Now that we have a newly deployed shiny 2012 R2 Domain Controller, BEFORE delving in and transferring the FSMO roles, you really should run another AD health check against the environment to make sure the new DC is actually replicating and servicing AD correctly.
To do this I’m going to run the exact same script as per Part 2, to ensure I can see the new server appearing in the AD health check results.
This time you can see from the below images the new DC (MRDC02) now appears.
We can also see the netlogon and sysvol shares, and if we look in the netlogon share it is populated with the test document which was placed in there on the old DC.
All is looking good so far, so we can now proceed with transferring of the FSMO Roles.
Firstly, let’s just double check where the current roles are sitting so we can use this as a reference later on
*NOTE* – Although there is no “official” order for moving the FSMO roles from Microsoft, the roles are usually moved in the following order:
Schema > Domain naming > PDC emulator > RID master > Infrastructure
This is because the Schema and Domain Naming roles are forest level roles, whilst PDC, RID and Infrastructure are domain level roles.
*NOTE* – The account being used to transfer the FSMO roles requires the following permissions.
In order to move the Schema Master FSMO Role, we must first install/register the schema master AD management tool. From an Administrative command prompt run the following:
If successful the following information box will appear
Now we should be able to access the Active Directory Schema Console. From the same command prompt type “MMC”. From the new management console window which appears select File > Add / Remove Snap-in, and select “Active Directory Schema” as shown in the image below.
If you attempt to transfer the schema straight away by right clicking and selecting operations master
You will see the second server, MRDC02, is not listed, and as such you are unable to change the role holder.
This is because you are currently connected to MRDC01 (if you expand the MMC panel)
You need to right click and select “Change ADDC”
From here, select the new DC (MRDC02)
The following information box will pop up alerting you to the fact that you are unable to make changes to the schema.
Now connected to MRDC02, you can right click and select “Operations Master”
This time you will see MRDC02 is listed as the server you can transfer the FSMO role to. Select Change
Select Yes to the next prompt
You will then be informed the role has been transferred
That’s the first FSMO role down, only four to go….
Next up is the domain naming master role. Open up Active Directory Domains and Trusts and right click ADDT.
Select Operations Master
Unlike the schema master, the remaining roles will pre-populate the field with the new 2012 R2 DC.
Select “Change”, and then select “Yes”
Click OK once complete.
The next three roles (RID, PDC and Infrastructure) can all be transferred via the same console.
Open up Active Directory Users and Computers, right click the domain name and select “Operations Masters”
Along the top you will see three tabs: RID, PDC, Infrastructure. Start with RID and transfer the role, and then complete for PDC and Infrastructure.
The final item that needs doing once the PDC Emulator role has been transferred is to set the NTP time source on the new PDC Emulator. The PDC Emulator is the time source for AD, so we must point the PDC Emulator at the NTP device on the network. For most environments this is either a network switch/router or a physical time device to make sure time is sync’d across the estate.
However in this instance we will be using the local server as the time source. First we need to tell the old PDC Emulator server it is no longer authoritative as the time source. To do so run the following command on the OLD Server (MRDC01)
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
Once complete, switch to the new PDC Emulator Server (MRDC02) and run the below
w32tm /config /manualpeerlist:MRDC02 /syncfromflags:manual /reliable:yes /update
Stop and Start the w32time service, and finally run the command:
The time source now shows as the local CMOS clock on the server.
On the old DC we can now see MRDC02 as the time source
Now all the above has been performed, double check the FSMO role location by running:
This will ensure all the FSMO Roles now sit on the correct server.
As can be seen from the above screenshot, which was taken before and after the roles were transferred, all the FSMO roles now sit on the new MRDC02 server.
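The same transfer and verification can be scripted rather than clicked through the three consoles. The following is an added example, not part of the original post, using the ActiveDirectory PowerShell module; it assumes RSAT is installed, that the account holds the Schema Admins, Enterprise Admins and Domain Admins memberships needed for the forest and domain roles, and that the server names match the ones used in this series (MRDC02 as the new DC).

```powershell
# Added example (not from the original post): transfer the FSMO roles in the
# forest-first order described above and verify the result, all from PowerShell.
# Assumptions: RSAT ActiveDirectory module present; run as a member of
# Schema Admins, Enterprise Admins and Domain Admins; new DC is MRDC02.
Import-Module ActiveDirectory

$NewDc = 'MRDC02'

# Snapshot of the current role holders (the "reference" check before the move)
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
Write-Host 'FSMO holders before transfer:'
$before | Format-List

# Forest-level roles first, then domain-level roles, matching the post's order
$order = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
foreach ($role in $order) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $role -Confirm:$false
}

# Verify every role now sits on the new DC; values come back as FQDNs, so match on the host prefix
$after = Get-FsmoHolders
Write-Host 'FSMO holders after transfer:'
$after | Format-List
foreach ($role in $order) {
    if ($after.$role -notlike "$NewDc.*") {
        throw "$role is still held by $($after.$role); transfer did not complete"
    }
}

# Once the PDC Emulator has moved, make the new holder the authoritative time source
# (the post uses the local clock; substitute your NTP appliance in /manualpeerlist in production)
if ($env:COMPUTERNAME -eq $NewDc) {
    w32tm /config /manualpeerlist:$NewDc /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /query /source
}
```

Run the script from the new DC so the final time-service block executes there; the old PDC Emulator still needs the `/reliable:no` reconfiguration shown earlier in the post.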
There we have it, part 4 is down with part 5 coming up shortly.