfer
You may see logs on the old FSMO holder indicating it relinquished roles—this is normal.
DNS SRV Record Check:
Ensure DC2025-1 is now listed in the _ldap._tcp.pdc._msdcs.contoso.com SRV record. If not:
net stop netlogon
net start netlogon
This forces DNS registration.
Confirm in GUI (Optional):
Check the PDC tab in Active Directory Users and Computers > Operations Masters.
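The replication and DNS checks above can be scripted. This is an added example, not part of the original article: it asks each DC for its own view of the five role holders and checks the PDC SRV record, assuming a single-domain forest, the ActiveDirectory and DnsClient modules, and DC2025-1 as the expected holder (variable names are illustrative).

```powershell
# Added example: per-DC check that every domain controller agrees on the FSMO holders.
# Assumptions: single-domain forest; RSAT ActiveDirectory and DnsClient modules installed;
# $ExpectedHolder is the short name of the DC that received the roles in this article.
Import-Module ActiveDirectory

$ExpectedHolder = 'DC2025-1'
$domain   = Get-ADDomain
$expected = "$ExpectedHolder.$($domain.DNSRoot)"

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask this specific DC for its own replicated view of the role holders.
        $d = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
        $f = Get-ADForest -Server $dc.HostName -ErrorAction Stop
        $view = [ordered]@{
            SchemaMaster         = $f.SchemaMaster
            DomainNamingMaster   = $f.DomainNamingMaster
            PDCEmulator          = $d.PDCEmulator
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
        }
        foreach ($role in $view.Keys) {
            [pscustomobject]@{
                QueriedDC = $dc.HostName
                Role      = $role
                Holder    = $view[$role]
                Agrees    = ($view[$role] -eq $expected)
            }
        }
    } catch {
        # An unreachable DC is itself a finding: it cannot be assumed to have replicated.
        [pscustomobject]@{ QueriedDC = $dc.HostName; Role = '(query failed)'
                           Holder = $_.Exception.Message; Agrees = $false }
    }
}

# PDC locator SRV record that clients use to find the PDC Emulator.
$srvName = "_ldap._tcp.pdc._msdcs.$($domain.DNSRoot)"
$srv     = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
$srvOk   = [bool]($srv | Where-Object { $_.NameTarget -eq $expected })

$results | Sort-Object QueriedDC, Role | Format-Table -AutoSize
"PDC SRV record points to ${expected}: $srvOk"
if (($results | Where-Object { -not $_.Agrees }) -or -not $srvOk) {
    Write-Warning 'Not all DCs or DNS reflect the new FSMO holder; do not decommission the old DCs yet.'
}
```

A DC that still reports an old holder has not yet replicated the change; rerun after replication completes.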
By completing the FSMO role transfer, DC2025-1 is now the primary DC. The legacy DCs are demoted in function and ready for removal in later steps. Parts 6 and 7 will cover DNS migration and cleanup. For now, celebrate the milestone—your core AD roles are now on Windows Server 2025!
Cristal Kawula, Checkyourlogs.net