How to Check FSMO Roles in Active Directory

Learn how to use the GUI tools and PowerShell to check which domain controllers hold the 5 FSMO roles in AD

Published: Oct 15, 2024


In this article, I’m going to show you how to check which domain controllers (DCs) hold the FSMO roles in Active Directory (AD). FSMO roles are assigned to specific domain controllers and are designed to prevent conflicts once data is replicated. You can also quickly transfer and seize FSMO roles using PowerShell.

How to check FSMO roles in Active Directory

There are four main tools to verify (and change) which FSMO roles are assigned to which domain controllers:

  1. Netdom command-line tool (quickest)
  2. PowerShell
  3. Active Directory GUI tools
  4. NTDSUtil

Quickly check the FSMO roles using Netdom

If you want the quickest, easiest method to check which DCs hold your FSMO roles, you can run netdom from a command line.

netdom query fsmo
Using the simple netdom command-line tool to get all FSMO roles at once (Image Credit: Michael Reinders/Petri.com)

How to check FSMO roles in PowerShell

This is much easier and quicker than the GUI tools. A handful of PowerShell commands return the same information that takes about 10 minutes to gather by clicking through the consoles. Let’s get started.

First, type the following at the PowerShell prompt to get the ‘Schema Master’ and ‘Domain Naming Master’ roles.

Get-ADForest | fl SchemaMaster,DomainNamingMaster
Using PowerShell to get the two forest FSMO Roles (Image Credit: Michael Reinders/Petri.com)

Next, run this similar command to get the remaining three roles.

Get-ADDomain | fl RIDMaster,PDCEmulator,InfrastructureMaster
Using PowerShell to get the three domain FSMO Roles (Image Credit: Michael Reinders/Petri.com)

That is it! You could easily write a simple script to get all 5 roles in one command.
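
The script mentioned above, as an added example (not from the original article): it collects all five role holders in one run and, going one step beyond the text, compares them with a saved baseline so an unexpected transfer or seizure stands out. The $BaselinePath parameter and the fsmo-baseline.json file name are assumptions of this example.

```powershell
param(
    # Hypothetical location for the saved baseline (an assumption of this example).
    [string]$BaselinePath = '.\fsmo-baseline.json'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
# Both query the current domain; run once per domain in a multi-domain forest.
$forest = Get-ADForest
$domain = Get-ADDomain

# One object per role so the result can be sorted, exported or compared.
$roles = @(
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
)

if (Test-Path -LiteralPath $BaselinePath) {
    # Compare against the holders recorded earlier; -ne on strings ignores case.
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($r in $roles) {
        $expected = ($baseline | Where-Object { $_.Role -eq $r.Role }).Holder
        $r | Add-Member -NotePropertyName Expected -NotePropertyValue $expected
        $r | Add-Member -NotePropertyName Changed  -NotePropertyValue ($expected -ne $r.Holder)
    }
    $moved = @($roles | Where-Object { $_.Changed })
    if ($moved.Count -gt 0) {
        Write-Warning ("{0} FSMO role(s) differ from the baseline: {1}" -f $moved.Count, ($moved.Role -join ', '))
    }
}
else {
    # First run: record the current holders as the baseline.
    $roles | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
}

$roles | Format-Table -AutoSize
```

After a planned role transfer, delete the baseline file and run the script again to record the new holders.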

Check FSMO roles using the GUI tools

To view the ‘RID Master’, ‘PDC emulator’, and ‘Infrastructure Master’ roles, open Active Directory Users and Computers. Right-click on the domain name (reinders.local) and click ‘Operations Masters…’.

Viewing the three domain FSMO Roles in Active Directory Users and Computers (Image Credit: Michael Reinders/Petri.com)

Here, you can verify what DC owns each role by clicking on the corresponding tab on the top.

Viewing the owner of each domain Role (Image Credit: Michael Reinders/Petri.com)

I’ll explain the process of transferring roles later on.

To view the ‘Domain Naming Master’ role, open ‘Active Directory Domains and Trusts’. Right-click on the ‘Active Directory Domains and Trusts…’ link at the top of the tree and click ‘Operations Master…’.

Domains and Trusts – viewing forest Roles (Image Credit: Michael Reinders/Petri.com)

This will inform you of the current assignment for this role. Again, I’ll explain transferring roles in just a bit.

Register the Active Directory Schema MMC

The last one is a little tricky. To view the ‘Schema Master’, you must register a specific DLL to open the Active Directory schema MMC. Please follow these steps.

  • Open your favorite terminal (administrative permissions needed)
  • Run this command – ‘regsvr32 schmmgmt.dll’, and press Enter.
Registering the correct DLL to use Schema admin tools (Image Credit: Michael Reinders/Petri.com)

Done. Next, type in mmc.exe to launch the Microsoft Management Console. Click the File menu and select ‘Add/Remove Snap-in…’.

Adding AD Schema to the mmc.exe tool (Image Credit: Michael Reinders/Petri.com)
  • Click ‘Active Directory Schema’ in the list on the left.
  • Click the ‘Add >’ button.
  • Then, click OK.
Adding the AD Schema via the mmc.exe tool (Image Credit: Michael Reinders/Petri.com)

Then right-click on the ‘Active Directory Schema…’ link and click, you guessed it, ‘Operations Master…’.

Viewing the Schema Master role in the new console tool (Image Credit: Michael Reinders/Petri.com)

There you have it. Well, this certainly was a good deal of effort and time, huh? Let’s broaden our minds with the ever-sustaining efficiency of the command line and PowerShell!

Use the Ntdsutil command to check FSMO roles

The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

  • On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
C:\WINDOWS>ntdsutil
ntdsutil:
  • Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

  • Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
  • Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
  • At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
  • At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.
fsmo maintenance: Select operation target
select operation target:
  • At the select operation target: prompt, type List roles for connected server, and then press ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  • Type q 3 times to exit the Ntdsutil prompt.
