Active Directory Security Tip #10: FSMO Roles
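Summary: The article describes the Microsoft-supported backup strategy for domain controllers and recommends placing all FSMO (Flexible Single Master Operation) roles on a single domain controller to simplify the backup process. It also provides a PowerShell script for checking the FSMO role holders in the forest and the current domain. 2025-10-2 00:3:0 Author: adsecurity.org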

Oct 01 2025

Getting Microsoft-supported backups of Domain Controllers is an important part of a recovery strategy.

A best practice is to locate all Flexible Single Master Operation (FSMO) roles on a single DC in the domain. That way you can more easily target the DC that hosts the FSMO roles for backup.


PowerShell code to check for FSMO role holders for the forest & current domain:

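# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# Forest-wide FSMO roles
$ADForestArray = Get-ADForest
$ADForestArray | Select-Object SchemaMaster,DomainNamingMaster

# Domain-level FSMO roles, queried from a discovered DC in each domain
ForEach ($ADForestArrayDomain in $ADForestArray.Domains)
{
    $DomainDC = (Get-ADDomainController -Discover -DomainName $ADForestArrayDomain).Name
    Get-ADDomain -Server $DomainDC | Select-Object PDCEmulator,RIDMaster,InfrastructureMaster
}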
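
One way to turn the listing above into a pass/fail check, as an added example that is not part of the original post: it reports, per domain, whether every FSMO role is held by the same DC and names that DC as the backup target. The function names and the constructed sample forest are hypothetical, and counting the two forest-wide roles against the forest root domain is an assumption of this example.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Get-FsmoRoleRows {
    # Live collection: needs the ActiveDirectory module and a domain-joined host.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $dom = Get-ADDomain -Server $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Domain = $dom.DNSRoot; Role = $role; Holder = $dom.$role }
        }
    }
    # The two forest-wide roles are held by DCs in the forest root domain.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
}

function Test-FsmoConsolidation {
    param([Parameter(Mandatory)][object[]]$RoleRows)
    foreach ($group in ($RoleRows | Group-Object -Property Domain)) {
        $holders = @($group.Group.Holder | Sort-Object -Unique)
        $single  = $holders.Count -eq 1
        [pscustomobject]@{
            Domain       = $group.Name
            Consolidated = $single
            # One holder: that DC is the one to target for backup.
            BackupTarget = if ($single) { $holders[0] } else { $null }
            # Several holders: list which role sits where so they can be moved.
            SplitRoles   = if ($single) { $null } else {
                ($group.Group | ForEach-Object { '{0}={1}' -f $_.Role, $_.Holder }) -join '; '
            }
        }
    }
}

# Constructed sample rows (hypothetical forest) so the check runs without AD.
$sample = @(
    'corp.example,PDCEmulator,dc01.corp.example'
    'corp.example,RIDMaster,dc01.corp.example'
    'corp.example,InfrastructureMaster,dc01.corp.example'
    'corp.example,SchemaMaster,dc01.corp.example'
    'corp.example,DomainNamingMaster,dc01.corp.example'
    'child.corp.example,PDCEmulator,dc11.child.corp.example'
    'child.corp.example,RIDMaster,dc11.child.corp.example'
    'child.corp.example,InfrastructureMaster,dc12.child.corp.example'
) | ConvertFrom-Csv -Header Domain, Role, Holder

Test-FsmoConsolidation -RoleRows $sample | Format-List
# Against a live forest: Test-FsmoConsolidation -RoleRows (Get-FsmoRoleRows)
```

A domain reported with `Consolidated = False` has its roles spread over the DCs listed in `SplitRoles`, so no single DC backup covers all of them.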


Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8


Article source: https://adsecurity.org/?p=4591