This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Scenario: a large, multiple site, enterprise with over 10 domain controllers and a single domain controller holding all of the FSMO.
Question: Is there any benefit to moving the FSMO to another domain controller prior to patching a domain controller that holds all of the FSMO roles?
Is there any benefit or reduction in risk?
Ideally it would be good to hear from Microsoft. I'm seeking an authoritative answer.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Not really, active directory is now multi-master, in a worst case you can seize roles to another healthy one.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
The brief answer you offered was reasonable and the same as all of my team members. You may actually find this interesting and a little bit ironic. Another person offered an answer and admitted it was from chatGPT. A machine offered a more concise and detailed answer. I would love to have the sources cited for the answer but it's probably a culmination of many sources in its database. This is the world we live in now. In any case, thanks for your response. - Lance (Regards from Stuttgart, Germany)
Subject: Patching domain controllers in a large environment
I have a Microsoft multiple site enterprise with over 10 domain controllers
and a single domain controller holding all of the FSMO roles. Does it make
sense to move the FSMO role to another server before patching the domain controller?
When it comes to patching a domain controller (DC) in a Microsoft multiple-
site enterprise with over 10 domain controllers and a single DC holding all
of the Flexible Single Master Operations (FSMO) roles, it's generally
recommended to move the FSMO roles to another domain controller before
patching.
The FSMO roles are crucial for the proper functioning of Active Directory,
and they control various operations within the domain, such as schema
updates, domain naming, and more. By moving the FSMO roles before patching,
you minimize the potential impact on the operations of your domain and
reduce the risk of any issues during the patching process.
Moving the FSMO roles involves transferring them to another domain
controller using the appropriate administrative tools provided by
Microsoft, such as the Active Directory Users and Computers console or the
NTDSUTIL command-line tool. Once the roles have been successfully
transferred, you can proceed with patching the domain controller without
worrying about disruptions to the FSMO operations.
It's worth mentioning that while it's generally recommended to move FSMO
roles before patching, there might be scenarios where the risk or impact of
patching a domain controller is low enough that it can be done without
transferring the roles. However, as a best practice, especially in larger
enterprise environments, it's advisable to err on the side of caution and
move the FSMO roles to ensure smooth operations during the patching process.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more