Active Directory

Active Directory – Move-AD Directory Server Operation Master Role: Access is denied

When working with Active Directory one of the common tasks is to move FSMO roles between servers. Well, maybe not that common but it happens from time to time where you have to move all or just some of the FSMO roles. For that purposes, there is single PowerShell command Move-ADDirectoryServerOperationalMasterRole. Sure you can do this via GUI but if there's one command available to fix it all why bother? To make the move one has to be a Domain Admin, Enterprise Admin and Schema Admin. Everything was going smoothly for some roles but wasn't working for others.

PS C:\Windows\system32> Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster

cmdlet Move-ADDirectoryServerOperationMasterRole at command pipeline position 1
Supply values for the following parameters:
Identity: XXXXXXX

Move Operation Master Role
Do you want to move role 'SchemaMaster' to server 'XXXXXXX.domain.pl' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Move-ADDirectoryServerOperationMasterRole : Access is denied
At line:1 char:1
+ Move-ADDirectoryServerOperationMasterRole -OperationMasterRole Schema ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (XXXXXXX:ADDirectoryServer) [Move-ADDirector...ationMasterRole], ADExcept
   ion
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.MoveADDirectorySer
   verOperationMasterRole
Access is denied for FSMO move role? What now?
Double check of groups my user has – correct.

ForestMode and DomainMode – Correct

PowerShell running as Administrator – correct

So what could be wrong? Nothing that can be considered wrong on first sight. The trick is (for whatever reason) to change your Primary group to Schema Admins.

By default, it should be Domain Users but if you're having problems with FSMO move, just set your Primary group to Schema Admins and you're good to go. Remember that you need to log out for the group changes to update properly. After you log back in you should be able to move FSMO role without a problem.

This post was last modified on %s = human-readable time difference 20:37

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Share
Published by
Przemyslaw Klys

Recent Posts

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

1 month ago

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

3 months ago

Active Directory Replication Summary to your Email or Microsoft Teams

Active Directory replication is a critical process that ensures the consistent and up-to-date state of…

7 months ago

Syncing Global Address List (GAL) to personal contacts and between Office 365 tenants with PowerShell

Hey there! Today, I wanted to introduce you to one of the small but excellent…

11 months ago

Active Directory Health Check using Microsoft Entra Connect Health Service

Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…

1 year ago

Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module

In today's digital age, the ability to create compelling and informative HTML reports and documents…

1 year ago