Forum Discussion

Mikeg0210's avatar
Mikeg0210
Copper Contributor
May 28, 2024
Solved

Cannot transfer schema using NTDSUTIL

When trying to transfer operational control to a new A/D server, I tried to use the GUI but it would not show the new A/D.  I found a note which indicated to use NTDSUTIL to perform the task.  When i...
ntdsutil
Server 2022
  • L_Youtell_974's avatar
    L_Youtell_974
    May 29, 2024

    hello Mikeg0210 ,

    did you use the microsoft guide ? If you follow the guide below, everything should be ok. You really need to register Schmmgmt.dll to be able to use it.

     

    Register Schmmgmt.dll

    1. Click Start, and then click Run.
    2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
    3. Click OK when you receive the message that the operation succeeded.

    Transfer the Schema Master Role

    1. Click Start, click Run, type mmc in the Open box, and then click OK.
    2. On the File, menu, click Add/Remove Snap-in.
    3. Click Add.
    4. Click Active Directory Schema, click Add, click Close, and then click OK.
    5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
    6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
    7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
    8. Click Change.
    9. Click OK to confirm that you want to transfer the role, and then click Close.


      PS: You have to do those actions on a domain controller.
Karl-WE's avatar
Karl-WE
MVP
Jun 03, 2024

Mikeg0210 ease your life. You can transfer roles easy with DSAC (Active Directory Administrative Center) or PowerShell without the hacky schema dll thingy is correct. But ut is an annoyance of the past. Leave your MMCs alone 🙂 

https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-addirectoryserveroperationmasterrole?view=windowsserver2022-ps

https://activedirectorypro.com/transfer-fsmo-roles/#:~:text=To%20move%20a%20role%20with%20PowerShell%20you%20will,the%20hostname%20of%20the%20server%20to%20transfer%20to.

  • Mikeg0210's avatar
    Mikeg0210
    Copper Contributor
    Jun 04, 2024
    Thanks I was able to get it resolved. For some reason, all transfers but the Schema had to be done on the source system. To do the schema, there were 2 items. The Admin account did not have Schema Admin permissions which needed to be added. Then the schema transfer had to be performed on the target. Not sure why and only have 1 A/D server so not trying to troubleshoot anymore.
    Thank
    • Karl-WE's avatar
      Karl-WE
      MVP
      Jun 05, 2024
      glad to hear it is solved. Domain Admins do not have necessarily have Schema admin rights. Usually Schema do not change, exception are installation of special software that would change the Schema. like Windows LAPS (modern), Exchange and Exchange Updates.

      security hint: make sure that you are not assign schema admin, enterprise (or domain admin rights) when not actually needed for this account. Remove these permissions when no longer used and assign when required.

Resources