Learn how to use the GUI tools and PowerShell to check which domain controllers hold the 5 FSMO roles in AD
Published: Oct 15, 2024
In this article, I’m going to show you how to check which domain controllers (DC) hold the FSMO roles in Active Directory (AD). FSMO roles are assigned to specific domain controllers and are designed to prevent conflicts once data is replicated. You can also quickly transfer and seize FSMO roles using PowerShell.
There are three main locations to verify (and change) which FSMO roles are assigned to which domain controllers:
If you want the quickest, easiest method to check which DCs hold your FSMO roles, you can run netdom from a command line.
netdom query fsmo
This is much easier and quicker. You only need to run a handful of PowerShell commands to glean the same information we just spent about 10 minutes gathering. Let’s get started.
First, type the following at the PowerShell prompt to get the ‘Schema Master’ and ‘Domain Naming Master’ roles.
Get-ADForest | fl SchemaMaster,DomainNamingMaster
Next, run this similar command to get the remaining three roles.
Get-ADDomain | fl RIDMaster,PDCEmulator,InfrastructureMaster
That is it! You could easily write a simple script to get all 5 roles in one command.
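One way to write that single script, as an added example rather than code from the original article: it combines the two commands above and then asks each listed holder to confirm the role through the `OperationMasterRoles` property returned by `Get-ADDomainController`. The function name `Get-FsmoRoleHolder` and its `-Domain` parameter are hypothetical, and the script assumes the ActiveDirectory module is installed and the session is domain-joined.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {   # hypothetical function name
    [CmdletBinding()]
    param(
        # Hypothetical parameter: DNS name of the domain to inspect.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $adDomain = Get-ADDomain -Identity $Domain
    $adForest = Get-ADForest -Identity $adDomain.Forest

    # Two forest-wide roles from Get-ADForest, three domain-wide roles from Get-ADDomain.
    $roles = @(
        @{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $adForest.SchemaMaster }
        @{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $adForest.DomainNamingMaster }
        @{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $adDomain.RIDMaster }
        @{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $adDomain.PDCEmulator }
        @{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $adDomain.InfrastructureMaster }
    )

    foreach ($r in $roles) {
        $status = 'Unreachable'
        try {
            # Ask the listed holder directly which roles it believes it owns.
            $dc = Get-ADDomainController -Identity $r.Holder -Server $r.Holder -ErrorAction Stop
            $owned = @($dc.OperationMasterRoles | ForEach-Object { $_.ToString() })
            $status = if ($owned -contains $r.Role) { 'Confirmed' } else { 'Mismatch' }
        }
        catch {
            Write-Warning "Could not query $($r.Holder) for $($r.Role): $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Role   = $r.Role
            Scope  = $r.Scope
            Holder = $r.Holder
            Status = $status
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

A `Mismatch` or `Unreachable` status is worth investigating before any transfer or seize, because it means the directory's record and the DC's own view disagree or the listed holder cannot be queried.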
To view the ‘RID Master’, ‘PDC emulator’, and ‘Infrastructure Master’ roles, open Active Directory Users and Computers. Right-click on the domain name (reinders.local) and click ‘Operations Masters…’.
Here, you can verify what DC owns each role by clicking on the corresponding tab on the top.
I’ll explain the process of transferring roles later on.
To view the ‘Domain Naming Master’ role, open ‘Active Directory Domains and Trusts’. Right-click on the ‘Active Directory Domains and Trusts…’ link at the top of the tree and click ‘Operations Master…’.
This will inform you of the current assignment for this role. Again, I’ll explain transferring roles in just a bit.
The last one is a little tricky. To view the ‘Schema Master’, you must register a specific DLL to open the Active Directory schema MMC. Please follow these steps.
Done. Next, type in mmc.exe to launch the Microsoft Management Console. Click the File menu and select ‘Add/Remove Snap-in…’.
Then right-click on the ‘Active Directory Schema…’ link and click, you guessed it, ‘Operations Master…’.
There you have it. Well, this certainly was a good deal of effort and time, huh? Let’s broaden our minds with the ever-sustaining efficiency of the command line and PowerShell!
The FSMO role holders can easily be found using the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
C:\WINDOWS>ntdsutil
ntdsutil:
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
fsmo maintenance: connections
server connections:
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
server connections: q
fsmo maintenance:
fsmo maintenance: Select operation target
select operation target:
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target: