So how many times have you thought, dammit – there must be a quicker or easier way to do something? Worse still, it's one of those things that you don't need to do often – and it's a pig to try and track down the information on?
One such task is the famous FSMO role lookup or transfer. I've been working through my estate, upgrading servers from the “old” 2008 R2 to the new 2012 R2…and it is DC time. Thankfully, this isn't too bad, you just DC promo it down – upgrade and bring it back.
But oh no – you forgot the FSMO roles…!! And they live in all sorts of places in the GUI and it was generally a proper pain to track down and change…
POWERSHELL…to the rescue…
It doesn't seem that long ago that PowerShell was released – maybe it was, and we've just become too used to it being there?! Even more so as it's finding its way into all sorts of programs…the OS, System Center, Exchange, SharePoint…everything GUI just triggers something PowerShell.
“Anything you can do in the GUI you can do in PowerShell” – Brad Anderson at the Windows Server 2012 partner Airlift keynote
Case in point, managing ADDS in Windows Server 2012. The PS command to move the roles is Move-ADDirectoryServerOperationMasterRole and it can be used in a variety of ways.
To transfer all 5 of the FSMO roles simply run the following command in PowerShell:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
How often do you have them all in one place though…best practice is to split them across a few DCs…and you likely don't want to have to type out that lot a few times! To shorten the command line syntax you can use role numbers in place of the role names. The following list details the role number for each of the five FSMO roles.
- PDC Emulator – 0
- RID Master – 1
- Infrastructure Master – 2
- Schema Master – 3
- Domain Naming Master – 4
So if you wanted to transfer all 5 FSMO roles using numbers instead you would run the following command in PowerShell…
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4
What about broken DCs? Well, yes, you can seize the roles using the –Force parameter…
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force
Of course, the short version:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force
If you are just transferring or seizing a single role you will run the same command with just the name(s) or number(s) of the role(s) you want to move. These commands can be run from any Windows Server 2008 R2 or newer as well as Windows 7 or newer with RSAT tools installed. WIN!!
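For the lookup half of the job and a split placement across DCs, here is an added example (not part of the original post) that lists the current role holders, previews only the moves that are actually needed, and lists the holders again. The names DC01 and DC02 and the role split are placeholders chosen for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# DC01 / DC02 and the role placement below are assumptions for illustration.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Domain-wide roles are properties of Get-ADDomain,
    # forest-wide roles are properties of Get-ADForest.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

# Desired placement: target DC -> roles it should hold.
$plan = @{
    'DC01' = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    'DC02' = 'SchemaMaster', 'DomainNamingMaster'
}

# 1. Record who holds what before touching anything.
$before = Get-FsmoHolders
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. For each target, move only the roles it does not already hold.
foreach ($target in $plan.Keys) {
    # Stops here if the target DC cannot be resolved.
    $dc = Get-ADDomainController -Identity $target -ErrorAction Stop

    $toMove = $plan[$target] | Where-Object { $before[$_] -ne $dc.HostName }
    if ($toMove) {
        # -WhatIf previews the transfer without performing it.
        Move-ADDirectoryServerOperationMasterRole -Identity $dc.HostName `
            -OperationMasterRole $toMove -WhatIf
    }
}

# 3. List the holders again (unchanged while -WhatIf is in place).
(Get-FsmoHolders).GetEnumerator() | Format-Table Name, Value -AutoSize
```

Remove -WhatIf to perform the transfers once the preview matches the plan. This is a graceful transfer with the current holder online; keep -Force for a holder that is down and not coming back.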