FSMO (Flexible Single Master Operation) roles are a way to assign specific responsibilities to domain controllers in Active Directory. Administrators use them to control how an organization's domain environment is configured.
This tutorial covers how to transfer or seize FSMO roles using the GUI and PowerShell commands.
On the command line, transfers and seizures are done with the Active Directory module for Windows PowerShell; the GUI route uses MMC snap-ins.
Any Active Directory (AD) administrator will have to transfer (or seize) FSMO roles at some point in their career. Domain controllers (DCs) come and go, and the FSMO roles they host must be relocated.
In this tutorial, you'll learn how to transfer and seize all of the AD FSMO roles step by step, using PowerShell and different GUI tools.
Let’s get this party started!
Please make sure you have the following items if you want to follow along:
- At least two DCs — Although not much has changed, this tutorial will use Windows Server 2019 with a forest-functional level of Windows Server 2016.
- A domain-joined PC with RSAT installed, or a session directly on a DC's desktop.
- Version 5.1 of Windows PowerShell
- Log in to a computer that is part of the domain using an AD account. No specific permissions are necessary to query the roles. However, further rights are necessary to transfer or seize them.
Using the GUI to transfer FSMO roles
The GUI and PowerShell are the two methods for transferring FSMO roles. Let's take a look at how to transfer FSMO roles using a variety of MMC snap-ins.
Infrastructure Master, RID Master, and PDCe
Let’s start with the FSMO roles that are domain-specific.
1. Open up ADUC (dsa.msc), right-click on the domain and choose Operations Masters. Here you'll find all of the FSMO roles unique to the domain (Infrastructure Master, RID Master, and PDCe) represented via the RID, PDC and Infrastructure tabs.
2. Select each tab. The current FSMO role holder (Operations master) and a Change button are shown.
3. Click on the Change button under each tab and select the new DC to perform transfers for the Infrastructure Master, RID Master, and PDCe FSMO roles.
Domain Naming Master
Next, let's move on to the Domain Naming Master role. You can view and change this FSMO role in the Active Directory Domains and Trusts console.
1. Open the Active Directory Domains and Trusts console (domain.msc).
2. Right-click the Active Directory Domains and Trusts parent node and select Operations Master. The DC currently holding this role is shown under Domain naming operations master.
3. Click the Change button and select the DC you want to transfer the role to.
Last up is the Schema Master role. To change this role, you'll need the Active Directory Schema MMC snap-in.
Before you begin, make sure you're signed in as a member of the Schema Admins AD group.
1. Run regsvr32.exe "schmmgmt.dll" from an elevated command prompt or PowerShell console. By default, the Active Directory Schema snap-in is not available. This command registers the schema management DLL that the snap-in requires.
2. Run the mmc.exe program.
3. Click on File -> Add/Remove Snap-in.
4. Select Active Directory Schema from the Available snap-ins and click on Add > and OK.
5. Once in the snap-in, right-click Active Directory Schema [<your domain name>] and choose Operations Master to view the current Schema Master in the pop-up window.
6. Click on Change and select the new DC to transfer the Schema Master role.
Using PowerShell to Transfer FSMO Roles
If you’d rather use the command line, PowerShell has you covered.
Current FSMO Role Holders
Before transferring with PowerShell, let's see who the current FSMO role holders are. To find each of them, launch an elevated Windows PowerShell console and run Get-ADDomain and Get-ADForest, as shown below.
Get-ADDomain
Get-ADForest
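The two cmdlets return many properties besides the role holders. As an added example (not part of the original tutorial), the function below pulls the five role-holder properties into one table, adds the numeric ID that Move-ADDirectoryServerOperationMasterRole accepts in place of each role name, and checks whether each holder answers on LDAP. Get-FsmoRoleHolder is a hypothetical name, and treating TCP 389 reachability as "online" is an assumption.

```powershell
# Added example, not from the original tutorial.
# Get-FsmoRoleHolder is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Role name -> numeric ID accepted by Move-ADDirectoryServerOperationMasterRole
    $roles = [ordered]@{
        PDCEmulator          = 0
        RIDMaster            = 1
        InfrastructureMaster = 2
        SchemaMaster         = 3
        DomainNamingMaster   = 4
    }

    foreach ($role in $roles.Keys) {
        # Schema Master and Domain Naming Master are forest-wide; the rest are per domain
        $forestWide = $role -in 'SchemaMaster', 'DomainNamingMaster'
        $holder     = if ($forestWide) { $forest.$role } else { $domain.$role }

        [pscustomobject]@{
            Id     = $roles[$role]
            Role   = $role
            Scope  = if ($forestWide) { 'Forest' } else { 'Domain' }
            Holder = $holder
            # Assumption: an answer on LDAP (TCP 389) means the holder is online
            Online = Test-NetConnection -ComputerName $holder -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```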
Transferring FSMO Roles
Once you know which DCs currently hold the FSMO roles, you can transfer them. Run the Move-ADDirectoryServerOperationMasterRole command in Windows PowerShell with the Identity parameter set to the DC you want to move the FSMO role to (ChildDC1 in this example), followed by the name of the FSMO role. The example below transfers the RID Master role.
Move-ADDirectoryServerOperationMasterRole -Identity "ChildDC1" RidMaster
You can use PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, and DomainNamingMaster as FSMO role names.
You can also transfer several roles at once by separating the role names with commas, for example:
Move-ADDirectoryServerOperationMasterRole -Identity "ChildDC1" PDCEmulator,InfrastructureMaster
Maybe you're just too lazy to type all those long names. In that case you can use numbers instead, since each FSMO role maps to a specific number.
If you use the IDs instead of the role names, the command to transfer the PDCe role is as short as:
Move-ADDirectoryServerOperationMasterRole ChildDc2 0
The cmdlet asks you to confirm the transfer and names the FSMO role, just to make sure you know what you're doing. Because this isn't a common task, you may prefer to spell out the full name(s) of the role(s) you're transferring. Full names are easier to understand, especially if the command lives in a script that others will use.
Using the GUI to Seize FSMO Roles
Transferring is usually the best way to move an FSMO role from one DC to another. When you transfer, the FSMO role is completely removed from the previous DC and moved to the new DC. However, things do not always go according to plan.
You can seize FSMO roles if a DC is no longer online or has failed in some way. This effectively creates a new FSMO role on a new DC without removing it from the previous one.
Only seize an FSMO role if you're certain you won't be able to bring the existing role holder back online. Make sure the former FSMO role holder is never brought back online after the role has been seized.
You can seize roles using the GUI by deleting a DC computer account from the Active Directory Users and Computers (ADUC) console. To do so, follow these steps:
1. To begin, connect ADUC to the DC you want to move the FSMO role to. Right-click the root Active Directory Users and Computers node in ADUC and choose Change Domain Controller.
2. Locate the DC you want and connect to it.
3. Select the Domain Controllers OU from the drop-down menu.
4. Right-click the offline DC whose FSMO role(s) you want to seize and choose Delete.
5. After that, answer Yes to the first two prompts.
6. Finally, a prompt appears informing you that the DC was an FSMO role holder and that the role(s) will be moved to another DC. This is the DC your ADUC console is connected to. When you click OK, the offline DC's computer account is deleted, and the roles are seized and moved to the new DC.
Using PowerShell to Seize FSMO Roles
To seize FSMO roles using PowerShell, launch Windows PowerShell and run Move-ADDirectoryServerOperationMasterRole, passing the new DC's name as the Identity parameter value and adding the Force parameter.
The RID Master role is seized and assigned to the NewDC3 DC in the example below.
Move-ADDirectoryServerOperationMasterRole -Identity "NewDC3" RidMaster -Force
When seizing, the Move-ADDirectoryServerOperationMasterRole cmdlet uses the same FSMO role names as when transferring.
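Because a seized role must never reappear on the old holder, it helps to make the transfer-or-seize decision explicit in a script. The wrapper below is an added example, not code from the original tutorial: it transfers gracefully when the current holder answers, seizes only when the holder is unreachable and the caller opts in, then reads the result back from the target DC. Move-FsmoRoleSafely and -AllowSeize are hypothetical names; it assumes the target DC is in the current user's domain and that LDAP (TCP 389) reachability is an acceptable liveness signal.

```powershell
# Added example, not from the original tutorial.
# Move-FsmoRoleSafely and -AllowSeize are hypothetical names.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                     'SchemaMaster', 'DomainNamingMaster')]
        [string]$Role,
        [switch]$AllowSeize
    )

    # Forest-wide roles are read from Get-ADForest, domain-wide ones from Get-ADDomain
    $getHolder = {
        param($Server)
        $p = @{}; if ($Server) { $p.Server = $Server }
        if ($Role -in 'SchemaMaster', 'DomainNamingMaster') { (Get-ADForest @p).$Role }
        else { (Get-ADDomain @p).$Role }
    }

    $target  = (Get-ADDomainController -Identity $TargetDC).HostName
    $current = & $getHolder
    if ($current -eq $target) { Write-Output "$Role is already on $target"; return }

    # Assumption: an answer on LDAP (TCP 389) means the current holder is alive
    $online = Test-NetConnection -ComputerName $current -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    if ($online) {
        # Graceful transfer: the current holder hands the role over
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role
    }
    elseif ($AllowSeize) {
        # Seizure: the old holder must never be brought back online afterwards
        Write-Warning "Seizing $Role from unreachable holder $current"
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force
    }
    else {
        throw "$current is unreachable. Use -AllowSeize only if it is gone for good."
    }

    # Ask the target DC itself, so replication delay does not hide the result
    [pscustomobject]@{ Role = $Role; Before = $current; After = (& $getHolder $target) }
}

# Usage: Move-FsmoRoleSafely -TargetDC 'ChildDC1' -Role RIDMaster
```

The cmdlet's own confirmation prompt is left in place, so each move still has to be acknowledged interactively.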
Although moving FSMO roles isn't a common activity, it is necessary when promoting new DCs, demoting existing DCs, and decommissioning servers.
Follow the instructions in this guide to cross this item off your to-do list!