Active Directory – move FSMO roles

When you create a domain, all FSMO roles assigned to the first domain controller in the forest by default. You can transfer FSMO roles from one DC to another both the Active Directory graphics snap-ins and the PowerShell command line.

To get FSMO role: netdom query fsmo

Moving FSMO roles using AD PowerShell has the following benefits:

• You do not need to connect with a MMC snap-ins to the future role owner;
• Transferring or seizing FSMO roles does not require a connection to the current or future role owner. You can run AD-PowerShell module cmdlets on a Windows 7 client or on a member server running Windows Server (with the RSAT package installed);
• To seize the FSMO role (if the current owner is not available), it suffices to use an additional parameter -force.
• Important. After the FSMO roles has been seized, the domain controller from which the roles was seized should never be connected to the domain.

To get the current forest level FSMO role owners (Domain Naming Master and Schema Master roles) you can use the following PowerShell command:

Get-ADForest mydomain.com

o transfer FSMO roles between Active Directory domain controllers use the PowerShell cmdlet Move-ADDirectoryServerOperationMasterRole.

To use the Move-ADDirectoryServerOperationMasterRole cmdlet, you must meet the following requirements:

• There must be at least one domain controller with a version of Windows Server 2008 R2 or higher;
• Installed PowerShell 3.0 or newer;
• Imported Active Directory module (2.0  or newer).

First of all, you need to load the Active Directory PowerShell module:

import-module activedirectory

Move-ADDirectoryServerOperationMasterRole -Identity "serverdc2" PDCEmulator

To simplify the command, you can replace the names of roles with numbers from 0 to 4. The correspondence of names and numbers is given in the table:

Move-ADDirectoryServerOperationMasterRole “severdc2” –OperationMasterRole 0,1,2,3,4