How to Transfer FSMO Roles on Server 2019 using PowerShell

Transferring FSMO Roles in Active Directory

In Active Directory, the Single Master model is modified to split the responsibilities of the single master into multiple roles. These roles are called the Flexible Single Master Operation (FSMO) roles and can be assigned to either a single domain controller or separate domain controllers, based on the requirements. These domain controllers are called FSMO or Operations Master. The five FSMO roles are:
  1. Schema Master
  2. Domain Naming Master
  3. RID Master
  4. PDC Emulator
  5. Infrastructure Master
The transfer of an FSMO role is done when both the original role holder and the future role holder are online and considered to be operational. This is in contrast to seizing FSMO roles, where the action is unplanned and occurs due to unexpected circumstances. These scenarios may include a crash or failure of the role holder. FSMO roles should be transferred only under the following scenarios.

  1. The new FSMO role holder is able to access the current role holder, which is operational.
  2. The FSMO roles need to be assigned to a different domain controller for a specific purpose. This can be done by gracefully demoting the current role holder.
  3. The current role holder is taken offline for scheduled maintenance and hence the FSMO roles need to be transferred to a live domain controller.

To transfer FSMO roles on Server 2019, PowerShell commands can be used. This is discussed in the following sections.

How to View Current FSMO Role Holders using PowerShell

The domain controllers that currently hold the FSMO roles should be determined before transferring the roles to other domain controllers. The forest-wide roles are delegated to one domain controller per forest and the domain-wide roles are delegated to one domain controller per domain. There are two forest-wide roles, namely Schema Master and Domain Naming Master, while the domain-wide roles are PDC Emulator, RID Master and Infrastructure Master. In order to view the current holders, PowerShell commands can be used. There are separate commands to view the forest-wide and domain-wide roles, given as follows.

To view the forest-wide role holders, the following command can be used.

Get-ADForest yourdomain | Format-Table SchemaMaster,DomainNamingMaster

Similarly, to view the domain-wide role holders, the following command can be used.

Get-ADDomain yourdomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster

The above commands return the domain controllers which hold the forest-wide and domain-wide FSMO roles respectively.

How to Transfer FSMO Roles using PowerShell

Once the domain controllers that hold the FSMO roles have been identified, the roles can be moved to the required domain controllers using PowerShell on Windows Server 2019. The Move-ADDirectoryServerOperationMasterRole cmdlet can be used for this purpose. This cmdlet can be used from any domain controller. As a prerequisite, the computer used to transfer the roles must be on the domain and should possess the proper permissions to move or transfer the FSMO roles. In addition, the Active Directory module must be imported into PowerShell.

To transfer a single FSMO role to the target domain controller, the following cmdlet can be used. In this example, the Infrastructure Master role is transferred to the target DC named DC01. The "Identity" parameter is used to specify the target domain controller to which the role must be transferred.

Move-ADDirectoryServerOperationMasterRole -Identity "DC01" -OperationMasterRole InfrastructureMaster

Similarly, more than one role can be transferred simultaneously to a DC by defining the various role names separated by commas. The following cmdlet can be used for this purpose.

Move-ADDirectoryServerOperationMasterRole -Identity "DC01" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

In order to simplify the above cmdlet, numbers corresponding to specific FSMO roles can be used. This reduces the hassle of typing out each FSMO role properly. The numbers are assigned to the roles in the following manner.

Role Name              Number
PDCEmulator            0
RIDMaster              1
InfrastructureMaster   2
SchemaMaster           3
DomainNamingMaster     4
 
Hence, the simplified version of the previous cmdlet can be given as follows.

Move-ADDirectoryServerOperationMasterRole -Identity "DC01" -OperationMasterRole 0,1,2,3,4

After entering the PowerShell cmdlet for transferring FSMO roles, you will be prompted to confirm or cancel your actions. Enter Y to confirm for each role or A for all the roles. The other available options are N and L to cancel the transfer for each role or for all the roles, respectively. Besides this, S can be entered to suspend the transfer process.
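
The view-then-transfer procedure above as one guarded function, an added example that is not part of the original article: it records the current holders, moves only the roles not already on the target, stops if a current holder does not answer (that situation calls for a seizure, not a transfer), and returns a before/after record for the change log. The function names Get-FsmoHolder and Move-FsmoRoleChecked are hypothetical; DC01 is the article's sample target.

```powershell
# Added example; function names are hypothetical, DC01 is the article's sample DC.
Import-Module ActiveDirectory -ErrorAction Stop
function Get-FsmoHolder {
    param([Parameter(Mandatory)][string]$Server)
    # Ask one specific DC so the answer does not depend on replication elsewhere.
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Move-FsmoRoleChecked {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Role = @('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')
    )
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $before = Get-FsmoHolder -Server $target.HostName
    # Keep only roles that actually have to move, and require each current
    # holder to answer: a transfer needs both sides online, unlike a seizure.
    $pending = @(foreach ($r in $Role) {
        if ($before[$r] -eq $target.HostName) { continue }
        try   { $null = Get-ADRootDSE -Server $before[$r] -ErrorAction Stop }
        catch { throw "Holder of $r ($($before[$r])) did not respond; not transferring." }
        $r
    })
    if ($pending.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($target.HostName, "Transfer $($pending -join ', ')")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target.Name `
            -OperationMasterRole $pending -Confirm:$false -ErrorAction Stop
    }

    # Re-read from the target and emit one record per role for the change log.
    $after = Get-FsmoHolder -Server $target.HostName
    foreach ($r in $Role) {
        [pscustomobject]@{
            Role = $r; Before = $before[$r]; After = $after[$r]
            OnTarget = ($after[$r] -eq $target.HostName)
        }
    }
}
# Dry run: Move-FsmoRoleChecked -TargetDC DC01 -Role InfrastructureMaster -WhatIf
```

Because ConfirmImpact is High, the function still prompts once before moving anything unless -Confirm:$false is passed.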

The advantages of using PowerShell commands to transfer FSMO roles are:
  1. The script can be customized and reused according to one’s requirements. This in turn saves time.
  2. There is no need to connect to the future role owners by means of the MMC snap-ins.
  3. The PowerShell cmdlets can be run on any computer running Windows Server. Thus, a connection to the original or future role holders is not required.
  4. The same cmdlets can be modified to seize FSMO roles by using the -Force parameter.