How to Transfer FSMO Roles
In this short but powerful post, I will look at how to transfer FSMO roles from one server to another. I will be doing this using CMD as well as PowerShell.
To get started, CMD needs to be run as Administrator, and the following command can be used.
Then type: Roles and press ENTER
From the FSMO Maintenance menu, type ? to view the list of available commands.
Now let’s go ahead and transfer the roles to TCLDC02. To do that, we need to connect to TCLDC02 by typing the following.
Then type: Connect to Server TCLDC02
Before we start the transfer process, we need to go back to the previous menu, which can be done by typing the following.
Type: Q and press ENTER
To start the transfer process, type the following
Type: Transfer Schema master
Select “Yes” in the pop-up box to move the role.
The remaining roles are:
To view the current FSMO role holder, type the following in CMD.
NETDOM /Query FSMO and press ENTER
As we can see, the “Schema Master” role has been moved to TCLDC02.
Now let’s look at how we can do the same using Windows PowerShell.
To transfer all 5 roles to another domain controller, the following can be run. The -Identity parameter names the domain controller that receives the roles.
Move-ADDirectoryServerOperationMasterRole -Identity "TCLDC02" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
All 5 roles have been transferred to TCLDC02, but let’s verify that TCLDC02 now holds all the roles.
To verify this type the following in CMD.
NETDOM /Query FSMO
You can also move individual roles to a different domain controller using PowerShell.
The following list details the role number for each of the five FSMO roles.
PDC Emulator – 0
RID Master – 1
Infrastructure Master – 2
Schema Master – 3
Domain Naming Master – 4
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4
Seize the roles using the -Force parameter.
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force
Of course, we could have used the short version:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force
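The transfer, seize and verify steps above can be combined into one guarded run. This is an added example, not part of the original post: it transfers a role only when its current holder answers, and reports unreachable holders instead of seizing automatically. The target name TCLDC02 is taken from the post, the helper Get-FsmoHolders is hypothetical, and the ICMP reachability check is an assumption about the environment.

```powershell
# Added example: graceful transfer per role, with verification afterwards.
Import-Module ActiveDirectory

$TargetDC = 'TCLDC02'   # assumption: the destination DC used in the post

function Get-FsmoHolders {
    # Hypothetical helper. Forest-wide roles come from Get-ADForest,
    # domain-wide roles from Get-ADDomain; both are read from one DC.
    param([string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders -Server $TargetDC
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

foreach ($role in $before.Keys) {
    $holder = $before[$role]                                # FQDN of the current holder
    if (($holder -split '\.')[0] -eq $TargetDC) { continue } # already on the target

    # Coarse reachability check (ICMP may be filtered in some networks).
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        # Holder is online: graceful transfer, no -Force.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $role -Confirm:$false
    } else {
        # Seizing is a deliberate decision: only rerun with -Force once the
        # old holder is confirmed to be permanently offline.
        Write-Warning "$role is held by $holder, which did not answer. Not seizing automatically."
    }
}

# Verify from the target DC's own view of the directory.
$after = Get-FsmoHolders -Server $TargetDC
$stray = $after.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $TargetDC }
if ($stray) {
    $stray | ForEach-Object { Write-Warning "$($_.Name) is still on $($_.Value)" }
} else {
    Write-Output "All five FSMO roles are now held by $TargetDC."
}
```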