AD DS: The schema master role and the domain naming master role should be owned by the same domain controller in the forest

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Warning

Category: Configuration

Issue

The schema operations master role and the domain naming operations master role (also known as flexible single master operations (FSMO) roles) are owned by different domain controllers in the forest.

Impact

When the schema master role and the domain naming master role are held by the same domain controller, administration of these roles is simplified. However, this is not a strict rule, and you can move these roles to different domain controllers if you prefer.

Resolution

Consider consolidating the schema master role and the domain naming master role onto a single domain controller. Keep the domain controller in a secure environment.

At the forest level, the schema master and the domain naming master roles should be placed on the same domain controller. These operations master roles are rarely used and should be tightly controlled. You can use the following procedures to transfer the schema master role or the domain naming master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned.

Membership in Schema Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To transfer the schema master role by using Active Directory PowerShell

  1. To open Active Directory PowerShell, click Start, click Administrative Tools, and then click Active Directory PowerShell.

  2. To transfer the schema master role, at the Active Directory PowerShell command prompt, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity <ADDirectoryServer> -OperationMasterRole <ADOperationMasterRole[]>

    For example, to transfer the schema master role to a domain controller named FABRIKAM-DC1, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity FABRIKAM-DC1 -OperationMasterRole SchemaMaster

Note

For a full explanation of the parameters that you can pass to Move-ADDirectoryServerOperationMasterRole, at the Active Directory PowerShell command prompt, type Get-Help Move-ADDirectoryServerOperationMasterRole -Detailed, and then press ENTER.

To transfer the schema master role by using the Active Directory Schema snap-in

  1. Open the Active Directory Schema snap-in.

  2. In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller.

  3. In the Change Directory Server dialog box, under Change to, click This Domain Controller or AD LDS instance.

  4. In the list of domain controllers, click the name of the domain controller to which you want to transfer the schema master role, and then click OK.

  5. In the console tree, right-click Active Directory Schema, and then click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the schema master role. The name of the targeted domain controller appears in the second box.

  6. Click Change, and then click Yes to confirm your choice. When the system reports that the operation succeeded, click OK.

  7. Click Close to close the Change Schema Master dialog box.

To transfer the domain naming master role by using Active Directory PowerShell

  1. To open Active Directory PowerShell, click Start, click Administrative Tools, and then click Active Directory PowerShell.

  2. To transfer the domain naming master role, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity <ADDirectoryServer> -OperationMasterRole <ADOperationMasterRole[]>

    For example, to transfer the domain naming master role to a domain controller named FABRIKAM-DC1, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity FABRIKAM-DC1 -OperationMasterRole DomainNamingMaster

Note

For a full explanation of the parameters that you can pass to Move-ADDirectoryServerOperationMasterRole, at the Active Directory PowerShell command prompt, type Get-Help Move-ADDirectoryServerOperationMasterRole -Detailed, and then press ENTER.
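The two Active Directory PowerShell procedures above each move one role. The following script, an added example that is not part of this topic and not Microsoft's own code, performs the same check the Best Practices Analyzer performs (are the schema master and domain naming master on the same domain controller?) and, when they are split, moves both forest-wide roles onto one domain controller in a single Move-ADDirectoryServerOperationMasterRole call, then re-queries the forest to verify the result. It assumes the ActiveDirectory module is installed, that the caller holds Schema Admins and Enterprise Admins membership, and that the target domain controller name FABRIKAM-DC1 is a placeholder you replace with your own.

```powershell
# Added example (not from the original topic). Assumes the ActiveDirectory
# module is available and the caller is in Schema Admins and Enterprise Admins.
# FABRIKAM-DC1 is a placeholder target; replace it with a writable DC in your
# forest that you keep in a secure, tightly controlled environment.
Import-Module ActiveDirectory

$TargetDC = 'FABRIKAM-DC1'

# Get-ADForest exposes the current holders of the two forest-wide roles.
$forest = Get-ADForest
Write-Host "Schema master        : $($forest.SchemaMaster)"
Write-Host "Domain naming master : $($forest.DomainNamingMaster)"

# This is the condition the BPA rule checks: both roles on one DC.
if ($forest.SchemaMaster -eq $forest.DomainNamingMaster) {
    Write-Host "Both forest-wide roles are already held by $($forest.SchemaMaster); nothing to do."
    return
}

Write-Warning "Forest-wide roles are split across $($forest.SchemaMaster) and $($forest.DomainNamingMaster)."

# Confirm the target is a reachable, writable domain controller before moving
# anything; a read-only DC cannot hold an operations master role.
$dc = Get-ADDomainController -Identity $TargetDC
if ($dc.IsReadOnly) {
    throw "$TargetDC is a read-only domain controller and cannot hold operations master roles."
}

# Transfer both roles in one call. The cmdlet prompts for confirmation by
# default; no -Force is passed, so this is a transfer (the current holder must
# be online), not a seizure.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster

# Re-query rather than reuse $forest, which is a snapshot taken before the move.
$after = Get-ADForest
if ($after.SchemaMaster -eq $after.DomainNamingMaster) {
    Write-Host "Verified: schema master and domain naming master are both on $($after.SchemaMaster)."
} else {
    Write-Warning "Roles are still split (schema: $($after.SchemaMaster); domain naming: $($after.DomainNamingMaster)); check the transfer output and replication."
}
```

Run the script once from an elevated Active Directory PowerShell session; it makes no change when the roles are already co-located, and when they are not it asks for confirmation before the transfer. Because both forest-wide roles end up on one domain controller, that host is the one to keep under the tightest physical and administrative control, as the Resolution section advises.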

To transfer the domain naming master role by using the Active Directory Domains and Trusts snap-in

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts. If the User Account Control dialog box appears, provide Enterprise Admins credentials (if required) and then click Continue.

  2. In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.

  3. Ensure that the correct domain name is entered in Look in this domain.

    The available domain controllers from this domain are listed.

  4. In the Name column, click the domain controller to which you want to transfer the domain naming master role, and then click OK.

  5. At the top of the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

  6. The name of the current domain naming master appears in the first box. The domain controller to which you want to transfer the domain naming master role should appear in the second box. If this is not the case, repeat steps 1 through 4.

  7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the message box indicating that the transfer took place. Click Close to close the Operations Master dialog box.

Additional references

For more information, see FSMO placement and optimization on Active Directory domain controllers (https://go.microsoft.com/fwlink/?LinkID=19807).