Transferring PDC, Infrastructure and RID master to new Domain Controllers

    Question

  • Hi,

    I have a requirement where I have to decommission my existing PDC as the hardware needs to be refreshed. Currently I have set up a new DC to move all the existing roles from my PDC.

    Can anyone tell me what all I need to make sure of before I transfer the FSMO roles to the new DC?

    Saturday, February 11, 2017 5:49 PM

Answers

  • Hi

    Normally, below are the steps you take to perform an in-house AD migration:

    1. Take a full backup (System state)

    2. If you are moving from 2008 R2 to 2012 R2:

    - You would need to raise the functional level of your current AD

    - Check the current schema version (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)

    Schema version on Windows 2012 is 38

    3. Prepare AD forest and domain on old DC

    - Insert the new Windows Server 2012 R2 CD or ISO

    - Via CMD, adprep /forestprep

    4. Connect new DC to domain

    5. Add ADDS role

    6. Via AD Users and Computers / Sites and Services - verify new DC

    7. Transfer FSMO roles from new DC

    - Schema Master via MMC

    - PDC, Infra, RID via Users and Computers

    Hope this helps


    • Marked as answer by Shimith Sunday, February 12, 2017 5:48 AM
    • Edited by Akabe Sunday, February 12, 2017 11:05 AM
    Saturday, February 11, 2017 6:06 PM
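The pre-checks listed in the answer above (schema version, functional levels, DC and replication health, system state backup) gathered by one script, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory module, an elevated session on a domain controller, and the hypothetical DC names OLDPDC01 and NEWDC01.

```powershell
# Added example (not from the thread): pre-flight checks before an FSMO transfer.
# Assumes the RSAT ActiveDirectory module, an elevated session on a DC, and the
# hypothetical DC names below.
param(
    [string]$OldDc = "OLDPDC01",   # hypothetical: DC currently holding the roles
    [string]$NewDc = "NEWDC01"     # hypothetical: DC that will receive them
)
Import-Module ActiveDirectory

# 1. Schema version: the registry value the answer refers to, plus the authoritative
#    objectVersion attribute on the Schema partition. The two should agree, and they
#    only rise after adprep /forestprep has been run.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$regVersion = (Get-ItemProperty -Path $ntdsParams).'Schema Version'
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$adVersion  = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
"Schema version: registry=$regVersion  AD objectVersion=$adVersion"

# 2. Forest and domain functional levels (raise them first if adprep requires it)
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"

# 3. Both DCs must be writable (a read-only DC cannot hold a role) and in the expected site/OS
foreach ($dc in $OldDc, $NewDc) {
    Get-ADDomainController -Identity $dc |
        Select-Object HostName, IsReadOnly, OperatingSystem, Site
}

# 4. Replication health: no outstanding failures on either DC before moving roles
foreach ($dc in $OldDc, $NewDc) {
    $failures = Get-ADReplicationFailure -Target $dc
    if ($failures) {
        Write-Warning "$dc reports replication failures:"
        $failures | Format-Table Partner, FailureCount, LastError -AutoSize
    } else {
        "$dc : no replication failures recorded"
    }
}
repadmin /replsummary          # forest-wide replication summary
dcdiag /s:$NewDc /q            # /q prints only the tests that fail

# 5. System state backup of the current role holder before touching anything
#    (needs the Windows Server Backup feature; the target drive is a placeholder)
wbadmin start systemstatebackup -backupTarget:E: -quiet
```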
  • Hi,

    I have a requirement where I have to decommission my existing PDC as the hardware needs to be refreshed. Currently I have set up a new DC to move all the existing roles from my PDC.

    Can anyone tell me what all I need to make sure of before I transfer the FSMO roles to the new DC?

    Hi

    First of all, you should check the DCs' health and replication health. Then you should take a full backup before the process.

    Also, you can transfer FSMO roles with ntdsutil:

    https://support.microsoft.com/en-us/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Marked as answer by Shimith Sunday, February 12, 2017 5:48 AM
    Saturday, February 11, 2017 8:45 PM

All replies

    1. PDC emulator – for older systems which can’t handle a multi-master domain model.
    2. RID Master – provides unique keys for objects, and performs domain moves.
    3. Infrastructure Master – for inter-domain communication.
    4. Schema Master – manages the schema for the domain forest.
    5. Domain Naming Master – manages naming and conflicts for the domain forest.

    So, we need to point each of the 5 over to the new, proposed PDC.

    Get the new servers in place:
    In my case, I wanted to do fresh installs, and use existing naming. So first, bring up the domain controllers as regular (NOT read-only) domain controllers. This typically means:

    • Install Windows Server
    • Add the machine to the domain (on the same screen where you set the computer name)
    • From Server Manager – add a new “Role” for “Active Directory Domain Services”, and join the domain. Typically you’d want to install DNS, and I host my DHCP servers from domain controllers too. So, each domain controller can handle it all: user validation, DHCP, and DNS – which allows the other domain controllers to fail, but not impact the network too much.

    At this point, the new server is a domain controller, but it’s not the primary domain controller – and there can be only one primary. Before we get too far, let’s look at an example.

    The Setup:
    This might make more sense when I describe what I have and what I want to do:

    • SHFLPDC01 – old Windows 2012 primary domain controller
    • SHFLBDC01 – old Windows 2012 backup domain controller
    • SPHWPPDC01 – new Windows 2012 R2 (proposed) primary domain controller (plus, moving to a different host server)
    • SPHWPBDC01 – new Windows 2012 R2 backup domain controller

    I ultimately want to decommission the SHFL* servers. I can bring up backup domain controllers, but the tricky part is that I need to promote the replacement as the NEW primary – which is what is described below.


    Another way to look at this is SHFLPDC01 is the primary domain controller, and despite the names, I really have 3 backup domain controllers at the moment. I want to promote one of them to be primary, which will demote SHFLPDC01 to be a backup domain controller. At that point, I can take those old SHFL* servers offline.

    The Process:
    After a little research, it looks like you need to change this pointer in 3 places, all available in mmc.exe:

    1. Active Directory Domains and Trusts
    2. Active Directory Users and Computers
    3. Active Directory Schema

    To help us later, we need to do one step to make #3 possible. That MMC add-in is not available, by default. To make it available, run the following command (on the new, proposed, primary domain controller, for example):

    regsvr32.exe schmmgmt.dll

    This will pop up a confirmation message. You MUST run this as Administrator; you’ll get an error if you don’t. So, right-click on cmd.exe and choose Run as Administrator:


    Now, to do all three of these, launch “mmc.exe” and add the following add-ins:


    and then click OK. In my case, I see something like this:


    In brackets, it automatically connected me to the existing PDC (SHFLPDC01). So, we need to change the domain controller, and then change the “operations master” on each. Let’s do one at a time:

    Changing Domains and Trust:
    First, I’ll right-click at the “Active Directory Domains and Trusts” level to bring up the context menu, and choose “Change Active Directory Domain Controller”:



    which brings up a screen like this:


    I switch to the new (what I want to be) primary domain controller, then click OK. Now, you might notice that the description in the tree changes:


    This hasn’t changed anything, we are just connecting to a different domain controller. We needed to do that for this second operation: right-click at the Domains and Trust level again but this time choose “Operations Master…”, which brings up this:


    When we click “Change” on this screen, this makes it so our new PDC will become the primary for this particular part of Active Directory.


    Click Close and this part is done – 1 down, 4 to go.

    Changing Users and Computers:
    For this next section, it starts off identical – right-click at the Users and Computers level and “Change Domain Controller…”:


    Similar to the last step, right-click on the domain and choose “Operations Master…”


    Note though that this has THREE tabs, so you need to click that “Change” button on all 3 tabs:


    Click Close and you are done with this part – 4 down, 1 to go.

    Changing Schema:
    Lastly, this is pretty much more of the same – right-click on “Active Directory Schema” and change the Active Directory Domain Controller. Then, right-click again and choose “Operations Master”:


    Just like before, confirm the current vs proposed, and if it’s correct click “Change”:


    Click Close and we’re done – 5 out of 5 roles have been switched to point to the new PDC.

    Bottom Line:
    Above, we changed the “operations master” of all five FSMO roles from the old PDC to the new PDC. How do we confirm it? Well, first I used PowerShell to see who the PowerShell thinks the PDC is:

    PS> Import-Module ActiveDirectory
    PS> Get-ADDomain | Select-Object -Property InfrastructureMaster

    and I saw:


    That’s correct! Next, let’s take the PDC offline and try to change our password. That should be something you can only do when the PDC is online. And yes, change a password or create a user account and check if it works.

    So – from everything I’ve read, I think this is all that is needed. 


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Anand Shankar


    • Edited by Anand - Saturday, February 11, 2017 6:07 PM
    Saturday, February 11, 2017 6:05 PM
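The same five-role transfer and the confirmation step from the post above, done with the ActiveDirectory PowerShell module instead of the MMC snap-ins, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, an account in both Enterprise Admins and Schema Admins, and the hypothetical DC name NEWDC01; Move-ADDirectoryServerOperationMasterRole is the module's cmdlet for this operation.

```powershell
# Added example (not from the thread): transfer all five FSMO roles in one cmdlet
# call and verify the result. Assumes the RSAT ActiveDirectory module, an account in
# Enterprise Admins and Schema Admins, and the hypothetical DC name below.
param([string]$NewDc = "NEWDC01")   # hypothetical: DC that should end up holding all roles
Import-Module ActiveDirectory

# Role holders as seen by one specific DC (-Server), so a replica that has not yet
# received the change cannot mislead the check.
function Get-FsmoHolders([string]$Server) {
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [pscustomobject][ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"; Get-FsmoHolders -Server $NewDc | Format-List

# Graceful transfer: without -Force the current holder must be online, and both DCs
# update the role owner together. -Force would *seize* the role instead, which is only
# for a holder that is permanently gone; a seized-from DC must never come back online.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

$after = Get-FsmoHolders -Server $NewDc
"After:"; $after | Format-List

# Every role must now resolve to the new DC's FQDN (-ne is case-insensitive in PowerShell)
$newFqdn = (Get-ADDomainController -Identity $NewDc).HostName
$wrong = $after.PSObject.Properties | Where-Object { $_.Value -ne $newFqdn }
if ($wrong) {
    Write-Error "Roles not on $newFqdn : $($wrong.Name -join ', ')"
} else {
    "All five roles are held by $newFqdn"
}

# Cross-check with the legacy tool, then push the change to every DC right away
netdom query fsmo
repadmin /syncall /AdeP
```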