How can I see and transfer FSMO roles?
When you create a new Active Directory domain, all FSMO roles are assigned by default to the first domain controller in the forest. You can transfer FSMO roles from one DC to another using either the Active Directory graphical snap-ins or the PowerShell command prompt.

There are several tools for managing FSMO roles in an AD domain: MMC snap-ins, the Ntdsutil.exe command-line utility, and PowerShell. In our opinion, PowerShell is the most convenient way to manage AD FSMO roles today. Its only drawback is the unusual syntax; otherwise it is all upside, since PowerShell lets you transfer or seize roles with a single command.

Active Directory Domain Services has 5 special roles for domain controllers called Flexible Single Master Operations (FSMO, or Operations Master) roles. The five FSMO roles are: Schema Master and Domain Naming Master (forest-wide), and PDC Emulator, RID Master and Infrastructure Master (domain-wide).
FSMO roles can be assigned to a single domain controller or spread across different DCs, depending on your requirements. You can move an FSMO role between domain controllers in one of two ways: by transferring it (a graceful move while the current role holder is online) or by seizing it (a forced move when the current holder has failed).
Transferring FSMO roles with the cmdlets of the Active Directory PowerShell module has the following benefits:
Finding Active Directory FSMO Role Holders with PowerShell

You can identify the domain controllers holding the FSMO roles using the Active Directory snap-in GUI, but this can be checked more quickly from the command prompt and PowerShell. Import the Active Directory module into the current PowerShell session:

Import-Module ActiveDirectory
To get the forest-level FSMO role holders (the Domain Naming Master and Schema Master roles) for the specified forest, use the following PowerShell command:

Get-ADForest contoso.com | ft DomainNamingMaster, SchemaMaster

To view the domain-wide FSMO role owners (the Infrastructure Master, PDC Emulator, and Relative Identifier Master roles):

Get-ADDomain contoso.com | ft InfrastructureMaster, PDCEmulator, RIDMaster

In this example, dc01.test.com holds all FSMO roles. Alternatively, you can get information about all roles in your AD forest with the following PowerShell one-liner (only DCs that hold at least one role are listed):

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}

To transfer FSMO roles between Active Directory domain controllers, use the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole. This cmdlet moves one or more operations master roles to a new directory server. To use Move-ADDirectoryServerOperationMasterRole, your environment must meet the following requirements:
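The checks above are one-off queries. For ongoing monitoring, a defender wants a baseline of who should hold each role and an alert when that changes, because an unexpected transfer or seizure of the Schema Master or PDC Emulator is worth investigating. The following script is an added example, not code from the original article: it walks every domain in the forest with Get-ADForest and Get-ADDomain, lists all five role holders, and compares them with a recorded baseline. The baseline host names are constructed placeholders that you replace with the output of a known-good run.

```powershell
# Added example (not from the original article): audit all FSMO role holders
# across the forest and compare them with an expected baseline so that an
# unplanned transfer or seizure stands out. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Returns one object per role: Scope (Forest or domain name), Role, Holder (FQDN)
    $forest = Get-ADForest
    $result = @()
    $result += [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $result += [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $result += [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        $result += [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        $result += [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }
    return $result
}

function Compare-FsmoBaseline {
    param(
        # Keys are "Scope/Role", values are the expected holder FQDNs
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $drift = @()
    foreach ($entry in Get-FsmoRoleHolders) {
        $key = "$($entry.Scope)/$($entry.Role)"
        if ($Expected.ContainsKey($key) -and $Expected[$key] -ne $entry.Holder) {
            $drift += [pscustomobject]@{ Key = $key; Expected = $Expected[$key]; Actual = $entry.Holder }
        }
    }
    return $drift
}

# Constructed baseline with placeholder names: record the real one from a known-good run.
$baseline = @{
    'Forest/SchemaMaster'              = 'dc01.contoso.com'
    'Forest/DomainNamingMaster'        = 'dc01.contoso.com'
    'contoso.com/PDCEmulator'          = 'dc01.contoso.com'
    'contoso.com/RIDMaster'            = 'dc01.contoso.com'
    'contoso.com/InfrastructureMaster' = 'dc01.contoso.com'
}

Get-FsmoRoleHolders | Format-Table -AutoSize
$drift = Compare-FsmoBaseline -Expected $baseline
if ($drift) {
    Write-Warning "FSMO role holders differ from the recorded baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "All FSMO roles match the recorded baseline."
}
```

Run it from a scheduled task under a read-only account; nothing in it changes AD. Roles that are not in the baseline hashtable are listed but not flagged, so a multi-domain forest only alerts on the domains you have recorded.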
Check the current Active Directory schema version:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

In this case, the AD objectVersion is 87. This corresponds to the AD schema version of Windows Server 2016, so we can transfer the FSMO roles from PowerShell. Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasterRole cmdlet can be run from any domain computer.
For example, to transfer the PDC Emulator role to a domain controller named dc2, use the command:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" PDCEmulator

You can run this command on any domain controller, including one that is neither the old nor the new role holder. It is possible to transfer several roles at once:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster
Each role also has a numeric value that the cmdlet accepts in place of its name: PDCEmulator = 0, RIDMaster = 1, InfrastructureMaster = 2, SchemaMaster = 3, DomainNamingMaster = 4. Thus, the last command can be replaced by a shorter one:

Move-ADDirectoryServerOperationMasterRole "dc2" -OperationMasterRole 0,1,2,3,4
After you enter the FSMO transfer command for all or several roles, a prompt asks you to confirm or cancel the operation. To transfer all the roles, press A and then Enter. To skip the confirmation, add the -Confirm:$false parameter to the command. You can move the forest-wide operations master roles to a directory server in a different domain of the same AD forest.

If you want to run the FSMO transfer command under another user account, use the -Credential parameter:

$cred = Get-Credential
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster -Identity AD -Verbose -Force -Credential $cred

You can verify that the transfer completed successfully by running the Get-ADForest and Get-ADDomain cmdlets again. If you receive an "Access Denied" error when you run Move-ADDirectoryServerOperationMasterRole, make sure you are a member of the Enterprise Admins group. Add your account to this group, then log out and log back in.
Seizing FSMO Roles Using PowerShell

If the current owner of one or all of the FSMO roles fails, you may receive the following error when trying to use the Move-ADDirectoryServerOperationMasterRole cmdlet:
In this case, you can force the transfer (seize) of the FSMO roles with the -Force option:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Force

Also use the -Force parameter when you encounter the following error while moving the FSMO roles with the graphical snap-ins:
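The transfer and seize procedures above are the same cmdlet with and without -Force, and the risk is in choosing wrong: seizing a role whose holder is merely offline for maintenance leaves two DCs believing they own it once the old one returns. The following script is an added example, not code from the original article or from Microsoft: it wraps Move-ADDirectoryServerOperationMasterRole so that each role's current holder is looked up with Get-ADForest or Get-ADDomain, a graceful transfer is attempted only when that holder answers a ping, -Force is applied only when the caller asked for -Seize and the holder is unreachable, and the new holder is read back afterwards. The target name dc2 is a placeholder, and the reachability check with Test-Connection is an assumption of this example (a DC that blocks ICMP would need a different probe, such as a Test-NetConnection on an AD port).

```powershell
# Added example (not from the original article): transfer FSMO roles with a
# pre-check on the current holder and a post-check on the result. -Force (seize)
# is applied only when explicitly requested AND the current holder is unreachable.
Import-Module ActiveDirectory

function Get-CurrentFsmoHolder {
    # Returns the FQDN of the DC that currently holds the given role
    param([Parameter(Mandatory)] [string] $Role)
    switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }   # PDCEmulator, RIDMaster, InfrastructureMaster
    }
}

function Test-SameHost {
    # Compares host names by their first DNS label so "dc2" matches "dc2.contoso.com"
    param([string] $A, [string] $B)
    return (($A -split '\.')[0] -ieq ($B -split '\.')[0])
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string]   $Target,   # DC that should receive the roles, e.g. 'dc2' (placeholder)
        [Parameter(Mandatory)] [string[]] $Roles,    # e.g. 'PDCEmulator','RIDMaster'
        [switch] $Seize                              # only when the current holder is permanently gone
    )
    foreach ($role in $Roles) {
        $holder = Get-CurrentFsmoHolder -Role $role
        if (Test-SameHost $holder $Target) {
            Write-Host "$role is already held by $holder, skipping."
            continue
        }
        # Assumption of this example: ICMP reachability stands in for "holder is online"
        $holderOnline = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        if (-not $holderOnline -and -not $Seize) {
            Write-Warning "$role holder $holder is unreachable; a graceful transfer will fail. Re-run with -Seize only if that DC will never return."
            continue
        }
        if ($holderOnline -and $Seize) {
            Write-Warning "$role holder $holder is online; refusing to seize a role that can be transferred gracefully."
            continue
        }
        $params = @{ Identity = $Target; OperationMasterRole = $role; Confirm = $false }
        if ($Seize) { $params.Force = $true }      # -Force is what turns a transfer into a seizure
        Move-ADDirectoryServerOperationMasterRole @params

        # Post-check: read the holder back rather than trusting the cmdlet's silence
        $newHolder = Get-CurrentFsmoHolder -Role $role
        if (Test-SameHost $newHolder $Target) {
            Write-Host "$role is now held by $newHolder."
        } else {
            Write-Warning "$role still reports $newHolder; check replication before retrying."
        }
    }
}

# Graceful transfer of the three domain-wide roles to dc2 (placeholder name)
Move-FsmoRoles -Target 'dc2' -Roles 'PDCEmulator','RIDMaster','InfrastructureMaster'
```

The two refusals are the point of the wrapper: it will not seize from a DC that is still answering, and it will not silently fail a graceful transfer against a DC that is down. When a seizure was genuinely necessary, the old holder must never be brought back online as a DC; the metadata cleanup mentioned in the next section is what keeps it from reappearing as a role owner.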
When transferring or seizing the FSMO roles, keep in mind the following restrictions:
To demote a domain controller after seizing FSMO roles, you need to clear the metadata in AD:
As you can see, PowerShell lets you perform FSMO role management tasks much faster and more easily than the Ntdsutil tool and the MMC snap-ins.
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

What is the command to see all FSMO roles?

Open and run the command prompt as admin on your domain controller. Enter the command: netdom query fsmo. The output will show all of the FSMO roles and which domain controller holds them.
Do FSMO roles transfer automatically?

Transferring an FSMO role is the recommended way of moving an FSMO role between domain controllers. It can be initiated by the administrator or by demoting a domain controller, but it is not initiated automatically by the operating system. This includes a server in a shut-down state.