Active Directory move FSMO Roles


Technical Summary

The Microsoft FSMO (Flexible Single Master Operation) roles are a set of specialized roles within an Active Directory (AD) domain controller infrastructure. These roles are responsible for managing various critical functions and operations within an Active Directory environment. There are five FSMO roles, each serving a specific purpose:

  1. Schema Master Role: This role is responsible for maintaining and managing the Active Directory schema. The schema defines the structure and attributes of objects within the directory. Changes to the schema must be controlled to ensure consistency across the domain.
  2. Domain Naming Master Role: The Domain Naming Master role manages the addition and removal of domains in the forest. This role ensures that domain names are unique within the forest and helps maintain the forest’s overall structure.
  3. RID (Relative Identifier) Master Role: The RID Master is responsible for allocating unique RIDs to each domain controller in a domain. RIDs are used to create security identifiers (SIDs) for objects within the domain. Ensuring unique RIDs is crucial for security and object identification.
  4. PDC (Primary Domain Controller) Emulator Role: This role emulates the behavior of the old Windows NT primary domain controller in a mixed environment. It handles password changes, authentication requests, and time synchronization for the domain. It is crucial for maintaining backward compatibility.
  5. Infrastructure Master Role: The Infrastructure Master role ensures that object references between domains in a multi-domain environment are up to date. It is particularly important in situations where you have multiple domains and trusts, as it prevents stale or incorrect references.

In a single-domain environment, all these roles can be held by a single domain controller. However, in larger and more complex environments, these roles are distributed across multiple domain controllers to ensure redundancy and fault tolerance. Proper management of FSMO roles is vital to maintaining the integrity and functionality of an Active Directory domain. If any of these roles fail or are not functioning correctly, it can lead to issues in the Active Directory environment, such as problems with object replication, authentication, and schema updates.

Move FSMO Roles with PowerShell

First, check which server currently holds each of your FSMO roles.

For this step, open PowerShell and type in:

netdom query fsmo

You now get a list of the FSMO roles and the FQDN of the server that holds each role.

For transferring the FSMO roles with PowerShell you have 2 options:

  • Transfer by typing in the role names
  • Transfer by typing in the numeric codes for each role (really faster)

TRANSFERRING WITH THE ROLE NAMES:

Move-ADDirectoryServerOperationMasterRole -Identity <Target-DC> -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

TRANSFERRING WITH THE NUMERIC CODES:

For this command, you have to know that each FSMO role has a numeric code, which you can find here:

  • PDC Emulator (0)
  • RID Pool Manager (1)
  • Infrastructure Master (2)
  • Domain Naming Master (3)
  • Schema Master (4)

So, if you use the numeric code instead of the full role name, you save a lot of time for a coffee 😉

So the new command looks like the following:

Move-ADDirectoryServerOperationMasterRole -Identity <Target-DC> -OperationMasterRole 0,1,2,3,4

-Force Move of the FSMO Roles

A Force Move of FSMO (Flexible Single Master Operation) Roles is a manual process used to reassign these critical roles from one domain controller to another within an Active Directory environment. This action is typically performed when the current role holder is unavailable, malfunctioning, or needs to be decommissioned. Unlike a standard role transfer, a force move involves seizing the roles, which should be done cautiously as it can potentially lead to data inconsistency or conflicts if not executed correctly. This process requires administrative privileges and should only be undertaken when absolutely necessary.
Once the roles have been seized, the old role holder must never be brought back online.

Move-ADDirectoryServerOperationMasterRole -Identity <Target-DC> -OperationMasterRole 0,1,2,3,4 -Force
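The whole procedure (check the holders, transfer, verify) as one script is given below. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the account has the Schema/Enterprise/Domain Admin rights the roles require, and the DC name in the comment is a placeholder.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to
# $TargetDC and verify the result. Assumes the ActiveDirectory module (RSAT)
# and sufficient admin rights (Schema/Enterprise/Domain Admin as applicable).
param(
    [Parameter(Mandatory)][string]$TargetDC,   # e.g. 'dc02.corp.example' (placeholder)
    [switch]$Seize                              # adds -Force: only when the old holder is gone for good
)
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        SchemaMaster         = $forest.SchemaMaster
    }
}

$before = Get-FsmoHolders
Write-Host "Current role holders:"
$before.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# Same order as the numeric codes 0-4 in the table above.
$roles  = 'PDCEmulator','RIDMaster','InfrastructureMaster','DomainNamingMaster','SchemaMaster'
$params = @{ Identity = $TargetDC; OperationMasterRole = $roles; Confirm = $true }
if ($Seize) { $params.Force = $true }   # seizure: the previous holder must never return online
Move-ADDirectoryServerOperationMasterRole @params

# Verify: every role must now point at the target DC's FQDN.
$after  = Get-FsmoHolders
$target = (Get-ADDomainController -Identity $TargetDC).HostName
$bad    = $after.GetEnumerator() | Where-Object { $_.Value -ne $target }
if ($bad) {
    $bad | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
    exit 1
}
Write-Host "All five FSMO roles are now held by $target"
```

Run it as `.\Move-Fsmo.ps1 -TargetDC dc02.corp.example` for a normal transfer; add `-Seize` only when the current holder is permanently unavailable, and keep the printed before/after output as a change record.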