none
Can't logon DC1.

    Question

  • Hello,

    I have 3 DCs. (DC1, DC2 and DC3)

    Can't logon DC1. DC1 holds all FSMO roles.

    So in this case, how to transfer FSMO roles to other DC.

    Thanks in advance.

    Friday, March 24, 2017 2:12 PM

Answers

  • Hi,

    If you are trying to move roles try it first from another server. Login to your second DC and from there transfer roles.

    PDC, RID, Infrastructure Master:

    Go to Active Directory Users & Computers and right-click on your domain and select Operations Masters. You will have 3 tabs and for each tab click on change and choose the new server.

    Domain naming (you can transfer it from Active Directory Domains and Trusts) and Schema you need to register it first. Open cmd as admin and type in regsvr32 schmmgmt.dll
    Next Open MMC & add Active Directory Schema

    ------------------------------------------------------------------------------------------------------------
    If you found this post helpful, please give it a "Helpful" vote. 
    Please remember to mark the replies as answers if they help.
    (This can be beneficial to other community members reading the thread).


    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 9:15 AM
  • Hi Nedim,

    Thanks for reply.

    This is good but at the first I have to  Change Active Directory Domain Controller in MMC & add Active Directory Schema. This is not available on other DC.  http://www.techunboxed.com/2012/07/how-to-transfer-fsmo-roles-in-windows.html

    if I change PDC, RID and Infrastructure in health DC then can I change Domain Controller? and Should I change it also? Because PDC, RID and Infrastructure Master is possible to change on other DCs.

    Thanks again.

    Nidjat
    • Edited by Nidjat Saturday, March 25, 2017 11:14 AM
    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 11:06 AM
  • Only in DSRM mode with local administrator can logon.

    in this case using

    ntdsutil - connection to server dc2

    binding to server dc2

    DsBindWithSpnExW error 0x533<Logon failure: account currently disabled..

    Then you should seize the fsmo roles to other healthy dc,you can seize with ntdsutil(you can check the steps under seize fsmo roles) .When done just forcefully demote this dc from domain will perform metadata cleanup.Install clean OS and promote it again domain controller.

    Metadata cleanup ; https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 9:30 AM
  •  in MMC & add Active Directory Schema. This is not available on other DC. 

    Did you?

    regsvr32 schmmgmt.dll

    https://blogs.technet.microsoft.com/canitpro/2015/02/10/step-by-step-migrating-windows-server-2003-fsmo-roles-to-windows-server-2012-r2/

     

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 1:23 PM

All replies

  • Hi

     If the PDC (fsmo roles holder) become unavaible,you can seize fsmo roles with Ntdsutil.exe,check this article;

    https://support.microsoft.com/en-us/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Friday, March 24, 2017 2:25 PM
  • Thanks. The server is running. When I try to logon "Preparing your desktop" then it disappears and nothing is shown. I mean desktop is not shown.

    Thanks in advance.

    Friday, March 24, 2017 3:18 PM
  • Did you try to reboot it? 

    ------------------------------------------------------------------------------------------------------------
    If you found this post helpful, please give it a "Helpful" vote. 
    Please remember to mark the replies as answers if they help.
    (This can be beneficial to other community members reading the thread).

    Friday, March 24, 2017 3:23 PM
  • Thanks. The server is running. When I try to logon "Preparing your desktop" then it disappears and nothing is shown. I mean desktop is not shown.

    Thanks in advance.


    So first you should check this DC health status.Try to logon with other account and also run "dcdiag" to analyse...

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Friday, March 24, 2017 3:37 PM
  • Only in DSRM mode with local administrator can logon.

    in this case using

    ntdsutil - connection to server dc2

    binding to server dc2

    DsBindWithSpnExW error 0x533<Logon failure: account currently disabled..

    Friday, March 24, 2017 4:02 PM
  • Only in DSRM mode with local administrator can logon.

    in this case using

    ntdsutil - connection to server dc2

    binding to server dc2

    DsBindWithSpnExW error 0x533<Logon failure: account currently disabled..

    Then you should seize the fsmo roles to other healthy dc,you can seize with ntdsutil(you can check the steps under seize fsmo roles) .When done just forcefully demote this dc from domain will perform metadata cleanup.Install clean OS and promote it again domain controller.

    Metadata cleanup ; https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 9:30 AM
  • Hi Nedim,

    Thanks for reply.

    This is good but at the first I have to  Change Active Directory Domain Controller in MMC & add Active Directory Schema. This is not available on other DC.  http://www.techunboxed.com/2012/07/how-to-transfer-fsmo-roles-in-windows.html

    if I change PDC, RID and Infrastructure in health DC then can I change Domain Controller? and Should I change it also? Because PDC, RID and Infrastructure Master is possible to change on other DCs.

    Thanks again.

    Nidjat
    • Edited by Nidjat Saturday, March 25, 2017 11:14 AM
    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 11:06 AM
  •  in MMC & add Active Directory Schema. This is not available on other DC. 

    Did you?

    regsvr32 schmmgmt.dll

    https://blogs.technet.microsoft.com/canitpro/2015/02/10/step-by-step-migrating-windows-server-2003-fsmo-roles-to-windows-server-2012-r2/

     

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Nidjat Saturday, March 25, 2017 6:32 PM
    Saturday, March 25, 2017 1:23 PM
  • Thanks everybody. The problem is solved.
    Saturday, March 25, 2017 6:32 PM
  • So first you are saying to seize roles and now you are saying to first check the DC Health? 

    Thank you for your comments. I still believe there are better ways to express your opinions towards ideas of our experts. Since I am not allowed to edit your comments, I will remove them.

    FYI, FSMO roles can always seized back.

    Regards.


    Mahdi Tehrani | | www.mahditehrani.ir
    Make sure to download my free PowerShell scripts:


    Tuesday, April 4, 2017 2:21 PM
    Moderator