There are several ways to move FSMO roles between Active Directory domain controllers, the graphical AD consoles, the
ntdsutil
command, and PowerShell. When transferring or seizing multiple roles at a time, PowerShell is likely the fastest and simplest method.
The
Move-ADDirectoryServerMstrOperationRole
![This hyperlink is taking you to a website outside of Dell Technologies. This hyperlink is taking you to a website outside of Dell Technologies.](https://i.dell.com/is/image/DellContent/pop-up-arrow-corner-carbon-64px-1)
cmdlet is used to transfer or seize FSMO roles. It can be run directly on a DC, or on a domain-joined server or workstation with the
ActiveDirectory PowerShell module installed. There are two critical parameters that must be supplied to this command,
Identity and
OperationMasterRole.
The
Identity parameter specifies the destination DC - that is, the DC to which the role or roles are being moved. (It is unnecessary to specify the source DC, since role-holder information is stored within AD.) This is typically the hostname of the destination DC but can also be a fully-qualified domain name, distinguished name, or GUID.
The
OperationMasterRole parameter specifies which role or roles are being moved. Possible values of this parameter are
PDCEmulator,
RIDMaster,
InfrastructureMaster,
SchemaMaster, and
DomainNamingMaster, but there are also numeric shortcuts for each of these:
0: PDCEmulator
1: RIDMaster
2: InfrastructureMaster
3: SchemaMaster
4: DomainNamingMaster
This is where the speed and efficiency of PowerShell becomes apparent. To transfer all five FSMO roles to a DC named NewDC, run this cmdlet:
Move-ADDirectoryServerOperationMasterRole -Identity NewDC -OperationMasterRole 0,1,2,3,4
PowerShell prompts for confirmation of each role by default, but there is a
Yes to All option.
To seize FSMO roles, which should only be done if the existing role holder is permanently offline, add the
-Force parameter to the cmdlet. Using the example above, if all five roles were held by a DC which was permanently offline, they could all be seized on NewDC like so:
Move-ADDirectoryServerOperationMasterRole -Identity NewDC -OperationMasterRole 0,1,2,3,4 -Force
As you can see, the only difference between this and the previous command is the
-Force parameter. You are prompted for each role, as above. Role seizure takes longer to complete than role transfer, because a normal transfer of any roles is attempted before the roles are seized. Assuming the role holder does not respond, a timeout period must expire before the seizure occurs. For this reason, seizing all five roles in this manner takes several minutes.
This video demonstrates the process:
Transfer and Seize FSMO Roles in PowerShell
Duration: 06:02
Closed captions are available in multiple languages. Use the CC icon to change the closed caption language.