Manage AD FSMO Roles

Managing Active Directory FSMO (Flexible Single Master Operations) roles is an important aspect of managing an AD environment. There are several methods for managing FSMO roles, including using the GUI, PowerShell, and ntdsutil. In this section, we will explore how to manage AD FSMO roles using all three methods and provide transfer and seize examples.

Managing FSMO Roles using GUI:

  1. Open the Active Directory Users and Computers snap-in on the target domain controller.
  2. Right-click the domain name and select “Operations Masters” to view the current role holders.
  3. To transfer a role, click the “Change” button next to the role you want to transfer, select the new domain controller to hold the role, and click “OK.”
  4. To seize a role, click the “Seize” button next to the role you want to seize and click “Yes” to confirm.

Managing FSMO Roles using PowerShell:

PowerShell is a powerful tool that can be used to manage Active Directory FSMO roles. To manage FSMO roles using PowerShell, follow these steps:

  1. Open PowerShell as an administrator.
  2. To view the current FSMO role holders, run the following commands:

     # Forest-wide roles
     Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
     # Domain-wide roles
     Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

  3. To transfer a role, use the “Move-ADDirectoryServerOperationMasterRole” cmdlet. For example, to transfer the PDC Emulator role to a new domain controller named “NewDC,” run the following command:

     Move-ADDirectoryServerOperationMasterRole -Identity NewDC -OperationMasterRole PDCEmulator

  4. To seize a role, use the “Move-ADDirectoryServerOperationMasterRole” cmdlet with the “-Force” parameter. For example, to seize the PDC Emulator role to the current domain controller, run the following command:

     Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole PDCEmulator -Force

Managing FSMO Roles using ntdsutil:

ntdsutil is a command-line tool that is used to manage Active Directory. To manage FSMO roles using ntdsutil, follow these steps:

  1. Open Command Prompt as an administrator.
  2. Type “ntdsutil” and press Enter.
  3. Type “roles” and press Enter.
  4. Type “connections” and press Enter.
  5. Type “connect to server <NewServer>” and press Enter.
  6. To transfer a role, type “transfer <RoleName>” and press Enter. For example, to transfer the PDC Emulator role, type “transfer pdc” and press Enter.
  7. To seize a role, type “seize <RoleName>” and press Enter. For example, to seize the PDC Emulator role, type “seize pdc” and press Enter.
  8. Type “quit” and press Enter to exit ntdsutil.

It’s important to note that seizing a role should only be done as a last resort if the current role holder is permanently unavailable. Seizing a role can cause data loss and other issues, so it should be done with caution.
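
A guarded version of the PowerShell transfer and seize commands, as an added example that is not part of the original article: it transfers when the current holder still answers and seizes only when the holder is unreachable and the operator passes an explicit switch. The function names, the -AllowSeize switch and the TCP 389 liveness check are assumptions made for this example.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Map each of the five FSMO roles to the DC that currently holds it.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoleSafely {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$AllowSeize      # hypothetical: operator asserts the old holder is gone for good
    )
    $holder = (Get-FsmoRoleHolder)[$Role]
    # Compare short host names so 'NewDC' matches 'NewDC.example.com'.
    if (($holder -split '\.')[0] -eq ($TargetDC -split '\.')[0]) {
        Write-Verbose "$Role is already held by $holder"
        return $holder
    }
    # Assumption: an answer on LDAP (TCP 389) means the current holder is still alive.
    $alive = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet
    if ($alive) {
        if ($PSCmdlet.ShouldProcess($TargetDC, "Transfer $Role from $holder")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        }
    } elseif ($AllowSeize) {
        if ($PSCmdlet.ShouldProcess($TargetDC, "SEIZE $Role from unreachable $holder")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
        }
    } else {
        Write-Warning "$holder is unreachable. Re-run with -AllowSeize only if it will never return."
    }
    (Get-FsmoRoleHolder)[$Role]  # holder as seen after the operation
}

# Dry run: shows which action would be taken without changing anything.
Move-FsmoRoleSafely -TargetDC 'NewDC' -Role PDCEmulator -WhatIf
```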

Author: tonyhughes