SOLVED

Cannot transfer schema using NTDSUTIL

When trying to transfer operational control to a new A/D server, I tried to use the GUI, but it would not show the new A/D. I found a note which indicated to use NTDSUTIL to perform the task. When issuing the commands:

roles
connections
connect to server dc1 - put the target DC server’s name here
quit
transfer infrastructure master
transfer naming master
transfer pdc
transfer rid master
transfer schema master
quit
quit

Everything appears to be fine; however, when I issue netdom query fsmo, all of the roles refer to the new server, but the Schema Master still points to the existing A/D server. I am part of the Schema Admins group, but I don't know what else to do except maybe use the Seize option, which appears to be a last resort. What other settings should I look for?

4 Replies
best response confirmed by Mikeg0210 (Copper Contributor)
Solution

Hello @Mikeg0210,

Did you use the Microsoft guide? If you follow the guide below, everything should be OK. You really need to register Schmmgmt.dll to be able to use it.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

PS: You have to do those actions on a domain controller.

@Mikeg0210 ease your life. You can transfer roles easily with DSAC (Active Directory Administrative Center) or PowerShell, without the hacky schema DLL thingy. That is correct, but it is an annoyance of the past. Leave your MMCs alone :)

https://learn.microsoft.com/en-us/powershell/module/activedirectory/move-addirectoryserveroperationm...

https://activedirectorypro.com/transfer-fsmo-roles/#:~:text=To%20move%20a%20role%20with%20PowerShell....

Thanks, I was able to get it resolved. For some reason, all transfers but the schema had to be done on the source system. To do the schema, there were two items. The admin account did not have Schema Admin permissions, which needed to be added. Then the schema transfer had to be performed on the target. Not sure why, and I only have one A/D server, so I'm not trying to troubleshoot anymore.
Thanks.
Glad to hear it is solved. Domain Admins do not necessarily have Schema Admin rights. Usually the schema does not change; the exceptions are installations of special software that change the schema, like Windows LAPS (modern), Exchange and Exchange updates.

Security hint: make sure that you do not assign Schema Admin, Enterprise Admin (or Domain Admin) rights to this account when they are not actually needed. Remove these permissions when no longer used and assign them when required.
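The PowerShell route mentioned in the earlier reply and the just-in-time Schema Admins pattern from the security hint above, as one added example that is not from this thread or from Microsoft's documentation. It assumes the ActiveDirectory RSAT module, a single-domain forest (as in the original post), a placeholder target DC `DC2.corp.example` and a placeholder operator account `svc-fsmo-admin`, and that the script itself runs under a Domain Admin account in the forest root that may edit Schema Admins membership. The transfers run under the operator's own credential, because group membership only enters a logon token at logon time; adding the account to Schema Admins and then calling the cmdlet in the same session would still fail, which matches the symptom in the original post (every role moves except the schema master). Membership is removed in a `finally` block so it does not linger if the transfer throws.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Names below are assumptions.
param(
    [string]$TargetDC = 'DC2.corp.example',   # assumed target domain controller
    [string]$Operator = 'svc-fsmo-admin'       # assumed operator sAMAccountName
)

Import-Module ActiveDirectory

# Equivalent of "netdom query fsmo": domain roles from Get-ADDomain, forest roles from Get-ADForest.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        SchemaMaster         = $f.SchemaMaster
    }
}

Write-Host 'FSMO holders before:'
Get-FsmoHolders | Format-List

# Credential of the operator who will hold the roles' required group memberships.
# Using -Credential forces a fresh logon, so a group added below is in that token.
$operatorCred = Get-Credential -UserName $Operator -Message 'Operator account for the FSMO transfer'

# Domain-level roles: Domain Admins is sufficient.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster `
    -Credential $operatorCred -Confirm:$false

# Forest-level roles: DomainNamingMaster needs Enterprise Admins, SchemaMaster needs
# Schema Admins. Grant Schema Admins only for the duration of the transfer.
$rootDomain   = (Get-ADForest).RootDomain
$schemaAdmins = Get-ADGroup -Identity 'Schema Admins' -Server $rootDomain
$wasMember    = $null -ne (Get-ADGroupMember -Identity $schemaAdmins -Server $rootDomain |
                           Where-Object SamAccountName -eq $Operator)
try {
    if (-not $wasMember) {
        Add-ADGroupMember -Identity $schemaAdmins -Members $Operator -Server $rootDomain
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole DomainNamingMaster, SchemaMaster `
        -Credential $operatorCred -Confirm:$false
}
finally {
    # Remove the temporary membership whether or not the transfer succeeded.
    if (-not $wasMember) {
        Remove-ADGroupMember -Identity $schemaAdmins -Members $Operator -Server $rootDomain -Confirm:$false
    }
}

# Verify: every role should now name the target DC; warn about any that do not.
$after = Get-FsmoHolders
Write-Host 'FSMO holders after:'
$after | Format-List
$stale = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$TargetDC*" }
if ($stale) {
    Write-Warning ('Roles not held by {0}: {1}' -f $TargetDC, (($stale | ForEach-Object Name) -join ', '))
}
```

If the final check still lists SchemaMaster, the usual causes are the ones this thread ran into: the operator's token predates the Schema Admins membership (log on again or use `-Credential` as above), or the cmdlet was pointed at the old holder rather than the target DC. Seizing the role remains a last resort for a dead holder, not a fix for a permissions problem.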