PowerShell How-To

Finding Active Directory FSMO Role Holders with PowerShell

Since FSMO roles are typically spread out among various domain controllers, it's not always easy to figure out which domain controller holds a particular role. Luckily, we have PowerShell and the AD module to make this task a breeze.

Active Directory (AD) is an identity service that many organizations use and rely on every day. A handful of AD operations cannot safely be performed by more than one domain controller at a time, so AD assigns each of them to a single DC through a concept called Flexible Single Master Operation roles -- more commonly referred to as FSMO roles.

Each domain controller (DC) in an AD forest or domain can hold zero or more of these roles, which put it in charge of duties such as controlling changes to the AD schema, handing out relative ID (RID) pools for new security principals, acting as the authoritative source for password changes and account lockouts in its domain, and more.

Because the five roles are typically spread across several DCs, it's not always obvious which DC holds which. Whether you're troubleshooting a failing AD function (an unreachable RID master, for example, eventually stops new accounts from being created) or simply building an AD topology inventory for your team, you need a quick way to identify the role holders. Luckily, the ActiveDirectory module for PowerShell makes this task a breeze.

To determine where all the FSMO roles in your AD environment are located, you'll first need the ActiveDirectory module. This module comes as part of the Remote Server Administration Tools (RSAT) package, and it is also installed on any server that holds the AD DS role. Once the package is installed on a domain-joined workstation, you're ready to go: the role-holder attributes we're after are readable by any authenticated domain user, so no elevated rights are required.

Since three of the five roles are scoped to a domain and the other two to the forest, we'll need two commands from the ActiveDirectory module to discover all of them: Get-ADDomain and Get-ADForest. These commands don't just return FSMO role holders but also produce other useful information about your domain and forest.

We'll first find the three domain-level roles using Get-ADDomain. Run alone, Get-ADDomain returns the domain you're logged on to with many properties, but we're only interested in the domain FSMO roles: infrastructure master, PDC emulator and RID master. We can find the DCs that hold each of these roles by limiting the output to the FSMO role properties with Select-Object. (In a multi-domain forest, pass -Identity with another domain's DNS name to query that domain instead.)

Get-ADDomain | Select-Object InfrastructureMaster,PDCEmulator,RIDMaster | Format-List

This returns all of the domain-level roles, but we've still got two more to go: the domain naming master and the schema master. These roles exist once per forest, so Get-ADDomain won't show them. For these FSMO roles, we'll need to use the Get-ADForest command.

Like Get-ADDomain, Get-ADForest returns more than the role holders we're after, with each forest FSMO role exposed as a property of the forest object, so we use Select-Object once more to keep only DomainNamingMaster and SchemaMaster.

Get-ADForest | Select-Object DomainNamingMaster,SchemaMaster | Format-List

When run, you'll again see only the names of the DCs that hold those two roles. That's it! That's all five roles. To make this easy to run regularly, we can combine the two commands inside a single function; we'll call it Get-ADFSMORole.

function Get-ADFSMORole {
    [CmdletBinding()]
    param ()

    # Both cmdlets come from the ActiveDirectory (RSAT) module
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Return a single object instead of formatting inside the function, so
    # the result can still be piped to Format-List, Export-Csv or compared
    # against an earlier inventory
    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        InfrastructureMaster = $domain.InfrastructureMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        SchemaMaster         = $forest.SchemaMaster
    }
}

We now have a handy PowerShell function that finds all five FSMO role holders in our forest and domain simply by running Get-ADFSMORole; pipe it to Format-List for the same layout as the individual commands above.
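The function above covers the domain you're logged on to. The following is an added example, not code from the original article, that goes further in two ways a practitioner usually wants when troubleshooting: it walks every domain in the forest (Get-ADDomain on its own only returns the caller's domain), and it cross-checks the role holders recorded on the domain and forest objects against what each DC itself reports through its OperationMasterRoles property. A mismatch typically points at a seized or stale role, or at replication that has not converged yet. It assumes the ActiveDirectory module and a domain-joined session with read access to the forest; the function name Get-ADFSMORoleReport and its -Server parameter are this example's own.

```powershell
# Added example (not from the original article): inventory FSMO role holders
# for every domain in the forest and cross-check them against the roles each
# DC claims to hold. Assumes the ActiveDirectory (RSAT) module is available.
function Get-ADFSMORoleReport {
    [CmdletBinding()]
    param (
        # Hypothetical parameter: DC or domain to bind to for the forest lookup
        [string]$Server
    )

    $forestParams = @{}
    if ($Server) { $forestParams['Server'] = $Server }
    $forest = Get-ADForest @forestParams

    # The two forest-wide roles are reported once, against the root domain
    $forestRoles = @{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }

    foreach ($domainName in $forest.Domains) {
        # Get-ADDomain alone returns only the caller's domain, so bind to
        # each domain in the forest explicitly
        $domain = Get-ADDomain -Identity $domainName

        # What the domain (and, for the root, the forest) objects record
        $expected = @{
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
        if ($domainName -eq $forest.RootDomain) { $expected += $forestRoles }

        # What every DC in this domain believes it holds; the enumeration
        # values (PDCEmulator, RIDMaster, ...) match the property names above
        $claimed = @{}
        Get-ADDomainController -Filter * -Server $domainName |
            ForEach-Object {
                foreach ($role in $_.OperationMasterRoles) {
                    $claimed[[string]$role] = $_.HostName
                }
            }

        foreach ($role in $expected.Keys) {
            $holder  = $expected[$role]
            $claimer = $claimed[$role]
            [pscustomobject]@{
                Domain     = $domainName
                Role       = $role
                Holder     = $holder
                ClaimedBy  = $claimer
                # False when no DC claims the role or a different DC does
                Consistent = [bool]($claimer -and ($claimer -ieq $holder))
            }
        }
    }
}

# Usage: the full inventory, then only the rows worth investigating
Get-ADFSMORoleReport | Format-Table -AutoSize
Get-ADFSMORoleReport | Where-Object { -not $_.Consistent }
```

Because the report is emitted as objects rather than formatted text, it can be exported with Export-Csv and diffed against a previous run, which is a cheap way to notice an unexpected role seizure or transfer between inventories.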

About the Author

Adam Bertram is a 20-year veteran of IT. He's an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.

