Transferring FSMO roles with PowerShell

 

Some time ago, I introduced on my blog two articles about

and

They are still valid but some new options appeared when Windows Server 2012 and PowerShell 3.0 were released.

From now on, you can use PowerShell cmd-lets to do that quickly and simply. This does not require registering any snap-ins on a server or machine; just run PowerShell and execute the dedicated cmd-let with the appropriate syntax.

Of course to be able to use this feature some prerequisites are required:

  • At least one Windows Server 2008R2 Domain Controller
  • Access to Active Directory Web Services (9389/tcp port unblocked)
  • Server or client machine with PowerShell 3.0 or newer
  • Imported PowerShell 2.0 or newer module for Active Directory

If the above prerequisites are met, you can use this cmd-let

Move-ADDirectoryServerOperationMasterRole

Its name is really long, but don’t worry, it is really simple to use.

To get an overview of this command let’s see its help by typing

Get-Help Move-ADDirectoryServerOperationMasterRole

Move-ADDirectoryServerOperationMasterRole help

As you can see, two parameters are required to successfully initiate an FSMO role transfer

  • target Domain Controller name
  • FSMO role(s) name

Active Directory contains five unique operation master roles.

Two of them are unique at the forest level

  • Schema Master
  • Domain Naming Master

to check where they are currently located, you need to use Get-ADForest cmd-let

Get-ADForest | Select SchemaMaster, DomainNamingMaster | Format-List

You will get a list of server(s) which hold forest-wide FSMO roles

List of forest-wide FSMO roles


and three are unique at domain level. That means, every domain in the forest has its own set of FSMO roles. These roles are:

  • PDC Emulator
  • RID Master
  • Infrastructure Master

to check where they are currently located, you need to use Get-ADDomain cmd-let

Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
List of domain-wide FSMO roles


If you have multiple domains and would like to check where the FSMO roles are located in one of them, specify the -Server switch with the DNS name of the domain you want to check

Get-ADDomain -Server testenv.devel | Select PDCEmulator, RIDMaster, InfrastructureMaster | Format-List
List of FSMO roles for selected domain


Note! Global Catalog is a Domain Controller role, not an Operation Master role!

To start transferring Operation Master roles to another Domain Controller, you need to specify the role name with the -OperationMasterRole switch.

Available role names are:

  • SchemaMaster
  • DomainNamingMaster
  • PDCEmulator
  • RIDMaster
  • InfrastructureMaster

All you have to do is provide a single role name or multiple role names separated by a comma (,), for example:

-OperationMasterRole PDCEmulator

or

-OperationMasterRole SchemaMaster, DomainNamingMaster

The specified role(s) will be transferred to another Domain Controller. Hey, but which one? You need to provide the DC’s name with the -Identity switch.

General syntax for that is:

Move-ADDirectoryServerOperationMasterRole -Identity <DomainControllerName> -OperationMasterRole <FSMORoleName>

An example of transferring the Infrastructure Master operation master role is:

Move-ADDirectoryServerOperationMasterRole -Identity DC06 -OperationMasterRole InfrastructureMaster

You need to confirm the operation by answering “Y yes” or “A yes to all” to the question, and the role(s) are transferred.

Transferring single FSMO role


To transfer more than one FSMO role in a single run, you need to list the FSMO roles separated by a comma (,)

Move-ADDirectoryServerOperationMasterRole -Identity <DomainControllerName> -OperationMasterRole <FSMORoleName1>,<FSMORoleName2>,..<FSMORoleNameN>

Let’s see the full cmd-let syntax for transferring InfrastructureMaster and RID Master

Move-ADDirectoryServerOperationMasterRole -Identity DC06 -OperationMasterRole InfrastructureMaster, RIDMaster

Press “A yes to all” and you do not have to confirm each role transfer separately

Transferring multiple FSMO roles


OK, so let’s see 4 commonly used actions in production environments:

  • transferring single FSMO role
  • transferring forest-wide FSMO roles
  • transferring domain-wide FSMO role
  • transferring all FSMO roles

Transferring single FSMO role

As shown above, you only need to know the role name and the Domain Controller to which you are going to migrate it. So, the syntax below may be used in this case

Move-ADDirectoryServerOperationMasterRole -Identity DC06 -OperationMasterRole InfrastructureMaster
Transferring single FSMO role


Just replace the InfrastructureMaster role name with the one you would like to transfer and that’s all.

Information! When you transfer the PDC Emulator role, you need to remember that you should introduce a new time server within your environment. If you wish, you may follow the steps described in the article on my blog, “Advertising new time server in domain environment”.

Transferring forest-wide FSMO roles

As introduced above, there are 2 forest-wide roles:

  • Schema Master
  • Domain Naming Master

To transfer them, use the simple command below, specifying the target Domain Controller’s name and the forest-wide role names

Move-ADDirectoryServerOperationMasterRole -Identity DC06 -OperationMasterRole SchemaMaster, DomainNamingMaster
Transferring forest-wide FSMO roles


and your forest-wide roles are transferred!

Transferring domain-wide FSMO role

You already know these roles; they were introduced above. There are 3 domain-wide FSMO roles:

  • PDC Emulator Master
  • RID Master
  • Infrastructure Master

To transfer them, use the simple command below, specifying the target Domain Controller’s name and the domain-wide role names

Move-ADDirectoryServerOperationMasterRole -Identity DC06 -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
Transferring domain-wide FSMO roles


and they are transferred!

Information! When you transfer the PDC Emulator role, you need to remember that you should introduce a new time server within your environment. If you wish, you may follow the steps described in the article on my blog, “Advertising new time server in domain environment”.

Transferring all FSMO roles

You know all the FSMO roles, so you may wish to transfer them all from the old Domain Controller to the new one. The syntax below does it smoothly

Move-ADDirectoryServerOperationMasterRole -Identity DC06 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Transferring all FSMO roles

and voila! All FSMO roles are transferred!

Information! When you transfer the PDC Emulator role, you need to remember that you should introduce a new time server within your environment. If you wish, you may follow the steps described in the article on my blog, “Advertising new time server in domain environment”.

Well done! You have already transferred all your FSMO roles to the other Domain Controller.
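
A transfer is only finished once the directory reports the new holder. The script below is an added example, not part of the original article: it snapshots all five role holders with the Get-ADForest and Get-ADDomain queries shown earlier, runs the transfer, and reports per role whether it ended up on the target. The function names are hypothetical, and DC06 is the sample Domain Controller name used in this article.

```powershell
# Added example (not from the original article). DC06 is the article's sample DC name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Read all five role holders from one specific Domain Controller.
    param([Parameter(Mandatory)][string]$Server)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Identity $domain.Forest -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoleVerified {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role
    )
    # Resolve the target to its FQDN, the form in which role holders are reported.
    $target = (Get-ADDomainController -Identity $TargetDC -ErrorAction Stop).HostName
    $before = Get-FsmoRoleHolder -Server $target

    # The cmd-let still asks for confirmation, as described in the article.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -ErrorAction Stop

    # Ask the target DC itself, so replication delay to other DCs cannot hide the result.
    $after = Get-FsmoRoleHolder -Server $target
    foreach ($name in $before.Keys) {
        if ($Role -contains $name) {
            $result = if ($after[$name] -eq $target) { 'On target' } else { 'NOT ON TARGET' }
        } else {
            $result = if ($after[$name] -eq $before[$name]) { 'Unchanged' } else { 'UNEXPECTED CHANGE' }
        }
        [pscustomobject]@{ Role = $name; Before = $before[$name]; After = $after[$name]; Result = $result }
    }
}

Move-FsmoRoleVerified -TargetDC DC06 -Role PDCEmulator, RIDMaster, InfrastructureMaster |
    Format-Table -AutoSize
```

Keeping the Before/After table with the change record gives you an audit trail of who held each role at the time of the move.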

Author: Krzysztof Pytko


2 responses to “Transferring FSMO roles with PowerShell”

  1. Michał says :

    Awesome stuff 😉
    Would the author recommend some PowerShell book for administering a 2012r2 domain? 😉

     
    • kpytko says :

      Thank you 🙂
      I'm sorry, but I don't know any books on PowerShell. I'll ask colleagues who work with PS whether they can recommend something and let you know 🙂

      Regards,
      Krzysztof

       
