FSMO is an Active Directory term that stands for Flexible Single Master Operation. Although Active Directory uses a multi-master enabled database, which provides the flexibility of allowing changes to occur on any domain controller, certain operation requires a single-master model where only one domain controller is allowed to process updates to prevent conflicting updates.

There a five FSMO roles, two of which of forest-level and three of which are domain-level. The forest-level FSMO roles are:

  • Schema Master
  • Domain Naming Master

The domain-level FSMO roles are:

  • RID (Relative Identifier) Master
  • PDC (Primary Domain Controller) Emulator
  • Infrastructure Master

Occasionally, you need to know which domain controller owns each FSMO role and move the FSMO roles to a new domain controller. There are command-line utilities and PowerShell cmdlets that will get the FSMO owner and move the FMSO roles, but since it’s not something that’s done very often, and that means you need to search for the correct commands. I decided to create a couple of PowerShell scripts to do the work and eliminate the search. (Download link is found below.)

List FSMO Role Owners

The script Get-ActiveDirectoryFSMORoles.ps1 lists the domain controller that owns each FSMO role. It also shows the functional level of the forest and domain and lists all the domain controllers noting if they are offline. Simply run the script in a PowerShell window.

This requires the ActiveDirectory module which is only installed by default on domain controllers. When run on a non-domain controller (or at least a system without the ActiveDirectory module), it will not work.

Move FSMO Roles

Sometimes you need to move the FSMO roles to another domain controller. This is often done when upgrading to a newer version of Windows Server and the old domain controllers will be decommissioned. The script Move-ActiveDirectoryFSMORoles.ps1 will transfer the FMSO roles to the domain controller on which it is run. If that domain controller already owns the FSMO role, the transfer of that role is skipped.

If the domain controller does not own the FSMO role, it is transferred.

The scripts uses a ping check to determine if the owning domain controller is online. If the owning domain controller is not online, the FSMO role cannot be transferred gracefully. It must be seized. This should only be done if the offline domain controller will not be brought back online.

There are rare cases where a domain controller can be on an isolated network, and generally is only done in very large Active Directory topologies. In such a case, the ping test would fail and the script would try to seize the FSMO role even though the owning domain controller is online. Use this script care if the Active Directory topology includes isolated networks.

The script transfers all FSMO roles to the domain controller on which it is run. There is no option to transfer only selected FSMO roles. To transfer only certain FSMO roles, use the cmdlet Move-ADDirectoryServerOperationMasterRole.

Package Download: Active Directory FSMO Scripts