I have been running 2 Virtual Machines as Active Directory Domain Controllers in the Lab for sometime now. DC00 was running Windows Server 2003 R2 and DC01 is running Windows Server 2008 R2. But recently I lost a Hyper-v machine hosting DC00 Domain Controller VM, I had no replica available to immediately failover and didn’t want to do a restore from backup. So, I decided to spin up a WS2012 Domain Controller . There was a small problem though, the failed DC00 held all the FSMO roles: the PDCEmulator, DomainNamingMaster, RIDMaster, InfrastructureMaster and Schema FSMO roles. This scenario disrupted my initial attempt to add another Domain Controller.
I had to seize all the roles and move them to the only existing Domain Controller DC01. Normally I would use the NTDSUTIL tool and all its subcommands: roles, fsmo maintenance etc. , to achieve this task . But with PowerShell 4.0, the task is simpler and can be achieved with one single cmdlet and one line of PowerShell code (Awesome.) I ran the cmdlet from a remote Windows Server 2012 R2 machine. The following screenshots show how I achieved this task:
Identify the current Roles:
Get-ADForest cmdlets helped me identify what roles needed to be seized from the failed Domain Controller DC00. After identifying the Operation Master roles, I used the
Move-ADDirectoryServerOperationMasterRole cmdlet, with the Force parameter to actually seize and move the roles to the target Domain Controller DC01:
I forgot to seize the DomainNamingMaster and so ran the cmdlet again for that specific role:
After running the cmdlet, you will observe that all the specified roles have successfully been seized and moved to the target Domain Controller.I verified to make sure the roles have been moved to the target Domain Controller DC01, with the ;
Using this cmdlet, requires PowerShell 4.0. This cmdlet eliminates using the ntdsutil tool and the multiple steps involved in accomplishing the same task.