1
00:00:01,440 --> 00:00:06,220
I want to finish this demo by RDPing back to our Forest root domain

2
00:00:06,220 --> 00:00:09,770
controller for my main head domain. In other words, I'm on

3
00:00:09,770 --> 00:00:15,730
rootdc1.timw.info. And I have all of this code in the exercise files by

4
00:00:15,730 --> 00:00:19,920
the way, so you can make use of this Active Directory PowerShell that

5
00:00:19,920 --> 00:00:21,590
I'm sharing with you. First of all,

6
00:00:21,590 --> 00:00:25,650
in terms of understanding which of your domain controllers in the domain

7
00:00:25,650 --> 00:00:30,310
holds a particular role, let me go to the root of drive C and run netdom

8
00:00:30,310 --> 00:00:35,830
/query fsmo, and that'll just give you a quick report of your current role

9
00:00:35,830 --> 00:00:40,380
holders, and the Forest root first domain controller holds all of those

10
00:00:40,380 --> 00:00:44,900
roles at this point. You can use PowerShell to look both at Forest and

11
00:00:44,900 --> 00:00:46,110
root role holders.

12
00:00:46,110 --> 00:00:47,530
As you can see on line 3,

13
00:00:47,530 --> 00:00:51,870
you can use the PowerShell pipeline, the Get‑ADDomain selecting out

14
00:00:51,870 --> 00:00:55,000
InfrastructureMaster, PDCEmulator, RIDMaster.

15
00:00:55,000 --> 00:00:59,550
We can do Get‑ADForest to look at DomainNamingMaster and SchemaMaster.

16
00:00:59,550 --> 00:01:04,180
And then lastly, the question of moving or seizing roles.

17
00:01:04,180 --> 00:01:08,440
The difference between a move or a seize is a move would be a gentle online

18
00:01:08,440 --> 00:01:12,540
operation, a seize would be a brute force offline operation.

19
00:01:12,540 --> 00:01:15,110
If a role holder is inaccessible,

20
00:01:15,110 --> 00:01:18,440
you'll want to do a seize. And it's the same PowerShell. You do

21
00:01:18,440 --> 00:01:23,770
Move‑ADDirectoryServerOperationMasterRole, the Identity of the new server,

22
00:01:23,770 --> 00:01:28,340
then you specify the OperationMasterRoles either using the name or

23
00:01:28,340 --> 00:01:31,030
there's an integer, as you can see in my comment up here.

24
00:01:31,030 --> 00:01:36,050
Microsoft has integer values that are a shorthand for each of the roles. I'm

25
00:01:36,050 --> 00:01:41,920
going to in this case move role 0 and 1, PDCEmulator and RIDMaster to my rootdc2

26
00:01:41,920 --> 00:01:47,260
domain controller and Confirm$false. Force is what makes this a seize. Without

27
00:01:47,260 --> 00:01:49,890
the Force, it's a gentle online operation.

28
00:01:49,890 --> 00:01:53,660
So let me actually get rid of the Force, because both of these servers

29
00:01:53,660 --> 00:01:56,740
are fully online and I want to do this in a gentle way.

30
00:01:56,740 --> 00:01:59,620
So let me right‑click and run this selection. And once

31
00:01:59,620 --> 00:02:01,910
that operation completes successfully,

32
00:02:01,910 --> 00:02:05,060
I can verify the change by clearing the screen and running

33
00:02:05,060 --> 00:02:13,000
netdom /query fsmo again, and you can see that PDC and RID pool manager have now been moved to rootdc2.