
Active Directory – Move-ADDirectoryServerOperationMasterRole: Access is denied

Move-ADDirectoryServerOperationMasterRole

When working with Active Directory, one of the common tasks is moving FSMO roles between servers. Well, maybe not that common, but from time to time you have to move all or just some of the FSMO roles. For that purpose there is a single PowerShell command, Move-ADDirectoryServerOperationMasterRole. Sure, you can do this via the GUI, but if there's one command available to do it all, why bother? To make the move, one has to be a Domain Admin, Enterprise Admin and Schema Admin. Everything was going smoothly for some roles but wasn't working for others.

PS C:\Windows\system32> Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster

cmdlet Move-ADDirectoryServerOperationMasterRole at command pipeline position 1
Supply values for the following parameters:
Identity: XXXXXXX

Move Operation Master Role
Do you want to move role 'SchemaMaster' to server 'XXXXXXX.domain.pl' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Move-ADDirectoryServerOperationMasterRole : Access is denied
At line:1 char:1
+ Move-ADDirectoryServerOperationMasterRole -OperationMasterRole Schema ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (XXXXXXX:ADDirectoryServer) [Move-ADDirector...ationMasterRole], ADExcept
   ion
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.MoveADDirectorySer
   verOperationMasterRole

Access is denied for an FSMO role move? What now?

Double-checked the groups my user has – correct.

ForestMode and DomainMode – correct.

PowerShell running as Administrator – correct.

So what could be wrong? Nothing looks wrong at first sight. The trick is (for whatever reason) to change your primary group to Schema Admins.

By default, it should be Domain Users, but if you're having problems with an FSMO move, set your primary group to Schema Admins and you're good to go. Remember that you need to log out for the group change to take effect. After you log back in, you should be able to move the FSMO role without a problem.
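
As an added example (not code from the original post), the PowerShell below checks the three group memberships listed above, records the current role holders, and applies the primary-group change. It assumes the ActiveDirectory module and an account in the same domain as Schema Admins; `Set-UserPrimaryGroup` and `DC01` are hypothetical names, and restoring Domain Users afterwards is an addition based on the default the post mentions.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# Set-UserPrimaryGroup is a hypothetical helper; 'DC01' is a placeholder server name.
Import-Module ActiveDirectory

function Set-UserPrimaryGroup {
    param(
        [string]$UserName = $env:USERNAME,
        [Parameter(Mandatory)][string]$GroupName
    )
    $user  = Get-ADUser  -Identity $UserName -Properties PrimaryGroup
    $group = Get-ADGroup -Identity $GroupName

    # A primary group can only be a group the user already belongs to.
    $memberOf = (Get-ADPrincipalGroupMembership -Identity $user).DistinguishedName
    if ($group.DistinguishedName -notin $memberOf) {
        throw "$UserName is not a member of '$GroupName'."
    }

    # primaryGroupID stores the group's RID, the last component of its SID.
    $rid = [int]($group.SID.Value -split '-')[-1]
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }
    "Primary group of $UserName changed from '$($user.PrimaryGroup)' to '$($group.DistinguishedName)'"
}

# 1. Confirm membership in the three groups the post lists as required.
$required = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$current  = (Get-ADPrincipalGroupMembership -Identity $env:USERNAME).Name
$missing  = $required | Where-Object { $_ -notin $current }
if ($missing) { throw "Missing membership: $($missing -join ', ')" }

# 2. Record the current role holders so the result of the move can be verified.
Get-ADForest | Format-List SchemaMaster, DomainNamingMaster
Get-ADDomain | Format-List PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Apply the workaround from the post, then log out and back in.
Set-UserPrimaryGroup -GroupName 'Schema Admins'

# 4. After logging back in, move the role, verify it, and restore the default:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC01' -OperationMasterRole SchemaMaster
# Get-ADForest | Format-List SchemaMaster
# Set-UserPrimaryGroup -GroupName 'Domain Users'
```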
