Thursday, May 15, 2014

Discover FSMO Roles Using PowerShell

Working with a rather confusing AD setup recently and trying to remove a dead domain controller, I needed a quick way to identify which machines held the FSMO roles.
Just run the following commands:
Get-ADForest | Format-Table SchemaMaster,DomainNamingMaster
Get-ADDomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster
The forest-wide roles (Schema Master and Domain Naming Master) come from Get-ADForest; the per-domain roles (PDC Emulator, RID Master and Infrastructure Master) come from Get-ADDomain. This gives a nice quick output of where the roles reside and lets you capture them as needed.
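The following is an added example, not part of the original post: it wraps the two commands above in a function that lists all five role holders as one object and flags any holder that no longer answers on the network, which is exactly the situation (a dead DC still holding a role) that the rest of the post deals with. It assumes the ActiveDirectory RSAT module is installed and that you are running it as a domain user who can read the forest and domain objects.

```powershell
# Added example (not from the original post). Collects the FSMO role holders
# from Get-ADForest and Get-ADDomain and checks whether each holder responds.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]

        # Is the holder still listed as a DC in the directory at all?
        $knownDC = $null -ne (Get-ADDomainController -Filter * |
                   Where-Object { $_.HostName -eq $holder })

        # Does it actually respond? A role pinned to an unreachable DC is the
        # case where a graceful transfer will fail and a seize is needed.
        $online = Test-Connection -ComputerName $holder -Count 1 -Quiet `
                  -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Role     = $role
            Holder   = $holder
            KnownDC  = $knownDC
            Online   = [bool]$online
        }
    }
}

# Show the table; anything with Online = False deserves attention before you
# try to decommission or move anything.
Get-FsmoRoleHolder | Format-Table -AutoSize
```

Running this periodically (or from a scheduled task that alerts on Online = False) is a cheap way to notice that a role holder has gone away before replication, time sync or RID allocation problems show up elsewhere.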

If you want to manage the roles with PowerShell, the cmdlet that moves them is Move-ADDirectoryServerOperationMasterRole, and it can be used in a variety of ways.
To transfer all 5 of the FSMO roles, simply run the following command in PowerShell:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
To shorten the command line syntax you can use role numbers in place of the role names. The following list gives the role number for each of the five FSMO roles.
  • PDC Emulator – 0
  • RID Master – 1
  • Infrastructure Master – 2
  • Schema Master – 3
  • Domain Naming Master – 4
So if you wanted to transfer all 5 FSMO roles using numbers instead, you would run the following command in PowerShell:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4
Now in my case, since the DC was gone permanently, I had to seize the roles using the -Force parameter. This is the PowerShell command I ran to seize the roles:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force
Of course I could have used the short version:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force
If you are just transferring or seizing a single role, you run the same command with only the name(s) or number(s) of the role(s) you want to move. These commands can be run from any Windows Server 2008 R2 or newer, as well as Windows 7 or newer with the RSAT tools installed.
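Below is an added example (my own code, not from the original post) that puts the transfer and seize commands above together with the checks I would want around them: it refuses to run against a target DC that is not itself reachable, attempts a graceful transfer for each role whose current holder still responds, falls back to -Force only for roles whose holder is unreachable, and re-reads the role holders afterwards to confirm every role landed on the target. The DC name "TARGET_DC" is a placeholder; the function name Move-FsmoRoleSafely is mine. One caveat the post does not spell out: a DC whose roles were seized must never be brought back onto the network, and its metadata should be cleaned up afterwards, otherwise two DCs believe they own the same role.

```powershell
# Added example (not from the original post). Transfers FSMO roles where the
# holder is alive, seizes (-Force) only where it is not, then verifies.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [string[]] $Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                              'SchemaMaster', 'DomainNamingMaster')
    )

    # The target must be a real, reachable DC before we move anything onto it.
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    if (-not (Test-Connection -ComputerName $target.HostName -Count 1 -Quiet)) {
        throw "Target DC $($target.HostName) is not reachable; aborting."
    }

    # Helper: read the current holders of all five roles.
    function Read-Holders {
        $forest = Get-ADForest
        $domain = Get-ADDomain
        @{
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
    }

    $before = Read-Holders
    foreach ($role in $Roles) {
        $holder = $before[$role]
        if ($holder -eq $target.HostName) {
            Write-Host "$role is already held by $($target.HostName)"
            continue
        }

        $holderOnline = Test-Connection -ComputerName $holder -Count 1 -Quiet `
                        -ErrorAction SilentlyContinue
        if ($holderOnline) {
            # Graceful transfer: the old holder is told it no longer owns the role.
            Move-ADDirectoryServerOperationMasterRole -Identity $target `
                -OperationMasterRole $role -Confirm:$false
            Write-Host "Transferred $role from $holder to $($target.HostName)"
        } else {
            # Seize: the old holder is gone, so the directory is updated without it.
            Move-ADDirectoryServerOperationMasterRole -Identity $target `
                -OperationMasterRole $role -Force -Confirm:$false
            Write-Warning ("Seized $role from unreachable $holder. Do not bring " +
                           "$holder back online; clean up its metadata.")
        }
    }

    # Verify: every requested role should now point at the target.
    $after = Read-Holders
    foreach ($role in $Roles) {
        [pscustomobject]@{
            Role    = $role
            Before  = $before[$role]
            After   = $after[$role]
            OnTarget = ($after[$role] -eq $target.HostName)
        }
    }
}

# Usage (placeholder name): move all five roles and show the verification table.
Move-FsmoRoleSafely -TargetDC 'TARGET_DC' | Format-Table -AutoSize
```

If any row comes back with OnTarget = False, stop and look at that role before touching anything else; a transfer that silently failed is worse than one you know about.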

This is a little better than running all over the AD tools to get everything moved over.

Good luck.
