DefinIT Because if IT were easy, everyone would do it…

7 Jan 08

Using NTDSUtil to transfer FSMO Roles by command line

Posted by Sam McGeown

I’ve just removed a domain controller (DC) from my root domain, the very first server not only in the domain, but the forest. The roles were migrating to a newer server, far more up to the job, but it isn’t a job to be taken lightly. If you mess up the root domain, you’ve potentially got problems all the way down your domain hierarchy.


Let me explain: the primary domain controller in a domain (normally the first domain controller) hosts all the FSMO roles. By default it is also the only copy of the Global Catalog (GC). So even if you have other domain controllers in the forest, you could potentially end up with a seriously crippled domain.

So, you want to transfer them safely off your old domain controller (from now on DC1) to your new one (from now on DC2). You must ensure that the following are transferred:

  • Schema Master - The only server in the FOREST that can edit the Schema; all other DCs receive a read-only copy.
  • Domain Naming Master - The only server in the FOREST that can add/remove domains in the Directory.
  • Infrastructure Master - Updates an object's Security ID (SID) and Distinguished Name (DN). One per DOMAIN.
  • Relative ID (RID) Master - Processes RID pool requests from all DCs in the Domain. One per DOMAIN.
  • Primary Domain Controller (PDC) Emulator - Windows Time Server (amongst other things) for Kerberos; it is authoritative for its domain. If it is the root domain, it is authoritative for the Enterprise.

This can potentially cause irreparable damage to your Active Directory, so I strongly advise you check that your domain is in good working order and has been fully backed up before you attempt to transfer any roles.

  1. On any domain controller open a command prompt and run “ntdsutil” (Note: you need to be an ENTERPRISE admin to modify the Schema, Domain Naming and Infrastructure masters and a DOMAIN admin for the rest).
  2. Type “roles” to enter FSMO Maintenance mode.
  3. Type “connections” to enter the server connections mode, and “server <servername>” to select the server you are transferring roles to, e.g. “server DC2”.
  4. Type “q” to drop back into FSMO Maintenance mode.
  5. Type “transfer <role>” to transfer the role you want. You will get a pop-up warning asking if you are sure; if you are, click “Yes”. <role> can be:
    • domain naming master
    • infrastructure master
    • RID master
    • PDC
    • schema master
  6. I transferred the roles in that order; it shouldn’t make much difference which order you do them in. Once all the roles are transferred, type “q” again to drop out, and “q” again to quit NTDSUtil.
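The same ntdsutil sequence, wrapped in a script that records the role holders before and after so you can confirm every role actually landed on the new DC. This is an added example, not from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that you hold the admin rights described above, and it uses DC2 as the target name.

```powershell
# Added example: transfer all five FSMO roles to one DC with ntdsutil and verify.
# Assumes the ActiveDirectory module is available; $Target is the new role holder.
param([string]$Target = 'DC2')

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        'schema master'         = $forest.SchemaMaster
        'domain naming master'  = $forest.DomainNamingMaster
        'infrastructure master' = $domain.InfrastructureMaster
        'RID master'            = $domain.RIDMaster
        'PDC'                   = $domain.PDCEmulator
    }
}

Write-Host 'Role holders before transfer:'
Get-FsmoHolders.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Same order as the post. One ntdsutil run per role keeps a failure isolated;
# ntdsutil still shows its "Are you sure?" dialog for each transfer.
# Windows Server 2008 and later name the second role "naming master" instead.
$roles = 'domain naming master', 'infrastructure master', 'RID master', 'PDC', 'schema master'

foreach ($role in $roles) {
    Write-Host "Transferring $role to $Target ..."
    & ntdsutil 'roles' 'connections' "connect to server $Target" 'quit' "transfer $role" 'quit' 'quit'
    # The exit code is not a reliable success signal; the holder check below is the real test.
}

Write-Host 'Role holders after transfer:'
$after = Get-FsmoHolders
$after.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Compare on host name only, since the AD cmdlets return fully qualified names.
$missed = $after.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $Target }
if ($missed) { Write-Error "Roles not on ${Target}: $($missed.Key -join ', ')" }
else { Write-Host "All five FSMO roles are now held by $Target" }
```

Run it from an elevated PowerShell session on a domain controller; if any role is reported as missed, repeat that single transfer rather than the whole sequence.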