
How to Transfer FSMO Roles in Server 2019 Using Powershell

In any Active Directory environment it’s always a good practice to have some form of redundancy and the resiliency to go along with it. In the case of FSMO Roles (Flexible Single Master Operation Roles), it’s an excellent idea to have them scattered across multiple Domain Controllers. The idea of “having all of your eggs in one basket” applies here and it’s something that we definitely want to avoid if we can control it. So in this article I am going to show you how to transfer FSMO Roles in Server 2019 Using Powershell. In case you’re wondering, this is also compatible with Server 2016, Server 2012R2 and even 2008R2.
 

What Are Active Directory FSMO Roles And What Do They Do

If you’re new to the world of Active Directory administration, you might have heard the term FSMO roles (pronounced “fizzmo”). FSMO roles are the roles needed to keep an Active Directory environment healthy and running smoothly. There are 5 Flexible Single Master Operation roles in total. Here’s what they are and what they do:

  • PDC Emulator Role
    • This role is the most used of all FSMO roles and has the widest range of functions
    • The PDC Emulator is the authoritative DC in the domain and the domain source for time synchronization for all other domain controllers
    • The PDC Emulator changes passwords, responds to authentication requests and manages Group Policy Objects
  • RID Master Role (Relative ID)
    • The RID Master is the single DC responsible for processing RID Pool requests from all domain controllers within a given domain
    • Responds to requests by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC
  • Infrastructure Master Role
    • The Infrastructure Master role is to ensure that cross-domain object references are correctly handled
  • Schema Master Role
    • The Schema Master Role’s purpose is to replicate schema changes to all other domain controllers in the forest
    • Typical implementations that involve schema changes are Exchange Server, SCCM, Skype for Business etc.
  • Domain Naming Master Role
    • This role processes all changes to the namespace
    • Adding subdomains is an example of Domain Naming Master Role in use

 

How to Query FSMO Roles

Before we decide to change any FSMO roles, we’ll want to check which roles belong to which Domain Controllers. To do this we’ll perform the following steps.

  • Open Powershell Window
  • Type: netdom query fsmo


 

Why It’s Important To Move FSMO Roles Across Multiple DCs

It’s important to make sure you move FSMO roles across multiple domain controllers in your environment. As I mentioned before, you don’t want to keep your eggs in one basket in the event that the server goes down for any number of reasons. A good rule to keep in mind that I learned early on is: Two is one and one is none. This means that you should always strive to have some form of redundancy with everything in IT.

Transfer FSMO Roles Using Powershell

Another thing to note is that you must have the ActiveDirectory Module imported into Powershell for it to work. Domain Controllers will have it by default.

In my example above we have all of our eggs in one basket so let’s use Powershell to move the roles to a different DC. The single command to transfer fsmo roles is:


Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Confirm:$false -Force


 

ID   FSMO Role
0    PDC Emulator
1    RID Master
2    Infrastructure Master
3    Schema Master
4    Domain Naming Master

 
The above is a table of which number corresponds to which roles. This is critical to know beforehand because you don’t want to inadvertently transfer the wrong FSMO role to an unwanted domain controller.
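The query-then-transfer workflow above, written as an added example (not the author's code) that uses role names instead of the numeric IDs and splits the roles across two DCs. The DC names DC02 and DC03 and both function names are hypothetical; -Force is left out because the cmdlet documents it as seizing the role, so this performs graceful transfers only, and the final call is a -WhatIf dry run.

```powershell
# Added example: audit FSMO holders, then transfer by role name (no -Force).
# DC02 / DC03 and the function names are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Three roles are per-domain, two are per-forest.
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoByPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Plan)   # role name -> target DC

    $holders = Get-FsmoHolders
    foreach ($role in $Plan.Keys) {
        if (-not $holders.Contains($role)) { throw "Unknown FSMO role name: $role" }
        # Resolve the target to its FQDN so it compares with the holder value.
        $target = (Get-ADDomainController -Identity $Plan[$role]).HostName
        if ($holders[$role] -eq $target) {
            Write-Verbose "$role is already on $target"
            continue
        }
        if ($PSCmdlet.ShouldProcess($target, "Transfer $role from $($holders[$role])")) {
            # Graceful transfer: fails instead of seizing if the holder is unreachable.
            # Forest roles need Schema Admins / Enterprise Admins membership.
            Move-ADDirectoryServerOperationMasterRole -Identity $target `
                -OperationMasterRole $role -Confirm:$false -ErrorAction Stop
        }
    }
    Get-FsmoHolders   # re-query so the result is verified, not assumed
}

$plan = @{
    PDCEmulator  = 'DC02'; RIDMaster          = 'DC02'; InfrastructureMaster = 'DC02'
    SchemaMaster = 'DC03'; DomainNamingMaster = 'DC03'
}
Move-FsmoByPlan -Plan $plan -WhatIf   # drop -WhatIf to apply the plan
```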

If you’ve searched around on how to move FSMO roles, there is a lot of content out there that shows you how to do it from the GUI, but this method seems so much easier. I prefer this because of the simplicity and ease of the command.

Hopefully you were able to get what you were looking for and now you know how to use Powershell to transfer FSMO roles should you ever need to. If you like using Powershell or want to get more involved, check out our gallery of real world scripts. Also make sure you head over to our Youtube Channel for general sysadmin content as well.


Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.

3 Comments

  1. You have a mistake in your code formatting in this blog. I copy the line and it errors in PS due to the missing `-` even though it is clearly there to read, I guess it is being removed on copy

    ```
    Move-ADDirectoryServerOperationMasterRole -Identity “Target_DC_Name” –OperationMasterRole 0,1,2,3,4 -Confirm:$false -Force
    ```

    Should be
    ```
    Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Confirm:$false -Force
    ```

  2. Was super concerned regarding replacing the primary DC in our organization. This made it so much easier. I split the roles between two servers as you did. So thank you. And my primary DC is just a machine now and can be demoted.
