Ok, so this is more of a note for me than anyone else, but ever had trouble with FSMO roles on AD? If so,

So what am I trying to do? Well, an old server is being decommissioned and needs all of the FSMO roles transferred off. So I managed to get most of them done; you can do it through AD Users & Computers by selecting Operations Masters from the menu, or if you’re like me, you’ll prefer using the command line. So ntdsutil is your friend.

Couple of things. Security is a bit odd here. Most roles will be fine, but to transfer the Schema Master role, you need to be a member of both the Enterprise Administrators group and the Schema Admins group. Use gpresult to check.
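The same check can be made against the logon token itself rather than by reading gpresult output. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the function name Test-SchemaTransferRights is hypothetical. It matches the groups by their well-known RIDs (518 for Schema Admins, 519 for Enterprise Admins), so it still works if the groups have been renamed.

```powershell
# Added example: report whether the current logon token carries the two
# groups needed to transfer the Schema Master role.
# Assumption: any domain SID ending in RID 518 or 519 is the forest root
# domain's Schema Admins / Enterprise Admins group.

function Test-SchemaTransferRights {
    param(
        # SID strings to test; defaults to the groups in the current token.
        [string[]]$GroupSids = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
            ForEach-Object { $_.Value })
    )

    # Well-known relative IDs of the two forest-level groups.
    $required = [ordered]@{
        'Schema Admins'     = 518
        'Enterprise Admins' = 519
    }

    foreach ($name in $required.Keys) {
        $rid = $required[$name]
        # Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>.
        $pattern = '^S-1-5-21-\d+-\d+-\d+-{0}$' -f $rid
        $match = $GroupSids | Where-Object { $_ -match $pattern } | Select-Object -First 1

        [pscustomobject]@{
            Group   = $name
            Rid     = $rid
            InToken = [bool]$match
            Sid     = $match
        }
    }
}

$check = Test-SchemaTransferRights
$check | Format-Table -AutoSize

if ($check.InToken -contains $false) {
    # A token is built at logon, so a group added afterwards is not in it yet.
    Write-Warning 'One or both groups are missing from this token. Log off and on again after a membership change, and run from an elevated prompt.'
} else {
    Write-Host 'Both groups are present in this token.'
}
```

Because both groups grant forest-wide control, remove the account from Schema Admins again once the transfer has completed.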

So grab your roles in ntdsutil:

C:\Documents and Settings\aled>ntdsutil
ntdsutil: roles
fsmo maintenance: con
server connections: connect to server SERVER
Binding to SERVER ...
Connected to SERVER using credentials of locally logged on user
server connections: q
fsmo maintenance: transfer schema master
Server "SERVER" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=domain,DC=com
Domain - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=domain,DC=com
PDC - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=domain,DC=com
RID - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=domain,DC=com
Infrastructure - CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=domain,DC=com
fsmo maintenance:   

Er, and that’s it. It’s taken me ages because I couldn’t find anything that said which rights you needed. Stay tuned for more random notes on playing with Windows, AD and Exchange, such as:
