Hello, my name is David. I'm a principal engineer with Dell.
In this video, I'm going to talk about transferring and seizing Active Directory FSMO roles in PowerShell. If you've been working with Active Directory for any amount of time, you most likely know how to transfer and seize FSMO roles using the "AD GUI" tools or the old "ntdsutil" method.
But PowerShell can actually save you some time and effort in some situations, and I hope to illustrate that here. So, I've currently got a simple environment with two domain controllers that are both running 2019 Datacenter.
If I run "netdom query dc", you can see their names, "DC1" and "NEWDC". And now if I run "netdom query fsmo", you can see that all five of the roles are currently held by "DC1".
So, the command to transfer FSMO roles in PowerShell is rather a long one. It's "Move-ADDirectoryServerOperationMasterRole". There we go. And as you can see, tab completion is your friend here, as it often is in PowerShell.
The command requires a couple of switches. The "Identity" switch is used to designate the destination domain controller, that is, the one you want to move the role to. Here we'll specify "newdc".
And then, of course, we have to specify what role or roles we want to move. And we'll just tab through the roles here, so, you can see how they're designated in PowerShell.
There's "DomainNamingMaster", "InfrastructureMaster", "PDCEmulator", "RIDMaster", and "SchemaMaster". And let's say we want to move the "RIDMaster" to "newdc".
We'll tab back to that and press "Enter", and it will prompt you to confirm. Say, "Yes", and it's an almost instantaneous process. We can confirm that it worked by running "netdom query fsmo" again.
And now we can see the "RIDMaster" is held by "newdc". All the other four roles are still held by DC1. So, let me just move that back real quick. Just change the destination and confirm again.
Now, what if we want to move more than one role? Let's say, for example, we want to move all five roles to one DC. This is where PowerShell can save you a lot of time and effort.
We go back and change the destination to "newdc" again, and we can type out all the names of the roles if we want, or we can use this shortcut. There are, in fact, numeric designators for all five roles.
Zero represents the PDC Emulator. One represents the RID Master. Two represents the Infrastructure Master. Three represents the Schema Master. And four is the Domain Naming Master.
If we're going to move all five roles, we can simply type, "0,1,2,3,4", and it will prompt you for all of them. You can say "Yes" to all, if you don't want to respond to every single one.
But I figured I would just show you all five prompts here. So, I'm just specifying "Yes" for each one. And just like that, it's done. We'll confirm it again with "netdom query fsmo", and you can see that all five roles are now held by "newdc".
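The whole transfer shown above, written as a script rather than typed interactively. This is an added example, not code from the video: it assumes the RSAT ActiveDirectory module is installed, that "NEWDC" is the destination DC from the lab (a constructed name), and it verifies the result with Get-ADDomain and Get-ADForest instead of "netdom query fsmo". The role parameter, -OperationMasterRole, accepts the same numeric designators the video tabs through (0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster), and -Confirm:$false answers all five prompts at once.

```powershell
# Added example (not from the video). Assumes the ActiveDirectory module and
# that $TargetDC is a writable DC you administer; 'NEWDC' is a constructed lab name.
Import-Module ActiveDirectory

$TargetDC = 'NEWDC'

# Collect the five role holders in one object. Get-ADDomain holds the three
# domain-wide roles, Get-ADForest the two forest-wide roles.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

'Before transfer:'
Get-FsmoHolders | Format-List

# Make sure the destination is actually reachable as a DC before moving anything.
# Get-ADDomainController -Server talks to AD Web Services on that host.
Get-ADDomainController -Server $TargetDC -ErrorAction Stop | Out-Null

# Numeric designators: 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster
#                      3=SchemaMaster 4=DomainNamingMaster
# -Confirm:$false suppresses the five "Are you sure?" prompts.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole 0,1,2,3,4 -Confirm:$false

'After transfer:'
$after = Get-FsmoHolders
$after | Format-List

# Get-ADDomain/Get-ADForest return FQDNs, so match on the hostname prefix.
$notMoved = $after.PSObject.Properties |
    Where-Object { $_.Value -notlike "$TargetDC.*" } |
    Select-Object -ExpandProperty Name
if ($notMoved) {
    throw "Roles still not on ${TargetDC}: $($notMoved -join ', ')"
}
"All five roles are now held by $TargetDC."
```

Drop -Confirm:$false if you want to answer each prompt as in the video; the verification at the end is the part worth keeping in any change script, since a transfer that fails part-way leaves the roles split across two DCs.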
So, that's transferring FSMO roles in PowerShell. Seizing roles is quite similar. To demonstrate this, I'm going to take down "newdc". You won't be able to see it, but trust me, I'm taking it down hard right now. And there it goes.
It's not just down now, it's gone. If we "ping newdc", there's no response. And of course, lack of a ping response doesn't really tell you anything. But I promise you, newdc is just a smoking hole in the ground at this point.
Since it held all of our FSMO roles, we need to get those back. And to seize them in PowerShell, we use the same command, but with a little bit of an addition.
Once again, it's "Move-ADDirectoryServerOperationMasterRole", and we'll change the destination since we're seizing them on DC1. And to specify that we're seizing them, we need to add the "force" switch to the end, and it will prompt you for all five roles again.
You can say "Yes" to all, but again, I was just wanting to show you all the prompts. What I'm not going to show you is how long this takes. If you've seized roles before using some other method, you know it takes a little longer than a transfer because it tries to do a friendly transfer first by contacting the original role holder.
And if that role holder doesn't respond, it waits for a timeout period before it decides, "This thing must be really gone." That timeout period appears to be about a minute and a half.
I don't know that exactly, but that's what I've seen in my experience. You don't want to sit here for a minute and a half times five, just watching this go.
So, I'm going to fast-forward a little bit. Just keep in mind that seizing normally takes quite a bit longer than you're going to see here. So, there's the second prompt for the "RIDMaster". And once again, about a minute and a half.
Third prompt for "InfrastructureMaster", and "SchemaMaster", and finally, "DomainNamingMaster". And they're all done. If we run "netdom query fsmo", we confirm once again the roles are back on DC1.
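The seizure, as an added script that is not from the video. It assumes the ActiveDirectory module, that "DC1" is the surviving DC and "NEWDC" the dead one (both constructed lab names), and it refuses to seize while the current holder still answers an AD query, because a role holder that is merely slow or partitioned should be transferred, not seized. As the video notes, a plain ping says little, so the check uses Get-ADDomainController -Server, which needs AD Web Services on the holder to respond. The comment at the end covers what the video does not show: a DC whose roles were seized must not be brought back onto the network, and its metadata should be cleaned up.

```powershell
# Added example (not from the video). Assumes the ActiveDirectory module;
# 'DC1' and 'NEWDC' are constructed names for the surviving and dead DCs.
Import-Module ActiveDirectory

$TargetDC = 'DC1'
$DeadDC   = 'NEWDC'

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

$before = Get-FsmoHolders
'Current holders (as recorded in AD):'
$before | Format-List

# Every distinct holder must be unreachable as a DC before we seize. An ICMP
# reply or the lack of one proves nothing; an AD Web Services answer does.
$holders = $before.PSObject.Properties.Value | Select-Object -Unique
foreach ($h in $holders) {
    try {
        Get-ADDomainController -Server $h -ErrorAction Stop | Out-Null
        throw "$h still answers AD queries. Transfer the roles normally instead of seizing."
    } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
        "$h is unreachable, seizure is appropriate."
    }
}

# -Force turns the transfer into a seizure. The cmdlet still attempts a
# friendly transfer first and waits for each attempt to time out, so expect
# this to take minutes rather than seconds (the video observed roughly
# ninety seconds per role).
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

'Holders after seizure:'
$after = Get-FsmoHolders
$after | Format-List

$notSeized = $after.PSObject.Properties |
    Where-Object { $_.Value -notlike "$TargetDC.*" } |
    Select-Object -ExpandProperty Name
if ($notSeized) {
    throw "Roles still not on ${TargetDC}: $($notSeized -join ', ')"
}

# Follow-up the seizure does not do for you: $DeadDC must never rejoin the
# network believing it still owns these roles (two PDC emulators or two RID
# masters would corrupt the domain). Remove its stale DC metadata, for
# example with "ntdsutil" metadata cleanup, and confirm no DC object for it
# remains with:
#   Get-ADDomainController -Filter "Name -eq '$DeadDC'"
```

The reachability loop is the check worth keeping even if you run the seizure interactively: it turns "I promise you it's gone" into something the script can refuse to proceed without.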
So, that's transferring and seizing FSMO roles in PowerShell. Once again, I'm David, and thank you for watching.