I needed to move our FSMO roles to a centralised server today. The main causes for this were firewall rules (we cannot add rules mid-week) and an urgent requirement for Domain Controllers in our Azure Production environment.
We were unable to dcpromo our Azure server and, after 2 days of troubleshooting, Wiresharking and several workarounds, we decided to move the FSMO roles yet again. Now, I know for a fact that continuously moving the FSMO roles is NOT HEALTHY for a domain environment, and I was totally against it, but I bit the bullet and did as I was told.
They are now in their new home, On-Premise Site A, and will not be moved again. However, due to Microsoft best practice, we will split the Schema master and Domain Naming Master off to DC2 once all firewall rules are in place.
Previous placement:
On AWS: Schema master, Domain naming master
On Prem Site B: RID master, PDC emulator, Infrastructure master
Current placement:
On Prem Site A: RID master, PDC emulator, Infrastructure master, Schema master, Domain naming master
Now, the permissions: you need to be a Domain Admin to move the RID master, PDC emulator and Infrastructure master. The Domain Naming Master is a forest-wide role and requires membership of Enterprise Admins, and the Schema Master requires membership of the AD group Schema Admins. So for the Schema Master, either get someone who is already a member of Schema Admins to move it, or add yourself to Schema Admins, log off and back on so your token picks up the new membership, and remove yourself from the group again once the transfer is done (Schema Admins should normally be empty).
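The check-then-move procedure above as a PowerShell script. This is an added example, not something from the original post or from Microsoft; the DC name `SITEA-DC1` and the assumption that it is run from an elevated session on a member of the forest root domain (where Enterprise Admins and Schema Admins live) are mine.

```powershell
# Added example: list current FSMO holders, work out which roles the running
# account is allowed to transfer, move those roles, then verify.
# Assumptions: ActiveDirectory RSAT module is installed, the session is run
# from the forest root domain, and SITEA-DC1 is a placeholder DC name.
Import-Module ActiveDirectory

$target = 'SITEA-DC1'      # assumed: the DC that should end up holding the roles
$me     = $env:USERNAME    # the account doing the transfer

# 1. Where do the roles live right now? Forest-wide roles come from
#    Get-ADForest, domain-wide roles from Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Which group is needed for which role. Membership is checked recursively
#    so nested group membership counts, but remember that a newly added
#    membership only shows up in your token after a fresh logon.
$required = @{
    'Domain Admins'     = @('RIDMaster', 'PDCEmulator', 'InfrastructureMaster')
    'Enterprise Admins' = @('DomainNamingMaster')
    'Schema Admins'     = @('SchemaMaster')
}
$rolesToMove = @()
foreach ($group in $required.Keys) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $me) {
        $rolesToMove += $required[$group]
    } else {
        Write-Warning "$me is not in '$group'; cannot move $($required[$group] -join ', ')"
    }
}

# 3. Transfer (not seize) the roles we are allowed to move. A transfer needs
#    the current holder to be online; only add -Force (a seize) when the old
#    holder is permanently gone, because the old DC must then never come back.
if ($rolesToMove.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $rolesToMove -Confirm:$false
}

# 4. Verify from a second source that the move actually took.
netdom query fsmo
```

If the Schema Master is the only role the warning fires for, that is the cue to either hand that one to a Schema Admins member or temporarily add yourself, re-logon, rerun the script, and then take yourself back out of Schema Admins.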