Moving Active Directory FSMO roles in Windows 2003

Before you can safely remove a domain controller from an Active Directory domain, you need to make sure that any FSMO roles it holds are transferred to other DCs. While there are of course ways to seize those roles in the event of a DC becoming unavailable, that’s not something you want to be doing. And though DCPROMO is supposed to reassign those roles automatically when demoting the DC, it’s not unheard of for that to silently fail. So, for a lot of admins, it’s standard operating procedure to manually move the roles off a DC before decommissioning it.

Solution

This can be done using NETDOM from the command-line.

  1. First, you need to know which machine currently has the FSMO roles.  It’s entirely possible everything’s already on a different machine and you can move ahead with your dcpromo.
    > netdom query /domain:puryear-it fsmo
    Schema owner dc-1.puryear-it.local
    
    Domain role owner dc-1.puryear-it.local
    
    PDC role dc-1.puryear-it.local
    
    RID pool manager dc-1.puryear-it.local
    
    Infrastructure owner dc-1.puryear-it.local
    
    The command completed successfully.

    In this case, all the roles are on the server named “dc-1.puryear-it.local”. Let’s assume we’re decommissioning that machine, so we need to move the roles to another DC. I’m assuming you already know the names of the DCs in your domain but, just in case:

    > netdom query /domain:puryear-it DC
    List of domain controllers with accounts in the domain:
    
    dc-1
    dc-2
    The command completed successfully.
  2. We need to move the roles to another machine (dc-2 in this case). There are GUI tools to do it, but that would mean opening several different windows, and we’re already in the shell, so we can just use ntdsutil:
    > ntdsutil
    C:\WINDOWS\system32\ntdsutil.exe:

    Note: for the rest of the steps, I’m putting whatever you’re supposed to type in bold to differentiate it from what ntdsutil is spitting out to the screen.

  3. By default, ntdsutil will confirm changes by popping up a GUI window; I find this annoying so I turn it off. Warning: this disables confirmation completely!
    C:\WINDOWS\system32\ntdsutil.exe: Popups off
    Interactive popups are disabled
  4. The “roles” command switches to FSMO maintenance mode.
    C:\WINDOWS\system32\ntdsutil.exe: roles
    fsmo maintenance:
  5. Now you need to connect to the server that’s supposed to host the roles after you’re done. Once connected, you can return to FSMO maintenance.
    fsmo maintenance: connections
    server connections: connect to server dc-2
    Binding to dc-2 ...
    Connected to dc-2 using credentials of locally logged on user.
    server connections: q
    fsmo maintenance:
  6. Now to actually transfer roles. Sending a “?” will give you the list of commands you can run, which helpfully also contains a list of all the roles you can transfer.
    fsmo maintenance: ?
    
     ?                             - Show this help information
     Connections                   - Connect to a specific domain controller
     Help                          - Show this help information
     Quit                          - Return to the prior menu
     Seize domain naming master    - Overwrite domain role on connected server
     Seize infrastructure master   - Overwrite infrastructure role on connected server
     Seize PDC                     - Overwrite PDC role on connected server
     Seize RID master              - Overwrite RID role on connected server
     Seize schema master           - Overwrite schema role on connected server
     Select operation target       - Select sites, servers, domains, roles and
                                     naming contexts
     Transfer domain naming master - Make connected server the domain naming master
     Transfer infrastructure master - Make connected server the infrastructure master
     Transfer PDC                  - Make connected server the PDC
     Transfer RID master           - Make connected server the RID master
     Transfer schema master        - Make connected server the schema master
    
    fsmo maintenance:

    We’re mainly interested in the last 5; the “Seize” commands are really only for recovering from the sudden loss of the DC with that role.

  7. The “transfer pdc” command does exactly that: it transfers the PDC role to the connected DC. Every transfer command prints the current role owners once the transfer completes. In this case, all the roles still remain on dc-1 except “PDC”, which now belongs to dc-2:
    fsmo maintenance: transfer pdc
    Server "dc-2" knows about 5 roles
    Schema - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
    Domain - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
    PDC - CN=NTDS Settings,CN=dc-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
    RID - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
    Infrastructure - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
    fsmo maintenance:
  8. Repeat the previous step for each role, then exit ntdsutil:
    fsmo maintenance: quit
    C:\WINDOWS\system32\ntdsutil.exe: quit
    Disconnecting from dc-2...
  9. If you re-run the netdom query above, it should now list all roles as belonging to dc-2:
    > netdom query /domain:puryear-it fsmo
    Schema owner dc-2.puryear-it.local
    
    Domain role owner dc-2.puryear-it.local
    
    PDC role dc-2.puryear-it.local
    
    RID pool manager dc-2.puryear-it.local
    
    Infrastructure owner dc-2.puryear-it.local
    
    The command completed successfully.

One note of interest: netdom reports a role named “Domain role owner” while ntdsutil lets you transfer a role named “domain naming master”. These are in fact the same role, but it’s anyone’s guess why it has two different names.
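The same netdom/ntdsutil sequence driven unattended from PowerShell, with a check that all five roles actually landed on the new DC before you go on to dcpromo. This is an added example, not part of the original post; it assumes netdom.exe and ntdsutil.exe are on the PATH of a domain-joined host, uses the page’s domain name puryear-it and target dc-2 as defaults, and that you are logged on with rights to transfer every role.

```powershell
# Added example (not from the original post): run the page's netdom/ntdsutil
# steps unattended and refuse to report success unless every FSMO role moved.
# Assumes netdom.exe and ntdsutil.exe are on the PATH of a domain-joined host
# and the logged-on user has rights to transfer all five roles.
param(
    [string]$Domain   = 'puryear-it',   # NetBIOS domain name, as used by netdom on the page
    [string]$TargetDc = 'dc-2'          # DC that should own all five roles afterwards
)

# Parse netdom's text ("PDC role dc-1.puryear-it.local") into a role => owner table.
# "Domain role owner" here is the role ntdsutil calls "domain naming master".
function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    $roles  = 'Schema owner', 'Domain role owner', 'PDC role', 'RID pool manager', 'Infrastructure owner'
    $owners = @{}
    foreach ($line in $Lines) {
        $text = $line.Trim()
        foreach ($role in $roles) {
            if ($text -like "$role *") { $owners[$role] = $text.Substring($role.Length).Trim() }
        }
    }
    return $owners
}

# Roles whose owner host name is not $Target (netdom prints FQDNs, ntdsutil short names).
function Get-MisplacedRoles {
    param([hashtable]$Owners, [string]$Target)
    $Owners.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ne $Target } |
        ForEach-Object { "$($_.Key) is still on $($_.Value)" }
}

$before = ConvertFrom-NetdomFsmo (& netdom query "/domain:$Domain" fsmo)
if ($before.Count -ne 5) { throw "netdom did not return all five role owners; aborting." }
$before.GetEnumerator() | ForEach-Object { Write-Host "Before: $($_.Key) -> $($_.Value)" }

# The interactive session from the page, passed as arguments so ntdsutil needs no typing.
# "popups off" is needed for an unattended run (and removes the confirmation, as the page
# warns). Only "transfer" is used; "seize" is for a DC that is gone for good.
& ntdsutil 'popups off' 'roles' 'connections' "connect to server $TargetDc" 'quit' `
    'transfer schema master' 'transfer domain naming master' 'transfer pdc' `
    'transfer rid master' 'transfer infrastructure master' 'quit' 'quit'

$after = ConvertFrom-NetdomFsmo (& netdom query "/domain:$Domain" fsmo)
$left  = @(Get-MisplacedRoles -Owners $after -Target $TargetDc)
if ($after.Count -ne 5 -or $left.Count -gt 0) {
    $left | ForEach-Object { Write-Warning $_ }
    throw "Not every FSMO role is on $TargetDc; do not demote the old DC yet."
}
Write-Host "All five FSMO roles are now owned by $TargetDc."
```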
