
How to transfer FSMO Roles using PowerShell


When you create a domain, all FSMO roles are assigned to the first domain controller in the forest by default. You can transfer FSMO roles from one DC to another using either the Active Directory graphical snap-ins or the PowerShell command line. Moving FSMO roles using AD PowerShell has the following benefits:

  • You do not need to connect to the future role owner with MMC snap-ins;
  • Transferring or seizing FSMO roles does not require a connection to the current or future role owner. You can run AD-PowerShell module cmdlets on a Windows 7 client or on a member server running Windows Server (with the RSAT package installed);
  • To seize an FSMO role (if the current owner is not available), it suffices to add the -Force parameter.

To get the current forest level FSMO role owners (Domain Naming Master and Schema Master roles) you can use the following PowerShell command:

Get-ADForest contoso.com | ft DomainNamingMaster, SchemaMaster

To view domain-wide FSMO roles (Infrastructure Master, PDC Emulator and Relative Identifier Master roles):

Get-ADDomain contoso.com | ft InfrastructureMaster, PDCEmulator, RIDMaster


Transfer FSMO Roles using PowerShell

To transfer FSMO roles between Active Directory domain controllers use the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole.

To use the Move-ADDirectoryServerOperationMasterRole cmdlet, you must meet the following requirements:

  • There must be at least one domain controller running Windows Server 2008 R2 or later;
  • PowerShell 3.0 or newer must be installed;
  • The Active Directory module (2.0 or newer) must be imported.

First of all, you need to load the Active Directory PowerShell module:

Import-Module ActiveDirectory

Tip. In Windows Server 2012 or later, the Active Directory module for PowerShell is loaded by default.

Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasterRole cmdlet can be run from any domain computer to migrate the Operations Master roles, provided you have the appropriate rights (Domain Admins and Enterprise Admins).

For example, to transfer the PDC Emulator role to a domain controller named dc2, use the command:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole PDCEmulator

It is possible to transfer several roles at once:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

Tip. To simplify the command, you can replace the names of roles with numbers from 0 to 4. The correspondence of names and numbers is given in the table:

Role                  Number
PDCEmulator           0
RIDMaster             1
InfrastructureMaster  2
SchemaMaster          3
DomainNamingMaster    4

Thus, the last command can be replaced by a shorter one:

Move-ADDirectoryServerOperationMasterRole "dc2" -OperationMasterRole 0,1,2,3,4


After entering the transfer command for all or several roles, a window appears asking whether you want to confirm your actions or cancel them.

In the event that the current owner of one or all of the FSMO roles fails, the forced transfer of FSMO roles is performed by the same command, but with the -Force option:

Move-ADDirectoryServerOperationMasterRole -Identity "dc2" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Force

Important. After the FSMO roles have been seized, the domain controller from which the roles were seized should never be connected to the domain again.
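
Because a seizure is irreversible for the old owner, it helps to make the choice between transfer and seizure explicit instead of adding -Force by habit. The following is an added example, not code from the original article: the function name Move-FsmoRoleSafely and its -AllowSeize switch are hypothetical, contoso.com and dc2 are the article's sample names, and a ping is assumed to be an adequate reachability test.

```powershell
# Added example: hypothetical helper, not part of the original article.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]   $TargetDC,    # future role owner, e.g. "dc2"
        [Parameter(Mandatory)] [string[]] $Role,        # e.g. PDCEmulator, RIDMaster
        [string] $DomainName = 'contoso.com',           # sample domain from the article
        [switch] $AllowSeize                            # permit -Force when the owner is down
    )
    # Map each role name to its current owner (forest-wide and domain-wide roles).
    $forest = Get-ADForest -Identity $DomainName
    $domain = Get-ADDomain -Identity $DomainName
    $owners = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $Role) {
        if (-not $owners.ContainsKey($r)) { throw "Unknown FSMO role: $r" }
        $current = $owners[$r]
        # Assumption: two pings are enough to decide whether the owner is online.
        $ownerUp = Test-Connection -ComputerName $current -Count 2 -Quiet

        if ($ownerUp) {
            # Owner is online: do a normal transfer, never a seizure.
            if ($PSCmdlet.ShouldProcess($TargetDC, "Transfer $r from $current")) {
                Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $r -Confirm:$false
            }
        }
        elseif ($AllowSeize) {
            # Owner is down and the operator explicitly accepted a seizure.
            if ($PSCmdlet.ShouldProcess($TargetDC, "SEIZE $r from unreachable $current")) {
                Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $r -Force -Confirm:$false
            }
        }
        else {
            Write-Warning "$current is unreachable; re-run with -AllowSeize to seize $r."
        }
    }
    # List the resulting role owners so the change can be recorded.
    Get-ADDomainController -Filter * | Select-Object Name, OperationMasterRoles
}
```

Running it with -WhatIf first, for example Move-FsmoRoleSafely -TargetDC dc2 -Role PDCEmulator -WhatIf, shows which roles would be transferred or seized without changing anything.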


As you can see, to transfer FSMO roles using PowerShell just follow the steps above! It is quite simple.

