This morning one of my customers faced a major failure with the Domain Controllers that were hosting three of the five FSMO roles, as the servers were over the point of recovery I was forced to Seize the FSMO roles to other Domain Controllers that were still working correctly.
In the past to seize FSMO roles we used ntdsutil command line tool which was not the most intuitive or easy to use tool out there, thankfully since Microsoft released PowerShell even most of the tasks that were previously possible only through obscure tools or almost unknown commands can now be easily performed via PowerShell.
To seize FSMO roles on a Windows 2012 machine you use the following cmdlet:
Move-ADDirectoryServerOperationMasterRole -Identity <target_dc_name> -OperationMasterRole<name_of_role>
Refer to the following table to subsitute <name_of_role> with the correct Name:
|Operations Master Role Name||Operations Master Role Number|
The above command assumes that you already have imported ActiveDirectory module to your PowerShell session which can be performed with the following command:
Assuming you want to move the Schema Master FSMO role to a Domain Controller named DC01 you would use the following command:
Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole SchemaMaster
Of course you can also substitute the Operations Master Role Name with any of the corresponding numbers so the above example could be written as follows:
Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole 3
If you need to move multiple roles with a single command that would be possible with the following command:
Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
Again the above could be written for brevity with numbers in place of FSMO Names:
Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole 0,1,2,3,4
Any of the above commands will try to perform a graceful move of the FSMO roles but, as in the case I was following today, you need to seize the FSMO role from a defunct DC you would run the above command with -force switch like in the following example:
Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole 0,1,2,3,4 -Force
Finally if you want to find out if the above command ran correctly or are unsure which server is currently running FSMO roles you can run this set of commands to find out, for Forest Wide FSMO:
Get-ADForest helocheck.com |ft DomainNamingMaster, SchemaMaster -autosize
Which will produce an output similar to the following
DomainNamingMaster SchemaMaster ------------------ ------------ ADS-DC01.helocheck.com ADS-DC02.helocheck.com
To display Domain Wide FSMO roles you would run the following command:
Get-ADDomain helocheck |ft PDCEmulator,RIDMaster,InfrastructureMaster -AutoSize
On a closing note keep in mind you don’t need to perform the above operations on a Domain Controller or even a server for what it matters as long as you have ActiveDirectory modules available and RSAT installed.
If you found the article useful take a few seconds to leave me a comment and don’t forget to subscribe to RSS to be notified of any update or article!