Case #
You need to be able to move (gracefully) or seize (forcefully) one or more Active Directory FSMO roles. FSMO roles are also now known as operations master roles. Such a migration is required when you move the FSMO roles to a new machine, or when an existing domain controller holding one or more FSMO roles is damaged and goes out of operation. The latter can cause significant Active Directory operational issues, since many Active Directory functions, e.g. NTP time management and LDAP authentication and authorization, depend on the FSMO roles to work properly. One error you may come across in such scenarios is the following.
You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted. Please verify that the PDC emulator for the current domain and the network are both online and functioning properly.
This article provides guidance on how to migrate Active Directory FSMO roles.
Solution #
Gracefully move FSMO roles #
Run the following PowerShell cmdlets in an elevated prompt:
#First identify the location of the FSMO roles
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
$ADNewTarget = Get-ADDomainController -Identity "[FQDN OF THE NEW TARGET SERVER GOES HERE]"
#Move the FSMO roles included in the -OperationMasterRole to the $ADNewTarget domain controller
Move-ADDirectoryServerOperationMasterRole -Identity $ADNewTarget -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
Forcefully seize FSMO roles #
Follow exactly the same procedure as in the previous section "Gracefully move FSMO roles", but add the -Force parameter to the Move-ADDirectoryServerOperationMasterRole cmdlet.
Move-ADDirectoryServerOperationMasterRole -Identity $ADNewTarget -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Force
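The following script is an added example, not code from the original article: it wraps the two procedures above (graceful move and forced seizure) into one run that records the current role holders, moves only the roles the target does not already hold, and verifies the result afterwards. It assumes the ActiveDirectory module is installed, that the script runs in an elevated prompt as a user with Schema Admins, Enterprise Admins and Domain Admins membership, and that the target FQDN is a placeholder you replace. The $Seize switch is the only difference between the two cases; set it to $true only when the old role holder is permanently gone, since a seized holder must not be returned to the domain without being rebuilt.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and an elevated prompt; the target FQDN below is a placeholder.
Import-Module ActiveDirectory

$TargetFqdn = "dc02.corp.example.invalid"   # placeholder: FQDN of the new target DC
$Seize      = $false                        # $true only if the old holder is permanently offline

$Roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# Collect the current holder of each of the five roles (forest and domain level)
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$Target = Get-ADDomainController -Identity $TargetFqdn
$Before = Get-FsmoHolders
"Role holders before:"
$Before | Format-Table -AutoSize

# Only roles not already held by the target need to be transferred
$ToMove = $Roles | Where-Object { $Before[$_] -ne $Target.HostName }

if ($ToMove) {
    $params = @{
        Identity            = $Target
        OperationMasterRole = $ToMove
        Confirm             = $false
    }
    # Seizing is the same cmdlet with -Force; it writes the new holder into the
    # directory without contacting the old one, so use it only when that DC is gone.
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params
} else {
    "All roles already held by $($Target.HostName); nothing to move."
}

# Verify: every role must now point at the target, otherwise report which do not
$After = Get-FsmoHolders
"Role holders after:"
$After | Format-Table -AutoSize

$NotMoved = $Roles | Where-Object { $After[$_] -ne $Target.HostName }
if ($NotMoved) {
    Write-Error "Roles still not on $($Target.HostName): $($NotMoved -join ', ')"
} else {
    "All FSMO roles are now held by $($Target.HostName)."
}
```

Run it once with $Seize left at $false; a transfer that fails because the current holder is unreachable is the signal that a seizure is actually needed, and only then should the script be re-run with $Seize set to $true.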
Forcefully demote a domain controller #
After gracefully (move) or forcefully (seize) migrating the FSMO roles from your old domain controller, you will need to demote that old domain controller from the Active Directory domain. The demotion instructions provided here are valid for Windows Server 2012 or later. For Windows Server 2003 and 2008, you will need to consult Microsoft archived documentation. Before demoting any domain controller, ensure that no other server roles or role services are running on the machine to be demoted, such as DNS, DHCP, certificate services, etc.
Graceful demotion #
If you are performing a graceful demotion without first moving the FSMO roles from the demoted server, Active Directory will automatically migrate these FSMO roles for you to another functional server. Graceful demotion can be carried out from the Windows Server Manager console by navigating to menu Manage - Remove Roles and Features.
Afterwards ensure that you also delete the Domain Controller in question from the Active Directory Sites and Services MMC console.
Forceful demotion #
Please note that domain controllers running Windows Server 2008 or later OS automatically clean up their metadata. For earlier Windows Server releases, the metadata cleanup will need the ntdsutil command to be run.
Forceful demotion is pretty simple and carried out in one step. Simply open the Active Directory Users and Computers MMC console, right click the domain controller computer object and click Delete, then accept the deletion by checking the checkbox "Delete this domain controller anyway".
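The following script is an added example, not code from the original article. It covers the two checks a practitioner wants around either demotion path above: before demotion, that the old domain controller hosts none of the other roles the text warns about and holds no FSMO role; after demotion, that no stale computer or Sites and Services metadata for it remains. It assumes the ActiveDirectory and ServerManager modules, an elevated prompt with domain administrative rights, and a placeholder host name that you replace.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# ServerManager modules; the host name below is a placeholder.
Import-Module ActiveDirectory
Import-Module ServerManager

$OldDc = "dc01"   # placeholder: host name (not FQDN) of the DC being demoted

# --- Pre-demotion check 1: other roles that must be moved off this server first ---
# Feature names are the Windows Server role identifiers for DNS, DHCP, AD CS, IIS and file server.
$WatchList = 'DNS','DHCP','ADCS-Cert-Authority','Web-Server','FS-FileServer'
$Extra = Get-WindowsFeature -ComputerName $OldDc |
         Where-Object { $_.Installed -and $_.Name -in $WatchList }
if ($Extra) {
    Write-Warning "Move these roles off $OldDc before demoting it: $($Extra.Name -join ', ')"
}

# --- Pre-demotion check 2: the server must hold no FSMO role any more ---
$d = Get-ADDomain
$f = Get-ADForest
$Holders = @($f.SchemaMaster, $f.DomainNamingMaster, $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster)
$StillHeld = $Holders | Where-Object { $_ -like "$OldDc.*" }
if ($StillHeld) {
    Write-Warning "$OldDc still holds FSMO roles; move or seize them before demotion"
}

# --- Post-demotion check: no stale metadata left behind ---
# Both the domain controller object and its server object under
# CN=Sites in the configuration partition should be gone.
function Get-StaleDcMetadata {
    param([string]$HostName)
    $leftover = @()
    $leftover += Get-ADDomainController -Filter "Name -eq '$HostName'" -ErrorAction SilentlyContinue
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $leftover += Get-ADObject -SearchBase "CN=Sites,$configNc" `
                             -Filter "objectClass -eq 'server' -and name -eq '$HostName'"
    return $leftover
}

$Stale = Get-StaleDcMetadata -HostName $OldDc
if ($Stale) {
    Write-Warning "Stale metadata still present for ${OldDc}: $($Stale.DistinguishedName -join '; ')"
} else {
    "No stale metadata found for $OldDc."
}
```

Run the pre-demotion checks before touching Server Manager or the Users and Computers console, and the post-demotion check afterwards; a server object still present under CN=Sites is exactly what the Sites and Services deletion step above removes, and on releases older than Windows Server 2008 the same leftovers are what the ntdsutil metadata cleanup addresses.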
References #
https://activedirectorypro.com/demote-domain-controller/
https://www.dell.com/support/kbdoc/en-us/000202630/how-to-force-demotion-of-an-active-directory-domain-controller