There are several ways to move FSMO roles between Active Directory domain controllers: the graphical AD consoles, the ntdsutil command,
and PowerShell. When transferring or seizing multiple roles at a time,
PowerShell is likely the fastest and simplest method.
The Move-ADDirectoryServerOperationMasterRole cmdlet
is used to transfer or seize FSMO roles. It can be run directly on a
DC, or on a domain-joined server or workstation with the ActiveDirectory PowerShell module installed. There are two critical parameters that must be supplied to this command: Identity and OperationMasterRole.
The Identity parameter specifies the destination DC - i.e.,
the DC to which the role or roles are being moved. (It's not necessary
to specify the source DC, since role-holder information is stored within
AD.) This is typically the hostname of the destination DC but can also
be a fully-qualified domain name, distinguished name, or GUID.
The OperationMasterRole parameter specifies which role or roles are being moved. Possible values of this parameter are PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, and DomainNamingMaster, but there are also numeric shortcuts for each of these:
0: PDCEmulator
1: RIDMaster
2: InfrastructureMaster
3: SchemaMaster
4: DomainNamingMaster
This is where the speed and efficiency of PowerShell become
apparent. To transfer all five FSMO roles to a DC named NewDC, simply
run this cmdlet:
Move-ADDirectoryServerOperationMasterRole -Identity NewDC -OperationMasterRole 0,1,2,3,4
PowerShell will prompt for confirmation of each role by default, but there is a Yes to All option.
To seize one or more FSMO roles, which should only be done if the existing role holder is permanently offline, simply add the -Force parameter to the cmdlet. Using the example above, if all five roles were held by a domain controller which was in an unrecoverable state, they could all be seized on NewDC with this cmdlet:
Move-ADDirectoryServerOperationMasterRole -Identity NewDC -OperationMasterRole 0,1,2,3,4 -Force
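Because seizing is only appropriate when the existing role holder is permanently offline, it helps to read the current holders from AD before moving anything and again afterwards. The script below is an added example, not part of the original article: NewDC is the article's destination name, Get-FsmoHolder is a helper defined here, and it assumes the current domain and forest are the ones being changed.

```powershell
# Added example. 'NewDC' is the destination DC name used in the article;
# Get-FsmoHolder is a helper defined here, not a built-in cmdlet.
Import-Module ActiveDirectory

$Destination = 'NewDC'

function Get-FsmoHolder {
    # Domain-wide roles are read from Get-ADDomain, forest-wide roles from Get-ADForest.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

# Resolve the destination to its FQDN so it compares cleanly with the holder names.
$destFqdn = (Get-ADDomainController -Identity $Destination).HostName

$before = Get-FsmoHolder
$before | Format-Table -AutoSize

# Only move roles that are not already on the destination.
$toMove = @($before.GetEnumerator() |
    Where-Object { $_.Value -ne $destFqdn } |
    ForEach-Object { $_.Key })

if ($toMove.Count -eq 0) {
    Write-Output "All five roles are already held by $destFqdn."
}
else {
    # A current holder that still answers is a case for transfer, not for -Force.
    # (Ping is only a rough reachability check, not a DC health test.)
    $holders = $toMove | ForEach-Object { $before[$_] } | Sort-Object -Unique
    foreach ($h in $holders) {
        $up = Test-Connection -ComputerName $h -Count 1 -Quiet
        Write-Output ("Current holder {0} reachable: {1}" -f $h, $up)
    }

    # Graceful transfer (no -Force); PowerShell prompts for confirmation of each role.
    Move-ADDirectoryServerOperationMasterRole -Identity $Destination -OperationMasterRole $toMove

    # Confirm the result from the directory rather than assuming success.
    Get-FsmoHolder | Format-Table -AutoSize
}
```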