Query FSMO Roles Quickly & Easily

Flexible Single Master Operation Roles (FSMO Roles) are an incredibly important aspect of Active Directory. When you first deploy a domain controller on a fresh domain, these roles are assigned to that domain controller. Generally, these roles are best left where they are.

Eventually, though, you’re going to want to add a new domain controller to your domain and retire old ones. Before you retire a domain controller you need to check its FSMO roles and make sure to move any roles it holds to another properly functioning domain controller.

Failure to do so can be anything from a nuisance (because you have to manually clean up AD after decommissioning your DC) to catastrophic, potentially leading to a Disaster Recovery (DR) restore of your domain or a complete rebuild (yikes!).

Understanding FSMO Role Assignment

Within the realm of FSMO roles there are three roles for each domain and two roles for each forest.

What are the three domain wide roles?

  • PDC Emulator
  • RID Master
  • Infrastructure Master

What are the two forest wide roles?

  • Schema Master
  • Domain Naming Master

How to Query FSMO Roles?

As with most things in Windows land, you can check FSMO roles via command line or PowerShell.

Netdom Query FSMO Roles Command Line

Netdom itself is a tool that can be used for many purposes. Right now we’re going to use it to check the FSMO roles.

  1. Open command prompt (CMD.exe) as an admin on one of your domain controllers (or use Psexec to open it remotely).
  2. Enter the command:

    netdom query fsmo

  3. The output will show all of the roles and which domain controller holds them:

    C:\Windows\system32>netdom query fsmo
    Schema master  DOMCON1.npgdom.com
    Domain naming master DOMCON1.npgdom.com
    PDC DOMCON1.npgdom.com
    RID pool manager DOMCON1.npgdom.com
    Infrastructure master DOMCON1.npgdom.com
    The command completed successfully.

PowerShell Get FSMO Roles

The PowerShell method for getting FSMO roles isn’t quite as simple as command line because you have to check the domain wide and forest wide roles separately. That said, it’s still quick and easy.

  1. Open PowerShell on your domain controller and enter the command:

    Get-ADForest domainname | Format-Table SchemaMaster,DomainNamingMaster

    This will return the following output:

    PS C:\Windows\system32> Get-ADForest npgdom.com | Format-Table SchemaMaster,DomainNamingMaster

    SchemaMaster       DomainNamingMaster
    ------------       ------------------
    DOMCON1.npgdom.com DOMCON1.npgdom.com

  2. For the remaining roles, enter the command:

    Get-ADDomain yourdomain | format-table PDCEmulator,RIDMaster,InfrastructureMaster

    This will return the rest of the FSMO roles and their holder in the following output:

    PS C:\Windows\system32> Get-ADDomain npgdom.com | format-table PDCEmulator,RIDMaster,InfrastructureMaster

    PDCEmulator        RIDMaster          InfrastructureMaster
    -----------        ---------          --------------------
    DOMCON1.npgdom.com DOMCON1.npgdom.com DOMCON1.npgdom.com

It’s important that you know which domain controllers hold which roles for the reasons mentioned at the start of this article.
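The two PowerShell queries above can be combined into a single pre-decommission check. The following is an added example, not code from the original article: the function names Get-FsmoRoleHolder and Test-DcSafeToRetire are hypothetical, it assumes the ActiveDirectory module is installed, and it goes slightly beyond the single-domain case shown above by walking every domain in the forest.

```powershell
# Added example; requires the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

# Hypothetical helper: returns one object per FSMO role,
# two for the forest plus three for each domain in it.
function Get-FsmoRoleHolder {
    param([string]$ForestName = (Get-ADForest).Name)

    $forest = Get-ADForest -Identity $ForestName
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = 'Forest'; Name = $forest.Name; Role = $role; Holder = $forest.$role }
    }

    foreach ($domainName in $forest.Domains) {
        # -Server points the query at the domain being inspected.
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = 'Domain'; Name = $domain.DNSRoot; Role = $role; Holder = $domain.$role }
        }
    }
}

# Hypothetical helper: returns $false and lists the roles if the
# named DC (FQDN) still holds any FSMO role, otherwise returns $true.
function Test-DcSafeToRetire {
    param([Parameter(Mandatory)][string]$DomainController)

    $held = @(Get-FsmoRoleHolder | Where-Object { $_.Holder -eq $DomainController })
    if ($held.Count -gt 0) {
        Write-Warning "$DomainController still holds $($held.Count) FSMO role(s); move them first."
        $held | Format-Table Scope, Name, Role, Holder -AutoSize | Out-Host
        return $false
    }
    Write-Host "$DomainController holds no FSMO roles."
    return $true
}

# DOMCON1.npgdom.com is the sample DC from the output shown in this article.
Test-DcSafeToRetire -DomainController 'DOMCON1.npgdom.com'
```

Against the sample environment in this article the check would return False and list all five roles, since DOMCON1 holds every one of them.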

Also, if you’re using backup software such as Veeam to back up your environment, it’s important that you back up the FSMO roles holder. It’s also important that you only restore the FSMO roles holder during a disaster recovery scenario to prevent synchronization issues and other issues like tombstoning.
