Tip: You can transfer or seize FSMO roles in some cases.
For example, if you need to install updates and reboot a DC holding FSMO roles, you should temporarily transfer its FSMO role(s) to another DC.
Transfer = the “clean” way
When the DC “source” (holding the role) and the DC “destination” (receiving the role) are online.
Seize = the “dirty” way
When the DC “source” (holding the role) is offline (crashed, hardware issue, etc.) but the DC “destination” is online. It is like a forced transfer.
WARNING: Never reconnect to the domain a DC from which you seized a role; this DC should remain permanently offline.
===
The cmdlet to transfer or seize is the same (Move-ADDirectoryServerOperationMasterRole); the only difference is that you add the -Force parameter to seize (and omit it to transfer).
===
Transfer
Important: If you want to transfer FSMO roles from DC1 to DC2, you need to run this command on DC2 (the reason is to be sure that the FSMO role is transferred to a DC that is available).
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
===
Seize (with -Force parameter)
Move-ADDirectoryServerOperationMasterRole -Identity DC01 -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force
I disabled the network card on DC02 to simulate that it is down.
To seize, the trick here is to use the -Force parameter; without it, the command will not work.
Note: You can use numbers instead of names.
0 : PDCEmulator
1 : RIDMaster
2 : InfrastructureMaster
3 : SchemaMaster
4 : DomainNamingMaster
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole 0,1,2,3,4
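The transfer-versus-seize decision described above can be checked before moving anything. The following is an added example, not code from the original post: it lists the current role holders, tests whether each one answers on LDAP, and previews the matching command with -WhatIf. It assumes it is run on the destination DC, that the destination is named DC02 as in the article, and that an LDAP port check (TCP 389) is an acceptable reachability test.

```powershell
# Added example (not from the original post): decide per role whether a clean
# transfer is possible or a seize is required, then preview the command.
# Assumptions: run on the destination DC; destination is DC02; a holder counts
# as "online" if TCP 389 (LDAP) answers.
Import-Module ActiveDirectory

$Destination = 'DC02'

# Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
$domain = Get-ADDomain
$forest = Get-ADForest
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

$transfer = @()   # holder reachable: the "clean" way
$seize    = @()   # holder unreachable: the "dirty" way
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    # Skip roles the destination already holds (holder is reported as an FQDN).
    if ($holder -eq $Destination -or $holder -like "$Destination.*") { continue }
    if (Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet) {
        $transfer += $role
    } else {
        $seize += $role
    }
    Write-Host ("{0,-22} currently on {1}" -f $role, $holder)
}

if ($transfer) {
    # No -Force: source and destination are both online.
    Move-ADDirectoryServerOperationMasterRole -Identity $Destination `
        -OperationMasterRole $transfer -WhatIf
}
if ($seize) {
    Write-Warning ("Holder unreachable for: {0}. After a seize, the old holder must stay offline." -f ($seize -join ', '))
    # -Force: the source is offline, so this is a seize.
    Move-ADDirectoryServerOperationMasterRole -Identity $Destination `
        -OperationMasterRole $seize -Force -WhatIf
}
```

Remove -WhatIf from the relevant call once the preview matches what you intend to do.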