Before you can safely remove a domain controller from an Active Directory domain, you need to make sure that any FSMO roles it holds are transferred to other DCs. There are, of course, ways to seize those roles if a DC becomes unavailable, but that is not something you want to be doing. And though DCPROMO is supposed to reassign those roles automatically when demoting the DC, it is not unheard of for that to silently fail. So, for a lot of admins, it is standard operating procedure to manually move the roles off a DC before decommissioning it.
This can be done from the command line using NETDOM (to query the role owners) and ntdsutil (to transfer them).
- First, you need to know which machine currently has the FSMO roles. It’s entirely possible everything’s already on a different machine and you can move ahead with your dcpromo.
```text
> netdom query /domain:puryear-it fsmo
Schema owner                dc-1.puryear-it.local
Domain role owner           dc-1.puryear-it.local
PDC role                    dc-1.puryear-it.local
RID pool manager            dc-1.puryear-it.local
Infrastructure owner        dc-1.puryear-it.local

The command completed successfully.
```
In this case, all the roles are on the server named “dc-1.puryear-it.local”. Let’s assume we’re decommissioning that machine, so we need to move the roles to another DC. I’m assuming you already know the names of the DCs in your domain but, just in case:
```text
> netdom query /domain:puryear-it DC
List of domain controllers with accounts in the domain:

dc-1
dc-2

The command completed successfully.
```
- We need to move the roles to another machine (dc-2 in this case). There are GUI tools to do it, but that would mean opening several different windows, and we are already in the shell; so we can just use ntdsutil:
```text
> ntdsutil
C:\WINDOWS\system32\ntdsutil.exe:
```
Note: for the rest of the steps, whatever you are supposed to type appears right after the ntdsutil prompt (for example `fsmo maintenance:`) on the same line; everything else is what ntdsutil is spitting out to the screen.
- By default, ntdsutil will confirm changes by popping up a GUI window; I find this annoying so I turn it off. Warning: this disables confirmation completely!
```text
C:\WINDOWS\system32\ntdsutil.exe: Popups off
Interactive popups are disabled
```
- The “roles” command switches to FSMO maintenance mode:
```text
C:\WINDOWS\system32\ntdsutil.exe: roles
fsmo maintenance:
```
- Now you need to connect to the server that’s supposed to host the roles after you’re done. Once connected, you can return to FSMO maintenance.
```text
fsmo maintenance: connections
server connections: connect to server dc-2
Binding to dc-2 ...
Connected to dc-2 using credentials of locally logged on user.
server connections: q
fsmo maintenance:
```
- Now to actually transfer roles. Sending a “?” will give you the list of commands you can run, which helpfully also contains a list of all the roles you can transfer.
```text
fsmo maintenance: ?

 ?                            - Show this help information
 Connections                  - Connect to a specific domain controller
 Help                         - Show this help information
 Quit                         - Return to the prior menu
 Seize domain naming master   - Overwrite domain role on connected server
 Seize infrastructure master  - Overwrite infrastructure role on connected server
 Seize PDC                    - Overwrite PDC role on connected server
 Seize RID master             - Overwrite RID role on connected server
 Seize schema master          - Overwrite schema role on connected server
 Select operation target      - Select sites, servers, domains, roles and naming contexts
 Transfer domain naming master - Make connected server the domain naming master
 Transfer infrastructure master - Make connected server the infrastructure master
 Transfer PDC                 - Make connected server the PDC
 Transfer RID master          - Make connected server the RID master
 Transfer schema master       - Make connected server the schema master

fsmo maintenance:
```
We’re mainly interested in the last 5; the “Seize” commands are really only for recovering from the sudden loss of the DC with that role.
- The “transfer pdc” command does exactly that: it transfers the PDC role to the connected DC. All the transfer commands print the current role owners once the transfer is complete. In this case, all the roles still remain on dc-1 except “PDC”, which now belongs to dc-2:
```text
fsmo maintenance: transfer pdc
Server "dc-2" knows about 5 roles
Schema - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
Domain - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
PDC - CN=NTDS Settings,CN=dc-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
RID - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
Infrastructure - CN=NTDS Settings,CN=dc-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Puryear-IT,DC=local
fsmo maintenance:
```
- Repeat the previous step for each of the remaining roles, then exit ntdsutil:
```text
fsmo maintenance: quit
C:\WINDOWS\system32\ntdsutil.exe: quit
Disconnecting from dc-2...
```
- If you re-run the netdom query above, it should now list all roles as belonging to dc-2:
```text
> netdom query /domain:puryear-it fsmo
Schema owner                dc-2.puryear-it.local
Domain role owner           dc-2.puryear-it.local
PDC role                    dc-2.puryear-it.local
RID pool manager            dc-2.puryear-it.local
Infrastructure owner        dc-2.puryear-it.local

The command completed successfully.
```
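The same query, transfer and verify sequence, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module instead of netdom/ntdsutil, assumes the hostnames from the post (dc-2 as the new owner) and an account with the rights to move all five roles (schema transfer needs Schema Admins); `-Confirm:$false` plays the same part as `popups off` above, and leaving out `-Force` keeps this a transfer, never a seize.

```powershell
# Added example (not from the original post): move all five FSMO roles to a
# target DC and refuse to declare success until every role reports the new owner.
Import-Module ActiveDirectory

$TargetDc = 'dc-2'   # assumption: the DC that should own the roles when we're done

function Get-FsmoOwners {
    # The same five roles "netdom query fsmo" reports: forest roles come from
    # Get-ADForest, domain roles from Get-ADDomain (values are DC FQDNs).
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster   # "Domain role owner" in netdom
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Resolve the target first; this fails early if dc-2 is unreachable or misspelled.
$target = Get-ADDomainController -Identity $TargetDc

"Role owners before:"
Get-FsmoOwners | Format-Table -AutoSize

# Transfer (not seize): without -Force the current owner must be online and
# cooperate, which is exactly what you want before a planned decommission.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

"Role owners after:"
$after = Get-FsmoOwners
$after | Format-Table -AutoSize

# Verify: anything not on the target is a reason to stop before running dcpromo.
$stragglers = $after.GetEnumerator() | Where-Object { $_.Value -ne $target.HostName }
if ($stragglers) {
    Write-Error ("Roles still not on {0}: {1}" -f $target.HostName, (($stragglers | ForEach-Object Key) -join ', '))
} else {
    "All five roles are now on $($target.HostName); safe to proceed with demoting the old DC."
}
```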
One note of interest: netdom reports a role named “Domain role owner”, while ntdsutil lets you transfer a role named “domain naming master”. These are in fact the same role, but it’s anyone’s guess why it has two different names.