Sunday, September 13, 2015

Powershell - Domain Controller inventory and Transfering / moving FSMO roles between DC

Powershell is always best when doing automation task on Active Directory. I was building some long automation script bringing down my AD infrastructure and wanted to automate many task where migration of FSMO role from one DC to another DC was one of them in my workflow.

We can know what (Flexible Single master operations) fsmo role is on what Domain controller using Active directory users and computers, Active directory Schema snap-in and Active directory domain and trust. (To view active directory Schema snapin you will have to register regsvr32 schmmgmt.dll), Select top root, right click go to all tasks and open Operation Master, you can also transfer the role by clicking button change. (To move role from AD002 to AD001 you will have login on Ad001 and do the further process).

I will not go into much details on GUI and will show you demo on powershell. One of the advantage of using powershell is, you can move FSMO role for AD001 to AD002 and vice versa from any DC, not alike GUI.

First we will collect the small inventory of my Active Directory. Log in to any DC and Run Powershell as administrator. You can run simple one netdom query fsmo to know all the roles details but here I will run native PS commands and want to more details from one liner.
First command need to be run is Import-Module ActiveDirectory. it is a plug in to you AD, (On Powershell v4 and above this commmand however is not required, it loads them automatically when you run cmdlets falls under ActiveDirectory module).

Get-ADDomainController -Filter * | Select HostName, IPV4Address, OperatingSystem, OperationMasterRoles, IsGlobalCatalog, IsReadOnly, Enabled, Site

Above command shows some useful information in list, specially what I am looking for is OperationMasterRoles right now, if you see all my roles are hosted on AD001 domain controller. and AD002 is empty on OperationMasterRoles.

Above command is giving you below information.
hostname: it s full FQDN, it will show your computernamd and domain name,

IPV4Address: IP version 4 address,
OperatingSystem: Operating system is self explanatory
OperationMasterRoles: FSMO roles
IsGlobalCatalog: is server Global catalog - true or false
IsReadOnly: is server Read Only RODC - true or false
Enabled: Many times we decommission AD and metadata is remained behind.
Site: Which site is Domain controller in.

Once we know what is placed where, we are ready to move roles from AD001 to Ad002. For this run below command marked in yellow and green (green marked can be changed according to your need). Make sure you type the Identity hostname is netbios name only (No fqdn) and in the operations master role, you can specify all the roles at a time or specific FSMO roles you want to transfer.

Move-ADDirectoryServerOperationMasterRole -Identity AD002 –OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator -Confirm:$false
Once you moved FSMO roles, verify what changes has been occur, run Get-AdDomainController (inventory command) again and verify the changes. As per below now 3 roles are transferred to AD002.
There is a tip here, Powershell makes your work very easy, it has assigned each FSMO role a number between 0-4, as below. while using move command you can use numbers instead of typing each FSMO role name, which is lot easier to remember and you might not make typo error.

0 – PDCEmulator
1 – RIDMaster
2 – InfrastructureMaster
3 – SchemaMaster
4 – DomainNamingMaster

As per below screenshot After running Move fsmo role command it is asking for me for confirmation because I have forgot to give parameter -confirm:$false in the last. Once you transfered roles again run inventory command to see the details and compare them with previous report.

Move-ADDirectoryServerOperationMasterRole -Identity AD002 –OperationMasterRole 1, 2

Get-ADDomainController -Filter * | Select HostName, IPV4Address, OperatingSystem, OperationMasterRoles, IsGlobalCatalog, IsReadOnly, Enabled, Site
Currently all roles are on AD002 now I will move / transfer all FSMO Roles at a time to AD001 using number coding only.

Move-ADDirectoryServerOperationMasterRole -Identity AD001 –OperationMasterRole 0,1,2,3,4 -Confirm:$false
Verify running inventory command and verify with earlier screenshot. easier than GUI huh...

No comments: