How to transfer FSMO roles using PowerShell?


When you create a new Active Directory domain, all FSMO roles are assigned by default to the first domain controller in the forest. You can transfer FSMO roles from one DC to another using the graphical Active Directory MMC snap-ins or from the PowerShell prompt.
There are several tools to manage FSMO roles in an AD domain: MMC snap-ins, the Ntdsutil.exe command-line utility, and PowerShell. In our opinion, PowerShell is the most convenient way to manage AD FSMO roles today. Its only drawback is the unusual syntax; otherwise it is all upside, since PowerShell lets you transfer or seize roles with a single command.
Active Directory Domain Services has 5 special roles for domain controllers called Flexible Single Master Operations (FSMO, or Operations Master) roles.

The five FSMO roles are:

  • Schema Master;
  • Domain Naming Master;
  • PDC Emulator;
  • RID Master;
  • Infrastructure Master.

FSMO roles can be assigned to a single domain controller or distributed among different DCs, depending on your requirements. You can move the FSMO role between domain controllers in one of two ways:

  • Role transfer — moving a role from the current role holder to a new DC while both servers are online and considered healthy. Role transfers are performed when you need to retire a domain controller or carry out routine maintenance on a physical server or its underlying hardware;
  • Role seizure — a forced transfer of FSMO roles caused by unexpected circumstances, such as a failure of the role holder.

Transferring FSMO roles with the cmdlets of the Active Directory PowerShell module has the following benefits:

  • You do not need to connect to the source or destination role holder with the MMC snap-ins;
  • Transferring or seizing FSMO roles does not require a session on the current or future role holder. You can run the Active Directory module cmdlets from a Windows 10 desktop client or a member server running Windows Server (with the RSAT package installed);
  • To seize an FSMO role (when the current holder is unavailable), add the -Force parameter.

Finding Active Directory FSMO Role Holders Using PowerShell
You can identify the domain controllers holding the FSMO roles in the Active Directory snap-in GUI, but it is quicker to check from the command prompt or PowerShell.

Import the Active Directory module into the current PowerShell session:

Import-Module activedirectory

Tip. On Windows Server 2012 or later, the Active Directory module for PowerShell is loaded by default.
To get the holders of the forest-level FSMO roles (Domain Naming Master and Schema Master) for the specified forest, use the following PowerShell command:
Get-ADForest contoso.com | ft DomainNamingMaster, SchemaMaster
To view domain-wide FSMO role owners (Infrastructure Master, PDC Emulator, and Relative Identifier Master roles):
Get-ADDomain contoso.com | ft InfrastructureMaster, PDCEmulator, RIDMaster
In this example, dc01.test.com has all the FSMO roles.
Or you can list every role holder in your AD forest with a single PowerShell line:
Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}
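The three lookups above combined into one report, as an added example that is not part of the original article: it lists the holder of each of the five roles, checks whether that holder can currently be contacted (the case in which a plain transfer would fail), and records whether it is a global catalog, which matters for the Infrastructure Master placement restriction described later on. It assumes the ActiveDirectory RSAT module is available and the caller can read the forest and domain objects.

```powershell
# Added example (not from the article): one report of all five FSMO role holders,
# with a reachability check per holder. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-FsmoRoleReport {
    param(
        # Domain to inspect; defaults to the domain this computer belongs to
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $adDomain = Get-ADDomain -Identity $Domain
    $adForest = Get-ADForest -Identity $adDomain.Forest

    # Each role with its scope (forest-wide or per domain) and its current holder
    $roles = @(
        @{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $adForest.SchemaMaster }
        @{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $adForest.DomainNamingMaster }
        @{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $adDomain.PDCEmulator }
        @{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $adDomain.RIDMaster }
        @{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $adDomain.InfrastructureMaster }
    )

    foreach ($r in $roles) {
        # Ask the holder itself (-Server) so a dead DC shows up as unreachable.
        # An unreachable holder is the situation in which a plain transfer fails.
        $reachable = $false; $isGc = $null
        try {
            $dc = Get-ADDomainController -Identity $r.Holder -Server $r.Holder -ErrorAction Stop
            $reachable = $true; $isGc = $dc.IsGlobalCatalog
        } catch {
            $reachable = $false
        }
        [pscustomobject]@{
            Role            = $r.Role
            Scope           = $r.Scope
            Holder          = $r.Holder
            Reachable       = $reachable
            IsGlobalCatalog = $isGc
        }
    }
}

# Usage: a DC holding several roles appears once per role in the Holder column
Get-FsmoRoleReport | Format-Table -AutoSize
```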
Transfer FSMO Roles Using PowerShell
To transfer FSMO roles between Active Directory domain controllers, use the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet. The Move-ADDirectoryServerOperationMasterRole cmdlet allows you to move one or more operations master roles to a new directory server.
To use the Move-ADDirectoryServerOperationMasterRole cmdlet, your environment must meet the following requirements:

  • There must be at least one domain controller running a version of Windows Server 2008 R2 or later;
  • PowerShell 3.0 or later installed;
  • Imported Active Directory Module (2.0 or later).

Check the current version of the Active Directory schema:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
In this case, the AD objectVersion is 87. This corresponds to the AD schema version in Windows Server 2016, so we can transfer the FSMO roles from PowerShell.

Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasterRole cmdlet can be run from any domain computer.

Note: To move operations master roles, your account must be a member of the privileged domain groups Domain Admins and Enterprise Admins.
For example, to transfer the PDC emulator role to a domain controller named dc2, use the command:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" PDCEmulator
You can run this command on any domain controller, including one that is neither the old nor the new role holder.
It is possible to transfer several roles at once:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster
Tip. To simplify the use of the Move-ADDirectoryServerOperationMasterRole cmdlet, you can replace the role names with numbers from 0 to 4. The mapping between names and numbers is given in the following table:

Role name               Number
PDCEmulator             0
RIDMaster               1
InfrastructureMaster    2
SchemaMaster            3
DomainNamingMaster      4
Therefore, the last command can be replaced by a shorter one:
Move-ADDirectoryServerOperationMasterRole "dc2" -OperationMasterRole 0,1,2,3,4
Do you want to move role 'PDCEmulator' to server 'dc2.theitbros.loc'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
After you enter the transfer command for all or several roles, a prompt asks you to confirm or cancel each action. To transfer all roles, press A and then Enter. To skip the confirmation, add the -Confirm:$false parameter to the command.
You can move forest-wide operations master roles to a directory server in a different domain in the same AD forest.
If you want to run the FSMO transfer command under another user account, you can use the -Credential parameter:
$cred = Get-Credential
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster -Identity AD -Verbose -Force -Credential $cred

You can verify if the transfer task completed successfully by running the Get-ADForest and Get-ADDomain cmdlets again.
If you receive an "Access Denied" error when running Move-ADDirectoryServerOperationMasterRole, make sure you are a member of the Enterprise Admins group. Add your account to this group, then sign out and sign in again.

Move-ADDirectoryServerOperationMasterRole : Access Denied
At line:1 char:1
+ Move-ADDirectoryServerOperationMasterRole -Identity dc01 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (dc02:ADDirectoryServer) [Move-ADDirector…ationMasterRole], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.MoveADDirectoryServerOperationMasterRole
Seize FSMO Roles Using PowerShell
If the current holder of one or all of the FSMO roles has failed, you may receive the following error when you try to use the Move-ADDirectoryServerOperationMasterRole cmdlet:
Move-ADDirectoryServerOperationMasterRole: Directory service is unavailable
In this case, you can force the transfer (seize the roles) using the -Force option:
Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Force
Use the -Force parameter in the same situation when the graphical MMC snap-ins report this error while moving FSMO roles:

The transfer of the operations master role cannot be performed because: The requested FSMO operation failed. The current FSMO role holder could not be contacted.
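The transfer and seizure procedures above wrapped in one function, as an added example that is not part of the original article: it runs the move without the confirmation prompt, verifies afterwards that the target DC really lists each role, and adds -Force only after confirming that the current holder no longer answers, so a seizure cannot be run against a DC that is still alive. It assumes the ActiveDirectory module is loaded and the account holds the group memberships the article names; the DC names in the usage lines are constructed.

```powershell
# Added example (not from the article): transfer roles with a verification step, and
# seize (-Force) only after confirming the current holder no longer answers. Assumes the
# ActiveDirectory module and the group memberships the article requires (Domain Admins /
# Enterprise Admins; Schema Admins is additionally needed for the SchemaMaster role).
Import-Module ActiveDirectory

function Move-FsmoRoleChecked {
    param(
        [Parameter(Mandatory)][string]$Target,   # DC that should receive the roles
        [Parameter(Mandatory)][string[]]$Role,   # e.g. 'PDCEmulator','RIDMaster'
        [switch]$Seize                           # adds -Force; refused while the holder is alive
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Current holder of each role, read from the forest and domain objects
    $holderOf = @{
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator  = $domain.PDCEmulator;  InfrastructureMaster = $domain.InfrastructureMaster
        RIDMaster    = $domain.RIDMaster
    }
    $former = @{}
    foreach ($r in $Role) {
        $current = $holderOf[$r]
        if (-not $current) { throw "Unknown role name: $r" }
        $former[$r] = $current
        if ($Seize) {
            # Seizing while the old holder still answers leaves two DCs believing they
            # own the role; insist on a normal transfer in that case.
            $alive = $true
            try { $null = Get-ADDomainController -Identity $current -Server $current -ErrorAction Stop }
            catch { $alive = $false }
            if ($alive) { throw "Holder $current of $r is reachable; use a transfer, not a seizure." }
        }
    }
    $params = @{ Identity = $Target; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $params.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @params
    # Verify with the same lookup the article uses: the target must now list each role
    $now = (Get-ADDomainController -Identity $Target).OperationMasterRoles
    foreach ($r in $Role) {
        if ($now -notcontains $r) { throw "Role $r is not held by $Target after the move" }
    }
    # FormerHolders lists the DCs whose metadata must be cleaned up after a seizure
    [pscustomobject]@{ Target = $Target; Roles = $Role; Seized = [bool]$Seize; FormerHolders = $former }
}

# Usage with constructed DC names: planned transfer of two roles to DC02
Move-FsmoRoleChecked -Target 'DC02' -Role PDCEmulator, RIDMaster
# Seizure after DC01 has failed permanently:
# Move-FsmoRoleChecked -Target 'DC02' -Role SchemaMaster -Seize
```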

When transferring or seizing FSMO roles, be aware of the following restrictions:

  • Do not place the Infrastructure Master role on a domain controller that is a global catalog server, because it will then not update object information in the domain. The reason is that the global catalog server holds partial replicas of all objects in the forest;
  • Once FSMO roles have been seized, the domain controller they were seized from must never be reconnected to the domain. Be sure to remove that DC's computer object from your domain (see below).

To remove a domain controller from the domain after seizing its FSMO roles, you need to clean up its metadata in AD:

  1. Run the Active Directory Users and Computers snap-in (dsa.msc) with Domain Admin permissions;
  2. Expand the domain tree and select the Organizational Unit named Domain Controllers;
  3. Right-click the DC and select Delete;
  4. A warning will appear:

You are trying to remove a domain controller without running the removal wizard. To successfully remove the domain controller from the domain, you must run the Remove Roles and Features Wizard in Server Manager or the Active Directory Domain Services Installation Wizard (DCPromo) for Windows Server 2008 R2 or earlier.

  5. Select the check box "Delete this domain controller anyway. It is permanently offline and can no longer be removed using the removal wizard" and click Delete;
  6. Then clean up the deleted domain controller's metadata in Active Directory Sites and Services. Run the dssite.msc snap-in, locate the decommissioned domain controller in the MMC console, right-click it and select Delete.

Hint. Starting with Windows Server 2008, domain controller metadata is automatically cleaned up after the domain controller is removed using the ADUC snap-in. On Windows Server 2003 or earlier, you must use the ntdsutil command-line tool to perform Active Directory metadata cleanup.
As you can see, PowerShell allows you to perform FSMO role management tasks much faster and easier than the Ntdsutil tools and MMC snap-ins.
