FSMO Roles and moving them

I wrote last week about my move from Exchange 2003 to Exchange 2007, and in that article I mentioned that I moved my Domain Controller over at the same time.

There have been questions about what I did and how, so I’ve knocked this together for anyone that needs to do likewise.

In this scenario we have our old server, and we have our new freshly Server 2003’d server, OLD and NEW.

  • Install DNS on the NEW server, but do not configure it. To do this just add the DNS role through Add/Remove Programs. You may also need WINS if you still run legacy OSes.
  • Configure the NEW server’s network with a static IP, and the primary DNS should point to the OLD server for DNS, with itself as a secondary.
  • Join the domain on the new server (through computer properties) and reboot.
  • DCPromo the server up to a DC; you should join this server as ‘Additional Domain Controller for an Existing Domain’. This will automatically configure DNS to replicate the DNS zones of the domain. Use the defaults for all the settings unless you have a good reason not to. Make sure you remember the recovery password that you enter.

Right after a reboot at this point you will have two DC servers on your LAN (NEW and OLD). The problem, however, is that OLD will still be the FSMO master for all the roles in the domain; seeing as we are decommissioning this box, we need to move all the roles.

  • First off we need to make the NEW server a Global Catalogue server. To do this launch ‘Active Directory Sites and Services’, expand your site, then expand Servers, select the NEW server, then right click NTDS Settings (in the right pane) and choose Properties. Tick the ‘Global Catalogue’ check box, then OK out of this screen.
  • Now change the properties of the NEW server network to point to itself for DNS as primary and the OLD server as secondary.

Now that the server is a GC server we can assign it FSMO roles, so let’s do that.

  • Launch the ‘Active Directory Users and Computers’ from Admin tools.
  • Select the Domain and right click, select ‘connect to domain controller’, select NEW then ok.
  • Right click the Domain, select ‘Operations Masters’.
  • You should now see a screen with three tabs, Select the change button on each tab to migrate that role to the connected server.
  • Domain Naming Master must now be transferred. Launch the ‘Active Directory Domains and Trusts’ tool from Admin Tools.
  • Right click the root level, select ‘Connect to Domain Controller’ and select the NEW server.
  • Right click the root level, and select ‘Operations Master’ then Change. This should move the Ops Master role over to NEW.

The last couple of roles can either be done through script (as can all of the above), or with an ‘unsupported but shipped’ tool. We will use the latter as it’s easiest to describe without going into how to use the NTDSUTIL.EXE tool.

  • First register the Schema Management tool by typing regsvr32 schmmgmt.dll into the run box on the server.
  • Now run MMC and add the Active Directory Schema snapin to it.
  • Right click the Domain name, select ‘Change Domain Controller’ and select the NEW server.
  • Right click the Domain name, and select ‘Schema Master’, then change.
  • Now we need to change the Site Licensing Server. To do this open ‘Active Directory Sites and Services’, select Sites, then your domain, then in the right pane right click ‘Licensing Site Settings’ and click Change in the Licensing Computer area.

Ok, nearly done now. Reboot the NEW server and wait: what we are looking for is an event of type 1869 (or 1119, but we should get an 1869) to show up in the NEW server’s Directory Service log. Whatever you do, don’t shut down the OLD server until you get this, else nobody will be able to log on, as we will not have a GC server on the LAN.

Once that event appears, we can remove the Global Catalog role from the OLD server; this is done in the same way as we added it to NEW earlier.

Now we do some checks and force the PDC role over, and for this we will use NTDSUTIL.

  • Launch a command prompt
  • type NTDSUTIL
  • You should see ntdsutil: at the prompt. Here we type Roles and press enter
  • fsmo maintenance: connections and enter
  • server connections: connect to server NEW (or servername here) and enter
  • Connected to NEW using credentials of locally logged on user.
    server connections:
    CTRL-Z and enter
  • fsmo maintenance: Seize PDC
  • This should result in the server attempting a graceful transfer of the role (which should already be on the NEW server). The results will also tell you about the other roles. If any of the roles are still on the OLD server, then type the appropriate command from below to seize the role on the NEW server.

    Seize infrastructure master
    Seize domain naming master
    Seize RID master
    Seize schema master
    Select operation target
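Before DCPromo-ing OLD out, it is worth confirming from the directory itself (rather than from the GUI tabs) that every role now sits on NEW, that NEW is a GC, and that the 1869/1119 event has been logged. This is an added check, not part of the original post; it reads the fSMORoleOwner attributes via ADSI and assumes it is run as a domain admin on a domain member, with $expected as a placeholder for the NEW server’s name.

```powershell
# Added example, not from the original post. Reads each role's fSMORoleOwner,
# checks the GC bit on NEW's NTDS Settings object and looks for event 1869/1119.
$expected = 'NEW'   # placeholder: the DC that should now hold every role

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Each FSMO role is recorded as fSMORoleOwner on one specific directory object.
$roleObjects = @{
    'PDC Emulator'          = "LDAP://$domainNc"
    'RID Master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure Master' = "LDAP://CN=Infrastructure,$domainNc"
    'Schema Master'         = "LDAP://$schemaNc"
    'Domain Naming Master'  = "LDAP://CN=Partitions,$configNc"
}

$allOnExpected = $true
foreach ($role in $roleObjects.Keys) {
    # fSMORoleOwner holds the DN of the holder's NTDS Settings object, whose
    # parent is the server object (CN=<server>,CN=Servers,CN=<site>,CN=Sites,...).
    $ownerDn  = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
    $serverDn = $ownerDn -replace '^CN=NTDS Settings,', ''
    $holder   = [string]([ADSI]"LDAP://$serverDn").cn
    '{0,-22} {1}' -f $role, $holder
    if ($holder -ne $expected) { $allOnExpected = $false }
}

# Global Catalog status: bit 1 of the options attribute on the NTDS Settings object.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Sites,$configNc", "(&(objectClass=server)(cn=$expected))")
$serverEntry = $searcher.FindOne().GetDirectoryEntry()
$ntds = [ADSI]"LDAP://CN=NTDS Settings,$($serverEntry.distinguishedName)"
$isGc = ([int]$ntds.options.Value -band 1) -eq 1
"Global Catalog on $expected : $isGc"

# Event 1869 (or 1119) in NEW's Directory Service log means it has found a GC.
$gcEvent = Get-EventLog -LogName 'Directory Service' -ComputerName $expected -Newest 200 |
    Where-Object { $_.EventID -eq 1869 -or $_.EventID -eq 1119 } | Select-Object -First 1

if ($allOnExpected -and $isGc -and $gcEvent) {
    "All roles on $expected, it is a GC and logged event $($gcEvent.EventID): OK to carry on with OLD."
} else {
    "Not ready: do not shut down or DCPromo out OLD yet."
}
```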

That should be it. You can now DCPromo out the OLD server, and use the new server as if the OLD one did not exist.

The only things left that may need doing are: set up the helper addresses in DNS so the server can look up Internet DNS names, and set up your DHCP scope and options.

If there is anything that I have missed, then please let me know.