AD DS: The RID master role and the PDC emulator master role should be owned by the same domain controller in the domain

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System: Windows Server 2008 R2

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Warning

Category: Configuration

Issue

The relative ID (RID) operations master role and the primary domain controller (PDC) emulator operations master role (also known as flexible single master operations (FSMO) roles) are owned by different domain controllers in the domain.

Impact

Because of the close interaction between the RID master and the PDC emulator, these two roles should be held by a single domain controller or, as an alternative, by two domain controllers that are well connected.

Resolution

If the RID master role and the PDC emulator master role are held by two different domain controllers, ensure that these two domain controllers are well connected or consider consolidating these roles onto a single domain controller.

It is easier to keep track of operations master roles if you consolidate them on fewer computers. You can use the following procedures to transfer the RID master role or the PDC emulator master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. Note that a transfer requires both the current role holder and the target domain controller to be online and reachable; if the current holder has failed permanently, the role must be seized instead, and the former holder must never be brought back online afterwards, because two domain controllers would then both believe they own the role (for the RID master, that risks duplicate RID allocations and therefore duplicate SIDs).

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures (Schema Admins is required only for the forest-level schema master role, not for the domain-level RID master or PDC emulator roles). Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To transfer a domain-level operations master role using Active Directory PowerShell

  1. To open Active Directory PowerShell, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.

  2. To transfer an operations master role, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity <ADDirectoryServer> -OperationMasterRole <ADOperationMasterRole[]>

    For example, to transfer the RID master role to a domain controller named FABRIKAM-DC1, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity FABRIKAM-DC1 -OperationMasterRole RIDMaster

    Or, to transfer the PDC emulator master role to a domain controller named FABRIKAM-DC1, type the following cmdlet, and then press ENTER:

    Move-ADDirectoryServerOperationMasterRole -Identity FABRIKAM-DC1 -OperationMasterRole PDCEmulator

Note

For a full explanation of the parameters that you can pass to Move-ADDirectoryServerOperationMasterRole, at the Active Directory PowerShell command prompt, type Get-Help Move-ADDirectoryServerOperationMasterRole -Detailed, and then press ENTER.
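The following script is an added example and is not part of the original Best Practices Analyzer topic. It performs the same check the BPA rule performs (are the RID master and the PDC emulator held by the same domain controller?), and if they are not, it transfers the RID master role onto the PDC emulator and then verifies the result by reading the domain object from the new holder rather than from a possibly stale replica. The choice to move the RID master rather than the PDC emulator, and the use of the PDC emulator as the consolidation target, are the example's own assumptions; it requires the Active Directory module and Domain Admins rights, and it uses only the Get-ADDomain and Move-ADDirectoryServerOperationMasterRole cmdlets shown on this page.

```powershell
# Added example (not from the original topic): detect and consolidate split
# RID master / PDC emulator roles. Assumes the Active Directory module is
# available and the session runs with Domain Admins rights.
Import-Module ActiveDirectory

function Get-DomainRoleHolders {
    # Returns the RID master and PDC emulator holders for the current domain
    # (or the domain passed in) and whether they are the same DC.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    New-Object PSObject -Property @{
        Domain      = $d.DNSRoot
        RIDMaster   = $d.RIDMaster
        PDCEmulator = $d.PDCEmulator
        CoLocated   = ($d.RIDMaster -eq $d.PDCEmulator)
    }
}

$before = Get-DomainRoleHolders
$before | Format-List Domain, RIDMaster, PDCEmulator, CoLocated

if ($before.CoLocated) {
    "RID master and PDC emulator are both on $($before.PDCEmulator); nothing to do."
    return
}

# Assumption: consolidate onto the PDC emulator, so that the DC other DCs and
# clients already depend on for time and password-change handling stays put and
# only the RID master role moves.
$target = $before.PDCEmulator

# A transfer requires the current RID master and the target to be online and
# reachable. Do NOT add -Force here: -Force seizes the role, which is only
# appropriate when the current holder is permanently gone and will never be
# brought back online.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole RIDMaster -Confirm:$false

# Verify against the target DC itself so the answer does not come from a
# replica that has not yet received the change.
$after = Get-ADDomain -Server $target
if ($after.RIDMaster -ne $target) {
    throw "RID master transfer to $target did not complete (current holder: $($after.RIDMaster))"
}
"RID master is now held by $($after.RIDMaster), alongside the PDC emulator $($after.PDCEmulator)."
```

Run the script once without the Move line to see the current holders before changing anything; the -Confirm:$false switch suppresses the cmdlet's per-role confirmation prompt, so remove it if you prefer to approve the transfer interactively.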

To transfer a domain-level operations master role using the Active Directory Users and Computers snap-in

  1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials (if required) and then click Continue.

  2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller.

  3. Ensure that the correct domain name is entered in Look in this domain.

    The available domain controllers from this domain are listed.

  4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK.

  5. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters.

    The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box.

  6. Click the tab for the operations master role that you want to transfer: RID or PDC. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK.

  7. Repeat steps 5 and 6 for each role that you want to transfer.

Additional references

For more information, see article 223346 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=19807).