Get FSMO role holders and Global Catalogs with PowerShell

    Introduction

    When dealing with Active Directory it is very important to really know your environment. This means knowing your Domain Controllers, your Global Catalogs, which DCs have the FSMO roles, sites, policies and so on. This info is needed especially when you have a problem and want to start debugging or worse, you need to recover some data or to rebuild something.

    First I want to mention that all the information you may need can also be obtained via the GUI, but in some cases you will waste a lot of time just clicking all over the place. This is where PowerShell comes in: in just a couple of lines of code you can obtain a lot of info about your Active Directory infrastructure.

    In this post I want to show you how to obtain 3 of the things an administrator needs to know at certain moments: which Domain Controllers are in my domain, which DCs are Global Catalogs and which DCs hold the 5 FSMO roles. It is also useful to know how to obtain this info when writing documentation.

    We are going to get everything using PowerShell. These commands work in all PS versions from 2.0 and up and should work on all operating systems that support those PowerShell versions. Another requirement is to run the commands from a computer with the Active Directory PowerShell module installed. This means you can run the commands from a Domain Controller, a server with the PowerShell module for Active Directory installed or a client with the RSAT tools installed. For PowerShell 2.0 you will also need to import the module in order to use the commands.

    Enough talking; let’s start. First we will get a list with all Domain Controllers in the current domain.

    If you are using PowerShell 2.0, run the following command first in order to import the Active Directory module into the PowerShell console:

 


Import-Module ActiveDirectory

    Get a list of Domain Controllers

    In big AD infrastructures you may have a lot of DCs, so it does not hurt to know a command that can find all of them at once. The PowerShell cmdlet to do this is Get-ADDomainController. By running the command below you will get a list of all DCs with some basic info about them:


Get-ADDomainController -Filter *

    Here is the result for my test domain with 2 DCs promoted.

Get a list of Domain Controllers


    You can see I got DC1 and DC2. The thing is that all I really wanted was to see the Domain Controller names and nothing more. This can be done by piping the above command to Select-Object so you keep only the Name property:


Get-ADDomainController -Filter * | Select-Object Name

    Now the result is much cleaner and easier to read.

Get DC names


    Get FSMO role holders

    With the DC list covered, let's see which DC holds which FSMO role. FSMO, or Flexible Single Master Operations, roles represent special tasks that Domain Controllers must do in order for AD to work. One role is assigned to one Domain Controller and it is important not to forget where each role is installed.

    There are 5 FSMO roles: 3 are domain wide and the other 2 are forest wide. This is an important fact as the commands to get the roles are different for domain and forest scopes.

    For the domain wide FSMO roles the command to use is Get-ADDomain. This brings up some useful info about the domain you are connected to.

Get Domain information


    To clean up the output a little so it shows only the 3 FSMO roles at the domain level, just run the command and select the desired fields:


Get-ADDomain | Select-Object InfrastructureMaster,PDCEmulator,RIDMaster

Get domain wide FSMO roles


    With the Get-ADForest cmdlet you can obtain some info regarding the forest your domain is in. This includes the 2 remaining FSMO roles.

Get Forest info


    As before, using Select-Object can help us concentrate on the information we need right now:


Get-ADForest | Select-Object DomainNamingMaster,SchemaMaster

Get forest wide FSMO roles


    Get Global Catalogs

    Another thing that will be useful to you is to know which Domain Controllers are Global Catalogs. Every domain must have at least one GC so it doesn't hurt to have this information up to date.

    A Global Catalog list for the forest can be obtained from the Get-ADForest cmdlet by selecting the output as shown in the code below:


Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs

    The result can be seen in the picture:

Get Global Catalogs list
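
    The lookups above can be combined into one per-DC inventory for documentation or for comparing against a saved baseline. The script below is an added example, not code from the original post: the function name Get-DcRoleInventory and the example.test sample data are assumptions, and it needs PowerShell 3.0 or later. Without the Active Directory module it falls back to constructed sample objects.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0+.
# Get-DcRoleInventory is an illustrative name, not a cmdlet from the AD module.
function Get-DcRoleInventory {
    param(
        [Parameter(Mandatory = $true)] $DomainControllers, # Get-ADDomainController -Filter *
        [Parameter(Mandatory = $true)] $Domain,            # Get-ADDomain
        [Parameter(Mandatory = $true)] $Forest             # Get-ADForest
    )
    # FSMO role name -> FQDN of the DC holding it (3 domain wide, 2 forest wide).
    $roles = [ordered]@{
        PDCEmulator          = $Domain.PDCEmulator
        RIDMaster            = $Domain.RIDMaster
        InfrastructureMaster = $Domain.InfrastructureMaster
        DomainNamingMaster   = $Forest.DomainNamingMaster
        SchemaMaster         = $Forest.SchemaMaster
    }
    # A forest wide role may live on a DC in another domain of the forest,
    # so flag holders that are missing from the DC list instead of hiding them.
    foreach ($role in $roles.Keys) {
        if ($DomainControllers.HostName -notcontains $roles[$role]) {
            Write-Warning "$role is held by $($roles[$role]), which is not in the DC list"
        }
    }
    # One row per DC: GC flag plus every FSMO role whose holder matches its FQDN.
    foreach ($dc in $DomainControllers) {
        $held = @($roles.Keys | Where-Object { $roles[$_] -eq $dc.HostName })
        [pscustomobject]@{
            Name          = $dc.Name
            HostName      = $dc.HostName
            GlobalCatalog = $Forest.GlobalCatalogs -contains $dc.HostName
            FsmoRoles     = $held -join ', '
        }
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dcs    = Get-ADDomainController -Filter *
    $domain = Get-ADDomain
    $forest = Get-ADForest
} else {
    # Constructed sample data (example.test is a placeholder domain).
    $dcs    = 'DC1', 'DC2' | ForEach-Object { [pscustomobject]@{ Name = $_; HostName = "$($_).example.test" } }
    $domain = [pscustomobject]@{ PDCEmulator = 'DC1.example.test'; RIDMaster = 'DC1.example.test'
                                 InfrastructureMaster = 'DC2.example.test' }
    $forest = [pscustomobject]@{ DomainNamingMaster = 'DC1.example.test'; SchemaMaster = 'DC1.example.test'
                                 GlobalCatalogs = @('DC1.example.test') }
}
Get-DcRoleInventory -DomainControllers $dcs -Domain $domain -Forest $forest | Format-Table -AutoSize
```

    The objects returned by Get-ADDomainController also carry IsGlobalCatalog and OperationMasterRoles properties, which can serve as a cross-check on this table.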


    So there you have it. This is how easy it is to obtain this info from your AD infrastructure.

 
