Discovering Active Directory FSMO Role Holders

FSMO roles are critical to the functioning of an Active Directory (AD) environment. By design, these roles are distributed among a number of domain controllers in the AD network, which makes it tedious to identify which domain controller is responsible for which role. There is no direct way to ascertain this information using any console, so PowerShell can be used to obtain it from the AD network.
 
Before running the script given below, the ActiveDirectory module, which comes with the Remote Server Administration Tools package, must be available. Once the package is installed on a workstation that is part of the domain, an administrator with read permissions to the domain controllers can identify which domain controllers in the domain are responsible for each of the FSMO roles.
 
The following PowerShell script will return the necessary information if the above-mentioned prerequisites are met:
 
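    # Domain-wide roles: PDC emulator, RID master, infrastructure master
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object *owner
    # Forest-wide roles: schema master, domain naming master
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() | Select-Object *owner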
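
The two commands above cover only the current domain and the forest. The following added example (not part of the original article) generalizes them to every domain in the forest and groups the result by domain controller, so each role holder and the roles it carries appear in one table. The function name Get-ForestFsmoRoleHolder is an assumption chosen for illustration.

```powershell
# Added example: one table of every FSMO role holder in the forest,
# built on the same .NET classes as the two commands above.
function Get-ForestFsmoRoleHolder {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Forest-wide roles: exactly one holder each for the whole forest.
    foreach ($prop in 'SchemaRoleOwner', 'NamingRoleOwner') {
        [pscustomobject]@{
            Scope  = 'Forest'
            Name   = $forest.Name
            Role   = $prop
            Holder = $forest.$prop.Name
        }
    }

    # Domain-wide roles: one holder each per domain, so walk every domain.
    foreach ($domain in $forest.Domains) {
        try {
            foreach ($prop in 'PdcRoleOwner', 'RidRoleOwner', 'InfrastructureRoleOwner') {
                [pscustomobject]@{
                    Scope  = 'Domain'
                    Name   = $domain.Name
                    Role   = $prop
                    Holder = $domain.$prop.Name
                }
            }
        }
        catch {
            # A domain whose role holder cannot be read produces a warning
            # instead of silently dropping out of the report.
            Write-Warning "Could not read FSMO holders for $($domain.Name): $_"
        }
    }
}

# Group by holder to see which roles each domain controller carries.
Get-ForestFsmoRoleHolder |
    Group-Object -Property Holder |
    Select-Object @{ Name = 'DomainController'; Expression = { $_.Name } },
                  @{ Name = 'Roles'; Expression = { ($_.Group | ForEach-Object { "$($_.Name)/$($_.Role)" }) -join ', ' } }
```

Saving this output on a schedule gives a record of role placement that can be compared later when a role is transferred or a role holder is decommissioned.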

