• Active Directory 2003 to 2012 R2 Migration – Part 4 – Checking AD Health and Transferring of FSMO Roles

    Posted on April 26, 2016 by in Latest News, Studying, Tutorials



    Now that we have a newly deployed shiny 2012 R2 Domain Controller, BEFORE delving in and transferring the FSMO roles, you really should run another AD health check against the environment to make sure the new DC is actually replicating and servicing AD correctly.

    To do this I’m going to run the exact same script as per Part 2, to ensure I can see the new server appearing in the AD health check results.

    This time you can see from the below images the new DC (MRDC02) now appears.

    30-01-2015 21-17-55-0135 30-01-2015 21-18-21-0134


    We can also see the netlogon and sysvol shares, and if we look in the netlogon share ts populated with the test document which was placed in there on the old DC.

    30-01-2015 21-18-42-0133

    30-01-2015 21-18-48-0132

    All is looking good so far, so we can now proceed with transferring of the FSMO Roles.

    Firstly, let’s just double check where the current roles are sitting so we can use this as a reference later on

    30-01-2015 21-19-35-0131

    *NOTE* – Although there is no “Official” order of moving the FSMO Roles from Microsoft, the roles are usual moved in the following order:
    Schema > Domain naming > PDC emulator > RID master > Infrastructure

    This is because the Schema and Domain Naming roles are forest level roles, whilst PDC, RID and Infrastructure are domain level roles.

    *NOTE* – The account being used to transfer the FSMO roles requires the following permissions.

    • Schema Role = Schema Admins
    • Domain Naming = Enterprise Admins
    • RID, PDC, Infrastructure = Domain Admins

    In order to move the Schema Master FSMO Role, we must first install/register the schema master AD management tool. From an Administrative command prompt run the following:

    • regsvr32 schmmgmt.dll

    30-01-2015 21-22-58-0122

    If successful the following information box will appear

    30-01-2015 21-23-10-0121

    Now we should be able to access the Active Directory Schema Console. From the same command prompt type “MMC”. From the new management console window which appears select File > Add / Remove Snap-in, and select “Active Directory Schema” as soon in the image below.

    30-01-2015 21-23-31-0120

    If you attempt to transfer the schema straight away by right clicking and selecting operations master

    30-01-2015 21-23-46-0119

    You will see the second MRDC02 server is not listed, and as such unable to change the role holder

    30-01-2015 21-24-26-0118

    This is because you are currently connected to MRDC01 (if you expand the MMC panel)

    30-01-2015 21-24-35-0117

    You need to right click and select “Change ADDC”

    30-01-2015 21-24-52-0116

    From here, select the new DC (MRDC02)

    30-01-2015 21-24-58-0115

    The following information box will popup alerting you to the fact you are unable to make changes to the schema.

    30-01-2015 21-25-10-0114

    Now connected to MRDC02, you can right click and select “Operations Master”

    30-01-2015 21-25-27-0113

    This time you will see MRDC02 is listed as the server you can transfer the FSMO role to. Select Change

    30-01-2015 21-25-33-0112

    Select Yes to the next prompt

    30-01-2015 21-25-39-0111

    You will then be informed the role has been transferred

    30-01-2015 21-25-45-0110

    30-01-2015 21-25-50-0109

    That’s the first FSMO roles down, only four to go….

    Next up is the domain naming master role. Open up Active Directory Domains and Trusts and right click ADDT.

    Select Operations Master

    30-01-2015 21-21-15-0126

    Unlike the schema master, the rest of the role will pre-populate the field with the new 2012 R2 DC

    30-01-2015 21-21-20-0125

    Select “Change”, and then select “Yes”

    30-01-2015 21-21-27-0124

    Click OK once complete.

    30-01-2015 21-21-35-0123

    The next three roles (RID, PDC and Infrastructure can all be transferred via the same console.

    Open up Active Directory Users and Computers, right click the domain name and select “Operations Masters”

    30-01-2015 21-20-09-0130

    Along the top you will see three tabs: RID, PDC, Infrastructure. Start with RID and transfer the role, and then complete for PDC and Infrastructure.

    30-01-2015 21-20-18-0129

    30-01-2015 21-20-30-0128

    30-01-2015 21-20-38-0127

    The final item that needs doing once the PDC Emulator role has been transferred is to set the NTP time source on the new PDC Emulator. The PDC Emulator is the time source for AD, so we must point the PDC Emulator at the NTP device on the network. For most environments this is either a network switch/router or a physical time device to make sure time is sync’d across the estate.

    However in this instance we will be using the local server as the time source. First we need to tell the old PDC Emulator server it is no longer authoritative as the time source. To do so run the following command on the OLD Server (MRDC01)

    • w32tm /config /syncfromflags:domhier /reliable:no /update

    • net stop w32time

    • net start w32time


    Once complete, switch to the new PDC Emulator Server (MRDC02) and run the below

    • w32tm /config /manualpeerlist:MRDC02 /syncfromflags:manual /reliable:yes /update

    30-01-2015 21-30-31-0107

    Stop and Start the w32time service, and finally run the command:

    • w32tm /query /source

    30-01-2015 21-31-44-0106

    The time source now shows as the local CMOS clock on the server.

    On the old DC we can now see MRDC02 as the time source

    30-01-2015 22-10-07-0077

    Now all the above has been performed, double check the FSMO role location by running:

    • netdom /query fsmo

    This will ensure all the FSMO Roles now sit on the correct server.

    30-01-2015 21-26-02-0108

    As can be seen from the above screen shot which was run before and after the roles were transferred all the FSMO roles now sit on the new MRDC02 server.

    There we have it, part 4 is down with part 5 coming up shortly.

Protected by WP Anti Spam