Seize FSMO Roles with PowerShell

Manage FSMO roles via PowerShellThis morning one of my customers faced a major failure with the Domain Controllers that were hosting three of the five FSMO roles, as the servers were over the point of recovery I was forced to Seize the FSMO roles to other Domain Controllers that were still working correctly.

In the past to seize FSMO roles we used ntdsutil command line tool which was not the most intuitive or easy to use tool out there, thankfully since Microsoft released PowerShell even most of the tasks that were previously possible only through obscure tools or almost unknown commands can now be easily performed via PowerShell.

To seize FSMO roles on a Windows 2012 machine you use the following cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity <target_dc_name> -OperationMasterRole<name_of_role>

Refer to the following table to subsitute <name_of_role> with the correct Name:

Operations Master Role Name Operations Master Role Number 
PDCEmulator 0
RIDMaster 1
InfrastructureMaster 2
SchemaMaster 3
DomainNamingMaster 4

The above command assumes that you already have imported ActiveDirectory module to your PowerShell session which can be performed with the following command:

Import-Module ActiveDirectory

Assuming you want to move the Schema Master FSMO role to a Domain Controller named DC01 you would use the following command:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole SchemaMaster

Of course you can also substitute the Operations Master Role Name with any of the corresponding numbers so the above example could be written as follows:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole 3

If you need to move multiple roles with a single command that would be possible with the following command:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Again the above could be written for brevity with numbers in place of FSMO Names:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole 0,1,2,3,4

Any of the above commands will try to perform a graceful move of the FSMO roles but, as in the case I was following today, you need to seize the FSMO role from a defunct DC you would run the above command with -force switch like in the following example:

Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole 0,1,2,3,4 -Force

Finally if you want to find out if the above command ran correctly or are unsure which server is currently running FSMO roles you can run this set of commands to find out, for Forest Wide FSMO:

Get-ADForest helocheck.com |ft  DomainNamingMaster, SchemaMaster -autosize

Which will produce an output similar to the following

DomainNamingMaster       SchemaMaster
------------------       ------------
ADS-DC01.helocheck.com   ADS-DC02.helocheck.com

To display Domain Wide FSMO roles you would run the following command:

Get-ADDomain helocheck |ft PDCEmulator,RIDMaster,InfrastructureMaster -AutoSize

On a closing note keep in mind you don’t need to perform the above operations on a Domain Controller or even a server for what it matters as long as you have ActiveDirectory modules available and RSAT installed.

If you found the article useful take a few seconds to leave me a comment and don’t forget to subscribe to RSS to be notified of any update or article!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s