FSMO role transfer is something a Windows admin does when the domain controller that currently holds one or more roles has to be decommissioned, rebuilt, or is misbehaving. Done through the GUI it is a lengthy click-through across three different consoles; in PowerShell each transfer is a one-line command. Today we will see how to turn that into an efficient script for our use.
What are the FSMO Roles in Active Directory?
There are five FSMO roles: two are forest-wide (Schema Master and Domain Naming Master, exactly one holder in the whole forest) and three are domain-wide (PDC Emulator, RID Master and Infrastructure Master, one holder per domain).
1. RID (Relative ID) Master
Every security principal (user, group, computer) gets a security identifier (SID) that is used in access control lists instead of its name, because names can change and SIDs cannot. A SID is the domain SID plus a relative ID (RID) that is unique within the domain. The RID Master hands out pools of RIDs to every DC in the domain, so that two DCs creating objects at the same time can never produce the same SID. If the RID Master is offline, DCs can keep creating objects until their current pool runs out.
2. PDC (Primary Domain Controller) Emulator
This is the domain's most authoritative DC. Password changes made on any DC are replicated to the PDC Emulator first, and when another DC sees a bad password it checks with the PDC Emulator before rejecting the logon, so it also tracks account lockouts. It is the authoritative time source for the domain and the DC on which the Group Policy editor creates and edits GPOs by default. Users can still change their passwords while it is down, but lockout handling and the "I just changed my password and it does not work yet" cases depend on it. It's a commanding position!
3. Domain Naming Master
This DC controls adding and removing domains and application directory partitions in the forest, which is what prevents you from creating a second domain with the same name in the same forest.
4. Infrastructure Master
This role only matters in a multi-domain forest. Objects in one domain (say, a group) can reference objects in another domain (a member user). The Infrastructure Master keeps those cross-domain references in its domain up to date when the referenced object is renamed or moved. Because a global catalog already holds a partial copy of every object in the forest, the Infrastructure Master should not sit on a GC unless every DC in the domain is a GC (or the AD Recycle Bin is enabled); otherwise it finds nothing to update and stale references accumulate.
5. Schema Master
This DC holds the only writable copy of the AD schema. The schema defines the object classes and attributes that can exist in the directory (which attributes a user object may carry, for example), not the values stored in them. Changing an attribute value on a user does not involve the Schema Master; extending the schema does, which is why adprep /forestprep and products such as Exchange require it to be online and require Schema Admins rights.
How to identify which server holds the FSMO role?
We can identify the FSMO role holders from the GUI, but it takes three consoles and I am not going to show it here. The command prompt and PowerShell are quicker.
#CMD
C:\Users\Administrator>netdom query fsmo
Schema master DC1.meanmachine.com
Domain naming master DC1.meanmachine.com
PDC DC1.meanmachine.com
RID pool manager DC1.meanmachine.com
Infrastructure master DC1.meanmachine.com
The command completed successfully.
#PowerShell
For the forest-wide roles (meanmachine.com is my lab domain name):
PS C:\Users\Administrator> Get-ADForest meanmachine | Format-Table SchemaMaster,DomainNamingMaster
SchemaMaster DomainNamingMaster
------------ ------------------
DC1.meanmachine.com DC1.meanmachine.com
For the domain-wide roles:
PS C:\Users\Administrator> Get-ADDomain meanmachine | format-table PDCEmulator,RIDMaster,InfrastructureMaster
PDCEmulator RIDMaster InfrastructureMaster
----------- --------- --------------------
DC1.meanmachine.com DC1.meanmachine.com DC1.meanmachine.com
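The two cmdlets above answer "who holds what". As an added example (not part of the original post), the following function gathers all five holders in one report and runs the two checks you want before moving anything: whether each holder actually answers a directory query, and whether the Infrastructure Master sits on a global catalog in a multi-domain forest where not every DC is a GC. It assumes the ActiveDirectory RSAT module and a domain account; the domain defaults to whatever Get-ADDomain returns.

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

function Get-FsmoReport {
    param(
        # Domain to report on; defaults to the domain of the account running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, domain-wide roles from the domain object.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # Does this domain still have DCs that are not global catalogs? Only relevant to the IM check.
    $nonGcExists = [bool](Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $Domain)

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]

        # Ask the holder itself (-Server), not whichever DC the locator picks.
        # A holder that does not answer is the usual reason a planned transfer turns into a seizure.
        $dc = $null
        try {
            $dc = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
        } catch { }

        $isGc = if ($dc) { $dc.IsGlobalCatalog } else { $null }
        $note = ''
        if (-not $dc) {
            $note = 'holder not responding: a transfer now would have to be a seizure'
        } elseif ($role -eq 'InfrastructureMaster' -and $isGc -and $forest.Domains.Count -gt 1 -and $nonGcExists) {
            $note = 'Infrastructure Master on a GC while non-GC DCs exist: cross-domain references will not be refreshed'
        }

        [pscustomobject]@{
            Role   = $role
            Holder = $holder
            Online = [bool]$dc
            IsGC   = $isGc
            Note   = $note
        }
    }
}

# Usage: one row per role, with the warning column empty when everything is as it should be.
Get-FsmoReport | Format-Table -AutoSize
```

In a single-domain forest the Infrastructure Master warning never fires, which is correct: with only one domain there are no cross-domain references to maintain.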
PowerShell script to transfer FSMO roles
Let's build the script and go through it step by step.
Step #1
Your account needs the right group membership for the role you are moving: Domain Admins for the three domain-wide roles (PDC Emulator, RID Master, Infrastructure Master), Schema Admins for the Schema Master and Enterprise Admins for the Domain Naming Master. These are Tier 0 privileges, so run the script from a privileged admin workstation or the DC itself, not from a day-to-day account.
Step #2
Run the script on the destination DC, the server the roles are going to. Move-ADDirectoryServerOperationMasterRole itself works from any machine with the ActiveDirectory module, but the netdom verification at the end of each step needs netdom.exe, which a DC always has.
Step #3
We will use a switch statement to map a menu number to a role name, then one if block per option so the roles can be transferred one at a time or all at once.
Step #4
#Provide the destination DC in which you want to transfer the fsmo role
$destinationdc= Read-Host "Provide the Destination domain controller"
#Choose the role you want to transfer
$role=read-host "Choose the role"
Switch($role)
{
1 { $result = 'DomainNamingMaster'}
2 { $result = 'PDCEmulator'}
3 { $result = 'RIDMaster'}
4 { $result = 'SchemaMaster'}
5 { $result = 'InfrastructureMaster'}
6 {$result = 'All'}
}
Step #5
Anything other than 1 to 6 (including 0, an empty line or letters) should be rejected, and the script should stop there. Read-Host returns a string, so comparing it with -gt would do a string comparison ("10" -gt 6 is false); matching the text is the safe check.
if ($role -notmatch '^[1-6]$')
{
Write-host "Choose correct option" -ForegroundColor Cyan
return
}
Step #6
#This will transfer DomainNamingMaster role to destination server
if ($role -eq 1)
{
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole DomainNamingMaster -Identity $destinationDc -confirm:$false -ErrorAction Stop
Write-host "$result is transferred successfully to $destinationDc" -ForegroundColor DarkGreen -BackgroundColor Cyan
netdom query fsmo |Select-String "Domain Naming Master"
}
Step #7
#This will transfer PDCEmulator role to destination server
if ($role -eq 2)
{
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole PDCEmulator -Identity $destinationDc -confirm:$false -ErrorAction Stop
Write-host "$result is transferred successfully to $destinationDc" -ForegroundColor DarkGreen -BackgroundColor Cyan
netdom query fsmo |Select-String "PDC"
}
Step #8
#This will transfer RID pool manager role to destination server
if ($role -eq 3)
{
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole RIDMaster -Identity $destinationDc -confirm:$false -ErrorAction Stop
Write-host "$result is transferred successfully to $destinationDc" -ForegroundColor DarkGreen -BackgroundColor Cyan
netdom query fsmo |Select-String "RID pool manager"
}
Step #9
#This will transfer Schema Master role to destination server
if ($role -eq 4)
{
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster -Identity $destinationDc -confirm:$false -ErrorAction Stop
Write-host "$result is transferred successfully to $destinationDc" -ForegroundColor DarkGreen -BackgroundColor Cyan
netdom query fsmo |Select-String "Schema Master"
}
Step #10
#This will transfer Infrastructure Master role to destination server
if ($role -eq 5)
{
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole InfrastructureMaster -Identity $destinationDc -confirm:$false -ErrorAction Stop
Write-host "$result is transferred successfully to $destinationDc" -ForegroundColor DarkGreen -BackgroundColor Cyan
netdom query fsmo |Select-String "Infrastructure Master"
}
Step #11
#This will transfer All roles to destination server
if ($role -eq 6)
{
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Identity $destinationDc -confirm:$false -ErrorAction Stop
Write-host "$result roles are transferred successfully to $destinationDc" -ForegroundColor DarkGreen -BackgroundColor Cyan
netdom query fsmo
}
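Putting the steps together, here is a hardened version of the same menu-driven transfer as an added example. It is not the post's script, but it does the same job with the rough edges removed: the menu choice is parsed as an integer and unknown choices are rejected, the destination is validated as a real DC before anything is moved, a success message is printed only after the directory confirms the new holder, and seizure (-Force on the cmdlet) happens only when explicitly requested. It assumes the ActiveDirectory module and the group memberships listed in Step #1; the DC and domain names are whatever you type at the prompts.

```powershell
# Added example, not the original post's script.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$AllRoles = 'DomainNamingMaster','PDCEmulator','RIDMaster','SchemaMaster','InfrastructureMaster'

function Get-FsmoHolder {
    param(
        [Parameter(Mandatory)][string]$Role,
        # Ask a specific DC; after a transfer, ask the destination rather than waiting for replication.
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }
    # Forest-wide roles live on the forest object, domain-wide roles on the domain object.
    switch ($Role) {
        'SchemaMaster'       { (Get-ADForest @common).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest @common).DomainNamingMaster }
        default              { (Get-ADDomain @common).$Role }
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DestinationDC,
        [Parameter(Mandatory)]
        [ValidateSet('DomainNamingMaster','PDCEmulator','RIDMaster','SchemaMaster','InfrastructureMaster','All')]
        [string[]]$Role,
        # Seize only when the current holder is gone for good. A seized-from DC must never
        # come back online without metadata cleanup, or the domain ends up with two holders.
        [switch]$Seize
    )
    $roles = if ($Role -contains 'All') { $AllRoles } else { $Role }

    # Fail early with a clear message if the destination is not a reachable DC.
    $dest = Get-ADDomainController -Identity $DestinationDC -ErrorAction Stop

    foreach ($r in $roles) {
        $before = Get-FsmoHolder -Role $r
        if ($before -eq $dest.HostName) {
            Write-Host "$r is already held by $($dest.HostName), skipping" -ForegroundColor Yellow
            continue
        }
        # ConfirmImpact High means this prompts unless the caller passes -Confirm:$false.
        if (-not $PSCmdlet.ShouldProcess($dest.HostName, "Transfer $r from $before")) { continue }
        try {
            Move-ADDirectoryServerOperationMasterRole -Identity $dest -OperationMasterRole $r `
                -Force:$Seize -Confirm:$false -ErrorAction Stop
        } catch {
            Write-Error "Transfer of $r to $($dest.HostName) failed: $($_.Exception.Message)"
            continue
        }
        # Trust the directory, not the absence of an exception: re-read the holder from the destination.
        $after = Get-FsmoHolder -Role $r -Server $dest.HostName
        if ($after -eq $dest.HostName) {
            Write-Host "$r transferred: $before -> $after" -ForegroundColor Green
        } else {
            Write-Warning "$r is still reported on $after; check replication before retrying"
        }
    }
}

# Menu wrapper keeping the post's numbering. Read-Host returns strings, so the choice is parsed
# as an integer; anything outside 1-6 (0, "10", letters, an empty line) is rejected.
$menu = @{ 1 = 'DomainNamingMaster'; 2 = 'PDCEmulator'; 3 = 'RIDMaster'
           4 = 'SchemaMaster'; 5 = 'InfrastructureMaster'; 6 = 'All' }
$destinationDc = Read-Host 'Provide the destination domain controller'
$choice = 0
if (-not [int]::TryParse((Read-Host 'Choose the role (1-6)'), [ref]$choice) -or -not $menu.ContainsKey($choice)) {
    Write-Host 'Choose correct option' -ForegroundColor Cyan
    return
}
Move-FsmoRole -DestinationDC $destinationDc -Role $menu[$choice]
```

Without -Seize the cmdlet performs a graceful transfer, which requires the current holder to be online; that is the path to use whenever it is. Only when the old holder is permanently lost should you call Move-FsmoRole with -Seize, and then the old DC has to be removed from the directory (ntdsutil metadata cleanup or Remove-ADDomainController) before anything with its name or IP is ever powered on again.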
Conclusion
This script is a time saver, and you can modify it as you want. I hope you learnt something today; I will keep bringing posts like this, so stay tuned for more on PowershellGuru.