PowerShell to the rescue

So how many times have you thought, dammit – there must be a quicker or easier way to do something? Worse still, it's one of those things that you don't need to do often – and it's a pig to try and track down the information on?

One such task is the famous FSMO role lookup or transfer. I've been working through my estate, upgrading servers from the “old” 2008 R2 to the new 2012 R2…and it is DC time. Thankfully, this isn't too bad, you just DC promo it down – upgrade and bring it back.

But oh no – you forgot the FSMO roles…!! And they live in all sorts of places in the GUI and it was generally a proper pain to track down and change…

POWERSHELL…to the rescue…

It doesn't seem that long ago that PowerShell was released – maybe it was, and we've just become too used to it being there?! Even more so as it's finding its way into all sorts of programs…the OS, System Center, Exchange, SharePoint…everything GUI just triggers something PowerShell.

“Anything you can do in the GUI you can do in PowerShell” – Brad Anderson at the Windows Server 2012 partner Airlift keynote

Case in point, managing ADDS in Windows Server 2012. The PS command to move the roles is Move-ADDirectoryServerOperationMasterRole and it can be used in a variety of ways.

To transfer all 5 of the FSMO roles simply run the following command in PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

How often do you have them all in one place though…best practice is to split them across a few DCs…and you likely don't want to have to type out that lot a few times! To shorten the command line syntax you can use role numbers in place of the role names. The following list details the role number for each of the five FSMO roles.

  • PDC Emulator – 0
  • RID Master – 1
  • Infrastructure Master – 2
  • Schema Master – 3
  • Domain Naming Master – 4

So if you wanted to transfer all 5 FSMO roles using numbers instead you would run the following command in PowerShell…

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4

What about broken DCs? Well, yes, you can seize the roles using the -Force parameter…

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force

Of course, the short version:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force

If you are just transferring or seizing a single role you will run the same command with just the name(s) or number(s) of the role(s) you want to move. These commands can be run from any Windows Server 2008 R2 or newer as well as Windows 7 or newer with RSAT tools installed. WIN!!
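
When the roles are split across a few DCs, it helps to look up who holds what first and move only the roles that are in the wrong place. The script below is an added example, not from the original post; DC01 and DC02 are placeholder DC names, and the role-to-DC plan is an assumption to adapt to your own estate.

```powershell
# Added example: DC01/DC02 are placeholder names, not from the original post.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

# Desired placement: role name -> target DC (placeholder host names).
$plan = @{
    PDCEmulator          = 'DC01'
    RIDMaster            = 'DC01'
    InfrastructureMaster = 'DC01'
    SchemaMaster         = 'DC02'
    DomainNamingMaster   = 'DC02'
}

# Record the current holders before touching anything.
$before = Get-FsmoHolders
$before.GetEnumerator() | Format-Table Key, Value -AutoSize

foreach ($role in $plan.Keys) {
    # Resolve the target to its FQDN so it compares cleanly with the holder lookup.
    $target = (Get-ADDomainController -Identity $plan[$role]).HostName
    if ($before[$role] -eq $target) {
        Write-Host "$role is already on $target, skipping"
        continue
    }
    # -WhatIf only reports what would change; remove it to perform the transfer.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role -WhatIf
}

# Re-read the holders to confirm the final placement.
(Get-FsmoHolders).GetEnumerator() | Format-Table Key, Value -AutoSize
```

The loop deliberately does a normal transfer only; it never passes -Force, so a seizure stays a separate, conscious step.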

